Frozen / Locked BitGo Account — Unfreeze and 2FA Reset Procedures

Problem

Customers report that their BitGo account is "frozen" or "locked" and they cannot log in. In the vast majority of cases the freeze was triggered automatically because the user made too many failed attempts to reset their Two-Factor Authentication (2FA) — often during the self-service ID-photo verification step. This affects both individual (retail/FTX creditor) accounts and enterprise accounts. The customer typically sees an on-screen message stating the account is frozen, sometimes accompanied by an alphanumeric error ID (e.g. cm5twsvvf22pg0eziej9zf5w7, cm6ydeyz408160e15dbtw3h24, cmbz66zvn0pjf0e2hd4mk6q05). Until the freeze is removed and 2FA is reset, the customer cannot access their wallet or withdraw funds. A separate freeze reason is non-payment: enterprise accounts may be frozen by the AR/billing team due to outstanding invoices; these cases must be routed to ar@bitgo.com rather than handled through the standard unfreeze flow.

Diagnostics

• Confirm the account exists. Look up the customer's registered email in the admin tool (bga user lookup). If no account is found, the customer may be contacting from a non-registered email — ask them to email from the address registered on BitGo.
• Check frozen status. In the admin tool output, verify the isFrozen field. The diagnostics notes in tickets consistently record: Frozen Status: Frozen and Reason: BitGo froze your account due to too many failed attempts to reset your 2FA.
• Check freeze reason. Distinguish between a 2FA-related freeze and a billing/non-payment freeze. If the freeze reason indicates non-payment or is linked to a billing hold, do not proceed with the standard unfreeze flow — route to ar@bitgo.com instead.
• Identify user signup date. Use the admin tool or MongoDB to find the createTime / userSignup timestamp and the IP address. This is the ground-truth value that the customer's "email verification date" must match.
• Check wallet balance. Note the Go Account wallet balance (often $0.00 for FTX creditor accounts that have not yet received a distribution). This is one of the verification data points.
• Distinguish individual vs. enterprise account. Enterprise unfreeze requests require a video conference for identity verification. Individual/retail accounts can be unfrozen via email-based verification.
• Rule out phishing / fraudulent platform. If the customer's screenshot shows a URL other than https://app.bitgo.com/web/auth/login or https://www.bitgo.com/, the customer may be interacting with a fraudulent site. Check the domain carefully (e.g., bitgoopebs.com is not BitGo).

Resolution

---

Scenario: frozen-unfreeze-freeze-account#individual-2fa-freeze

Trigger: An individual (non-enterprise) user's account is frozen due to too many failed 2FA reset attempts.

Signals: account frozen, locked, 2FA, too many failed attempts, unfreeze, individual account, FTX creditor, error ID

Steps:

1. Confirm the account is frozen in the admin tool (isFrozen: true).
2. Request ownership verification from the customer via email. Ask for all of the following:
   • Date of BitGo email verification (instruct the customer: search for "Your BitGo Email Verification" in inbox).
   • 3 transaction hashes either to or from their wallet. If the customer does not have transaction hashes, they must contact the exchange from which they originally sent bitcoin and request the TXIDs. If they have not made any transactions to or from a BitGo wallet, they should state that.
   • Wallet balance in cryptocurrency (ask them to provide the name of the wallet). If they haven't created wallets, they should state that.
   • Alternatively, if they cannot provide the above, accept the first 8 characters and the last 8 characters of the BitGo Public Key from their keycard. Ask for the name of the wallet the keycard info applies to.
3. Compare the customer-provided information against the records in the admin tool:
   • Match the email verification date against the createTime / userSignup timestamp. If the date does not match, reply asking them to double-check. Customers frequently provide the wrong date on first attempt.
   • Match wallet balance and/or transaction hashes or keycard public key characters.
4. Once verified, run the unfreeze and OTP reset commands:
   • bga user freeze 0 (to unfreeze)
   • bga user resetotp (to reset 2FA)
5. Notify the customer that their 2FA has been reset and their account has been unfrozen. Instruct them to:
   • Log back into their account.
   • Download the Google Authenticator app on their mobile device.
   • Select Add 2-Factor Authentication (2FA).
   • Scan the QR code using Google Authenticator.
   • Enter the newly generated 6-digit code in the 2FA code section.
   • Name the 2FA using the 2FA label section (this is a custom name for their reference, e.g. "BitGo") and click continue.
6. If the customer reports an "invalid otp" error after reset (e.g., error ID bg-ui-5a324d0efb29a117959ec2d140c33411), confirm they are entering the current 6-digit code from Google Authenticator (not the label or old code). Clarify that the 2FA label is just a custom name for identification, not a code.

