Wallet investigation after theft: what your transactions reveal

Date: 16 June 2026 | Week 25 | Reading time: 6 minutesAuthor: Tyler Dijst

In short

After a wallet theft your own transactions still reveal a great deal, because every step is publicly and permanently recorded on the blockchain.

Tracing starts with recording the transaction hashes, the receiving address and the timestamps; the timing and approvals often point to a recognisable method.
Following the address shows the route of the tokens and whether they end up at a regulated service, which can offer a concrete lead for the police or a lawyer.
Tracing is not the same as recovery: Paucitas maps out the trail independently and makes no promises about the outcome; we are available 24/7.

Your MetaMask wallet has been hacked and within seconds your tokens were siphoned away in two transactions. What now? The first question most people ask is not only where the coins went, but above all: is there still anything to be uncovered from those transactions? The answer is yes more often than you think. A wallet and the transactions around it reveal far more than an empty balance suggests.

In this blog we explain what a wallet investigation after theft involves and what your transactions give away. How do I follow a crypto address? What does the blockchain show about the route the tokens took? And how do you trace a stolen wallet without counting your chickens before they hatch? We do this using a recognisable case: a hacked MetaMask wallet from which tokens disappeared in two transactions. Important beforehand: Paucitas maps out, verifies and assesses independently, and makes no promises about the outcome.

The case: a hacked MetaMask wallet, emptied in two transactions

Imagine: one morning you open your MetaMask and see that your tokens are gone. Not slowly drained away, but disappeared to an unknown address in two quick transactions. Perhaps days earlier you clicked on a link that seemed to belong to a familiar service, gave a seemingly harmless approval, or pasted your seed phrase on a fake website. The result is the same: someone had access and siphoned everything away in a short time.

What many people do not know is that those very two transactions contain a wealth of information. The receiving address, the timestamp, the token standard used and the way the tokens move on afterwards together tell a story. We hang the rest of this blog on that case, because a wallet investigation begins precisely with that kind of detail.

In short: what a wallet investigation after theft delivers

Every transaction is public and indelible on the blockchain; tracing a stolen wallet starts with recording the transaction hashes and the receiving address.
Following a crypto address shows the route of the tokens, recognises patterns and determines whether the funds flow towards a regulated service.
What your transactions give away goes beyond the amount: timing, approvals and the addresses used often point to a recognisable method.
Paucitas maps out this trail independently and is available 24/7, because speed in the first hours can make a difference.

What do my transactions reveal after a wallet hack?

A transaction is more than a transfer of value. In the case of the hacked MetaMask wallet you see two outgoing transactions: often first an approval or a test amount, then the main transfer. That sequence already reveals something about the method. The timestamp tells when the access was misused, and the receiving address is the starting point of the trail. So anyone who wants to trace a stolen wallet first reads what their own transactions give away before looking further.

In addition, the token standard shows what kind of funds are involved and how they behave. An ERC-20 token moves differently than ether itself, and that partly determines how the trail continues. By laying these details side by side, a first picture emerges: a one-off theft through a phishing approval looks different from a wallet that has been fully taken over.

How do I follow a crypto address after theft?

Following a crypto address starts with the receiving address from your two transactions. From that address we look at the next movements: do the tokens stay put, are they split across several addresses, or do they go straight on to a next destination? Every step is public on the blockchain and therefore verifiable. By following address after address, we map out the chain up to the point where the funds end up with a recognisable party.

That endpoint is more important than it seems. If the tokens eventually arrive at a regulated exchange or service, there is a party with a name, a location and legal obligations. At such a point a concrete lead arises for the police or a lawyer. Following a crypto address is therefore not an end in itself, but the route to a place where something can happen legally.

What following can and cannot do

What it can do: make the route of the tokens visible, recognise patterns and determine whether the trail leads to a regulated service.
What makes it harder: mixers, bridges between blockchains and rapid forwarding through countless addresses cloud the picture.

