Where to Report Cryptocurrency Theft in the Philippines

Cryptocurrency theft in the Philippines is not reported to just one office. In practice, it is handled through a combination of criminal, cybercrime, regulatory, and platform-level reporting. The correct reporting path depends on how the loss happened: whether the crypto was taken through hacking, phishing, wallet compromise, social engineering, insider abuse, unauthorized transfers on an exchange, investment fraud, or a fake crypto scheme disguised as a legitimate product.

In Philippine practice, victims usually need to do several things at once: preserve evidence, notify the exchange or wallet provider, report to law enforcement, and in appropriate cases notify regulators or privacy authorities. Delay is costly. Crypto can move across wallets in minutes, and once mixed, swapped, or bridged, tracing becomes much harder.

This article explains the Philippine reporting framework, the agencies that matter, the laws commonly involved, the practical evidence to gather, and the legal limits victims should understand.

I. What “cryptocurrency theft” means in Philippine legal terms

Philippine law does not usually treat every crypto loss under a single label. “Crypto theft” is a practical description, but the legal classification depends on the facts.

A crypto loss may legally fall under one or more of the following:

Theft or unlawful taking. If a person took control of digital assets without consent, traditional property concepts may still be argued by analogy, but prosecutors usually frame the case through more specific cybercrime or fraud statutes when the conduct happened through electronic systems.

Estafa or swindling. This is common where the victim was deceived into sending crypto voluntarily because of false representations, fake investments, impersonation, romance scams, bogus mining schemes, fake recovery agents, or fraudulent token sales.

Unauthorized access or hacking. If a wallet, exchange account, email, phone, SIM, or authenticator was compromised, the conduct may implicate the Cybercrime Prevention Act and other computer-related offenses.

Identity theft, phishing, or access-device misuse. Where login credentials, OTPs, recovery phrases, passwords, API keys, or linked bank/card details were misused, other laws may also apply.

Securities or investment fraud. If the scheme involved soliciting funds from the public, promising profits, or operating an unregistered investment structure, securities regulation may become relevant in addition to criminal enforcement.

Because of this overlap, victims should not spend too much time trying to “name” the offense before reporting. The better approach is to report the facts, preserve the evidence, and let investigators and prosecutors characterize the violations.

II. The main places to report cryptocurrency theft in the Philippines

In Philippine context, the most important reporting channels are the following:

1. The crypto exchange or wallet provider itself

If the stolen assets passed through a centralized exchange or a custodial wallet provider, this is often the first urgent step. The goal is not merely to complain. The goal is to trigger internal fraud controls, freeze or restrict suspicious withdrawals where possible, document the incident, and obtain an official case or ticket number.

This is especially important when:

  • the theft happened on a Philippine-facing exchange account;
  • a local or foreign exchange can still identify the receiving account;
  • the unauthorized transfer is recent;
  • your account was accessed without authorization;
  • KYC-linked accounts may be identifiable.

Ask for a written acknowledgment, the incident reference number, the exact transaction hashes, the wallet addresses involved, timestamps, IP/device logs if available, and whether the destination account is within the same platform or an external wallet. If the destination is another user within the same platform, speed matters even more.

2. The National Bureau of Investigation Cybercrime Division

For serious cyber-enabled theft, hacking, phishing, investment fraud, and digital tracing concerns, the NBI’s cybercrime unit is one of the primary law-enforcement channels. This is often the strongest option where the case involves technical compromise, complex fraud, multiple victims, or cross-border movement of digital assets.

NBI reporting is especially suitable when:

  • your exchange account, wallet, email, or phone was hacked;
  • there was phishing, malware, remote access, SIM-related compromise, or fake support;
  • blockchain tracing and digital forensics may be needed;
  • the perpetrators used false identities or multiple digital channels.

3. The Philippine National Police Anti-Cybercrime Group

The PNP Anti-Cybercrime Group is another principal law-enforcement channel for online fraud, account compromise, unauthorized electronic transactions, and cyber-enabled theft. In practice, some victims report first to the local police for blotter purposes and then proceed to the PNP-ACG for the cybercrime component. Others go straight to cybercrime investigators.

Where there is urgent risk, a police blotter can still be useful as an early formal record, but a blotter alone is not the same as a full cybercrime complaint.