Notes: - Many FTX creditor accounts have a $0 wallet balance and no transactions. This is expected — the account may have been created solely for FTX settlement distributions. Accept "no transactions" and "$0 balance" as valid answers when they match the admin tool records.

• If the customer cannot find the "Your BitGo Email Verification" email, an alternative verification method is to have them provide a screenshot of any recent BitGo email with full headers expanded (showing complete 'To' and 'From' addresses). Instruct them to click "Show details" to expand the email headers.
• Some customers provide the date of a password reset email or other notification rather than the original email verification. Guide them to search specifically for "Your BitGo Email Verification."
• FTX-related retail tickets that were confirmed already resolved by internal review (Michelle Liu confirmation) were bulk-closed by support. If a customer reopens one of these, verify current frozen status before taking action.

"We see your account is frozen due to too many failed attempts to reset your 2FA. Before we can initiate your 2FA reset and unfreeze your account, we need to verify your ownership of the account." "We require the following to unfreeze or reset 2FA for your account: Date of BitGo email verification (please search your inbox for an email titled 'Your BitGo Email Verification') and your BitGo Go Account wallet balance." "If you do not have the above information, we can also accept the First 8 characters and the Last 8 Characters of the BitGo Public Key from your keycard. Please provide the name of the wallet the keycard info applies to."

---

Scenario: frozen-unfreeze-freeze-account#enterprise-unfreeze

Trigger: An enterprise account needs to be unfrozen, typically after multiple signatory 2FA resets or an enterprise-level freeze.

Signals: enterprise, unfreeze enterprise, enterprise ID, video conference, Calendly, signatory, enterprise frozen

Steps:

1. Confirm the enterprise ID and its frozen status in the admin tool.
2. To unfreeze an enterprise, a video conference is required for identity verification. Send the customer the Calendly scheduling link: https://calendly.com/bitgo-client-delivery/videoid
3. Instruct the customer to:
   • Be ready to provide their government-issued photo ID during the meeting.
   • Reference their ticket number when scheduling the call.
4. During the video call, verify the requester's identity against their government-issued ID.
5. After successful verification, unfreeze the enterprise in the admin tool.
6. Notify the customer that the enterprise has been unfrozen.
7. If the customer also requests guidance on reorganizing their signatory/signing structure or policy engine best practices, provide the Policy Engine User Guide and BitGo User Guide documents.

Notes: - Enterprise unfreeze always requires the video conference step — email-based verification alone is not sufficient for enterprise accounts.

• If 2FA resets were completed for multiple signatories prior to the unfreeze request, confirm all resets were successful before proceeding with the enterprise unfreeze.

"To Unfreeze the enterprise we will need to schedule a video conference to verify your Identification. Please use the following link to schedule a time to meet with us and verify the request: https://calendly.com/bitgo-client-delivery/videoid" "Your request to unfreeze the Enterprise ID (5ad8f1765df5e53b078147678b04d118) has been successfully completed."

---

Scenario: frozen-unfreeze-freeze-account#account-locked-failed-logins

Trigger: The customer's account is locked (not frozen) due to too many failed login attempts, such as incorrect password entries.

Signals: locked, locked out, failed login, can't log in, password, account lock

Steps:

1. Confirm the account lock status in the admin tool. Note this is distinct from a "frozen" status — the account may not show isFrozen: true but rather a login lock.
2. Request ownership verification: ask for the Date of BitGo email verification (search for "Your BitGo Email Verification" in inbox).
3. Validate the provided date against the createTime / userSignup timestamp in the admin tool.
4. Once verified, remove the lock from the account.
5. Notify the customer that the lock has been removed and they can log in again.

