Posts Tagged ‘crypto recovery’

Matt Green on Recovering $1.5M in USDC in Under Two Weeks: Legal “Nuclear Options” and Peer-to-Peer Strategy

Posted on: January 12th, 2026 by Ella Darnell


This article was written by Matt Green, Director and Head of Blockchain and Digital Assets, and was published on Thomson Reuters Regulatory Intelligence on 8 January, 2026.

You can read the full article as published on Thomson Reuters below.

As traditional finance houses seek to diversify and enter the decentralised world (bitcoin’s value increased by 132% over the last five years), the obvious risks are less technical and more human.

Senior boards are hiring staff whose job specifications are sometimes not fully understood or wildly unfamiliar. Crypto traders often possess specific knowledge that is not widely shared across an organisation, posing a significant risk to business operations.

Little exemplifies this pattern more than a recent UK High Court case (held in private) brought by a London hedge fund that found more than 1.9 million USDC (a stablecoin called Circle, whose value is pegged to the U.S. dollar) drained from their trading account. They had no idea how this happened, no clear leads and no technical vulnerabilities.

This article deals with how lawyers, investigators and blockchain forensic firms helped recover most of the funds within nine working days from being instructed through to recovery, and how the most “nuclear” of legal tools can be used to secure fast and substantial results.

Tracing stablecoins and the smoking gun

The approximately 1.9 million USDC drained was traced by Token Recovery, a blockchain forensics firm that confirmed the funds were consolidated into a single address and remained there for several days. From experience, in the event of a theft, funds are quickly laundered via tumblers and put out of reach by a process known as “smurfing,” whereby large sums of money are broken down into smaller transactions to remain undetected by anti-money laundering protocols and to frustrate tracing. The fact that this money remained in one place for several days indicated that the threat actor was likely unsophisticated and opportunistic.

It was suggested that the hedge fund conduct an internal investigation to determine whether any suspicious staff or activity indicated that the theft was an inside job.

The hedge fund found that one employee, a software engineer (“Mark”), had recently resigned, and according to access logs, took a particular interest in the targeted wallets on the day of the theft.

In response to certain behaviours during employment, the hedge fund had implemented human-resources-led monitoring software on his profile, which took a screenshot of his computer every few seconds, creating a video of his activities. The software had largely been forgotten, but was now vital evidence, given the direction of blockchain forensics.

The video showed that Mark:

  • Reviewed the balances of the hedge fund’s crypto trading accounts.
  • Logged into the relevant servers which ran the trading engines.
  • Initiated memory dumps of those engines and copied them to his local system.
  • Loaded the files into a debugger and immediately navigated to the relevant private keys, which gave any holder the ability to withdraw funds from the relevant account.
  • Then, moments later, searched Google for “Metamask” (cryptocurrency wallet management software) and “what is a Polygon wallet,” suggesting he intended to trade the funds on the Polygon market.

In all, this was key evidence, given there was no genuine reason for Mark to navigate to the private keys. It may have taken longer to consider this evidence without the forensics and laundering patterns.

Law enforcement

The incident was reported to police on several occasions, and a crime reference number was provided, to be handled by Action Fraud, a triaging service for law enforcement.

From the pace and manner following reporting, the hedge fund instructed its lawyers, law firm Lawrence Stephens Limited, of which the author is a partner, to move more quickly, given the evidence at hand. This is the timeline’s first working day.

Urgent injunctions, nuclear options

On the second working day, the hedge fund and its legal team appeared in the High Court on an urgent basis, seeking highly intrusive court orders.

The first was a proprietary injunction (an order to do or not do something with specific property or its traceable proceeds) over the approximately 1.9 million USDC, which in the meantime had started moving and was being laundered more professionally.

The second was a worldwide freezing injunction over Mark’s assets over £1,000 in value and up to $1.9 million (approximately £1.5 million) in total, preventing him from moving assets or money, except for his capped living expenses, without being in contempt of court.

The third was a search and imaging order (also known as an “Anton Piller”[1] order), which allowed the legal team to search Mark’s premises for relevant documents and electronic devices, gain access to relevant accounts, compel the delivery of information and hardware and image the contents of those devices.

