How to Report a Hacker’s IP Address
The FBI’s Internet Crime Complaint Center received over 1 million cybercrime complaints in 2025, with losses totaling $20.9 billion — a 26% increase from the previous year (FBI IC3, 2026). Yet fewer than 25% of cybercrimes are ever reported to law enforcement (Cybersecurity Ventures, 2025). That’s millions of attacks where the attacker faces zero consequences.
If someone’s targeted you — whether it’s a DDoS attack, unauthorized access, or persistent harassment — reporting their IP address is one of the most concrete steps you can take. This guide walks through exactly where to report, what evidence you need, and what realistically happens after you file.
TL;DR: Report hacker IP addresses to the FBI’s IC3 (ic3.gov), your ISP’s abuse desk (find the contact via WHOIS), and community platforms like AbuseIPDB. Collect IP addresses, timestamps, and screenshots before filing. The FBI’s Recovery Asset Team froze $679 million in stolen funds in 2025 with a 58% success rate (FBI IC3, 2026).
What Evidence Should You Collect Before Reporting?
Digital evidence plays a role in approximately 90% of criminal cases, and nearly half of investigators encounter it “almost always” (NIH/PMC, 2023). The quality of your report directly affects whether anyone acts on it. Before you contact anyone, gather everything you can.
Start with the IP address itself. If you’re dealing with server logs, the attacker’s IP is right there. For email-based attacks, you’ll need to extract it from the email headers — our email header analyzer makes this straightforward. For DDoS attacks, your hosting provider or router logs will have the source IPs.
Timestamps matter enormously. Law enforcement needs to know exactly when the attack happened so they can request ISP records before they’re purged. Most ISPs retain connection logs for 90 days to a year, so time is genuinely critical. Write down dates and times in UTC if possible.
Screenshots and log exports round out your evidence package. Capture everything: error messages, threatening communications, unauthorized access notifications, firewall alerts. Save raw log files alongside screenshots. If you can, run a quick IP lookup on the attacker’s address and screenshot the results — it captures their ISP, location, and ASN in one snapshot that investigators can immediately use.
Also document the impact. Financial losses, downtime duration, data exposed, emotional distress — be specific with numbers. “My website was down for 6 hours costing approximately $2,400 in lost revenue” is infinitely more useful than “they attacked my site.”
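The log-collection step above can be scripted. The following is an added example, not part of the original guide: it reads web server lines in Apache/nginx "combined" format, normalizes each timestamp to UTC, and reports per-IP counts with first and last sighting. The sample lines are constructed and use documentation IP ranges; the function name `summarize` is an assumption of this example.

```python
import re
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Constructed sample lines in Apache/nginx "combined" format (documentation IPs).
SAMPLE_LOG = """\
203.0.113.45 - - [12/Mar/2025:23:58:07 -0500] "POST /wp-login.php HTTP/1.1" 401 512 "-" "curl/8.4"
203.0.113.45 - - [13/Mar/2025:00:01:31 -0500] "POST /wp-login.php HTTP/1.1" 401 512 "-" "curl/8.4"
10.0.0.7 - - [13/Mar/2025:00:02:00 -0500] "GET /health HTTP/1.1" 200 2 "-" "lb-probe"
198.51.100.9 - - [13/Mar/2025:06:15:44 +0100] "GET /admin HTTP/1.1" 403 199 "-" "Mozilla/5.0"
this line is truncated and must be skipped
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) ')
# RFC 1918 and loopback ranges: an address here is your own proxy or load
# balancer, not something an outside abuse desk can act on.
INTERNAL = [ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def summarize(log_text):
    """Return {ip: {count, first_utc, last_utc, internal}} for well-formed lines."""
    out = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed or truncated line
        try:
            ip = ip_address(m.group(1))
            ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        except ValueError:
            continue  # not a valid IP or timestamp
        utc = ts.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
        rec = out.setdefault(str(ip), {"count": 0, "first_utc": utc, "last_utc": utc,
                                       "internal": any(ip in n for n in INTERNAL)})
        rec["count"] += 1
        rec["first_utc"] = min(rec["first_utc"], utc)
        rec["last_utc"] = max(rec["last_utc"], utc)
    return out

if __name__ == "__main__":
    for ip, rec in summarize(SAMPLE_LOG).items():
        note = " (internal, do not report)" if rec["internal"] else ""
        print(f"{ip}: {rec['count']} requests, {rec['first_utc']} to {rec['last_utc']}{note}")
```

Keep the untouched raw log file alongside this summary; the summary tells the recipient where to look, and the raw file is the evidence.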
How Do You Report to the FBI’s IC3?
The FBI’s Recovery Asset Team processed nearly 3,900 incidents in 2025 involving $1.16 billion in attempted theft, successfully freezing $679 million — a 58% success rate (FBI IC3, 2026). Those numbers only exist because someone filed a report. Here’s how to do it.
Go to ic3.gov and click “File a Complaint.” You don’t need an account. The form asks for your contact information, details about the incident, and information about the suspect (this is where the IP address goes). Fill in every field you can — the more detail, the better your chance of action.
IC3 is the right choice for any internet-enabled crime: hacking, unauthorized access, ransomware, online fraud, identity theft, and DDoS attacks. They’re particularly effective when financial loss is involved, since the Recovery Asset Team can work with banks to freeze funds. For ransomware specifically, also report to CISA at cisa.gov/report.
Don’t skip your local police department either. You’ll need a police report number for insurance claims and some financial recovery processes. Many local departments now have cybercrime units, and they can coordinate with federal agencies. File locally even if the attack crossed state lines — jurisdictional routing is their problem, not yours. You can check whether the IP you’re reporting has prior complaints using our IP reputation checker.
How Do You Report to Your ISP’s Abuse Desk?
ISPs with automated abuse reporting systems reduced their response time by 70% compared to those processing reports manually, though the worst-performing abuse desks still averaged over 10 days to react (abuse.ch). Reporting to the attacker’s ISP is often the fastest way to get an attack stopped, since they can directly suspend the offending account or null-route the traffic.
To find the right abuse desk, you need to know who owns the IP address. Run a WHOIS lookup on the attacker’s IP — the results will include an abuse contact email, usually formatted as [email protected]. Our IP abuse report checker can pull this information directly through the RDAP protocol, which is more reliable than WHOIS for abuse contacts.
When you email the abuse desk, include: the offending IP address, exact timestamps (with timezone), what the IP did (attack type, affected services), log excerpts showing the activity, and your contact information. Keep it factual and concise. Abuse desks process hundreds of reports daily — a clear, evidence-backed report gets prioritized over vague complaints.
If the IP belongs to a cloud provider (AWS, Google Cloud, Azure, DigitalOcean), they typically have dedicated abuse portals with faster response times than traditional ISPs. A quick ASN lookup will tell you whether the IP belongs to a major cloud provider.
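The RDAP lookup and the abuse-desk email described above, as an added example that is not part of the original guide or of any tool it mentions. It pulls the abuse contact out of an RDAP response, including the common case where the abuse entity is nested under the registrant, then drafts a report body with the listed items. The RDAP document is constructed and embedded so the code runs offline; `example.net`, the handles, and the function names are placeholders of this example.

```python
import json

# Constructed RDAP "ip network" response (RFC 9083 layout), trimmed to the
# fields used here; example.net and the handles are placeholders.
SAMPLE_RDAP = json.loads("""
{"objectClassName": "ip network",
 "startAddress": "203.0.113.0", "endAddress": "203.0.113.255",
 "entities": [
   {"handle": "ORG-EX1", "roles": ["registrant"],
    "vcardArray": ["vcard", [["fn", {}, "text", "Example Hosting"]]],
    "entities": [
      {"handle": "ABUSE-EX1", "roles": ["abuse"],
       "vcardArray": ["vcard", [["fn", {}, "text", "Abuse Desk"],
                                ["email", {}, "text", "abuse@example.net"]]]},
      {"handle": "TECH-EX1", "roles": ["technical"],
       "vcardArray": ["vcard", [["email", {}, "text", "noc@example.net"]]]}]}]}
""")

def abuse_emails(obj):
    """E-mail addresses of every entity whose roles include "abuse".
    Registries often nest that entity under the registrant, so recurse."""
    found = []
    for ent in obj.get("entities", []):
        if "abuse" in ent.get("roles", []):
            vcard = ent.get("vcardArray", [])
            props = vcard[1] if len(vcard) > 1 else []
            found += [p[3] for p in props if len(p) > 3 and p[0] == "email"]
        found += abuse_emails(ent)
    return found

def draft_report(ip, first_utc, last_utc, activity, log_excerpt, reporter):
    """Plain-text body with the items an abuse desk needs in order to act."""
    return "\n".join([
        f"Offending IP: {ip}",
        f"Observed (UTC): {first_utc} to {last_utc}",
        f"Activity: {activity}",
        "Log excerpt:", log_excerpt,
        f"Reporter contact: {reporter}"])

if __name__ == "__main__":
    to = abuse_emails(SAMPLE_RDAP) or ["(no abuse role found; fall back to WHOIS)"]
    print("To:", ", ".join(to))
    print(draft_report("203.0.113.45", "2025-03-13T04:58:07Z", "2025-03-13T05:01:31Z",
                       "repeated failed logins against /wp-login.php",
                       "203.0.113.45 ... POST /wp-login.php ... 401", "admin@example.org"))
```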
How Do You Report to AbuseIPDB and Other Platforms?
Cloudflare mitigated 47.1 million DDoS attacks in 2025 — averaging 5,376 attacks per hour (Cloudflare, 2026). At that scale, community-driven threat intelligence databases like AbuseIPDB are invaluable. When you report an IP there, you’re protecting everyone who checks it next.
AbuseIPDB is the largest community-driven IP abuse database. Create a free account, then report the IP with the attack category (SSH brute force, DDoS, web spam, port scan, etc.), a description, and log evidence. Other administrators and security tools that check IPs against AbuseIPDB will immediately see your report.
Other platforms worth reporting to include Spamhaus (for spam and botnet IPs), Project Honey Pot (for harvesters and comment spammers), and Shodan’s honeypot network. Each database feeds into different security tools, so reporting across multiple platforms maximizes the impact.
Before reporting, verify the IP hasn’t already been flagged extensively. Use our IP blacklist checker to see if it’s already listed across major threat databases. If it is, your report adds weight. If it isn’t, you might be the first to flag it.
Where Should You Report Based on Attack Type?
Stolen credentials were the most common initial access vector in 2025 at 22%, followed by exploited vulnerabilities at 20% and phishing at 16% (Verizon DBIR, 2025). Different attack types have different optimal reporting channels. Here’s a quick reference.
Hacking or unauthorized access: FBI IC3 (primary), local police, and the attacker’s ISP abuse desk. If you have the IP, include it in all three reports.
DDoS attacks: Your own ISP first (they can implement upstream filtering), then the attacker’s ISP abuse desk, FBI IC3, and AbuseIPDB. DDoS source IPs are often spoofed or part of a botnet, so the IPs you see may not be the actual attacker — but report them anyway.
Phishing and email scams: FTC at reportfraud.ftc.gov, FBI IC3, and the email provider’s abuse team. Forward the phishing email to the Anti-Phishing Working Group at [email protected] as well.
Ransomware: FBI IC3 and CISA (cisa.gov/report) simultaneously. Contact your local FBI field office if losses exceed $50,000. Don’t pay the ransom — 64% of victims in 2025 refused to pay, and the median payout dropped to $115,000 (Verizon DBIR, 2025).
Online fraud or financial scams: FBI IC3, FTC, your bank or payment provider, and local police for a report number. Speed matters here — the FBI’s Recovery Asset Team works with financial institutions to freeze funds, but only if you report quickly.
What Happens After You File a Report?
Consumers reported losing more than $12.5 billion to fraud in 2024 — a 25% increase over 2023 — and 38% of fraud reporters lost money, up from 27% the year before (FTC, 2025). Filing a report doesn’t guarantee your money back or the attacker’s arrest. But it does matter, and here’s why.
IC3 triages reports by severity, financial impact, and pattern recognition. Your individual report might not trigger an investigation on its own. But when IC3 sees 50 reports pointing to the same IP range or attack infrastructure, that cluster becomes actionable intelligence. Plea bargaining resolves over 90% of criminal cases — meaning your evidence primarily influences outcomes through negotiation pressure, not dramatic courtroom revelations.
For financial crimes, the timeline is compressed. The Recovery Asset Team works with banks to freeze funds, but they can only act on recent transactions. This is why reporting within 48 hours of a financial loss dramatically improves your chances. The 58% success rate on the $1.16 billion they processed in 2025 proves the system works — when people actually use it.
ISP abuse desks typically respond faster than law enforcement. Expect 24-72 hours for major providers with automated systems, potentially 10+ days for smaller hosting companies. The response usually isn’t “we caught the hacker” — it’s “we’ve suspended the account” or “we’ve null-routed the IP.” That stops the immediate attack, even if the person behind it remains anonymous.
Frequently Asked Questions
Can police actually trace a hacker from an IP address?
Yes, but it requires a legal process. Police can subpoena the ISP that owns the IP address to reveal the subscriber’s identity. This works for residential IPs in most jurisdictions. However, if the attacker used a VPN, Tor, or compromised device, the IP traces back to an intermediary rather than the actual person. You can check whether an IP is behind a VPN using our VPN and proxy detector.
Is it worth reporting if I didn’t lose any money?
Absolutely. The FBI’s IC3 uses reports to identify attack patterns and infrastructure. Your report about a port scan today might be the data point that connects to a ransomware campaign tomorrow. Non-financial reports also help researchers track threat actor behavior and improve automated defenses. Every report contributes to a clearer picture of cybercrime activity.
How long does it take for IC3 to respond to a complaint?
IC3 doesn’t typically send individual responses or status updates. Reports are triaged and routed to appropriate law enforcement agencies based on severity and jurisdiction. For financial crimes involving recent losses, the Recovery Asset Team may act within hours. For pattern-based investigations, your report may contribute to cases that take months or years to develop. Don’t expect a callback — that’s normal.
Can I report hackers from other countries?
Yes. File with IC3 regardless of where the attacker appears to be located. The FBI coordinates with international law enforcement through Interpol, Europol, and bilateral agreements. For EU-based attacks, you can also report to Europol. For UK-based attacks, use Action Fraud. The IP’s geographic location (which you can check via IP lookup) helps determine jurisdiction.
What if the hacker’s IP address is behind a VPN?
Report it anyway. The VPN provider’s IP still has value — law enforcement can subpoena the VPN company for connection logs (many keep them despite “no-log” marketing claims). Additionally, the IP might be associated with other attacks where the attacker wasn’t using a VPN. Community databases like AbuseIPDB and our IP blacklist checker track VPN exit nodes used for abuse, which helps identify patterns.
Take Action Now
Reporting a hacker’s IP address isn’t going to put them in handcuffs overnight. But it does three things that matter: it creates a paper trail for law enforcement, it contributes to threat intelligence databases that protect others, and for financial crimes, it gives the FBI’s Recovery Asset Team a shot at freezing your stolen funds.
- Collect evidence first — IP addresses, timestamps, screenshots, and impact documentation
- Report to multiple channels — FBI IC3, ISP abuse desk, and community platforms like AbuseIPDB
- Act quickly for financial crimes — the 58% fund recovery rate only works when reports are timely
Start by running a free IP lookup on the address in question. You’ll get the ISP, abuse contact information, geolocation, threat score, and whether it’s associated with a VPN or proxy — everything you need to file a comprehensive report.