4. The Securities and Exchange Commission, if the “theft” was part of an investment or token scheme

Not every crypto loss is simple theft. Many Philippine cases are really investment scams. If you lost money because you were induced to buy tokens, join a staking or yield program, invest in a managed crypto fund, or recruit others into a profit scheme, the SEC may be relevant.

The SEC is not the usual agency to recover stolen tokens from a hacked wallet. But it matters when the incident involves:

  • sale of unregistered securities or investment contracts;
  • public solicitation of investments;
  • Ponzi-type returns;
  • fake exchanges or fake brokers;
  • entities operating without the required authority.

In those cases, a report to the SEC may supplement, not replace, a criminal complaint.

5. The Bangko Sentral ng Pilipinas, if a regulated virtual asset service provider is involved

If the incident involves a BSP-supervised or BSP-facing virtual asset service provider, exchange, or electronic money/payment interface, a complaint to the institution itself should usually come first, followed by escalation through the institution’s consumer-assistance process and, where appropriate, a BSP complaint channel.

This is relevant where the issue includes:

  • failure of the platform to respond to unauthorized activity;
  • suspicious account handling;
  • defective security controls in a custodial setting;
  • complaints involving onboarding, withdrawals, transaction holds, or account access.

BSP intervention is generally about regulated conduct and consumer protection concerns, not direct criminal prosecution. It does not replace police or NBI reporting.

6. The National Privacy Commission, if personal data was breached or misused

Many crypto theft cases are also data-breach cases. If your personal information, IDs, selfie verification data, login credentials, phone number, or account-recovery data were compromised, the National Privacy Commission may become relevant, particularly where a platform or service provider suffered a reportable breach or mishandled personal data.

This is not the core forum for tracing stolen crypto, but it matters if identity theft or personal-data compromise was part of the incident.

7. Anti-money laundering channels, indirectly and institutionally

Victims do not usually “file” a standard theft complaint directly with the anti-money laundering system in the way they would with police. But anti-money laundering consequences may become relevant where stolen assets flow through exchanges, bank rails, or covered institutions. In practical terms, this means the police, NBI, prosecutors, regulated exchanges, and financial institutions may generate the reports and coordination that matter for freezing, suspicious transaction review, and financial tracing.

For a victim, the operational point is this: report early to any regulated platform involved, clearly identify the suspicious wallet addresses and transaction hashes, and state that the transaction is unauthorized or fraud-related. That helps trigger escalation on the institutional side.

III. Which office should receive the complaint first

There is no single mandatory sequence, but the best Philippine practice is usually this:

First, secure your accounts and notify the exchange or wallet provider immediately.

Second, file with either the NBI cybercrime unit or the PNP Anti-Cybercrime Group, depending on access, urgency, and case complexity.

Third, add the regulator that fits the case: SEC for investment-scam structures, BSP-related consumer channels for supervised institutions, NPC for personal-data compromise.

That combination is more effective than choosing only one.

IV. Immediate actions before or while reporting

Before any legal filing, the victim should stop further loss and preserve digital evidence. This is part of building a prosecutable case.

1. Secure all linked systems

Change passwords for the exchange account, primary email, backup email, cloud storage, mobile wallet, device passcode, and two-factor authentication. Revoke active sessions, regenerate API keys, and delink suspicious devices. If the phone number may have been compromised, contact the telecom provider and document the event.

2. Preserve the recovery phrase issue correctly

If a seed phrase or private key was exposed, the wallet is effectively compromised. Move remaining assets, if any, to a fresh wallet generated on a clean device. Do not keep using the exposed wallet merely because the thief has not yet drained everything.

3. Capture evidence in a forensically sensible way

Take screenshots, but do not rely on screenshots alone. Save raw records too. The ideal evidence set includes:

  • transaction hashes;
  • wallet addresses;
  • timestamps with time zone;
  • exchange ticket numbers;
  • email headers;
  • SMS messages;
  • Telegram, Viber, WhatsApp, Discord, Facebook, or X communications;
  • phishing links;
  • website URLs;
  • account statements;
  • device logs if available;
  • IP alerts from the exchange;
  • KYC details you gave to the platform;
  • proof of ownership of the sending wallet or exchange account;
  • proof of source of funds.