This would ensure that critical evidence could be searched for, seized, recorded and preserved for future use. In short, it prevented Mark from destroying evidence that could potentially prove his liability and reveal to the hedge fund what happened to its stolen USDC.

Anton Piller orders are rare, granted by the courts in limited circumstances and widely viewed as the civil court’s “nuclear option.” There must be an extremely strong prima facie case to persuade the court to make such an order, and the court appoints a supervising solicitor to safeguard a defendant’s interests during the search.

The hearing was on an “ex parte” (without notice) basis, meaning Mark had no knowledge that this was happening. The court issued the orders that night. A private investigator was then hired to follow Mark’s movements and monitor his home.

Working day three was spent preparing documents for service and instructing forensic imaging experts (JS Held) who would image devices, and the supervising solicitors.

Home entry

Execution of the search was planned for working day four, a Friday. Service of documents was limited to between 0930 and 1400. There was always a risk that Mark might not be at home, that he (or any cohabitant) might refuse to open the door, or that he might jump out of the window and run away. In any of those cases, a new court order would likely be required. Had he wilfully refused to open the door, he would have been in contempt of court.

The investigator confirmed that Mark was seen entering the house the night before, and there was no evidence that he had left. The supervising solicitors knocked just after 0930 and woke the house. A relative opened the front door, shortly followed by Mark, who thought it was an Amazon delivery.

Mark was immediately served with the Anton Piller order. He had two hours to seek legal advice before the search party entered and was immediately required to hand over his mobile phone and other relevant electronic devices. He was not to be left out of sight for the day.

Search party

Two hours later, the legal team search party was allowed in. There was no protestation or outward denial of wrongdoing, and Mark granted access to the search party. The occupants’ movements were monitored carefully to mitigate the risk of Mark destroying key documents or dissipating his assets. As the funds are digital, any internet access is high-risk, and 30 seconds locked in a toilet is enough time to put the USDC or other assets out of reach. As ordered by the judge, his phone was imaged on site and returned without delay.

All relevant electronic items were secured, including mobile phones, a PlayStation 5, USB sticks, memory cards and a gaming computer. Physical reviews of paper, including receipts and pages of old cheque books, might reveal seed phrases (a collection of innocuous words, which, when input, give access to a crypto wallet) or private keys.

Mark was required to give the forensic imaging team access to all relevant accounts, including financial and crypto trading accounts. He maintained various cryptocurrency accounts with several providers and also held an account for Monero, a privacy-focused cryptocurrency designed to make tracing difficult.

The search lasted until around 1730, a time deemed reasonable to avoid unnecessary intrusion. The next two days were a weekend.

Freezing order

Mark was also served with the worldwide freezing and proprietary orders on the search day. Although he could technically move funds and dissipate assets, if it were found that he had done so after service, he would have been in contempt of court (a criminal offence). The power of that deterrent may have been reinforced by his mother, who happened to be a lawyer. Non-compliance, in his mind, may be outweighed by the value of the assets.

The freezing order also required him to detail all worldwide assets worth more than £1,000 on working day nine. This is vital. If he had the stolen funds or any proceeds, he must disclose them — unless, in limited circumstances, they are incriminating — or face contempt of court.

Settlement negotiations

Settlement offers yield quick results, especially when court hearings are imminent and pressure is greatest. As the first hearing was ex parte, the process required a further hearing two weeks later to allow Mark, the respondent, to seek to amend, discharge or agree to continue the orders. This is called a “return date” and is for the benefit of the respondent following ex parte hearings.

Mark’s lawyers made various attempts to settle. However, on working day nine, no agreement had been reached, and Mark was required to disclose his assets by 1730.

This was the overwhelming pressure point for settlement, because without a deal, Mark would now have to disclose his assets.

Eventually, Mark offered to agree to stay proceedings and discharge the orders, after which he would send more than 1.5 million USDC to the hedge fund directly, on a peer-to-peer basis.

Since trust was low, the preferred mechanism was inverse, such that the parties would agree that, upon receipt of Mark’s funds, the hedge fund’s lawyers irrevocably undertook to file a consent order (agreed by the parties) to stay proceedings and discharge the orders, subject to a short contract detailing terms. Mark was to send the funds in two stages, one dollar first, then the balance, to ensure transaction integrity.

