The amount of stolen cryptocurrency equivalent funds in 2022 was a whopping . This casts a gloomy shadow over all cryptocurrencies and the platforms hosting them. The owners of the lost funds have little choice but to wallow after their wallets and exchanges are hacked, as neither law enforcement nor representatives of the affected platforms have the competencies to track down or recover the lost assets. However, independent investigative firms like AMLBot have the technical resources necessary to identify the path the suspected criminals have taken in their course of action and track down the final repository of the stolen funds. $3.8 billion This article explores the details of investigating a single case that resulted in the recovery of $197,000 USDT in one week. How Is Cryptocurrency Stolen? The arsenal of tools available to hackers and other dishonest players in the cryptocurrency market in their efforts to steal digital assets is quite diverse. Among the most accessible and common methods are direct hacker attacks, email spoofing, phishing schemes, and rug pulling. However, attackers sometimes face impenetrable security barriers and are forced to resort to sophisticated approaches that involve social engineering to trick and deceive their victims into handing over access to wallets on their own. The case involving the loss of $197,000 USDT was based on the belief of the victim in a fraudulent transaction that revolved around a business offer. Given the large amount involved and the complexity of the attack, the victim enlisted the help of professionals, knowing that time was of the essence and that the authorities would have few tools to recover the funds. The Investigation Process The first step in the investigation process was to immediately identify the wallet used by the suspected perpetrator. The next step was to alert all of the major exchanges in the market to the potential threat. They were asked to provide any real-time information regarding the movement of funds through the flagged address. This step was necessary to prevent the perpetrators from hiding the stolen funds in a chain of transactions that would effectively make them untraceable across the network. The first results were obtained fairly quickly. The stolen funds were identified on one of the exchanges, allowing them to be traced. Rather than using a personal wallet address, the attackers used a service address that would not be detected by standard blockchain explorers and analysis software suites, demonstrating the attackers' level of inventiveness. The Collaboration Strategy The only way to corner suspected criminals and return stolen funds in the cryptocurrency space is through timely and coordinated action. As such, our team contacted several third-party organizations. Then we requested a "stolen funds" attribution from investigative tools for the unidentified service address to which the victim's stolen assets were being transferred. The purpose of the request was to disrupt any interactions involving the address and force the responsible party to cooperate in order to withdraw the attribution. The desired result was achieved within hours, as the owners of the service address contacted us and agreed to cooperate in the process of returning the stolen funds. Further investigation revealed that the service in question was a cryptocurrency exchange called TotalCoin. The exchange cooperated fully and escalated the matter to its anti-money laundering (AML) department after reviewing the case report. The Recovery The TotalCoin exchange official responsible for Anti-Money Laundering compliance contacted our team with a proposition of commitment in exchange for complete cooperation and the return of the suspected funds. The exchange then proceeded to return the funds in full, thus completing an investigative process that took seven days.