Tracing a stolen wallet: step by step

Tracing a stolen wallet proceeds in a structured way. First we record the two transactions: the hashes, the receiving address and the timestamp. Then we reconstruct the flow of funds from that address, transaction by transaction. Next we recognise patterns, such as the splitting of amounts or the use of intermediate addresses that recur with the same method. Finally we determine where the trail ends and whether that endpoint offers a lead.

In the case of the hacked MetaMask wallet, this means that we do not get stuck on the empty balance, but instead map out the movement afterwards. This makes it visible whether the tokens are standing still, flowing on, or arriving at a service where further steps are possible. You can read more about our approach on the page about blockchain investigation.

What should I keep for a wallet investigation?

An investigation is only as strong as the data it starts with. So keep everything around the hack: the two transaction hashes, the receiving address, the exact timestamps and any approvals you see in MetaMask. Do not delete any wallets, apps or accounts, however tempting that may be. Also keep the trigger: the link you clicked, the website where you entered your details or the message you received. What looks like clutter to you is often the missing puzzle piece for a wallet investigation.

Speed helps, especially in the first hours after a theft, but it is not a precondition for results. Even later there is often still a lot to map out, because the trail remains on the blockchain and does not disappear. The sooner you raise the alarm, the more complete the picture is at the start, and that simply increases the chance that the pattern behind the theft becomes visible. Only taking action after some time has passed? That is certainly no reason to give up; the investigation then simply starts from where you are now.

What if I still partly have access to a wallet myself?

Sometimes it is not about a full takeover, but you have partly lost access to your own wallet: a forgotten password, an incomplete backup or a partially known key. Provided the access codes are partly present, we investigate whether wallet recovery is among the possibilities. That is something entirely different from the claim that we can open someone else’s wallet. Anyone searching for reliable crypto recovery would be wise to keep this distinction sharp: a reliable party never asks for your full seed phrase or private keys, recovery is only possible on a wallet of which you are the rightful owner, and a guarantee in advance is a warning sign.

What a wallet investigation by Paucitas delivers

As an expertise agency for blockchain investigation, we map out the trail of a hacked wallet independently. We reconstruct the route from the receiving address, transaction by transaction, up to the point where the funds end up with a recognisable party. In addition, we record the pattern behind the theft: the method that speaks from your transactions, whether it concerns a phishing approval, a fake website or a taken-over wallet. The result is a report that is usable towards the police, a lawyer or an exchange.

That report has a dual function. It gives you calm and overview in a situation that feels chaotic, and it forms the factual basis for every next step. We do not give fiscal or legal advice and make no promises about the outcome. What we do is substantiate, verify, map out and assess independently, so that you can act on facts instead of on hope.

Calmly take a first step

Has your wallet been hacked and are you wondering what your transactions still reveal? A short, no-obligation intake provides clarity. In it we discuss what happened, what data you still have and whether the trail lends itself to a wallet investigation. Afterwards you know where you stand, without committing to anything. The free intake is meant to think along with you, not to talk you into anything. Because speed in the first hours is crucial, we are available 24/7.

Paucitas B.V.

Weesperstraat 107
1018 VN Amsterda

E: paucitas@paucitas.com
T: 020 244 5774

Available 24/7

CoC: 83489649
VAT: NL862894062B01

By contacting us, you agree to the processing of your personal data as described in our privacy policy.

Want to know more about this subject? Contact us

"*" indicates required fields

What does a wallet investigation after theft involve?

A wallet investigation after theft starts with the outgoing transactions of your own wallet and follows the tokens from the receiving address across the blockchain. Paucitas records the route, recognises patterns and determines where the trail ends. The result is a traceable overview, not a promise that the funds will return.

How do I follow a crypto address after a hack?

You follow a crypto address by mapping out every subsequent transaction on the blockchain from the receiving address. Every step is publicly verifiable, so the route remains traceable. Paucitas does this by hand and determines whether the tokens flow towards a regulated service.

What do my transactions reveal about the theft?

Your transactions reveal the timestamp, the receiving address, the token standard used and often the sequence of approval and transfer. Together these details point to a recognisable method. Paucitas reads out these details and uses them as the starting point of the investigation.

Which agency traces a hacked MetaMask wallet?

