If the wallet is drained or compromised, the next 5 minutes matter more than any later window. Disconnect every dApp. Move remaining funds to a fresh wallet on a clean device. Open Revoke.cash and revoke approvals. Blofin data shows this saves about 80% of remaining balances. The first hour locks down the rest; 24 hours covers multi-chain revoke and reporting.
What you'll learn
How to know your wallet is compromised
The 5-minute emergency response that saves remaining funds
How to do a proper revoke audit on Revoke.cash
How to avoid the fake "revoke service" scams that prey on drained users
How to set up a new wallet cleanly after compromise
How to do a multi-chain revoke audit (the chain most users forget)
How to report and what comes next
How do you know your wallet is compromised, and what counts as compromised?
Three signals. Unauthorized transactions in your history. Approvals on Revoke.cash you did not grant. The seed phrase exposed anywhere (typed into a site, photographed, shared, copied to a connected device). Any one means the wallet is compromised and permanently unsafe. Migration to a fresh wallet on a clean device is the only durable fix.
The "seed phrase exposed" condition matters even when no funds have moved yet. If you ever typed the seed into a website, even one that "looked like" the real wallet, treat the wallet as compromised. The attacker may be waiting for the balance to grow before sweeping. Some drainer operations stage attacks weeks after the original seed leak. The defense is not "wait and see." It is "migrate now."
Three signs the wallet is compromised
| Signal | What you see | What it means |
|---|---|---|
| Unauthorized transactions | Transactions in your history you did not sign | Attacker has private key or active approval |
| Unknown approvals | Revoke.cash shows approvals you did not grant | Attacker has approval-based access; drain may not have happened yet |
| Seed phrase exposed | You typed, photographed, or shared the seed phrase anywhere | Attacker has full access; sweep may be staged for later |
For the broader recovery decision tree that frames this article, see lost crypto what to do.
What should you do in the first 5 minutes?
Disconnect the wallet from every dApp. Move any remaining funds to a fresh wallet on a clean device. Open Revoke.cash and revoke suspicious approvals. From Blofin's support data, users who execute the first 5 minutes correctly save the remaining funds about 80% of the time. Delay or a panicked search usually ends at a fake "revoke service" that drains what's left.
5-minute emergency checklist
| Minute | Action |
|---|---|
| 0 | Stop. Do not click anything that arrived after the drain notification |
| 0-1 | Disconnect the wallet from every dApp via wallet menu (MetaMask: Connected Sites → disconnect all) (source: MetaMask Help: Disconnect wallet from a dapp) |
| 1-3 | Move any remaining tokens and NFTs to a fresh wallet on a clean device |
| 3-5 | Open Revoke.cash (typed URL directly, not from search). Connect read-only. Revoke unlimited approvals to unknown contracts |
The most expensive mistake in the first 5 minutes is using a search-result link for Revoke.cash (source: Revoke.cash token approval tool). Fake revoke sites flood the SERP the moment a major drain becomes public. Type the URL directly. Bookmark it now before you ever need it.
How do you do a proper revoke audit?
Open Revoke.cash. Connect the compromised wallet read-only. Filter for "Unlimited" approvals and any to contracts you do not recognize. Revoke each one. Each revoke costs a small gas fee but breaks the drainer's claim on those tokens. Repeat for every chain you ever used the wallet on.
Revoke audit procedure
Open Revoke.cash (typed URL directly)
Connect the compromised wallet
Switch to the chain you want to audit
Filter for "Unlimited" approvals
Review each approval; revoke any to contracts you do not recognize
Confirm each revoke transaction (small gas fee)
Repeat for every chain you ever used the wallet on (see the multi-chain revoke audit section below)
The gas cost adds up if there are many approvals. On Ethereum mainnet, 10 revokes typically cost a few dollars total at 2026 baseline gas, rising into the $20-$100 range during congestion spikes (source: Coinspeaker: Revoke crypto permissions in 2026). On L2s and BNB Smart Chain, the cost is much lower. Prioritize Ethereum mainnet revokes if funds remain there. If you prefer chain-native tools, Etherscan and BscScan have their own approval checkers (source: Etherscan Token Approval Checker). The cost is a rounding error compared with the potential drain.
How do you avoid the fake "revoke service" scams?
Fake revoke sites flood search results and DMs the moment a wallet drain becomes public. They impersonate Revoke.cash, MetaMask Support, and named individuals like ZachXBT. They ask for seed phrases or signing prompts that drain what's left. Real revoke happens at Revoke.cash through the typed-in URL only. Real support never asks for seed phrases.
The Blockaid team documented the fake-revoke pattern across 2025 (source: Blockaid: How wallet drainers use fake revoke sites). The fake sites use letter-swap domains (revoke-cash.com, revoke.cash.io, secure-revoke.io). They use sponsored search ads above the real Revoke.cash result. They appear in DMs from accounts impersonating support staff. The fake site UI is convincing. The output is the opposite of what the user thinks: instead of revoking approvals, it grants new ones to the attacker.
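The look-alike domains above all fail an exact-host comparison, even though each contains the familiar name. The check below is an added example, not code from Revoke.cash or Blofin; `checkRevokeUrl` and the sample list are hypothetical, and it assumes that only the bare host `revoke.cash` over HTTPS counts as genuine.

```javascript
// Added example: exact-host check for a revoke link before opening it.
const OFFICIAL_HOST = "revoke.cash"; // the only host the page treats as genuine

function checkRevokeUrl(input) {
  let url;
  try {
    url = new URL(input);
  } catch {
    return { ok: false, reason: "not a valid absolute URL" };
  }
  if (url.protocol !== "https:") {
    return { ok: false, reason: "not https" };
  }
  // "https://revoke.cash@other.host/" puts the familiar name in userinfo.
  if (url.username || url.password) {
    return { ok: false, reason: "userinfo present; real host is " + url.hostname };
  }
  const host = url.hostname.replace(/\.$/, ""); // drop a trailing root dot
  // The URL parser converts non-ASCII look-alike letters to xn-- labels.
  if (host.split(".").some((label) => label.startsWith("xn--"))) {
    return { ok: false, reason: "punycode label in host " + host };
  }
  if (host !== OFFICIAL_HOST) {
    return { ok: false, reason: "host is " + host + ", not " + OFFICIAL_HOST };
  }
  return { ok: true, host };
}

// Constructed inputs: the look-alike domains named above plus two parser tricks.
const URL_SAMPLES = [
  "https://revoke.cash/",
  "https://revoke-cash.com/",
  "https://revoke.cash.io/",
  "https://secure-revoke.io/",
  "https://revoke.cash@secure-revoke.io/",
  "http://revoke.cash/",
];
for (const s of URL_SAMPLES) {
  const r = checkRevokeUrl(s);
  console.log(r.ok ? "OK  " : "FAKE", s, r.ok ? "" : "(" + r.reason + ")");
}
```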
Fake revoke red flags
| Flag | What you see | What it means |
|---|---|---|
| URL is not exactly revoke.cash | Letter-swap domain, .io / .net / .co variants | Fake site |
| Sponsored ad above the real result | Google Ads slot showing slightly different URL | Likely fake |
| Site asks for seed phrase | "Enter your seed phrase to revoke" | Always fake |
| Support DM offers to help revoke | "I saw your drain, let me help" | Always fake |
| Site asks you to sign a transaction labeled "approval revoke" | Signing prompt that does not match a revoke pattern | Fake |
| Recently registered domain | Whois shows registration < 30 days old | Likely fake |
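A genuine revoke has a recognizable shape on-chain: an ERC-20 `approve` with amount 0, or `setApprovalForAll` with `false`. The decoder below is an added example, not code from Revoke.cash or any wallet; it shows how a prompt labeled "revoke" can be checked against that pattern. Function names, the `SPENDER` address and the sample calldata are constructed, and `approve` is assumed to target an ERC-20 token.

```javascript
// Added example: decode approval calldata and say whether it revokes or grants.
// Assumes `approve` targets an ERC-20 token (second argument is an amount).
const APPROVE = "095ea7b3"; // approve(address,uint256)
const SET_APPROVAL_FOR_ALL = "a22cb465"; // setApprovalForAll(address,bool)
const MAX_UINT256 = (1n << 256n) - 1n;

function classifyApprovalCalldata(data) {
  const hex = String(data).toLowerCase().replace(/^0x/, "");
  if (!/^[0-9a-f]{8,}$/.test(hex)) return { kind: "invalid" };
  const selector = hex.slice(0, 8);
  if (selector !== APPROVE && selector !== SET_APPROVAL_FOR_ALL) {
    return { kind: "not-an-approval", selector: "0x" + selector };
  }
  const args = hex.slice(8);
  // Both functions take exactly two 32-byte words; an address is left-padded.
  if (args.length !== 128 || !args.startsWith("0".repeat(24))) {
    return { kind: "invalid" };
  }
  const spender = "0x" + args.slice(24, 64);
  const value = BigInt("0x" + args.slice(64));
  if (selector === SET_APPROVAL_FOR_ALL) {
    // The bool is true (1) to grant an operator, false (0) to remove it.
    return { kind: value === 0n ? "revoke" : "grant-all-nfts", spender };
  }
  if (value === 0n) return { kind: "revoke", spender };
  const kind = value === MAX_UINT256 ? "grant-unlimited" : "grant-limited";
  return { kind, spender, amount: value };
}

// A prompt matches the revoke pattern only if it decodes to "revoke".
function isGenuineRevoke(data) {
  return classifyApprovalCalldata(data).kind === "revoke";
}

// Constructed calldata; SPENDER is a made-up address, not a real contract.
const word = (h) => h.replace(/^0x/, "").padStart(64, "0");
const SPENDER = "0x" + "ab".repeat(20);
const SAMPLES = {
  revoke: "0x" + APPROVE + word(SPENDER) + word("0"),
  unlimited: "0x" + APPROVE + word(SPENDER) + "f".repeat(64),
  limited: "0x" + APPROVE + word(SPENDER) + word("3e8"),
  nftGrant: "0x" + SET_APPROVAL_FOR_ALL + word(SPENDER) + word("1"),
  nftRevoke: "0x" + SET_APPROVAL_FOR_ALL + word(SPENDER) + word("0"),
};
for (const [name, data] of Object.entries(SAMPLES)) {
  console.log(name.padEnd(10), classifyApprovalCalldata(data).kind);
}
```

Any result other than `revoke` on a prompt presented as a revoke means the transaction would grant or do something else, which is the fake-site behaviour described above.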
For the broader phishing context that pairs with this, see crypto phishing attacks.
How do you set up a new wallet correctly after a compromise?
Use a clean device that has never seen the compromised seed phrase. Generate a new seed and back it up on paper or metal. Never reuse the same device, email, or 2FA recovery path the original wallet touched. Treat the compromised seed as public knowledge. Burn it. Never enter it into any wallet again.
The device must be clean because the clipboard or screen-recording malware that compromised the original wallet may still be on it. Reinstalling the wallet on the same device just sets up a new wallet that the same malware can compromise. Use a different physical device for the new wallet, ideally a hardware wallet that you initialize on a freshly-imaged computer.
New-wallet clean setup checklist
| Step | What to do |
|---|---|
| 1 | Get a different physical device (new hardware wallet ideal; freshly-imaged laptop also ok) |
| 2 | Install the wallet from the official source (typed URL, not search) |
| 3 | Generate a brand-new seed phrase on the new device (do not restore the old seed) |
| 4 | Back up the new seed phrase properly per how to back up a seed phrase |
| 5 | Use a different email and different 2FA app from the compromised setup |
| 6 | Send a small test transaction to confirm the new wallet works |
| 7 | Migrate any remaining old-wallet balance to the new wallet |
For the canonical hardware wallet setup that pairs with this, see how to set up a hardware wallet.
What does the multi-chain revoke audit look like?
Most drained users miss chains. They revoke on Ethereum and forget Polygon, Arbitrum, BNB Smart Chain, Optimism, Base, Avalanche. Attackers sweep the forgotten chains hours or days later. The revoke audit has to cover every chain the compromised wallet ever touched.
The pattern that surprises users is how many chains they bridged to that they forgot about. We see drainer cleanup tickets where the user revoked approvals on Ethereum but missed Polygon, Arbitrum, BNB Smart Chain, and a few L2s. The attacker swept the forgotten chains over the next 72 hours. The revoke audit has to cover every chain you ever touched, not just the one where the loss happened.
Multi-chain revoke checklist (early 2026 active chains)
| Chain | Why check it |
|---|---|
| Ethereum mainnet | Most approvals live here; highest-value target |
| Polygon | Common destination via Polygon Bridge; many approvals |
| Arbitrum | Major L2; many DeFi approvals |
| Optimism | Major L2 |
| Base | Growing 2024-2026; many memecoin-related approvals |
| BNB Smart Chain | High retail volume; many memecoin approvals |
| Avalanche | DeFi exposure |
| Solana | Different model but check token-account permissions if you used Phantom or Solflare |
| Linea / Scroll / zkSync | Newer L2s; users often forget about them |
Revoke.cash supports multi-chain mode in 2026 (source: Magic Eden: How to revoke token approvals on Ethereum, Solana, Base, Polygon). The cleanest approach is to use the multi-chain selector and revoke across all chains in one session. Some chains require small gas fees per revoke; budget for this. Free chains and L2s with sub-cent gas fees should still be cleared.
For the broader send/receive context that frames the chain inventory, see how to send and receive crypto.
How do you report and what comes next?
Tag the drainer wallet on Chainabuse, MetaSleuth, Reddit r/CryptoScams, and X. Public attribution makes cash-out harder and warns the next victim. File a police report. The case number unlocks insurance claims, tax write-offs, and exchange compliance freezes. File with FBI IC3 (US) or your jurisdiction equivalent. Engage SEAL 911 if the loss is large.
24-hour reporting checklist
| Time | Action |
|---|---|
| First 30 min | Message SEAL 911 bot (security incident response community); reply in ~8 minutes typically |
| 30-60 min | Tag the drainer wallet on Chainabuse with tx hash and timeline |
| 1-3 hours | File police report locally; obtain case number |
| 3-12 hours | File FBI IC3 (US) (source: FBI IC3) or jurisdiction equivalent: Report Fraud (UK; formerly Action Fraud, source: City of London Police rebrand announcement); ACSC Australia, etc. |
| 12-24 hours | Notify exchanges where you have accounts that the wallet was compromised |
| Day 2-7 | Engage blockchain forensics firm if the loss justifies a $10K-$20K+ engagement minimum and you want active tracing |
| Day 7-30 | Document for tax loss claim with a crypto-aware tax professional |
The reporting steps may not produce direct recovery. They do unlock downstream paths: insurance claims, tax deductions, compliance freezes, future law-enforcement action. Documentation is for the record and to help broader enforcement build cases. Most individual recoveries from compromised wallets happen at the exchange level (when the attacker tries to cash out at a regulated venue with frozen assets), not from the victim's individual investigation.
For the broader recovery path, see how to recover a crypto wallet.
Frequently asked questions
Can I reuse the compromised seed phrase if I revoke all approvals?
No. Once the seed phrase has been exposed anywhere, treat it as public. Even with all approvals revoked, the attacker still has the private key. They can sign new transactions any time. They can sweep any funds you re-deposit. The only safe path is to migrate to a new seed phrase on a clean device. The compromised seed is permanently burned.
What if I am not sure my wallet is compromised?
Treat ambiguity as compromise. If you typed the seed phrase anywhere, signed anything you did not understand, or see any unfamiliar approval on Revoke.cash, the wallet is compromised. The cost of migration is one afternoon of setup. The cost of being wrong about non-compromise is the full balance. Migrate when in doubt.
Do I need to tell my exchanges?
For balances you keep at exchanges or for accounts linked to the compromised email, yes. Open support tickets at each exchange you use. Mention the compromise. Request a withdrawal hold while you confirm the breadth of the breach. Major exchanges (Blofin, Coinbase, Binance, Kraken) have documented account-loss reporting channels; specific hold times vary by venue.
What is SEAL 911?
SEAL 911 is a community-organized security incident response service that operates a Telegram bot for emergency crypto-security help (source: Security Alliance: SEAL 911). They respond within minutes typically. They work pro bono on individual cases and consult on larger incidents. They are not a recovery service in the scam sense; they are volunteer security professionals. Reach via the SEAL 911 Telegram bot.
What is Chainabuse?
Chainabuse is a community-run blocklist of attacker addresses, with reports tagged by tx hash and incident description (source: TRM Labs: announcing the launch of Chainabuse). Tagging the drainer wallet there helps other users avoid it, makes laundering harder, and feeds enforcement attribution. Free to use. Run by TRM Labs and the broader crypto-security community.
Can I recover from a drained wallet?
Sometimes a small fraction. The recovery path runs through exchange compliance freezes (if the attacker tries to cash out at a regulated venue), law enforcement coordination, and blockchain forensics for large cases. The recovery rate across reported drains is under 5% (source: CoinLaw: phishing and wallet drainer incidents statistics 2026). The reporting still matters for the record and for broader enforcement.
Should I shame the attacker publicly on social media?
Public attribution helps when done with verifiable evidence (tx hashes, on-chain trail). It hurts when based on speculation. The right move is tagging the drainer wallet on Chainabuse and posting the tx hashes with documentation. Avoid naming individuals without strong evidence; that opens you to defamation risk and rarely helps recovery.
Researched and written by the Blofin Academy editorial team with AI-assisted drafting. Primary sources include PhishDestroy emergency action guide, Blockaid 2025 fake revoke site documentation, SEAL 911 community resources, FBI IC3 reporting guidelines, and Chainabuse community blocklist data. All facts independently checked against cited sources current as of May 2026.
This article is educational and does not constitute financial, legal, or security-consulting advice. Wallet compromise response depends on choices the user makes about clean-device setup, revoke discipline, and reporting follow-through. The recovery playbook reduces but does not eliminate downside. Blofin does not initiate contact about wallet compromise; any uninvited message claiming to be from Blofin support is a scam.