The hedge fund made a take-it-or-leave-it offer: recover the money first, or Mark discloses and the parties proceed to litigation, knowing he had more than 1.5 million USDC that could be paid into the court as security during the proceedings. Mark took the deal.

Peer-to-peer settlement

This was a pure peer-to-peer settlement. The respective lawyers did not hold nor were they in any way in control of the flow of funds. On a call, Mark sent the first dollar, which the hedge fund received. Notably, the sending address was now identifiable, given that the transaction took place, and the hedge fund conducted a cursory review of the address.

Mark then paid the balance directly to the hedge fund.

Upon receipt, the consent order was filed, and proceedings were stayed. This was working day nine.

Decisive action

Understanding blockchain analytics helped to identify Mark, where there were no other obvious targets in the aftermath of an emergency. Convincing evidence of wrongdoing led to draconian injunctions and the Anton Piller order, which put enormous pressure on Mark. The settlement offer resulted in Mark’s disclosure of approximately 1.5 million USDC, which was the determining factor.

Within nine business days, the hedge fund’s team had changed the position from a complete unknown to obtaining more than 80% of the value of lost USDC, the hedge fund being satisfied that the balance had been dissipated and/or not worth the cost to pursue.

Often, published court proceedings involving lost cryptocurrency have yielded less-than-satisfactory results for victims. Accordingly, it is important to share success stories and show that recovery is real when the facts align and the analytics are well understood.

[1] Anton Piller KG v Manufacturing Processes Ltd [1976] Ch. 55

Matt Green Shares Expertise on BBC’s File on 4: Investigating Crypto Crime in the UK

Posted on: October 2nd, 2025 by Ella Darnell

Matt Green, Director and Head of Blockchain and Digital Assets, is a regular commentator on all things crypto and recently featured in BBC’s File on 4, one of the UK’s most respected investigative journalism programmes.

File on 4 has built a reputation for in-depth investigative reporting on some of the most pressing topics in society, from political scandals and corporate misconduct to human rights and financial crime. Produced by BBC Radio 4, the programme is known for shaping public understanding and policy on the UK’s most complex issues and has a weekly audience running into millions.

In this episode, which aired on 30 September, File on 4 investigated the surge in phone thefts across London and the associated theft of funds from online accounts. In 2024 alone, there were up to 80,000 devices stolen in London’s streets and transport network. The loss to users goes far beyond having to replace stolen devices, as gangs are now exploiting unlocked phones to access victims’ online banking and cryptocurrency accounts.

Matt offered his expert insight into why crypto assets are particularly attractive to criminals, and how victims’ funds are emptied and transferred into criminal accounts: “The problem is that there are no regulatory provisions that ensure you can get your money back. You have to spend, as a consumer, a good deal of money paying for investigators and lawyers to seek to recover your funds. That is expensive, it doesn’t always work because funds can be sent to various jurisdictions which don’t always comply with court orders, and it makes the process a lot more difficult. I would like it so that there is some sort of duty or obligation for crypto currency exchanges to play a role in helping consumers and protect them further.”

Known for his work tracing and recovering crypto assets across borders, Matt regularly advises on high-value disputes involving blockchain technology and has helped shape UK legal precedent on digital property. As part of his role as chair of techUK’s Digital Asset Working Group, he is closely involved in the drive to improve regulation to help consumers recover stolen digital assets.

You can listen to the full podcast here; Matt enters the conversation at 29m16s.


Crypto recovery – navigating the first 72 hours

Posted on: May 23rd, 2025 by Natasha Cox

When a person goes missing, the first 72 hours are mission critical.

The same urgency applies if you have been hacked, scammed or are the victim of a theft, even more so if the loss is of crypto assets. Quick and decisive action in the immediate hours will significantly mitigate the risk of those assets being obfuscated and dissipated and assist with recovery.

Crypto scammers are particularly ruthless, often deploying all manner of sophisticated tactics. From straightforward account compromises and theft with no direct interaction, to elaborate social engineering, often gaining trust through dating websites, fake investment platforms, or social media, their ultimate aim is to deprive a rightful owner of crypto assets.

Discovering that you have been the victim, regardless of the methodology used, can be emotionally draining as well as financially devastating. Clarity of thought and rational action can often give way to absentmindedness. This can lead to victims continuing to pay the bad actors, or fake recovery firms who are one and the same.

