How to Report a Cybercriminal to the IC3 (FBI): What to Put in Your Complaint

Quick answer: File your report at ic3.gov → “File a Complaint.” It is free, online-only (there is no phone hotline for filing), and the FBI accepts complaints from anyone, including victims outside the United States who were targeted from US infrastructure. Write a clear, dated timeline and paste every piece of evidence directly into the form, because IC3 does not accept file attachments. That means full email headers, IP addresses, WHOIS records, and file hashes go in as text. If money moved, contact your bank and file with the IC3 at the same time so the transfer can be flagged for a freeze.

What to do in 3 steps

1. If money moved, call your bank or card issuer now. Ask them to recall or freeze the transfer and to flag it as fraud. Speed matters more than anything else here. The window to claw back a wire is measured in hours, not days.
2. Preserve the evidence before you touch anything. Do not delete the email, message, or file. Save the original email with its full headers, screenshot the messages, note the IP addresses and any WHOIS lookups you ran, and record file names and hashes. Keep the malware sample isolated; do not run it again.
3. File at ic3.gov. Use “File a Complaint,” tell the story in order with dates and your time zone, and paste your technical findings into the description. Save the complaint number you receive at the end.

Where to file (and who can file)

The IC3, the FBI’s Internet Crime Complaint Center, takes reports only through its website, ic3.gov. There is no call-in number for filing; the web form is the official channel. Filing is free, and you do not need to be a US citizen or resident. If you were targeted from US-based servers or a US company’s infrastructure, which is exactly what your IP and WHOIS lookups suggest, the IC3 is the right destination, because the FBI has jurisdiction over the US-hosted side of the activity.

What to put in the complaint

The complaint form is mostly free text, and IC3 does not let you upload files. Everything has to be pasted as text into the form, so the quality of your report depends on what you write. Keep your original files and emails; investigators can ask for them later if a case opens. Include, as cleanly as you can:

• A dated timeline. When you received the message, when you opened or analysed the file, and every event since, each with the date, time, and your time zone (for example, “14:32 EDT”). Time zones matter when the FBI correlates your report with server logs.
• The full email headers. If it arrived by email, open the message’s full headers (the “Show original” / “View source” option) and paste them in, not just the visible text. Headers carry the sending servers and IPs that make a report actionable.
• IP addresses and WHOIS. List the IPs you found, what each one was doing (command-and-control, hosting, sender), and the WHOIS / hosting-provider details. Note how you obtained them.
• File details and hashes. The malware’s file name, size, and a hash (SHA-256 if you have it). Do not attach the live malware itself; describe it and keep the sample preserved in case investigators ask.
• Screenshots. Of the message, any payment page, profile, or wallet address involved.
• Identifiers of the sender. Usernames, email addresses, phone numbers, social or platform handles, crypto wallet addresses, and any name they used.
• Financial details, if any. Amounts, dates, the accounts or wallets money went to, and your bank’s fraud reference number.

Write the narrative plainly and factually. You do not need to prove the case or name a suspect. You need to hand investigators clean, verifiable leads.

What not to do

• Do not contact, “hack back,” or bait the attacker. It can be illegal, it tips them off, and it can taint the evidence.
• Do not run or “test” the malware again on a machine you care about. Preserve it; do not poke it.
• Do not pay anyone who promises to trace the IPs or recover your money for a fee. Fraudsters hunt people who were just targeted, so be wary: see our guide on the “second scam.”
• Do not file ten copies. One thorough complaint with your contact details beats several thin ones.

What happens after you file

You will get a complaint number on screen, so keep it. From there, the IC3 does not work like a 911 dispatcher: it does not open an individual case for every complaint or send an investigator to your door. Complaints are aggregated, analysed, and routed to the FBI field office or partner agency best placed to act, and your report may become one data point that links a larger pattern. You may never hear back, and that does not mean it was wasted.

The one part that is fast and individual is money. If a fraudulent transfer is fresh, the IC3’s Recovery Asset Team can launch the Financial Fraud Kill Chain to ask the receiving bank to freeze the funds, though the process is built around acting within roughly 72 hours of the transfer. It is not automatic, though: you have to both file the IC3 complaint and have your own bank engage with the FBI’s local field office. In 2025 the team froze about $679 million this way, on a little over half the cases it took on. That is why contacting your bank and filing quickly matters far more than writing a perfect narrative.

Realistic expectations

Reporting to the IC3 is worth doing even when nothing was stolen: your IPs, headers, and hashes may be exactly what ties a scattered set of complaints into a chargeable case. But set expectations honestly. The value is collective and slow, recovery is only likely when money is caught early, and most reporters do not get a personal update. For the full picture of US reporting channels beyond the IC3, see our guide to reporting cybercrime in the United States.

If you have been targeted, you are not alone. See our country-by-country cybercrime help hub for step-by-step reporting and recovery guides.

Image: FBI Headquarters (J. Edgar Hoover Building), Washington, D.C. Photo by the FBI, public domain, via Wikimedia Commons.