That sinking feeling in the pit of your stomach. That slow, then face-slapping realisation that tokens have disappeared from your crypto wallet.
No doubt, if you’ve had this happen to you, you’ve cycled through despair, horror, shame, disbelief, and self-recrimination in the space of five minutes after noticing you’ve been tricked.
There’s a tonne of information online about how to avoid being scammed or hacked. Safe habits include never sharing your seed phrase, using a separate wallet address to access unknown connections, and maintaining awareness about which permissions are in place and revoking these if necessary.
This is all helpful, and hopefully preventative, but if you become a target despite your best intentions, what should you do in the hours following an attack to minimise the impact on yourself and others?
Here are some practical steps you should take if your web3 wallet is hacked — to protect your other assets or potentially even recover lost funds.
Check your transaction history on Etherscan (or the block explorer for the relevant chain) and any linked accounts, such as exchange accounts, to determine the extent of the hack and which assets have been stolen. If any assets you care about are still in the wallet, transfer them to a wallet generated from a different seed phrase. A fresh address under the same seed phrase is not safe: if the seed was exposed, every address derived from it is compromised.
Identify the attack vector. Did you sign a transaction after connecting to an unknown website? Did you download an unsolicited file that someone sent to you? Did you attempt to claim an airdrop without cross-checking the legitimacy of the event?
Revoke any token approvals (ERC-20 allowances and NFT operator approvals) that you have granted to contracts you don't trust, to prevent further transfers. This is the step that stops a thief who tricked you into signing an approval from draining the wallet again later. If your seed phrase or private key itself was exposed, however, the attacker can simply re-approve, so in that case the wallet must be abandoned rather than cleaned up. You can read more about this crucial step below.
Change your passwords: change the password for any account connected to the wallet, such as your email or exchange account, and the unlock password of the wallet app itself. Bear in mind that a wallet password only encrypts the keys stored on your device; it does nothing if the seed phrase or private key has already leaked. Use strong, unique passwords, and consider using a password manager to generate and store them securely.
Notify any relevant exchanges or platforms that the stolen assets were transferred to, as well as any relevant authorities (such as the police or financial regulators) to report the theft.
Consider contacting the relevant blockchain's community or development team. Transactions on a public blockchain cannot be reversed, but community members and on-chain analysts may be able to help trace the stolen assets and flag the destination addresses to exchanges.
Secure your computer and any other devices used to access your crypto wallet. Run an antivirus scan, use a firewall, and if you suspect malware (for example, after opening an unsolicited file), don't sign further transactions from that device until it has been wiped and reinstalled. In future, avoid suspicious links and unconfirmed windfalls.
Revoke, Revoke, Revoke
The following slide from Bankless Academy’s Web3 Security lesson has great advice for those in this unenviable position:
Notice the instruction to visit Etherscan’s Ethereum Token Approval Tool to review and revoke your token approvals for any dApp. This is a key step because if you leave the smart-contract permission in place, it’s akin to leaving the door unlocked for the thief to visit you again. One of the cool aspects of Etherscan’s tool is the ability to see the date and time the token approval was granted — this might help you work out the perpetrator of your attack.
Revoke.cash is another tool which allows you to check, sort, and undo wallet permissions. While this process is essential in the aftermath of an attack to prevent further loss, it’s good practice to do this regularly. According to the Revoke.cash website:
Prevention is better than mitigation. The Revoke.cash browser extension warns you when you’re about to sign something potentially harmful. This can save you from phishing scams by making you think twice about what you’re doing.
Revoke also has a great infographic which helps you identify the possible cause of your loss and actions you should take.
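To make concrete what an approval is, what "unlimited" means, and what a revocation actually sends on-chain, here is an added example written for this edit (it is not code from the article, Etherscan or Revoke.cash). It decodes the calldata of `approve(address,uint256)` and `setApprovalForAll(address,bool)` transactions of the kind you see in a wallet's history, works out which approvals are still in force, flags unlimited allowances, and builds the calldata that revokes each one. The two function selectors are the standard ones for those signatures; every address and transaction in the sample history is constructed.

```python
# Added example (not from the article): decode approval calldata from a
# transaction history and build the calldata that revokes each approval.
# All addresses and transactions below are constructed for illustration.
from typing import Optional

UINT256_MAX = 2**256 - 1

# 4-byte function selectors: the first four bytes of keccak-256 over the
# canonical signature. These are the standard ERC-20 / ERC-721 selectors.
SEL_APPROVE = "095ea7b3"                # approve(address,uint256)
SEL_SET_APPROVAL_FOR_ALL = "a22cb465"   # setApprovalForAll(address,bool)


def _strip0x(h: str) -> str:
    h = h.lower()
    return h[2:] if h.startswith("0x") else h


def _addr_word(addr: str) -> str:
    """ABI-encode an address as a 32-byte word (left-padded with zeros)."""
    a = _strip0x(addr)
    if len(a) != 40 or any(c not in "0123456789abcdef" for c in a):
        raise ValueError(f"not a 20-byte hex address: {addr}")
    return a.rjust(64, "0")


def _word(data: str, i: int) -> str:
    """Return the i-th 32-byte argument word (hex) after the selector."""
    w = data[8 + 64 * i: 8 + 64 * (i + 1)]
    if len(w) != 64:
        raise ValueError("calldata truncated")
    return w


def encode_approve(spender: str, amount: int) -> str:
    return "0x" + SEL_APPROVE + _addr_word(spender) + f"{amount:064x}"


def encode_set_approval_for_all(operator: str, approved: bool) -> str:
    return "0x" + SEL_SET_APPROVAL_FOR_ALL + _addr_word(operator) + f"{int(approved):064x}"


def decode_approval(calldata: str) -> Optional[dict]:
    """Describe the approval a transaction grants, or None if it is not one.

    For approve() the second word is an ERC-20 amount; on an ERC-721 contract
    the same selector carries a tokenId, so 'unlimited' is only meaningful
    for fungible tokens.
    """
    data = _strip0x(calldata)
    sel = data[:8]
    if sel == SEL_APPROVE:
        amount = int(_word(data, 1), 16)
        return {"kind": "approve", "spender": "0x" + _word(data, 0)[24:],
                "amount": amount, "unlimited": amount == UINT256_MAX,
                "active": amount > 0}
    if sel == SEL_SET_APPROVAL_FOR_ALL:
        approved = int(_word(data, 1), 16) != 0
        return {"kind": "setApprovalForAll", "spender": "0x" + _word(data, 0)[24:],
                "amount": None, "unlimited": approved, "active": approved}
    return None


def revoke_calldata(approval: dict) -> str:
    """Revoking is just another approval: approve(spender, 0) or setApprovalForAll(operator, false)."""
    if approval["kind"] == "approve":
        return encode_approve(approval["spender"], 0)
    return encode_set_approval_for_all(approval["spender"], False)


def audit_history(txs):
    """Walk (token contract, calldata) pairs in chronological order and return
    the approvals still in force, each with the calldata that would revoke it."""
    live = {}
    for token, calldata in txs:
        a = decode_approval(calldata)
        if a is None:
            continue                  # transfers, swaps etc. don't change approvals
        key = (token.lower(), a["spender"])
        if a["active"]:
            live[key] = a             # a later approval overwrites an earlier one
        else:
            live.pop(key, None)       # approve(spender, 0) already revoked it
    return [{"token": t, "spender": s, "kind": a["kind"], "unlimited": a["unlimited"],
             "revoke_with": revoke_calldata(a)} for (t, s), a in live.items()]


# Constructed sample history: one legitimate approval (later revoked), plus an
# unlimited approval and an NFT operator approval signed on a phishing site.
TOKEN = "0x1111111111111111111111111111111111111111"    # constructed ERC-20 contract
NFT = "0x2222222222222222222222222222222222222222"      # constructed ERC-721 contract
ROUTER = "0x3333333333333333333333333333333333333333"   # constructed dApp you meant to use
DRAINER = "0xbad0bad0bad0bad0bad0bad0bad0bad0bad0bad0"  # constructed phishing contract

SAMPLE_HISTORY = [
    (TOKEN, encode_approve(ROUTER, 1000 * 10**18)),
    (TOKEN, encode_approve(DRAINER, UINT256_MAX)),
    (NFT, encode_set_approval_for_all(DRAINER, True)),
    (TOKEN, encode_approve(ROUTER, 0)),
]

if __name__ == "__main__":
    for entry in audit_history(SAMPLE_HISTORY):
        flag = "UNLIMITED" if entry["unlimited"] else "limited"
        print(f"{entry['kind']} on {entry['token']} to {entry['spender']} [{flag}]")
        print(f"  revoke by sending to the token contract: {entry['revoke_with']}")
```

Two things worth noticing in the output: the legitimate router approval no longer appears because the later `approve(router, 0)` cleared it, and a revocation is nothing more than a new approval transaction sent to the token contract with the amount set to zero (or the operator flag set to false). That is exactly what Etherscan's tool and Revoke.cash ask your wallet to sign, which is also why revoking costs gas and only helps while the attacker does not hold your keys.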
How To Avoid a Repeat Attack
Educate yourself about blockchain security and how to protect your assets. This includes understanding the basics of how blockchain works, how to secure your private keys, and how to recognise and avoid potential scams.
Phishing and social engineering attacks, in which hackers use malicious links to gain access to personal information or steal funds, are a common scam tactic used by cybercriminals. While you can take smart steps to protect yourself by being cautious about clicking links and not providing personal information to unfamiliar sources, it’s not possible to completely eliminate the risk of falling victim to these types of attacks unless you go and live back in 1985.
Hackers are constantly coming up with new ways to trick people into clicking links, making it challenging for individuals to stay informed and vigilant. Unethical people are often willing to play a long game; they will groom you, gain your trust, and then strike, so it’s crucial that you cross-check and verify all approaches and opportunities before you decide to engage.
While you may be tempted to post the details of your experience on Twitter or another social media site, you should only do so once you have addressed the risk of further loss, and be prepared for an onslaught of fake support messages in the replies, especially if your post mentions MetaMask or OpenSea. Don’t fall for these!!
Live and Learn
If you have fallen victim to a scammer, don’t beat yourself up, but do take the right steps to minimise the fallout and prevent it from happening again.
Trewkat is a writer, editor, and designer at BanklessDAO. She’s interested in learning about crypto and NFTs, with a particular focus on how best to communicate this knowledge to others.
Hiro Kennelly is a writer, editor, and coordinator at BanklessDAO, an Associate at Bankless Consulting, and is still a DAOpunk.
BanklessDAO is an education and media engine dedicated to helping individuals achieve financial independence.
This post does not contain financial advice, only educational information. By reading this article, you agree and affirm the above, as well as that you are not being solicited to make a financial decision, and that you in no way are receiving any fiduciary projection, promise, or tacit inference of your ability to achieve financial gains.
More Like This
Ultimate NFT Red Flag Check List by kalex1138.eth
Why #NFA #DYOR Doesn’t Cut It by lawpanda
Web3 Privacy Begins With Your RPC by Hiro Kennelly