In the circumstances this is entirely understandable.

The appropriate next steps can vary depending on the specific circumstances; however, our recommended action plan is detailed below and applies to most scenarios:

  1. Secure your communications

Often, particularly in cases where victims have been socially engineered, your email addresses and social media accounts will likely have been compromised as the result of the hack.

Most mainstream email providers will allow you to see a log-in history which details the IP address and location of all log-in attempts. Consider if any are unrecognisable.

If there are any suspicious log-ins, it is likely that your email address has been compromised and your communications may be monitored by the scammers. This could also impact other personal and financial accounts linked to your email, such as online shopping accounts, bank accounts and social media profiles. Credit ratings and access to future banking facilities may also be affected.

In this case, it is vital that you immediately change the password for your email, and then for all other accounts held online.

In addition, we recommend that you set up a new, secure email address immediately and avoid logging into any accounts you suspect may have been compromised. You should divert any personal and critical emails to your new account, and ensure that you update your email address across your online shopping, social media and bank accounts.

It is important that you notify your bank and/or cryptocurrency exchange of your new email address, which replaces the old one, and make clear that no instructions are to be taken from the old email address.

  2. Cease communications strategically

In cases where scammers have maintained prolonged contact, they may continue to reach out to you. Let them remain unaware you know this is a fraudulent scheme. If they know that you are aware, there is a heightened risk that they will take steps to obfuscate their trail and dissipate assets, which can make asset recovery more complicated.

If you can, you should look to cease communication strategically without encouraging further interaction. One approach might be to indicate you will be unavailable or away for a few weeks. This will hopefully give you and your legal team time to investigate and trace the assets, write to any centralised exchanges who may be in receipt of those assets, and put them on notice of the theft and request that they freeze those accounts pending further legal action.

In short, the longer the scammers believe that their scam is undetected, the better.

You should then immediately begin collating a detailed record of all previous communications, including requests for payments, emails, phone calls, text messages, social media interactions, transaction details, wallet addresses and transaction hashes etc. Accurate records are crucial for any subsequent legal action and investigations. If you have been directed to a webpage during your interactions with the scammers, you should ensure that you take screenshots of these pages in case they disappear.

Evidence of what jurisdiction they may be in is also vital. For example, a note of their telephone number and dialling code (e.g. +44 for UK) or mention of a registered office (even if untrue) will help dramatically.

  3. Report to law enforcement

As soon as possible, you should report the theft to the police and Action Fraud – or equivalent law enforcement agencies. Make sure you keep a copy of your report, as well as any crime reference numbers provided.

It is important that you engage with your local police force as much as possible, and obtain a direct liaison and contact details. Action Fraud is only a database, and your query will not progress unless the police investigate.

Try not to be discouraged or frustrated if the police cannot offer much help. Police resources, expertise, and capacity to deal with crypto-related crimes can vary considerably, and officers may lack immediate familiarity with blockchain technology, or the complexities involved.

Even if the police are unable to offer much direct assistance, formally reporting the incident is a crucial step as it creates an official record that supports any subsequent legal and recovery actions you may take with the support of your legal team.

  4. Device management and evidence preservation

Given that so much of our lives are conducted online and contained within personal devices such as laptops and mobile phones, it is crucial to exercise heightened caution if these devices may have been compromised.

If you notice unusual behaviour or unexpected activity on your devices (for example, unprompted command prompt windows opening up for split seconds, or excessive system resources being used when your device does not appear to be doing much) then this may be an indication your device may be compromised.

This is more likely if the scammers have previously taken remote control of your device under the pretence of assisting you through services like AnyDesk.

As tempting as it may be, avoid formatting or performing factory resets at this stage. Evidence preservation is vital, particularly as forensic digital examination of your devices could yield critical information, instrumental in tracing and recovering the stolen assets. Formatting or resetting the device risks destroying potentially valuable evidence which often indicates the attack vectors used by the scammers and can be a useful part of the puzzle in identifying who they may be.

If your budget permits, obtaining new, uncompromised devices for interim use is recommended.

  5. Secure remaining crypto assets

It may be that the scammers have only targeted or been able to target specific parts of your crypto holdings. However, if your devices or email/social media accounts have been compromised, it is likely they know much more than you think – including what centralised exchange accounts and wallet addresses you have that they may wish to target next.