Notes: - For simple account locks (vs. frozen accounts from 2FA failures), the verification requirement may be lighter — sometimes only the email verification date is needed, without transaction hashes or wallet balance.

• Customers sometimes submit to both support@bitgo.com and ftxcreditors@bitgo.com. Merge duplicate cases when identified.

"We require the following information to verify account ownership and remove the lock from the account: Date of BitGo email verification (search for 'Your BitGo Email Verification' in inbox)"

Scenario: frozen-unfreeze-freeze-account#non-payment-freeze

Trigger: The customer's account or enterprise has been frozen due to non-payment of their BitGo subscription or invoice (a billing-related freeze, not a 2FA or security freeze).

Signals: non-payment, billing, invoice, payment, subscription, account frozen due to non-payment, AR, accounts receivable

Steps:

1. Confirm the freeze reason in the admin tool. If the freeze is billing-related (non-payment) rather than a 2FA or security freeze, do not proceed with the standard unfreeze or 2FA reset flow.
2. Inform the customer that their account has been frozen due to a billing issue and that the support team cannot resolve billing-related freezes directly.
3. Direct the customer to contact the BitGo Accounts Receivable team at ar@bitgo.com for assistance with resolving the non-payment freeze.
4. Do not unfreeze the account or reset 2FA until the AR team has confirmed the billing issue is resolved.

Notes: - Non-payment freezes are initiated by the AR/billing team (see the Enterprise Account Closure article for the internal workflow). Support agents should not bypass this process by unfreezing the account directly.

• Once the AR team confirms the billing issue is resolved, the standard unfreeze process can proceed if needed.

---

Scenario: frozen-unfreeze-freeze-account#fraudulent-platform

Trigger: The customer's screenshot or description reveals they are interacting with a website that is not the official BitGo platform.

Signals: fraudulent, fake, scam, bitgoopebs.com, unofficial, not BitGo platform, phishing

Steps:

1. Examine any screenshots the customer provides. Compare the URL/domain against official BitGo properties.
2. If the domain is not an official BitGo site, inform the customer clearly:
   • BitGo Official site: https://www.bitgo.com/
   • BitGo Official Platform: https://app.bitgo.com/web/auth/login
   • BitGo Mobile Apps can only be downloaded on official Apple Store and Google Play Store.
3. State that BitGo has no association or relationship with the fraudulent domain.
4. Recommend the customer cease all communication or interaction with the fraudulent person or application.
5. Advise the customer: if they believe they are the victim of fraud or financial crime, contact their local authority. If located within the United States, they may file a complaint with the IC3 — https://www.ic3.gov/.
6. BCC risk@bitgo.com on the response.

Notes: - Do not perform any account actions in this scenario — the customer likely does not have a BitGo account at all.

• BitGo takes unauthorized use of the BitGo name and branding seriously and may take steps to stop fraudulent activity where possible.

"BitGo has no association or relationship in any capacity with bitgoopebs.com. BitGo recommends you cease all communication or interaction with the above person or application."

Scenario: frozen-unfreeze-freeze-account#no-account-found

Trigger: The customer contacts support but no BitGo account can be found for their email address.

Signals: unable to locate, no account, not registered, account not found

Steps:

1. Search for the customer's email in the admin tool.
2. If no account is found, reply: "We are unable to locate your user account on our platform, please send an email from your account which is registered on BitGo."
3. If the customer responds with a different email, search again.
4. If still not found, the customer may never have created a BitGo account or may be confusing BitGo with another platform.

Notes: - This scenario is distinct from the frozen/locked scenarios. Do not proceed with unfreeze steps if no account exists.

"We are unable to locate your user account on our platform, please send an email from your account which is registered on BitGo."

Related

• 2fa-reset-procedures — Overlapping process for 2FA resets outside the frozen-account context
• ftx-creditor-account-setup — Many frozen-account tickets originate from FTX creditors who created BitGo accounts for settlement distributions; see https://www.bitgo.com/ftx-faq
• enterprise-policy-engine-configuration — Enterprise customers requesting signatory reorganization after unfreeze may need Policy Engine guidance