How to Recover a Compromised Crypto Wallet: Emergency Response Guide



Your funds are moving, and you didn't authorize it. Or your balance just dropped to zero. Or someone told you your seed phrase was seen somewhere it shouldn't be.

Stop. Breathe. Here's what to do right now.

  1. Create a clean wallet on a device you trust.
  2. Move any remaining funds to the new address now.
  3. Revoke old wallet approvals where still possible.
  4. Freeze exchange accounts if exchange funds were touched.
  5. Never reuse the old seed phrase.

If you're in an active crisis, start at the top and work down in order.

Determine What Happened: Breach Analysis

Before you can recover, you need to know what was hit and how. The answer changes everything about your next step.

Check your transaction history

Use a block explorer to review recent transactions for your wallet address. Look for unauthorized outgoing transfers and token approvals you don't recognize.

Identify the attack vector

What you see in the transaction history points to how you were hit:

  • Tokens drained via an approve() call you didn't make. This is a phishing or wallet-drainer attack. The attacker got you to sign an approval granting unlimited token access to a malicious contract. Your seed phrase may still be intact. Review and revoke those approvals where still possible.
  • All funds sent to an unknown address in one transaction. Your seed phrase or private key may be compromised. Treat the old wallet as burned. Create a new wallet with a new seed on a clean device and never use the old address again.
  • Exchange account emptied, no on-chain wallet movement. This is a phishing, SIM swap, or credential attack on the exchange account itself, not your self-custodial wallet. Contact the exchange immediately to freeze the account and change your password and 2FA.
  • Small withdrawals over time. This pattern suggests a keylogger or remote-access malware on your device. Wipe the device entirely before doing anything else.
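To make the pattern-matching above concrete, here is an added Python example (not part of the original guide or of Tangem's software) that decodes ERC-20 approve() calldata from a constructed transaction list, flags unlimited allowances granted to unknown spenders, sorts the history into the patterns listed above, and builds the approve(spender, 0) calldata a wallet sends to revoke a flagged allowance. The transaction records, the trusted-spender set and the threshold of three outflows for "small withdrawals over time" are assumptions.

```python
from dataclasses import dataclass

APPROVE_SELECTOR = "095ea7b3"  # first 4 bytes of keccak256("approve(address,uint256)")
UNLIMITED = 2**256 - 1         # the allowance value drainer contracts typically request

@dataclass
class Tx:
    to: str           # contract or recipient address (assumed field names)
    value_eth: float  # native coin sent out of the wallet
    data: str         # calldata hex without 0x; "" for a plain value transfer

def decode_approve(data: str):
    """Return (spender, allowance) if data is an ERC-20 approve() call, else None."""
    if len(data) != 8 + 64 + 64 or data[:8] != APPROVE_SELECTOR:
        return None
    spender = "0x" + data[32:72]       # address is right-aligned in a 32-byte word
    allowance = int(data[72:136], 16)
    return spender.lower(), allowance

def revoke_calldata(spender: str) -> str:
    """Calldata for approve(spender, 0): setting the allowance to zero revokes it."""
    return "0x" + APPROVE_SELECTOR + spender.lower()[2:].zfill(64) + "0".zfill(64)

def classify(txs, trusted_spenders):
    """Match the wallet's outgoing history to the attack vectors described above."""
    suspect = []
    for tx in txs:
        decoded = decode_approve(tx.data)
        if decoded and decoded[0] not in trusted_spenders:
            # (token contract, spender, whether the allowance is unlimited)
            suspect.append((tx.to, decoded[0], decoded[1] == UNLIMITED))
    if suspect:
        return "approval drain: revoke these, seed may be intact", suspect
    outflows = [tx for tx in txs if tx.value_eth > 0 and not tx.data]
    if len(outflows) >= 3:   # assumed threshold for "small withdrawals over time"
        return "trickle withdrawals: suspect device malware, wipe the device", outflows
    if len(outflows) == 1:
        return "single sweep: treat seed/private key as burned", outflows
    return "nothing suspicious found", []

# Constructed sample: one unlimited approval to an unknown contract, then one payout.
DRAINER = "0x" + "d" * 40
SAMPLE = [
    Tx("0x" + "a" * 40, 0.0, APPROVE_SELECTOR + DRAINER[2:].zfill(64) + "f" * 64),
    Tx("0x" + "b" * 40, 0.2, ""),
]

if __name__ == "__main__":
    verdict, details = classify(SAMPLE, trusted_spenders=set())
    print(verdict)
    for token, spender, unlimited in details:
        print(f"revoke {spender} on {token} (unlimited={unlimited}):", revoke_calldata(spender))
```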


Here's the honest issue: a hot wallet's security is only as strong as the device it runs on. MetaMask, for instance, stores seed phrases and private keys locally in browser or device storage, and its browser extension environment increases exposure to phishing attacks and malicious extensions. Trust Wallet is non-custodial and generates keys locally, but it's still a hot wallet with no dedicated hardware security module. Once malware is on your device, both your device and your data are at risk.


Knowing your attack vector determines whether you're dealing with a revocable approval or a burned seed. These require completely different responses.

Full Recovery Roadmap

Work through these steps in order. Don't skip ahead.

Step 1: Create your new wallet on a clean device

Use a device that has not been used to access crypto. If you suspect malware, don't use the compromised device for anything crypto-related until it's been wiped.


Your options:

  • Best option: Order a hardware wallet and set it up when it arrives. This gives you a clean start with proper security from day one.
  • If you need access immediately, create a new MetaMask wallet on a clean device. Generate a brand-new seed phrase. Write it on paper immediately. Keep it separately from the device, not in any app, not in a cloud service, not in a photo.


The key point: a seed phrase is a sequence of 12 or 24 words that serves as the master key to the wallet. Anyone who has it controls the funds. Write it on paper, store it in a physically secure location, and never photograph it or type it into any website.

Step 2: Move remaining funds to the new wallet

If any assets remain in the compromised wallet, move them to your new address immediately. Do this before revoking approvals, before changing passwords, before anything else. Every second matters.


In most cases, a crypto transaction sent to a valid address is irreversible. Once funds leave the compromised wallet to an attacker, they're gone. So get them out of the compromised address first.

Step 3: Revoke all approvals on the old wallet

Even after moving funds, review and revoke outstanding approvals where still possible. Phishing attacks over WalletConnect work by having a malicious dApp request an approval that grants unlimited token access; revoking that approval closes the door. An unrevoked approval remains an open door to any tokens you later receive at that address.

Step 4: Secure your digital environment

If you suspect a keylogger or remote-access malware:

  • Change passwords for email, exchange accounts, and any account linked to crypto, doing so from a different, uncompromised device.
  • Run malware scanning on the compromised device. For severe infections, a full wipe and factory reset is the only reliable remedy. Partial scans can miss sophisticated crypto-targeting malware.
  • Enable two-factor authentication where supported.
  • Hot-wallet safety practices include strong, unique passwords, two-factor authentication when available, updated wallet apps and operating systems, and verifying URLs before connecting to any site.

Step 5: Report where it matters

Reporting rarely recovers your funds directly. But it matters.

  • Exchange funds taken: Contact the exchange immediately. They can flag the attacker's account and potentially freeze stolen funds if still on the platform.
  • Phishing site: Report to Google Safe Browsing and to PhishTank.
  • Cybercrime authority: File with IC3 in the USA or Action Fraud in the UK. Recovery is rare, but reports contribute to pattern analysis that helps others.


One firm warning: do not pay "recovery services" that contact you after a hack. These are almost universally scams targeting victims who are already in distress. Legitimate companies never request private keys, access codes, or wallet verification through unsolicited messages.

Rebuilding: Start Fresh With Hardware Security

You've contained the damage. Now the question is: how do you make sure this doesn't happen again?


The attack that compromised your old wallet almost certainly exploited one of three things: seed phrase exposure (phishing, screenshots, cloud backups), malware (keyloggers, screen captures, clipboard hijacking), or a malicious approval from a drainer phishing site.


Here's why each of those is a structural problem with hot wallets.


A hot wallet is internet-connected and stores the private keys needed to authorize transactions. In a hot-wallet setup, security is only as strong as the device it runs on. Every software wallet shares the same fundamental vulnerability: your private key lives on a device connected to the internet. That means it's always one compromised phone, one phishing click, or one data breach away from being stolen.


Cold storage keeps private keys completely offline, away from internet-connected devices, reducing the risk of theft from online attack vectors. The core principle: private keys never touch the internet.


Hardware wallets are physical devices designed to generate and store private keys offline. They sign transactions internally and transmit signed transactions without exposing private keys to an internet-connected environment. These devices address online-wallet risk by keeping keys in an isolated environment, away from hacking, phishing, malware, and platform failures. For most users, this is the practical cold-storage option because it balances security and usability.

Why Tangem fits this moment

When you're rebuilding after a compromise, the last thing you want is another seed phrase to manage. That's where Tangem's design is specifically relevant. Tangem generates the private key inside the chip during activation. The key never exists as text anywhere. Tangem's default seedless setup eliminates the seed phrase as an attack surface.


Every transaction requires a physical tap of an NFC card within a range of 0 to 5 cm. For Tangem hardware wallets, a physical card tap is always required for transaction signing, regardless of biometric settings. Tangem's WalletConnect integration includes Blockaid-powered transaction simulation that flags suspicious dApps before you sign.


The secure element has EAL6+ Common Criteria certification. Independent audits by Kudelski Security in 2018 and Riscure in 2023 confirmed that no vulnerabilities were found. The firmware is factory-installed and non-updatable, which eliminates remote exploit vectors based on malicious firmware updates. A 2-card set costs $54.90. Setup takes 1 to 3 minutes.


One honest caveat: if all backup cards are lost or destroyed, fund recovery is impossible. No entity, including Tangem, can recover the funds. This is the trade-off for seedless security. Store your backup card somewhere physically separate from your primary card: a safety deposit box, a trusted person, a fireproof location.


Fresh start: when Tangem generates a new wallet, there is no old seed phrase to worry about. The attack is contained to your old wallet address. Your new address starts clean.

FAQ

  • In most cases, no. Blockchain transactions are irreversible. Once tokens are transferred out of your wallet, recovery is extremely unlikely. If the attacker deposited to a known exchange, contact that exchange. They can sometimes freeze stolen funds if the funds haven't moved off-platform yet. Otherwise, report the incident to IC3 or Action Fraud and accept the loss. Do not pay for "recovery services."

  • No. If your seed phrase has been compromised, that seed is burned forever. Those 12 or 24 words can regenerate every associated key and restore wallet access from any device. Anyone who has it controls every account derived from it, permanently. Create a completely new wallet with a new seed phrase on a clean device. Never use the compromised seed again.

  • If you suspect malware, such as a keylogger, remote-access trojan, or anything that could have captured keystrokes or clipboard data, wiping the device is the only reliable option. Running antivirus software is a partial measure. Sophisticated crypto-targeting malware can evade detection. For a device suspected of compromise, a factory reset or complete OS reinstall is the safe path before using it for crypto again.

  • You may not know with certainty. The clearest signal: the attacker had full control of all accounts (not just approved tokens), meaning they imported the wallet rather than exploiting a single approval. If you ever took a photo of your seed phrase, stored it digitally in Google Drive, iCloud, email, or a notes app, pasted it into any website, or used it on a device that later showed malware signs, assume it's compromised. MetaMask's own guidance confirms that anyone with the Secret Recovery Phrase can access every account derived from it. Start fresh.

  • A seed phrase compromise means the attacker imported your wallet and controls every account derived from that seed, permanently. With an approval drain, a malicious smart contract was granted permission to move specific tokens. The attacker doesn't have your keys, but they do have permission to pull certain tokens. Approval drains are containable: revoke the approvals where still possible and move remaining funds. A burned seed is not containable. The old wallet address is permanently under the attacker's control, regardless of what device you use.

  • Being careful helps, but it doesn't change the fundamental architecture. A hot wallet's private key lives on an internet-connected device. That's the attack surface. Hardware wallets keep keys in an isolated environment away from hacking, phishing, malware, and platform failures. The standard practice is to keep a small spending amount in a hot wallet for active use and move the bulk of holdings to cold storage. After a compromise, rebuilding on hardware security is the correct structural response.


Reviewed by Patrick Dike-Ndulue

Senior editor covering crypto, onchain equities, and technology.