Compromised Wallet: What to Do in the First 30 Minutes

If you suspect your wallet is compromised, speed matters — but so does discipline. The goal is containment, safe migration, and evidence preservation.

Key Takeaways

What to Do (First 30 Minutes)

  1. Disconnect and isolate potentially infected devices from the internet.
  2. Assess immediate risk — check for pending transactions or attacker activity on a blockchain explorer.
  3. Prepare a clean environment — use a verified device with updated security software.
  4. Plan migration to a new wallet — generate a fresh seed phrase on the clean device.
  5. Preserve evidence — save transaction IDs, screenshots, timestamps, and attacker addresses.

What to Avoid

Technical Explanation (Simplified)

Compromise can come from malware, phishing approvals (EVM), seed exposure, or clipboard hijacking. Containment focuses on cutting off signing capability and moving assets to a clean wallet.

On Ethereum/EVM chains, revoking token approvals may be part of the response (use tools like Revoke.cash on a clean device). For Bitcoin, creating a new wallet with a fresh seed and transferring remaining funds is the primary containment method.
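An added example, not part of the original page or of any tool it names: given ERC-20 `Approval` event logs for the compromised address, it replays them in chain order and lists the token/spender pairs whose allowance was last set to a non-zero value, unlimited ones first. It assumes logs in the JSON-RPC `eth_getLogs` shape; every address, log entry and helper name is constructed for illustration.

```python
# Added example: logs use the eth_getLogs JSON shape; every address is constructed.
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
UNLIMITED = 2**256 - 1

def topic_to_address(topic):  # indexed address: 32-byte topic, keep the last 20 bytes
    return "0x" + topic[-40:].lower()

def open_approvals(logs, owner):
    """Replay Approval logs in chain order; return {(token, spender): amount}."""
    state = {}
    order = lambda l: (int(l["blockNumber"], 16), int(l["logIndex"], 16))
    for log in sorted(logs, key=order):
        topics = log["topics"]
        # ERC-721 Approval shares topic0 but has 4 topics (indexed tokenId): skip.
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue
        if topic_to_address(topics[1]) != owner.lower():
            continue
        key = (log["address"].lower(), topic_to_address(topics[2]))
        amount = int(log["data"], 16)
        if amount == 0:
            state.pop(key, None)  # approve(spender, 0) is a revocation
        else:
            state[key] = amount
    return state

def revoke_list(logs, owner):
    """Work list of (token, spender, is_unlimited), unlimited approvals first."""
    rows = [(t, s, a == UNLIMITED) for (t, s), a in open_approvals(logs, owner).items()]
    return sorted(rows, key=lambda r: (not r[2], r[0], r[1]))

OWNER, OTHER, SPENDER_1, SPENDER_2 = ("0x" + b * 20 for b in ("11", "22", "d1", "d2"))
TOKEN_A, TOKEN_B, NFT = ("0x" + b * 20 for b in ("aa", "bb", "cc"))

def _log(block, token, owner, spender, data, extra=()):
    topics = [APPROVAL_TOPIC] + ["0x" + "00" * 12 + a[2:] for a in (owner, spender)]
    return {"address": token, "blockNumber": hex(block), "logIndex": "0x0",
            "topics": topics + list(extra), "data": data}

SAMPLE_LOGS = [  # constructed, deliberately out of chain order
    _log(18, TOKEN_B, OWNER, SPENDER_2, hex(0)),          # revokes block 17
    _log(16, TOKEN_A, OWNER, SPENDER_1, hex(UNLIMITED)),  # unlimited, still open
    _log(17, TOKEN_B, OWNER, SPENDER_2, hex(1000)),
    _log(19, TOKEN_B, OWNER, SPENDER_1, hex(500)),        # limited, still open
    _log(20, NFT, OWNER, SPENDER_1, "0x", ["0x" + "00" * 31 + "07"]),  # ERC-721
    _log(21, TOKEN_A, OTHER, SPENDER_1, hex(5)),          # another owner's log
]

if __name__ == "__main__":
    print(revoke_list(SAMPLE_LOGS, OWNER))
```

Event history can overstate what is left, since a spender may already have used part of an allowance; confirm each entry with the token's `allowance(owner, spender)` call from the clean device before revoking.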

Time is critical: attackers often monitor wallets and may attempt to move funds once they detect activity.

Non-Custodial & Privacy

When Professional Help Matters

Professional help is more effective when you act quickly and still control signing capability. Early detection and rapid response significantly improve containment outcomes.

The situation is more challenging when the attacker has already moved most funds, the seed phrase is fully exposed, or significant time has passed since the compromise.

Emergency Response Available

If you are currently experiencing a wallet compromise, contact us immediately for guided emergency containment.

Contact Emergency Support

Or WhatsApp: +44 7835 822143