The First 24 Hours After a Crypto Seizure: What Law Enforcement Teams Need to Know

A practical guide for law enforcement teams on the critical first 24 hours after seizing cryptocurrency — from securing wallets to documenting the chain of custody.

ShadowTrace Research
Published 24 February 2026

When law enforcement seizes cryptocurrency as part of an investigation, the first 24 hours are critical. Unlike physical assets — cash in a safe, property on a register — digital assets can be moved, split, or obfuscated within seconds. A suspect with remote access to a wallet, a pre-signed transaction waiting to execute, or a co-conspirator monitoring the blockchain can shift funds before an agency has even begun its post-seizure procedures.

Yet many agencies still lack clear protocols for the immediate post-seizure period. Officers may be experienced in handling physical evidence but unfamiliar with the specific requirements of digital asset custody. The result is a gap between seizure and secure handling that creates evidential risk, operational vulnerability, and — in the worst cases — loss of the seized assets entirely.

This guide sets out a practical, time-based framework for the first 24 hours after a crypto seizure, designed to help law enforcement teams secure assets, document the chain of custody, and lay the groundwork for a defensible investigation.

Hour 0–1: Secure the Assets

The single most important action in the first hour is getting seized cryptocurrency out of any wallet controlled by, or accessible to, the suspect. Every minute that funds remain in a suspect's wallet is a minute in which those funds could be moved.

  • Immediately transfer seized crypto to a law-enforcement-controlled wallet. This should be a wallet specifically designated for evidential holdings, not a personal wallet or a general-purpose account. Many forces now maintain dedicated seizure wallets with multi-signature access controls.
  • Document the exact time, transaction hash, and originating address. This information forms the foundation of the chain of custody. Record it in writing, not just digitally — contemporaneous notes remain a cornerstone of evidential integrity.
  • Use a hardware wallet or air-gapped system where possible. Hardware wallets (such as Ledger or Trezor devices) provide a layer of physical security that software wallets cannot match. An air-gapped system — one that has never been connected to the internet — offers the highest level of protection against remote compromise.
  • Screenshot blockchain explorer data before and after the transfer. Capture the state of the originating wallet before the transfer (showing the balance and recent transactions) and after (showing the outgoing transaction). These screenshots serve as corroborating evidence alongside the transaction hash.
  • Never leave seized assets in a suspect's wallet longer than necessary. Even if the suspect is in custody, other parties may have access to the wallet's private keys. Pre-signed transactions or smart contract triggers could move funds automatically. The longer the delay, the greater the risk.

If the seizure involves multiple wallets or multiple blockchains, prioritise by value and by risk. High-value wallets and wallets on chains with fast finality (where transactions confirm quickly and irreversibly) should be secured first.

Hour 1–4: Document the Chain of Custody

Once the assets are secure, the focus shifts to documentation. The chain of custody for digital assets must be at least as rigorous as for physical evidence — and in practice, it often needs to be more detailed, because the technical steps involved are unfamiliar to many in the criminal justice system.

  • Create a formal evidence log with timestamps. This log should record every action taken in relation to the seized assets: the initial seizure, the transfer to a controlled wallet, any subsequent movements, and any access to the private keys. Each entry should include the date, time, the individual responsible, and a description of the action taken.
  • Record who authorised the seizure, who executed the transfer, and who has access to the keys. Accountability must be clear at every stage. If private keys are stored on a hardware wallet, document who holds the device, who knows the PIN, and where it is stored.
  • Store private keys according to force evidence handling policies. Private keys are the equivalent of the keys to a safe. They should be treated with the same care as any other high-value evidence item — stored securely, with access restricted and logged.
  • Begin a blockchain intelligence assessment of the seized addresses. Even at this early stage, a preliminary analysis of the seized wallet's transaction history can reveal incoming and outgoing connections that may be evidentially significant. This assessment may identify additional wallets linked to the same suspect, connections to known illicit services, or patterns of behaviour that inform the broader investigation.

Good documentation at this stage pays dividends later. Defence teams will scrutinise the chain of custody, and any gaps or inconsistencies can undermine the evidential value of the seizure.
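
One way to make the evidence log described above tamper-evident is to chain each entry to the hash of the one before it, so that a later edit, deletion or reordering is detectable. The following is an added example, not part of the original article or of ShadowTrace's platform; the function names, field names and sample values are hypothetical and constructed for illustration.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash used by the first entry in a log

def entry_digest(entry):
    """SHA-256 over a canonical JSON form of every field except entry_hash."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

def append_entry(log, officer, action, details, when=None):
    """Append a custody entry chained to the previous entry's hash."""
    when = when or datetime.now(timezone.utc)
    entry = {
        "seq": len(log) + 1,
        "timestamp_utc": when.astimezone(timezone.utc).isoformat(),
        "officer": officer,      # individual responsible
        "action": action,        # description of the action taken
        "details": details,      # e.g. transaction hash, originating address
        "prev_hash": log[-1]["entry_hash"] if log else GENESIS,
    }
    entry["entry_hash"] = entry_digest(entry)
    log.append(entry)
    return entry

def verify_log(log):
    """Return seq positions whose content, order or link fails to verify."""
    bad, prev = [], GENESIS
    for pos, entry in enumerate(log, start=1):
        if (entry.get("seq") != pos or entry.get("prev_hash") != prev
                or entry.get("entry_hash") != entry_digest(entry)):
            bad.append(pos)
        prev = entry.get("entry_hash")
    return bad

if __name__ == "__main__":
    # Constructed sample values; placeholders stand in for real identifiers.
    log = []
    append_entry(log, "Officer A", "Seizure authorised",
                 {"origin_address": "ADDRESS-PLACEHOLDER"})
    append_entry(log, "Officer B", "Transfer to seizure wallet",
                 {"tx_hash": "TXHASH-PLACEHOLDER"})
    print(verify_log(log))                      # intact log
    log[1]["details"]["tx_hash"] = "ALTERED"    # simulate a later edit
    print(verify_log(log))                      # altered entry is reported
```

Copying the latest entry_hash into the contemporaneous written notes ties the paper record to the digital log at that point in time.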

Hour 4–12: Assess the Full Picture

With the assets secured and the custody documentation in place, the investigation can move to a broader assessment of the seized funds and their context within the wider case.

  • Use blockchain analytics to trace the history of seized funds. Where did the funds originate? How many hops have they taken? Have they passed through mixers, bridges, or decentralised exchanges? Understanding the provenance of the seized assets is essential for both the current case and any related investigations.
  • Identify any connected addresses not yet accounted for. Cluster analysis can reveal additional wallets controlled by the same entity. These may contain further seizable assets or provide intelligence leads for the investigation.
  • Assess risk indicators. Are the funds linked to known illicit services — sanctioned entities, darknet markets, ransomware groups, or fraud operations? Risk indicators help investigators understand the significance of the seized assets and prioritise next steps.
  • Check for any pending outgoing transactions or smart contract interactions. On some blockchains, transactions can be queued or triggered by smart contracts. If the seized wallet has any pending interactions, these need to be identified and, where possible, prevented.
  • Look for additional wallets that may be connected to the same suspect or network. Cross-referencing on-chain data with off-chain intelligence (such as exchange records, IP data, or device forensics) can reveal a broader picture of the suspect's cryptocurrency holdings and activity.

This phase is where blockchain intelligence platforms add the most value. Manual analysis of transaction histories across multiple chains is time-consuming and prone to error. Automated tracing, clustering, and risk assessment tools enable investigators to cover more ground in less time, with greater consistency and auditability.

Hour 12–24: Reporting and Next Steps

By the 12-hour mark, the team should have a clear picture of the seized assets, their provenance, and their connections. The final phase of the first 24 hours is about consolidating findings and preparing for the next stage of the investigation.

  • Prepare an initial intelligence summary. This document should provide an overview of the seized assets, key findings from the blockchain analysis, and any immediate intelligence leads. It should be concise, factual, and suitable for sharing with senior officers or partner agencies.
  • Generate evidence-grade reports documenting the seizure and initial analysis. These reports should include transaction flow diagrams, risk assessments, methodology documentation, and audit trails. They form the basis of the evidential package that will be presented to prosecutors and, ultimately, to the court.
  • Brief the senior investigating officer on findings. The SIO needs to understand what has been seized, what the initial analysis reveals, and what further investigative steps are recommended. This briefing should be delivered in plain language, avoiding unnecessary technical jargon.
  • Identify whether further seizure applications are warranted. If the analysis has revealed additional wallets or assets connected to the suspect, consider whether further seizure orders should be sought. Speed matters — if the suspect or co-conspirators become aware of the initial seizure, connected assets may be moved.
  • Ensure all documentation meets the standard for subsequent legal proceedings. Every step taken in the first 24 hours should be documented to a standard that will withstand scrutiny in court. This means complete records, clear methodology, and a defensible chain of custody from the moment of seizure.

Common Mistakes to Avoid

Even experienced investigative teams can make errors during the high-pressure post-seizure period. The following mistakes are among the most common — and the most consequential:

  • Leaving seized funds in the suspect's wallet. This is the single most dangerous error. Until funds are in a law-enforcement-controlled wallet, they are not truly secured.
  • Failing to document the chain of custody from the moment of seizure. Retrospective documentation is always weaker than contemporaneous records. Start documenting from the first moment of seizure, not after the fact.
  • Not capturing blockchain data immediately. On-chain data is immutable, but exchange account data, web wallet interfaces, and third-party service records may be deleted or altered. Capture everything as early as possible.
  • Using personal devices to manage seized assets. Personal phones, laptops, or wallets should never be used to handle seized cryptocurrency. This creates security risks, evidential vulnerabilities, and potential conflicts of interest.
  • Not involving a blockchain analyst early enough in the process. Specialist expertise should be engaged from the outset, not brought in days or weeks later. Early involvement ensures that the seizure is handled correctly and that no intelligence opportunities are missed.

How ShadowTrace Supports Post-Seizure Workflows

ShadowTrace is designed to support law enforcement teams throughout the post-seizure process, from initial asset securing to court-ready reporting. The platform provides automated evidence logging, real-time risk assessment of seized addresses, and structured reporting workflows that meet the documentation standards required for criminal proceedings. By integrating blockchain intelligence directly into the seizure workflow, ShadowTrace helps teams act faster, document more thoroughly, and build stronger cases.
