Freezing and Seizing Crypto: From Exchange Request to Wallet Seizure

This guide offers general professional guidance for law enforcement officers, cybercrime investigators and analysts. It is not legal advice. Freezing, attaching and seizing virtual assets directly engages property rights, and every action described here must be taken only under proper legal authority in your jurisdiction, with prosecutorial and judicial oversight where your law requires it. Once you have traced funds to an account or wallet, the question becomes how to stop the money moving and bring it under lawful control before it is layered away.

The race against fast movement

Unlike a bank wire, a virtual-asset transfer settles in minutes and cannot be reversed. A suspect who senses an investigation can move balances from a hosted exchange account to self-custody, swap into a privacy coin, or push funds through a mixer within a single sitting. Your operational priority, the instant tracing lands on an identifiable account, is to interrupt that movement. In practice this means two parallel tracks: a freeze request to any custodial provider holding the funds, and, where you can lawfully reach the keys, physical seizure of self-custodied wallets before the holder is alerted.

Sequence the freeze ahead of any overt step. Arrests, search warrants executed at the wrong moment, or even a poorly timed account-verification call can tip off the holder and trigger a sweep of the wallet.

Freezing and disclosure at a VASP

A virtual-asset service provider (VASP), most commonly a centralised exchange, is a regulated intermediary that holds customer balances and knows who its customers are. Larger exchanges run dedicated law-enforcement compliance teams with secure intake portals and published response guidelines. Two distinct asks are usually in play:

• Freeze / hold: a request or order to lock the account so the balance cannot be withdrawn or traded pending legal process.
• Disclosure: production of know-your-customer (KYC) records, account-opening data, login and device logs, IP and session history, linked bank or card details, and the deposit and withdrawal ledger. This is the material that links a blockchain address to a real identity.

Under the FATF Travel Rule (Recommendation 16), VASPs are expected to collect and pass on originator and beneficiary identifying information for transfers above the USD/EUR 1,000 threshold, so a compliant counterparty exchange may also hold information about where funds came from or went next. Approach the compliance team through the official channel, cite the legal basis precisely, and specify the exact account identifiers, addresses and time window. Many providers will action an emergency preservation or temporary hold on a properly authenticated request while the formal order is prepared, but the binding freeze still depends on the legal instrument.

Legal instruments to compel a freeze

The instrument depends entirely on your jurisdiction and the stage of the case. Common categories, by function rather than by statute, are:

• Preservation / emergency hold requests: short-term, to stop dissipation while a court order is obtained.
• Production orders / subpoenas: to compel disclosure of KYC and account records.
• Freezing, restraint or attachment orders: court-backed instruments that bind the asset pending forfeiture or trial.
• Seizure warrants: authority to take the asset into law-enforcement control, including moving on-exchange balances to a government wallet.

India. Virtual digital asset service providers were brought under the Prevention of Money Laundering Act, 2002 (PMLA) as reporting entities by a March 2023 Finance Ministry notification, so they must maintain KYC and file suspicious-transaction reports, and they must be registered with the Financial Intelligence Unit (FIU-IND). The Enforcement Directorate uses its PMLA provisional-attachment and search-and-seizure powers against crypto held as suspected proceeds of crime; it has, for example, provisionally attached crypto worth thousands of crore in money-laundering investigations. State police additionally rely on the search and seizure powers in the criminal procedure code for predicate offences.

United States. Investigators use seizure warrants and the civil and criminal asset-forfeiture regimes. Many federal agencies can pursue administrative forfeiture for assets valued at or below USD 500,000 without going before a judge, giving notice to potential claimants; contested claims or higher-value assets proceed by civil or criminal forfeiture in court. When a seizure warrant is executed, the cryptocurrency is transferred to a wallet controlled by the government pending proceedings. The DOJ coordinates this work through its Digital Asset Coordinator network.

Seizing self-custodied wallets

Self-custody changes the problem completely. There is no provider to serve: control of the asset is control of the private key, usually represented by a 12 to 24 word seed phrase (recovery phrase). Anyone, anywhere, holding a copy of that seed can recreate the wallet and empty it, with no PIN and no physical access to the original device. Seizing the hardware is therefore not enough; you must assume a backup of the seed exists and act to defeat it.

1. At the scene, photograph and log every device, written note, metal seed plate, and password manager in place before anything is touched. Seed phrases are frequently written on paper, hidden in books, or stamped on metal.
2. Isolate seized phones and computers from networks (airplane mode, then a Faraday bag) to prevent a remote wipe of wallet apps, but preserve any live, unlocked session under forensic guidance.
3. Treat the recovered seed phrase or private key as the most sensitive exhibit in the case and document who handled it, when, and under what authority.
4. The decisive step is to move the assets to a law-enforcement-controlled wallet whose keys were generated offline and are held by the agency. Until funds sit at an address only you control, the seizure is not secure.
5. Generate the destination keys on an offline device, verify the receiving address out of band, send a small test transaction first where feasible, then transfer the balance and record the on-chain transaction hashes as part of the exhibit record.

Custodial vs self-custodied seizure

Custody, valuation and chain of custody

Once assets are under control, custody and valuation become the long tail of the case. Hold seized crypto in agency-controlled wallets with documented key management, ideally multi-signature or hardware-backed, so no single officer can move funds. Record an unbroken chain of custody for both the digital asset and the physical media: who recovered the seed, every transfer hash, and every person with access to the destination keys. For admissibility, be ready to show the court that the keys were handled in a way that excludes tampering and that the on-chain movements correspond exactly to your evidence log.

Crypto values swing sharply, so fix a valuation methodology and a timestamp (commonly the seizure date) and document the source. Many jurisdictions face the policy question of whether to hold seized assets in kind or liquidate them; follow your agency's standing policy and any court direction rather than improvising.

Cross-border funds

Crypto cases are cross-border by default. Funds frequently sit on an exchange incorporated in another country, and the address that received them may belong to a foreign VASP. Identify the host jurisdiction early, because that determines your route. A foreign provider may action an emergency preservation request voluntarily, but a binding freeze and the production of records usually require formal mutual legal assistance (an MLAT request) or the platform's law-enforcement portal, and sometimes a domestic order recognised abroad. Build the MLAT package in parallel with the preservation request so the formal order is ready before the temporary hold lapses, and coordinate with national central authorities and, where relevant, Interpol or regional cooperation channels.

Frequently asked questions

Can we freeze a private (non-custodial) wallet remotely? No. There is no operator to serve. The blockchain will execute any valid transaction signed with the key. The only way to stop movement is to obtain lawful control of the private key or seed and move the funds to a wallet you control.

Is seizing the hardware wallet enough? Not by itself. If a backup seed phrase exists anywhere, the wallet can be restored and drained from another device. Secure all written and digital copies of the seed and, where authorised, transfer the balance to an agency-controlled wallet.

How fast must a freeze request reach the exchange? Immediately on identifying a hosted account. Settlement is near-instant and irreversible, so the freeze or emergency hold should precede any overt investigative step that could alert the holder.

What is the Travel Rule and why does it matter to investigators? FATF Recommendation 16 requires VASPs to collect and pass on originator and beneficiary identifying information for transfers above USD/EUR 1,000. It means a compliant counterparty exchange may hold valuable identity and routing data about the transaction you are tracing.

This guide is part of our Guides for Investigators & Police reference series, covering Foundations, Mobile, Web & Social, Crypto, Cloud and AI.