Emergency ยท Wallet Recovery ยท Incident Response

My Crypto Wallet Was Hacked: What to Do Right Now

If you're reading this because something just happened โ€” act first, read second. Every minute matters.

Immediate actions (do these now)

  1. 1.Open a different device โ€” phone if you were on computer, computer if you were on phone
  2. 2.Create a new wallet on the clean device with a fresh seed phrase
  3. 3.Transfer everything you can move from the compromised wallet to the new address
  4. 4.Revoke all active token approvals on the compromised wallet at revoke.cash
  5. 5.Disconnect from the internet on the compromised device after you finish

Do not panic-click through MetaMask or start signing random transactions trying to move funds. That can make things worse. Work through the list above in order.

Understand what happened before you can fix it

The response depends on what was actually compromised. Two different situations:

  • A.
    Your seed phrase was exposed

    This means the wallet is permanently compromised. The attacker can regenerate your wallet from anywhere at any time. Any funds you send to this address will likely be swept. You must move to a new wallet and never use this address again.

  • B.
    You signed a malicious approval

    Your seed phrase is still safe, but the drainer contract has permission to move specific tokens. Revoking that approval at revoke.cash stops the drain on those tokens. Check what was approved and revoke it immediately. Your other tokens that weren't covered by the approval are still safe.

The sweeper bot problem

If your seed phrase is compromised and the attacker has set up a sweeper bot on your address, any ETH you send in to cover gas will be taken within seconds โ€” before you can use it to move tokens. This is one of the most frustrating situations to be in.

The approach that sometimes works: use Flashbots Protect (flashbots.net/flashbots-protect) to submit a bundle that atomically deposits gas and moves the tokens in a single block. This prevents the bot from frontrunning because both actions happen simultaneously. It requires technical setup, but it's the main option for rescuing stranded tokens from a swept wallet.

After you've stabilized: figure out how it happened

Understanding the attack vector prevents it from happening again. Go through recent activity:

  • ?Did you enter your seed phrase anywhere recently? A recovery screen, a site that asked for it, a support chat?
  • ?Did you approve a transaction on a site you found through a Discord link, Twitter ad, or search result?
  • ?Did you download a wallet extension or app from anywhere other than the official browser web store or app store?
  • ?Is there any software on your machine you didn't install, or anything that happened before the drain?

If you suspect malware on your device, don't use it for crypto again until you've wiped and reinstalled the operating system. A compromised device will compromise any new wallet you create on it.

Frequently asked questions

Can I recover crypto that was stolen from my wallet?

Almost never. Blockchain transfers are irreversible. There's no dispute process, no freeze mechanism, no authority that can reverse it. Prevention is the only real protection.

Should I reuse my compromised wallet?

No โ€” if the seed phrase was exposed, the attacker can access it again anytime. Create a new wallet with a new seed phrase on a clean device and move everything there.

What is a sweeper bot and how do I deal with it?

A script watching your compromised address that takes any ETH the moment it arrives โ€” before you can use it for gas. Flashbots bundles that execute gas deposit and token transfer atomically in one block are the main workaround.

Stop attacks before they happen

GuardianAI explains every MetaMask transaction before you sign it โ€” catching the approvals and phishing attempts that lead to drained wallets in the first place. Free Chrome extension.

Get GuardianAI โ€” It's Free