Forensic Standards: Chain-of-custody · Verifiable on-chain trail · Regulator-ready packets
12 cases under review
1330 wallets traced this month
Data sources: Etherscan · SlowMist · CertiK
cac-forensics ~ trace --case CAC-2026-042 --chain btc,eth --priority high

Case File // CAC-2026-042 // Operator: Amadeus Markets

36 Hours After the SIM Swap: Recovering £163,000 From an Amadeus Markets Account

A small-business owner in Manchester held her crypto in an account with Amadeus Markets. She lost cell signal on a Tuesday evening and assumed it was a network outage. It was an attacker holding her phone number long enough to reset the account password and withdraw the balance. Speed is what saved most of it.

Vector: SIM-swap / account takeover
Instrument: Carrier port → SMS-2FA intercept → withdrawal
Chain: Bitcoin + Ethereum
Reported loss: £163,000
Exposure window: 36 hours
Recovered: 81% (£132,030)

The Entry Point

The attacker never touched her devices. They called her mobile carrier, posed as her with a few harvested personal details, and ported the number to a SIM in their possession. Her phone dropped to “No Service.”

With the number in hand, they triggered a password reset on her Amadeus Markets account. The reset code arrived by SMS — to their device, not hers. Within the hour they had moved her Bitcoin and Ethereum out in three withdrawals.

Where It Broke

The single point of failure was SMS-based two-factor authentication on a six-figure account. Once the number was ported, every control that relied on a text message belonged to the attacker.

The delay that cost her was human and understandable: several hours passed before “No Service” registered as an attack rather than a dead zone. We started the clock from the first unauthorized withdrawal and worked backward.

My phone showed “No Service.” I thought it was the network. It was someone holding my number while they emptied the account.

The Trace

  1. Timestamped the withdrawals

    Three outbound transactions inside a 90-minute window, all from her verified Amadeus Markets withdrawal address — consistent with full account control.

  2. Mapped the destination clusters

    Two of the three paths used short peel chains before consolidating; one BTC hop went straight to a no-KYC swap service.

  3. Caught the funds at a regulated venue

    Within 30 hours, the two larger paths deposited to a compliant exchange. The narrow window made a freeze viable.

  4. Filed the freeze and the carrier referral

    We packaged the on-chain trace for the exchange and helped route a law-enforcement request to the carrier for port-authorization logs.

  5. Returned the held balance

    After identity confirmation and a police reference number, the exchange released the frozen funds to her control.

Outcome

81% recovered

£132,030 of £163,000 was frozen and returned. The single BTC hop that reached a no-KYC swap within the first hour was lost. The difference between this outcome and a total loss was measured in hours — which is why the first call matters more than the perfect call.

Red Flags in the Code

  • A high-value account secured only by SMS two-factor — move to an authenticator app or hardware key.
  • Sudden, unexplained loss of cell service can be a port-out in progress.
  • A password-reset email arrived in the middle of the night.
  • The account had no withdrawal address whitelist or time-lock enabled.
  • The carrier authorized the port without strong identity verification.
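How the missing withdrawal whitelist and time-lock would have gated the three withdrawals, shown as an added example (not code from Amadeus Markets or from this case file). The event format, the 24-hour post-reset lock, the 7-day address maturity period, and all addresses and timestamps are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

RESET_HOLD = timedelta(hours=24)   # assumed policy: no withdrawals after a credential reset
ALLOWLIST_AGE = timedelta(days=7)  # assumed policy: new addresses mature before use

def evaluate(events):
    """Replay account events in time order; return (address, decision, reason) per withdrawal."""
    allowlist, last_reset, out = {}, None, []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts, kind, addr = ev["ts"], ev["type"], ev.get("address")
        if kind == "password_reset":
            last_reset = ts
        elif kind == "allowlist_add":
            allowlist[addr] = ts
        elif kind == "withdrawal":
            if last_reset is not None and ts - last_reset < RESET_HOLD:
                out.append((addr, "HOLD", "inside post-reset time-lock"))
            elif addr not in allowlist:
                out.append((addr, "HOLD", "address not on allowlist"))
            elif ts - allowlist[addr] < ALLOWLIST_AGE:
                out.append((addr, "HOLD", "allowlist entry too new"))
            else:
                out.append((addr, "ALLOW", "mature allowlisted address"))
    return out

def t(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")

# Constructed timeline shaped like the case: SMS reset, then three withdrawals in 90 minutes.
# Addresses and timestamps are placeholders, not values from the case file.
SAMPLE_EVENTS = [
    {"ts": t("2026-01-05 10:00"), "type": "allowlist_add", "address": "owner-cold-wallet"},
    {"ts": t("2026-02-10 09:30"), "type": "withdrawal", "address": "owner-cold-wallet"},
    {"ts": t("2026-03-03 19:40"), "type": "password_reset"},
    {"ts": t("2026-03-03 19:45"), "type": "allowlist_add", "address": "attacker-eth-1"},
    {"ts": t("2026-03-03 19:55"), "type": "withdrawal", "address": "attacker-eth-1"},
    {"ts": t("2026-03-03 20:20"), "type": "withdrawal", "address": "attacker-btc-1"},
    {"ts": t("2026-03-03 21:05"), "type": "withdrawal", "address": "attacker-btc-2"},
    # Retry after the 24-hour reset lock has expired: the address rules still apply.
    {"ts": t("2026-03-05 08:00"), "type": "withdrawal", "address": "attacker-eth-1"},
    {"ts": t("2026-03-05 08:05"), "type": "withdrawal", "address": "attacker-btc-1"},
]

if __name__ == "__main__":
    for addr, decision, reason in evaluate(SAMPLE_EVENTS):
        print(f"{decision:5} {addr:18} {reason}")
```

The two rules are independent on purpose: the reset lock buys the account owner time to notice the port-out, and the maturity period keeps an attacker-added address unusable even after that lock expires.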
