MY WALLET GOT DRAINED! WHAT NOW?
My wallet got drained, what now?
This is a scenario we always hope nobody has to deal with. If this has happened to you, then you are on the right article which will provide you with all the resources you need to understand and mitigate the attack.
*THIS ARTICLE IS FOR SELF-CUSTODY WALLETS LIKE METAMASK, PHANTOM, LEDGER, ETC. - IF YOU HAVE YOUR ASSETS ON A CENTRALIZED EXCHANGE LIKE COINBASE OR BINANCE PLEASE CONTACT THEM DIRECTLY FOR ASSISTANCE*
Coinbase Support
https://help.coinbase.com
Binance Support
https://binance.com/support
Gemini Support
https://support.gemini.com
Kraken Support
https://support.kraken.com
1. How did it happen
The first step is to figure out how you got to this point. Given the concept that an attack can stem from multiple sources, it's important to retrace your steps. Ask yourself:
▸ If it happened out of the blue, for example, you have not made a transaction in your wallet recently and all of a sudden your assets are being taken out, then you may be dealing with a private key or seed phrase leak. Did you store your private key or seed phrase digitally (ex. as a file on your computer or smartphone, as a picture in your gallery, email it to yourself, etc.)? If so, the device or the account where you have this sensitive information stored may be compromised.
▸ If you just performed what you believe to be a mint, claim, swap, or signature and your assets were taken, then it most likely is tied to an approval you performed on the transaction. You may have inadvertently given access to the assets in your wallet with the signature or smart contract you were just interacting with, or the malicious interaction took advantage of exploited open approvals that you may have signed in the past, like on the old OpenSea or Blur contract that you never revoked.
▸ If you were told to give access to your device or to provide your seed phrase or private key to receive support, unlock assets, give you whitelist on a mint, install a game to test, download a .zip file with documents for an interview, etc. then there is no question that this is how your assets were compromised. You should NEVER give out your seed phrase or private key or open files from unknown sources. If someone has your seed phrase or private key or remote access to your device then they have the same access to your assets that you have. NEVER GIVE IT TO ANYONE OR TYPE IT ANYWHERE!
You should check Etherscan (https://etherscan.io) against your wallet address to see a list of transactions and everything you may have interacted with, whether the address or contract in the past was marked phishing or malicious, as an additional reference point to what interaction may have caused your wallet to get drained.
2. Perform a security audit
Depending on how it happened you have multiple options to perform a security audit (most ideally to perform them all), including:
▸ If you are concerned about your device being compromised, think of all the places you may have had your wallet or your seed phrase/private key accessible on, for example, your desktop, laptop, smartphone, significant others computer, etc. then choose to focus on performing an audit on those devices. If you proceed with the following steps we recommend saving a log of what you are removing (if anything was found) as a reference point as to what happened for reports you may file (if you are suspicious of a remote attacker on your device you should disconnect from the Internet before proceeding):
- Run a virus scan, for example with Malwarebytes (https://malwarebytes.com), to see if there is any malware or trojans that may have given an attacker access to your device and data (we recommend purchasing Malwarebytes Premium to receive proactive virus protection moving forward).
- Check your browser extensions to see if there are any to remove that appear suspicious or that you are not using.
- Review your recently installed and startup applications to remove any that appear suspicious or that you are not using.
▸ If you are concerned about your assets (NFTs, tokens, crypto) being compromised, you should immediately revoke approvals you may have given on your wallet to those assets and audit any other approvals you have. You can do this directly in the Wallet Guard Security Dashboard (https://walletguard.app/). Revoking on-chain approvals is NOT the same thing as disconnecting your wallet from a website (this is an action local to your device) which is why revoking approvals cost a minimal amount of gas to confirm on the blockchain.
▸ If you are concerned about your seed phrase being compromised, in any scenario it is best to create a new wallet with a new seed phrase. Keep in mind that creating a new wallet does not mean going to your existing wallet, for example, MetaMask, and clicking "Create wallet" - this creates a new wallet with a new private key under the SAME seed phrase which you may have compromised. Therefore, it is best to install a fresh instance of MetaMask to get a new seed phrase and new private keys for your wallets moving forward.
3. Report the incident
Based on how you were compromised, you should report the account/website/contract/address in question:
- Etherscan (https://info.etherscan.com/report-address/)
- Website domain registrar (you can find out the domain registrar from https://who.is)
- Website hosting provider (you can find out the hosting provider from https://who.is)
- Website DNS provider (you can find out the DNS provider from https://who.is)
- Social network (choose to report the post and account on the social network in question)
If your NFTs were stolen, you can have your NFTs flagged as stolen on popular exchanges like OpenSea (https://support.opensea.io/hc/en-us/requests/new). NFTs are assets on the blockchain, therefore it is up to centralized services like OpenSea to choose to mark them as stolen. For example, Blur, another popular exchange, does not mark assets as stolen, but will show you if they are marked as stolen elsewhere.
Submit formal reports to government and community based institutions:
IC3
https://www.ic3.gov/Home/FileComplaint
Chainabuse
https://www.chainabuse.com/report
Contact your local authorities to file a report. Be sure to consider the amount of what was stolen compared to the process you are going to take and if it is worth it.
Contact your accountant regarding the value of the assets that were stolen and how to proceed regarding filing the loss.
What now?
Moving forward be sure to:
- never store your seed phrase or private key digitally
- never give out your seed phrase or private key to anyone
- segregate your devices and browser profiles so that data you are dealing with stays isolated
- segregate your wallets so that assets you do not plan on selling are in their own cold storage (like a Ledger or Trezor)
- practice security hygiene including having an antivirus (Malwarebytes), ad blocker (uBlock Origin), and protecting your crypto (Wallet Guard)
- a password manager (BitWarden), authenticator (Authy) and VPN (Mullvad) go a long way too
Stay alert; nothing is 100%, but implementing these tips can get you as close to 100% as possible. Don't keep all your eggs in one basket; if you have all your favorite NFTs in the same wallet that your buying random coins or claiming random mints on, you're putting your assets at risk!
Wallet Guard detects wallet drainers, scams, phishing websites and bad signatures before they interact with your wallet of choice. It's a free open-source browser extension that is already helping secure over 50,000 wallets. Add it to your browser!