Keep the files in original format where possible. Export chats. Download PDFs of statements. Preserve URLs. Do not edit images in ways that remove metadata.

4. Build a transaction timeline

Prepare a one-page chronology:

  • when you acquired the crypto;
  • where it was stored;
  • when suspicious activity began;
  • what messages or prompts you received;
  • what addresses received the funds;
  • whether fiat cash-in or cash-out occurred;
  • what steps you took immediately after discovery.

Investigators work faster when a timeline exists.

V. How to classify the incident before reporting

Correct factual framing improves the complaint.

A. Exchange account hacked

Typical indicators: password reset you did not request, new device login, bypassed 2FA, withdrawal confirmation you did not authorize, changes to trusted addresses.

Primary reporting: exchange, NBI cybercrime, PNP-ACG.

Possible legal theories: unauthorized access, illegal interception or computer-related offenses, estafa if deception was involved, misuse of access credentials, data privacy issues if platform-side compromise occurred.

B. Wallet drained after seed phrase exposure

Typical indicators: you entered your seed phrase on a site, shared it with fake support, stored it in cloud notes, or approved malicious transactions.

Primary reporting: NBI cybercrime or PNP-ACG, plus any platform touched by onward transfers.

Legal theories: estafa, phishing-related cybercrime, fraudulent inducement, and possibly computer-related offenses depending on the method.

C. Fake investment or managed trading scheme

Typical indicators: guaranteed returns, recruitment bonuses, locked staking with unbelievable yields, “account managers,” copy-trading scams, or “withdrawal tax” demands.

Primary reporting: NBI/PNP-ACG and SEC.

Legal theories: estafa, securities violations, syndicated fraud theories where facts support them.

D. Romance or impersonation scam paid in crypto

Typical indicators: long social-media grooming, emotional pressure, fake emergencies, fake celebrity or executive impersonation, fabricated exchange dashboards.

Primary reporting: NBI/PNP-ACG; possibly SEC if packaged as investment solicitation.

Legal theory: estafa, cyber-enabled fraud, identity-related offenses.

E. Insider or platform abuse

Typical indicators: suspicious account restrictions followed by missing assets, unexplained internal transfers, customer-service irregularities, inconsistent platform logs.

Primary reporting: the platform, then NBI/PNP-ACG, and potentially BSP complaint routes if a supervised institution is involved.

VI. The core laws commonly invoked in the Philippines

The exact charges depend on the prosecutor’s evaluation, but these are the legal frameworks most often relevant.

1. Cybercrime Prevention Act of 2012 (Republic Act No. 10175)

This is the central cybercrime statute. It commonly applies where the theft involved unauthorized access, interference with data or systems, computer-related fraud, or related digital conduct. For many crypto theft cases, this is the anchor law because the conduct usually happens through electronic systems rather than physical taking.

2. Revised Penal Code, especially estafa-related concepts

Where the victim was deceived into sending crypto, investing funds, or surrendering credentials, estafa is often a natural fit. Many “crypto theft” cases are really fraud cases because the victim transferred the assets voluntarily, but based on lies.

3. Access Devices Regulation Act (Republic Act No. 8484)

This may be relevant if cards, electronic access instruments, payment credentials, or related access mechanisms were misused as part of the theft. It is not a crypto-specific law, but it can matter in mixed fiat-crypto cases.

4. Electronic Commerce Act (Republic Act No. 8792)

This may support aspects of electronic evidence, digital documents, and online conduct, depending on the case theory.

5. Data Privacy Act of 2012 (Republic Act No. 10173)

This becomes relevant where personal data was unlawfully accessed, processed, leaked, or mishandled in connection with the theft. It matters particularly where KYC data, account credentials, phone numbers, or identity documents were exposed.

6. Securities regulation

Where the “theft” occurred through an investment solicitation, token sale, pooled-profit venture, or unregistered scheme, securities laws may enter the picture. This is why SEC reporting is often necessary in scam-investment cases.

The practical point is that one case may involve several laws at once. A fake crypto investment that steals personal data and induces wallet transfers can trigger fraud, cybercrime, privacy, and securities issues simultaneously.

VII. Where the complaint should physically or procedurally go

A Philippine victim should think in terms of three separate tracks.

The criminal track

This goes to the NBI cybercrime unit or the PNP Anti-Cybercrime Group, and later to the prosecutor’s office if the case moves to preliminary investigation.

