If you are in panic mode right now, jump straight to the First 60 minutes section below. Every other section is context and cleanup for after the immediate triage is done. The goal in the first hour is simple: save what is still savable, stop what is still moving, and avoid making the situation worse with a rushed transaction. Once the bleeding has stopped, the rest of this guide walks you through the 24 hour checklist, the 7 day checklist, and how to make sure the next drain never happens.

First 60 minutes: what you can actually save

This is the highest priority section. Read every step before touching a single key. One wrong transaction from the wrong device and you lose the assets that were still rescuable.

  1. Do not move the compromised wallet. The attacker has a sweeper script watching your address. The moment new gas or tokens hit that wallet, the sweeper fires and pulls them out. Sending ETH, SOL, or any native token to "pay gas for rescue" is how second-stage victims lose a second round.
  2. Check what is still locked and unclaimed. Open the wallet in read-only mode on a clean device and look for vesting contracts, staked tokens, locked LP positions, pending airdrop allocations, and NFTs in escrow. These assets are not in the attacker's direct reach yet and MIGHT be salvageable if you act carefully.
  3. Generate a new seed on a clean device. A hardware wallet is ideal. If you do not have one, use a freshly wiped phone or a computer that has never held the compromised seed. Write the new seed on paper, never in a password manager, screenshot, or cloud note.
  4. Revoke every token approval, on every chain. Use revoke.cash, Etherscan token approvals, or the native revoke tools on Solana, Base, Arbitrum, Polygon, BNB, and any other chain the wallet used. Many drains use open Permit2 or ERC20 approvals that keep working long after the initial theft. If you do not revoke, anything you receive later can be pulled again.
  5. Move salvageable assets to the new wallet. Do this from a clean signing device. Unstake, exit LP, claim vested tokens, transfer NFTs. Send to the new address only, never to an exchange deposit address from the compromised wallet, because some exchanges freeze accounts linked to flagged sources.
  6. Do not rush. Slow, deliberate transactions win here. One wrong click and the gas you just sent feeds the sweeper. If a step feels confusing, stop and re-read it. Forty minutes of careful work beats four minutes of panic.

How the drain actually happened

Knowing the vector matters, because it tells you what else on your device is compromised. In almost every case we see, the drain traces back to one of five root causes. Read these carefully, because the one that hit you also tells you how deep the cleanup needs to go.

  1. You clicked a phishing link and signed a Permit2 approval. The site looked like Uniswap, OpenSea, a popular airdrop claim page, or a wallet login. The signature you approved was not a swap or a login. It granted the attacker unlimited spending on your tokens. No malware needed. The key itself never left your wallet, but the permission did.
  2. You ran a ClickFix "captcha" PowerShell command. A fake Cloudflare or Google verification page told you to press Windows+R, paste a command, and hit Enter. That command downloaded an info-stealer that scraped your browser for wallet extensions, seed phrases stored in notes, and session tokens. Our ClickFix protection page covers this in detail.
  3. You downloaded a fake wallet or hardware wallet app. A Google ad or a forum link pointed to a clone of MetaMask, Phantom, Trust Wallet, or Ledger Live. The installer looked legitimate and even worked at first. On setup it exfiltrated your seed, or silently swapped your destination address on every outgoing transaction.
  4. You entered your seed on a fake recovery or sync page. A pop-up, a support DM, or a search ad told you your wallet was "out of sync" and asked for your 12 or 24 words. This includes the Ledger variant we broke down in the fake Ledger email warning. Real wallets never ask for your seed on a website.
  5. You installed a malicious browser extension. It might have been a "wallet helper", a screenshot tool, a PDF reader, or an AI assistant. Once installed, it read clipboard contents, rewrote addresses on the fly, and in some cases injected transactions directly into your wallet sessions.

What is recoverable and what is not

Set expectations honestly, because the next bad decision usually comes from hoping for a recovery that is not possible.

  • Not recoverable. Tokens that have already been swept and swapped. There is no reverse on a signed on-chain transaction. Bridged funds, mixed funds, and cashed-out funds are gone for retail purposes. Anyone telling you otherwise wants your money.
  • Recoverable, sometimes. Staked positions, locked LP, future airdrop allocations tied to your address, NFTs the attacker did not list yet, vested team tokens. If you act before the attacker notices, you can move these to the new wallet.
  • Partial, rare, expensive. On-chain forensics firms can sometimes trace funds to a centralized exchange and work with law enforcement on freezes. This is realistic only for six and seven figure losses, takes months, and costs a large retainer upfront.

The 24 hour checklist

Once the first hour is done and salvageable assets are in your new wallet, you have 24 hours to do the boring but critical cleanup. Work through this list before you sleep.

  • Notify the exchange if tokens went through one. If the attacker moved funds to Binance, Coinbase, Kraken, Bybit, or any centralized exchange, contact their compliance team immediately with the transaction hash and the drainer address. Some chains and some exchanges will freeze funds pending investigation, especially if you are fast.
  • File a report with Chainabuse. Tag the attacker wallet and describe the incident. This slows attacker cash-out because major exchanges and bridges read Chainabuse feeds. Your report helps you and also the next person who almost got hit.
  • Check if the drainer wallet is already tagged. Run the attacker address through Chainalysis, TRM Labs, or the public labels on Etherscan and Solscan. A pre-tagged address can help your case with exchanges, insurance if you have it, and any police report you file.
  • Change passwords on every non-crypto account. If the vector was malware or a fake installer, the attacker likely has your browser's saved passwords, your session cookies, and anything you had open. Email, bank, cloud storage, password manager master password, social media, and Steam or gaming accounts all need new unique passwords and fresh 2FA.
  • File a report with local police and IC3 (US) or Action Fraud (UK). Not because they will recover funds, but because you will need the case number for taxes, insurance, and any exchange freeze request.

The 7 day checklist

Assume your device is still compromised until you prove otherwise. A seed stealer does not uninstall itself after one payday. It waits for you to set up the next wallet.

  • Set up a hardware wallet for the new seed. Ledger, Trezor, Keystone, or similar. Buy direct from the manufacturer, never from a third party marketplace. When it arrives, verify the seal and generate the seed on the device itself; never use a seed that arrives pre-printed on a card in the box.
  • Full OS reinstall on every device that touched the old seed. Not a scan, not a Malwarebytes pass. A full wipe and clean install of Windows, macOS, or your phone. The malware families that steal seeds are designed to survive every common cleaner.
  • Unique passwords and 2FA on every account that shared an email or password. Use a password manager, and use app-based or hardware 2FA instead of SMS wherever possible.
  • Consider a fresh email address for crypto. Your old email is now on attacker target lists for phishing and credential stuffing. A dedicated crypto email with its own password and its own 2FA reduces your attack surface a lot.
  • Review what the attacker saw. If the info-stealer ran, assume every file in Downloads, Desktop, and Documents was uploaded. Tax documents, ID scans, and any seed backup photos need to be treated as exposed.

Never again: what actually prevents the next drain

Drains repeat because the habits that caused the first one are still in place. Fix the habits, not just the wallet.

  • Hardware wallet for anything above pocket change. If the amount would hurt to lose, it belongs on a hardware wallet. A cold signing device stops every info-stealer, every fake installer, and every browser extension attack in one move.
  • Seeds stay offline, forever. Never type your seed into a website, a browser field, a phone app outside the official wallet setup, a password manager, a note taking app, a cloud drive, or a photo. Paper, metal backup plates, and a safe are the only correct places.
  • Separate hot and vault wallets. Keep a small hot wallet for daily use and mints, and a vault wallet for savings. The vault wallet only signs on a hardware device and only when you deliberately move funds to the hot wallet.
  • Block phishing and drainer sites before you click. A browser extension that checks the URL in real time is the cheapest insurance in crypto. See our wallet guard alternative guide for how pre-click blocking compares to transaction simulation.
  • Read every signature prompt. Never blind-sign. If the prompt shows "Permit2", "SetApprovalForAll", or an unfamiliar contract, cancel and check the domain. Most drains need your click to land.
  • Bookmark real wallet and dex sites. Never reach Uniswap, MetaMask, Phantom, or Ledger from a search engine ad. Search ads are the number one vector for wallet lookalikes.
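The two prompt shapes named above, Permit2 typed data and SetApprovalForAll or unlimited approve calldata, can be checked before you click. The following is an added example, not SafeBrowz code or any wallet's own logic: it inspects the request object a dapp hands to a browser wallet and returns the red flags it finds, which is also the shape of allowance you would later need to revoke. The selectors are the standard ERC-20/ERC-721 ones; the addresses and the sample requests are constructed placeholders.

```javascript
const MAX_UINT160 = (1n << 160n) - 1n;
const MAX_UINT256 = (1n << 256n) - 1n;
// 4-byte selectors of the two approval calls drainers rely on (ERC-20 and ERC-721/1155)
const SELECTORS = { '0x095ea7b3': 'approve', '0xa22cb465': 'setApprovalForAll' };

// Splits ABI-encoded calldata into its selector and 32-byte words; an address is the low 20 bytes of a word.
function decodeCalldata(data) {
  const hex = (data || '0x').toLowerCase();
  const words = hex.slice(10).match(/.{64}/g) || [];
  return { fn: SELECTORS[hex.slice(0, 10)], words,
           addr: (i) => '0x' + words[i].slice(24), num: (i) => BigInt('0x' + words[i]) };
}

// Returns the red flags for one wallet RPC request; an empty array means nothing alarming was found.
function inspectRequest(req, nowSec = Math.floor(Date.now() / 1000)) {
  const flags = [];
  if (req.method === 'eth_sendTransaction') {
    const tx = req.params[0];
    const c = decodeCalldata(tx.data);
    if (c.fn === 'setApprovalForAll' && c.words.length >= 2 && c.num(1) === 1n) {
      flags.push(`SetApprovalForAll: ${c.addr(0)} gains control of every NFT in ${tx.to}`);
    }
    if (c.fn === 'approve' && c.words.length >= 2 && c.num(1) === MAX_UINT256) {
      flags.push(`approve: unlimited ERC-20 allowance for ${c.addr(0)} on ${tx.to}`);
    }
  } else if (req.method === 'eth_signTypedData_v4') {
    const raw = req.params[1];
    const typed = typeof raw === 'string' ? JSON.parse(raw) : raw;
    if (/^Permit/.test(typed.primaryType)) {
      const m = typed.message || {};
      // PermitSingle/PermitBatch carry `details`; PermitTransferFrom carries `permitted`
      for (const p of [].concat(m.details ?? m.permitted ?? [])) {
        if (BigInt(p.amount) >= MAX_UINT160) {
          flags.push(`${typed.primaryType}: unlimited allowance on ${p.token} for spender ${m.spender}`);
        }
        if (p.expiration !== undefined && BigInt(p.expiration) > BigInt(nowSec) + 30n * 86400n) {
          flags.push(`${typed.primaryType}: allowance on ${p.token} stays open for more than 30 days`);
        }
      }
    }
  }
  return flags;
}

// Constructed samples (placeholder addresses): an NFT operator grant and a Permit2 unlimited allowance.
const OPERATOR = '1111111111111111111111111111111111111111';
const SAMPLE_TX = { method: 'eth_sendTransaction', params: [{ to: '0x2222222222222222222222222222222222222222',
  data: '0xa22cb465' + OPERATOR.padStart(64, '0') + '1'.padStart(64, '0') }] };
const SAMPLE_PERMIT = { method: 'eth_signTypedData_v4', params: ['0x' + OPERATOR, JSON.stringify({ primaryType: 'PermitSingle',
  message: { details: { token: '0x3333333333333333333333333333333333333333', amount: MAX_UINT160.toString(), expiration: '281474976710655', nonce: '0' }, spender: '0x' + OPERATOR, sigDeadline: '1900000000' } })] };
```

Calling `inspectRequest(SAMPLE_TX)` returns the SetApprovalForAll flag and `inspectRequest(SAMPLE_PERMIT)` returns two flags, unlimited amount and an expiration far in the future, while a plain token transfer returns none.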

Red flags you are about to drain yourself

These are the exact prompts people see right before they sign the bad transaction. If any of these show up, stop, close the tab, and verify through the wallet's official site.

  • "Re-verify your wallet" or "your wallet is out of sync". No real wallet asks this. It is always a phishing page.
  • A MetaMask or Phantom "update" prompt outside the wallet's own update flow. Updates happen through the browser store or the wallet settings, never through a webpage banner.
  • A signature request for a contract you do not recognize. If you cannot read the function name and the tokens affected, do not sign. The two seconds of friction saves the wallet.
  • Ledger support asking for your 24 words. Ledger support will never ask. No legitimate wallet maker ever will. The instant the word "seed" or "recovery phrase" comes up from support, you are talking to an attacker.
  • A claim page that needs a signature to "verify eligibility". Eligibility checks are read-only. If a claim wants your signature before showing the amount, it is a drainer.

Common mistakes in recovery mode

Panic makes people do things that turn a bad day into a worse week. Watch for these.

  • Panic-moving funds to another hot wallet on the same device. If your machine is infected, the new wallet is compromised the moment you set it up. Use a different device, ideally a hardware wallet.
  • Entering a new seed into a "recovery service" website. There is no legitimate recovery service that needs your new seed. Every result of typing a new seed into a recovery form is a second drain.
  • Paying "hackers" for recovery. The Telegram and X accounts that DM you minutes after a drain, offering recovery for a fee or a percentage, are either the original attacker or a second scammer. Block and move on.
  • Sharing your seed with "support" to help you recover. Real support never needs your seed. Not for MetaMask, not for Ledger, not for Trezor, not for Phantom, not for any exchange. A request for your seed is proof you are being scammed.
  • Ignoring the device. People focus on the wallet and forget the laptop. If the root cause was malware and you do not wipe the machine, the next seed dies the same way.

Stop the next drain before it starts

SafeBrowz is a free browser extension for Chrome, Firefox, and Edge that blocks phishing sites, fake wallet pages, and known drainer domains before you can click sign. The extension is free forever. Premium adds wallet drainer detection, clipboard hijack guard, and real-time AI content analysis in more than 100 languages, across 420+ impersonated brands.


Free version blocks phishing, fake stores, and tech support scams. Premium ($14.99/year, one key covers 3 devices) adds wallet drainer detection and drafts pre-click warnings tuned to the attacker brand you are being targeted with.
