Cover photo

What To Do if Your Web3 Wallet Is Hacked

Seven Tips Plus Practical Advice if the Unthinkable Happens

Article and Cover Art by Trewkat | Edited by Hiro Kennelly

That sinking feeling in the pit of your stomach. That slow, then face-slapping realisation that tokens have disappeared from your crypto wallet.

No doubt, if you’ve had this happen to you, you’ve cycled through despair, horror, shame, disbelief, and self-recrimination in the space of five minutes after noticing you’ve been tricked.

There’s a tonne of information online about how to avoid being scammed or hacked. Safe habits include never sharing your seed phrase, using a separate wallet address to access unknown connections, and maintaining awareness about which permissions are in place and revoking these if necessary.

This is all helpful, and hopefully preventative, but if you become a target despite your best intentions, what should you do in the hours following an attack to minimise the impact on yourself and others?

Here are some practical steps you should take if your web3 wallet is hacked — to protect your other assets or potentially even recover lost funds.

  1. Check your transaction history on Etherscan and any linked accounts (such as exchange accounts) to determine the extent of the hack and which assets have been stolen. If there are any assets that you care about left in the wallet, transfer these to a wallet with a different seed phrase for safe keeping.

  2. Identify the attack vector. Did you sign a transaction after connecting to an unknown website? Did you download an unsolicited file that someone sent to you? Did you attempt to claim an airdrop without cross-checking the legitimacy of the event?

  3. Revoke any/all untrusted wallet permissions to prevent any further transactions. You can read more about this crucial step below. 

  4. Change your passwords: Change the password for your crypto wallet and any other accounts that may be connected to it, such as your email or exchange account. Use strong and unique passwords, and consider using a password manager to generate and store them securely.

  5. Notify any relevant exchanges or platforms that the stolen assets were transferred to, as well as any relevant authorities (such as the police or financial regulators) to report the theft.

  6. Consider contacting the relevant blockchain’s community or development team, who may be able to assist with recovering the funds or tracking the stolen assets on the blockchain.

  7. Secure your computer and any other devices used to access your crypto wallet. Install antivirus software, use a firewall, and in future, avoid suspicious links and unconfirmed windfalls.

Revoke, Revoke, Revoke

The following slide from Bankless Academy’s Web3 Security lesson has great advice for those in this unenviable position:

Bankless Academy: Web3 Security

Notice the instruction to visit Etherscan’s Ethereum Token Approval Tool to review and revoke your token approvals for any dApp. This is a key step because if you leave the smart-contract permission in place, it’s akin to leaving the door unlocked for the thief to visit you again. One of the cool aspects of Etherscan’s tool is the ability to see the date and time the token approval was granted — this might help you work out the perpetrator of your attack. is another tool which allows you to check, sort, and undo wallet permissions. While this process is essential in the aftermath of an attack to prevent further loss, it’s good practice to do this regularly. According to the website:

Prevention is better than mitigation. The browser extension warns you when you’re about to sign something potentially harmful. This can save you from phishing scams by making you think twice about what you’re doing.

Revoke also has a great infographic which helps you identify the possible cause of your loss and actions you should take.

How To Avoid a Repeat Attack

Educate yourself about blockchain security and how to protect your assets. This includes understanding the basics of how blockchain works, how to secure your private keys, and how to recognise and avoid potential scams.

Phishing and social engineering attacks, in which hackers use malicious links to gain access to personal information or steal funds, are a common scam tactic used by cybercriminals. While you can take smart steps to protect yourself by being cautious about clicking links and not providing personal information to unfamiliar sources, it’s not possible to completely eliminate the risk of falling victim to these types of attacks unless you go and live back in 1985.

Hackers are constantly coming up with new ways to trick people into clicking links, making it challenging for individuals to stay informed and vigilant. Unethical people are often willing to play a long game; they will groom you, gain your trust, and then strike, so it’s crucial that you cross-check and verify all approaches and opportunities before you decide to engage.

While you may be tempted to post the details of your experience on Twitter or another social media site, you should only do so once you have addressed the risk of further loss, and be prepared for an onslaught of fake support messages in the replies, especially if your post mentions MetaMask or OpenSea. Don’t fall for these!!

Live and Learn

If you have fallen victim to a scammer, don’t beat yourself up, but do take the right steps to minimise the fallout and prevent it from happening again.

Author/Designer Bio

Trewkat is a writer, editor, and designer at BanklessDAO. She’s interested in learning about crypto and NFTs, with a particular focus on how best to communicate this knowledge to others.

Editor Bio

Hiro Kennelly is a writer, editor, and coordinator at BanklessDAO, an Associate at Bankless Consulting, and is still a DAOpunk.

BanklessDAO is an education and media engine dedicated to helping individuals achieve financial independence.

This post does not contain financial advice, only educational information. By reading this article, you agree and affirm the above, as well as that you are not being solicited to make a financial decision, and that you in no way are receiving any fiduciary projection, promise, or tacit inference of your ability to achieve financial gains.

Bankless Publishing is always accepting submissions for publication. We’d love to read your work, so please submit your article here!

More Like This

Ultimate NFT Red Flag Check List by kalex1138.eth

Why #NFA #DYOR Doesn’t Cut It by lawpanda

Web3 Privacy Begins With Your RPC by Hiro Kennelly

Collect this post to permanently own it.
IndyPen CryptoMedia logo
Subscribe to IndyPen CryptoMedia and never miss a post.