The platform or institution track

This goes to the exchange, wallet custodian, bank, e-money issuer, telecom provider, email provider, or app service involved. This track is essential for freezing risk, preserving logs, and identifying counterparties.

The regulatory track

This goes to the SEC, BSP-related complaint channels, or NPC when the facts justify it.

A strong case often uses all three.

VIII. What to include in the complaint affidavit or report

A bare statement that “my crypto was stolen” is not enough. The complaint should contain:

Your full identity and contact details.

A statement of ownership or control over the stolen assets.

The exact cryptocurrency involved and approximate value at the time of loss.

The wallet addresses or exchange account details.

The exact date and time of the unauthorized transfer or fraudulent inducement.

A detailed narration of how the loss happened.

The identities, usernames, phone numbers, email addresses, social-media handles, websites, and wallet addresses of the suspect, if known.

All transaction hashes and platform ticket numbers.

A statement of the immediate actions you took after discovery.

A request for investigation, preservation of electronic evidence, and coordination with relevant institutions.

Where multiple wallets were used, attach a wallet-flow diagram if possible.

IX. Can stolen cryptocurrency be frozen or recovered

Recovery is possible, but far from guaranteed. The odds depend heavily on speed, custodial touchpoints, and whether the assets pass through identifiable service providers.

Recovery is more realistic when:

  • the transfer is recent;
  • the receiving account is on a centralized exchange;
  • the platform has KYC information;
  • law enforcement acts before cash-out;
  • the thief reused known wallets;
  • the stolen funds moved through institutions that maintain logs.

Recovery is much harder when:

  • the assets were sent to self-custody and quickly split;
  • mixers, privacy tools, chain-hopping, bridges, or DEXs were used;
  • the victim delayed reporting;
  • the evidence set is incomplete;
  • the funds moved across multiple foreign platforms.

Victims should understand that reporting is still worthwhile even when immediate recovery seems unlikely. Criminal identification, account suspension, platform blacklisting, and later tracing may still happen.

X. What blockchain evidence can and cannot prove

Blockchain records are powerful but not self-executing.

They can often prove:

  • that a transfer occurred;
  • the exact wallet addresses;
  • the time and amount;
  • the movement path across wallets and chains.

They do not automatically prove:

  • who controlled a wallet;
  • the legal identity of the recipient;
  • the victim’s original consent or lack of consent;
  • the platform account tied to the address.

That is why platform records, KYC information, login logs, communications, and device evidence matter just as much as on-chain data.

XI. The importance of proving ownership

A recurring legal problem in crypto cases is not just proving that funds moved, but proving that the complainant owned or controlled them before the loss.

Useful ownership evidence includes:

  • exchange account statements;
  • wallet screenshots tied to your device and timing;
  • transaction history showing acquisition and custody;
  • purchase records;
  • seed phrase custody narrative, if relevant;
  • correspondence showing you controlled the wallet before compromise.

Without ownership evidence, the case becomes weaker even if the blockchain clearly shows outflows.

XII. Jurisdiction issues in Philippine crypto theft cases

Crypto theft often has cross-border elements. The suspect may be abroad, the platform may be foreign, the wallet infrastructure global, and the communications made through international services. Philippine authorities can still be relevant when the victim is in the Philippines, the fraudulent acts were directed here, local institutions were used, or parts of the conduct occurred within Philippine jurisdiction.

The practical challenge is not only jurisdiction in principle, but evidence access in practice. Foreign exchanges may require law-enforcement requests in specific forms. Some may respond only to official preservation or disclosure requests. That is another reason to report early and through proper agencies.

XIII. When the case is really a civil dispute instead of theft

Not every crypto loss is a crime. Some cases are failed investments, breached partnership arrangements, botched informal trading mandates, or private lending disputes. These may still involve fraud, but sometimes the real issue is a civil obligation.

Warning signs of a civil-commercial dispute include:

  • you knowingly handed over funds to a business partner or trader;
  • there was an agreed but risky trading arrangement;
  • losses are blamed on volatility without clear proof of deception;
  • there is poor documentation and no obvious hacking or misrepresentation.

Even then, criminal and civil theories can overlap. The facts must be assessed carefully.