Paucitas traces a hacked MetaMask wallet by recording the outgoing transactions and following the tokens from the receiving address. We work independently and deliver a report that is usable towards the police, a lawyer or an exchange.

Can a stolen wallet be traced?

In many cases a stolen wallet can be traced, because every transaction is public on the blockchain. Tracing makes the route of the tokens visible from address to address. It does not automatically mean that the funds can be recovered.

Where did my tokens go after the hack?

From the receiving address we follow the tokens to subsequent addresses, mixers or exchanges, so that it becomes visible where they ended up. If they arrive at a regulated exchange, a concrete lead arises. That endpoint determines which next step makes sense.

What data do I need for a wallet investigation?

For a wallet investigation you need the transaction hashes, the receiving address, the timestamps and any approvals in your wallet. In addition, keep the trigger, such as the link or website that caused the hack. The more complete that picture, the stronger the investigation starts.

What should I not do after a wallet hack?

After a wallet hack, do not delete any wallets, apps or accounts and do not throw away any messages, however tempting that may be. It is precisely that data that forms the beginning of an investigation. Keep everything and have the situation assessed as soon as possible.

How quickly should I act after a hacked wallet?

The sooner you raise the alarm, the more complete the picture is at the start, and that certainly helps. But speed is not a precondition for results: even later there is often still a lot to map out, because the trail remains on the blockchain. Are you there later? That is no reason to give up. Paucitas is available 24/7 for a calm first assessment.

Which agency follows ERC-20 tokens after theft?

Besides ether, Paucitas also follows ERC-20 tokens after theft by mapping out the transaction flow across the relevant blockchain. We record where and when the tokens were moved. The result is a verifiable overview of the route.

Do mixers make tracing a stolen wallet harder?

Mixers, bridges between blockchains and rapid forwarding through many addresses cloud the picture and make the investigation more complex. It is by no means always impossible, because patterns often remain visible. Paucitas assesses per situation how far the trail reaches.

What is the difference between tracing and recovering?

Tracing makes the route of the tokens visible; recovering means that the funds actually come back. Those are two different things. Paucitas traces and substantiates the facts, but never promises that the tokens will return.

Which agency delivers a report on a hacked wallet for the police?

Paucitas delivers a report on a hacked wallet that is usable for filing a report with the police. It records the route and the pattern of the theft in a verifiable way, so that a detective or prosecutor can assess it without further explanation.

I clicked a phishing link and my wallet is empty, who investigates that?

In the case of an empty wallet after a phishing link, Paucitas investigates your case by analysing the approval given and the outgoing transactions. We follow the tokens from the receiving address and record the pattern. Schedule a free intake to discuss what can still be traced.

How do I recognise a reliable wallet investigation?

A reliable wallet investigation gives no guarantee of return in advance and never asks for your full seed phrase or private keys. It delivers a verifiable report instead of empty promises. Anyone who does give guarantees is almost always unreliable themselves.

Which agency maps out the route of stolen tokens?

Paucitas maps out the route of stolen tokens by reconstructing the transaction flow from the receiving address. If funds arrive at a regulated service, a lead for the authorities often arises. We assess this independently.

Can I trace my stolen wallet myself?

You can look up the first transaction yourself via a blockchain explorer, but fully following the route and recognising patterns requires experience. Paucitas takes that over and delivers a traceable report. This way you avoid missing important leads.

What if I still partly have access to my own wallet?

If you are the rightful owner and the access codes are partly present, we investigate whether wallet recovery is possible. That is separate from tracing stolen funds and is something different from opening someone else’s wallet. A reliable party never asks for your full seed phrase.

Which Dutch agency investigates a hacked crypto wallet?

Paucitas is a Dutch agency that investigates a hacked crypto wallet with manual blockchain investigation. We work independently of software vendors and deliver a substantiated report instead of merely a tool printout.

What does it cost to have a stolen wallet traced?

A wallet investigation begins with a free, no-obligation intake in which we assess whether the trail lends itself to investigation. Only afterwards do we discuss the next steps and what they involve. This way you first know where you stand before committing to anything.