As such, you should immediately access and review all centralised exchange accounts you may hold online, and cold storage where applicable. Update your details held at these accounts, including email, contact information and passwords.

It is also crucial to strengthen your two-factor authentication and carefully review transactions to identify any activity you do not recognise which may be indicative of that account being compromised.

If you are holding any assets on these accounts, consider creating new, secure self custodial wallets on uncompromised devices and transferring remaining assets between multiple wallets.

If you have previously staked assets, check to see whether these remain staked or have been unstaked without your knowledge and are in any cooldown period. If unstaking has been initiated, try to take steps to ensure the unstaked assets can immediately be sent to your new, secure wallets as soon as possible.

  6. Engage with experts

Engaging promptly with specialist lawyers experienced in crypto asset disputes, particularly asset tracing on blockchains and recovery, can be vital in ensuring the swift tracing and recovery of your assets.

Your legal team will quickly be able to identify suitable independent blockchain tracing specialists who will be tasked with conducting an initial tracing report to follow the movement of your crypto assets and their traceable proceeds. You will need to provide proof that you owned the assets (such as statements) as well as relevant transaction hashes or addresses as this will form the basis of asserting your proprietary claim to those assets. This is essential in recovering such assets.

Scammers typically seek to convert stolen crypto assets into cash, often using centralised exchanges as their off-ramp. The first step in any successful crypto asset recovery matter is identifying the exchanges used. These exchanges will have established payment rails which allow them to enable the transfer of fiat funds and are crucial to their business operations. 

As these payment rails exist within a regulated environment, banks must be comfortable with the funds handled by these exchanges. Consequently, exchanges are subject to a degree of regulatory oversight and compliance mechanisms to satisfy the requirements of typically highly regulated banking entities.

Once an investigator can identify exchanges which have received the stolen assets, your legal team should then enter into dialogue to place them on notice that they have received the proceeds of crime and request they take specific actions. These include freezing the relevant accounts to secure any assets held within, as well as requesting disclosure of any onward transfers and withdrawals from that account which can be used to further trace the stolen assets with a view to recovery.

This draws a line in the sand – the exchange is now aware of the issue and any funds held at or subsequently deposited at that account must now be frozen.

  7. Seek emotional support

Recognising that you have fallen victim to a scam can trigger intense emotional distress, anxiety, and feelings of isolation. It is important to recognise you are not alone and that these feelings, while overwhelming, are a common response to what can be a very personal breach of privacy, trust and security.

If you find yourself in such a position, consider reaching out to supportive friends and family. Whilst there are also online communities offering support to victims, you should treat these with caution, as these can present attractive hunting grounds for scammers seeking to exploit those at their most vulnerable.

If you find your emotional state severely impacted or you are feeling persistently low, anxious or overwhelmed, it is essential to seek professional medical or mental health support.

As outlined above, acting quickly and methodically within the immediate hours and days after discovering a scam can significantly improve the prospects of recovery and limit the broader financial and emotional damage.


Matt Green co-authors chapter of The Founders’ Guide to UK Crypto Law

Posted on: December 16th, 2024 by Natasha Cox

Matt Green, Director and Head of Blockchain and Digital Assets at Lawrence Stephens, has contributed to the launch of a new guide, The Founders’ Guide to UK Crypto Law by Lisa McClory, Digital Technologies Lead at D2 Legal Technology, an award-winning legal data consulting firm.

Matt’s co-author is Marcin Zarakowski, CEO of Token Recovery. In their chapter on ‘Tracing, Freezing and Recovery – when crypto assets are stolen’, they explain the risks, and the legal procedures available to those affected.

The publication came about through the recognition of the urgent need for some solid and practical guidance for projects looking to start out in the Web3 space (the concept emphasising personal data ownership and the use of blockchain technology and cryptocurrencies).

The guide brings together many of the top experts in the area to deliver on this objective. It is intended as a starting point for Web3 builders and entrepreneurs in the UK. The guide acknowledges the important role that law and regulation play and seeks to assist projects in overcoming uncertainty and avoiding pitfalls, and generally to equip the reader with the essential knowledge to empower and catalyse their ideas.

To read the guide please follow the link: The Founder’s Guide to UK.pdf – Google Drive