XIV. Common mistakes victims make

The first mistake is waiting too long to report because of embarrassment or hope that the scammer will return the funds.

The second is deleting chats, emails, or social-media messages after getting angry.

The third is relying only on screenshots without saving the underlying electronic records.

The fourth is contacting “recovery experts” who demand crypto upfront. Many are secondary scammers.

The fifth is failing to report to the actual platform that can still preserve logs or restrict accounts.

The sixth is describing the incident too vaguely. Precision matters: dates, addresses, hashes, login events, device changes, and payment routes.

XV. Special note on fake “legal recovery” and “asset tracing” services

Victims of crypto theft are frequently targeted again by impostors claiming they can recover funds through a lawyer, regulator, hacker, exchange insider, or blockchain investigator. In many cases, these are advance-fee frauds. The Philippines is not immune to this pattern.

Be cautious if someone:

  • guarantees recovery;
  • claims secret access to the exchange;
  • asks for “gas fees,” “unlock fees,” “court release fees,” or “tax clearance” in crypto;
  • contacts you out of nowhere saying your wallet has been located;
  • uses official logos but communicates only through private messaging apps.

Legitimate reporting does not require paying a stranger in crypto to “release” your own funds.

XVI. What law enforcement will usually need from you

Investigators commonly need a clean, organized packet:

A government ID.

Your affidavit or written complaint.

Proof of account ownership.

The transaction hashes.

The wallet addresses.

Screenshots and exported records of chats and emails.

Exchange or wallet incident ticket numbers.

A summary chronology.

Proof of valuations or amounts lost.

If possible, a spreadsheet or table showing each transfer.

A victim who presents an organized packet makes the case easier to evaluate and escalate.

XVII. If the theft involved a local bank, e-wallet, or telecom account before the crypto transfer

Many crypto thefts start in fiat. The attacker may compromise an email, SIM, bank account, or e-wallet, then use that to take over the exchange account or fund fraudulent purchases. In these mixed cases, the victim should also report immediately to the bank, e-wallet provider, or telecom provider involved. Those records may explain the crypto loss and provide stronger identity traces than the blockchain alone.

XVIII. Children, vulnerable adults, and elder victims

Where the victim is elderly, emotionally manipulated, or pressured by a family or care relationship, the case may present heightened evidentiary and safeguarding concerns. Family members often help compile records. That can be useful, but the reporting should still preserve the direct account of the victim as much as possible.

XIX. Can the victim sue privately

Yes, potentially, depending on the facts. Aside from criminal prosecution, the victim may explore civil claims for damages, restitution, or recovery where the defendant is identifiable and jurisdictionally reachable. But in many crypto theft cases, the immediate practical obstacle is identifying the wrongdoer and locating attachable assets. That is why criminal and investigative channels usually come first.

XX. A practical Philippine reporting roadmap

For most victims in the Philippines, the most effective path is this:

Notify the exchange or wallet provider immediately and demand preservation of records.

Secure all linked accounts and move remaining assets to safe custody.

Prepare a documentary packet with hashes, addresses, logs, chats, and a timeline.

Report to the NBI cybercrime unit or the PNP Anti-Cybercrime Group.

Add the SEC if the loss arose from an investment or token-solicitation scheme.

Add BSP-related complaint escalation if a supervised virtual asset service provider or related regulated institution is involved.

Add the National Privacy Commission if personal data compromise or breach is part of the incident.

This is the practical answer to where to report cryptocurrency theft in the Philippines: report to the platform, report to cybercrime law enforcement, and report to the regulator that matches the structure of the loss.

XXI. Final legal takeaway

In Philippine context, cryptocurrency theft is rarely just a “crypto problem.” It is usually a cybercrime problem, a fraud problem, an evidence problem, and sometimes a regulatory problem all at once. The right response is layered. Victims should not choose between exchange reporting, police reporting, and regulator reporting as though only one can be correct. In serious cases, all may be necessary.

The single most important legal reality is this: the sooner the report is made, the better the chance of preserving evidence, identifying counterparties, and stopping further dissipation of assets. Delay is the thief’s ally.

Disclaimer: This content is not legal advice and may involve AI assistance. Information may be inaccurate.

Privacy Policy

Terms of Use

Lawyer Login

 
 
Privacy Policy         Terms of Use         Lawyer Login