When crypto works, the promise is that you have full control of your own money. But when something goes wrong and your crypto is stolen, there is no bank to call, no button to reverse the charge, and no “undo” option on the blockchain.
If you are reading this because your crypto was stolen just now, here is what you need to know: what you do in the first few hours changes everything. Most people panic, rush, and make the situation worse. This guide explains exactly what to do if your crypto is stolen — step by step — what works, what doesn’t, and how to avoid being targeted a second time.
How a Phishing Attack Drains Your Crypto Wallet
Phishing succeeds because it appears to be routine, mimicking brands people already trust and mimicking wallet prompts while pressuring the user to approve requests. Once signed, a malicious request has exactly the permissions needed to move assets.
Fake crypto website or fake wallet app
The fake site is sometimes a nearly identical clone of MetaMask, Trust Wallet or a popular exchange site. The URL may be one character off or reached through a sponsored ad, and the site tricks the user into signing a harmless-looking message that enables the wallet to transfer tokens. Seconds later, the drainer script runs.
A phishing email from MetaMask or your exchange
These attacks usually start with an urgent-sounding email about a security alert or a KYC problem. It directs the victim to a phishing website that poses as a login page, and the attacker then moves on to the assets. The Federal Trade Commission reports that cryptocurrency phishing through fake brand messages has steadily increased.
Malicious token approval (wallet drainer malware)
Many DeFi apps ask for token approvals. An “unlimited approval” is common but looks suspicious on a phishing site. In practice, it allows a hacker contract to withdraw your tokens at any time. This is the most common method of “wallet drained by phishing” because the user recognizes the approval screen.
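What an approval request looks like underneath the wallet prompt, as an added example that is not part of the original guide: the function below decodes raw transaction calldata and flags unlimited ERC-20 allowances, and it goes one step beyond the text by also flagging the NFT equivalent, `setApprovalForAll`. The spender address and the sample requests are constructed placeholders.

```python
MAX_UINT256 = 2**256 - 1

# 4-byte selectors: first four bytes of keccak256 of the function signature.
SELECTORS = {
    "095ea7b3": "approve(address,uint256)",        # ERC-20 allowance
    "a22cb465": "setApprovalForAll(address,bool)",  # ERC-721/1155 operator
}

def classify_approval(calldata_hex):
    """Describe an approval call found in raw calldata; None if it is not one."""
    data = calldata_hex.lower()
    if data.startswith("0x"):
        data = data[2:]
    signature = SELECTORS.get(data[:8])
    if signature is None:
        return None
    args = data[8:]
    if len(args) < 128:                       # two 32-byte ABI words expected
        raise ValueError("truncated approval calldata")
    spender = "0x" + args[24:64]              # address is right-aligned in word 1
    value = int(args[64:128], 16)             # word 2: amount, or bool flag
    if value == 0:
        risk = "revocation"
    elif signature.startswith("setApprovalForAll"):
        risk = "HIGH: operator over the whole collection"
    elif value == MAX_UINT256:
        risk = "HIGH: unlimited allowance"
    else:
        risk = "limited allowance"
    return {"function": signature, "spender": spender, "value": value, "risk": risk}

# Constructed sample requests (addresses are placeholders, not real contracts).
SPENDER = "ab" * 20
SAMPLES = {
    "unlimited approve": "0x095ea7b3" + "00" * 12 + SPENDER + "ff" * 32,
    "approve 1000":      "0x095ea7b3" + "00" * 12 + SPENDER + format(1000, "064x"),
    "revoke":            "0x095ea7b3" + "00" * 12 + SPENDER + "00" * 32,
    "NFT operator":      "0xa22cb465" + "00" * 12 + SPENDER + format(1, "064x"),
    "plain transfer":    "0xa9059cbb" + "00" * 12 + SPENDER + format(5, "064x"),
}

def high_risk(samples):
    """Names of the sample requests that grant open-ended spending rights."""
    flagged = []
    for name, calldata in samples.items():
        info = classify_approval(calldata)
        if info and info["risk"].startswith("HIGH"):
            flagged.append(name)
    return flagged

if __name__ == "__main__":
    print(high_risk(SAMPLES))
```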

Seed phrase harvesting scam
A fake chat or pop-up says you need to “verify” your wallet. You enter your seed phrase in the official-looking form. Using the seed, the attacker imports your wallet and sweeps every single asset without your interaction.
What to Do Immediately After Your Crypto Wallet Is Drained
If a crypto wallet is emptied, then the following steps should be taken immediately. Never return to the phishing site or approve any additional requests from the compromised device.
Step 1: Disconnect the compromised device from the network
Close the drainer page and disconnect from the session by disabling your Wi-Fi and unplugging your Ethernet. Don’t turn your device back on until you have completed the rest of these steps on a fresh device.
Step 2: Disconnect all wallet permissions instantly
From a safe device, connect your wallet to a trusted token approval manager and revoke all your token approvals to stop any further transfer that relies on unlimited token approvals. If there is no accessible manager for the contract, create a new wallet and revoke and shift any remaining assets.
Step 3: Secure your email, exchange accounts, and other wallets
Change your email and exchange passwords. Enable hardware-based two-factor authentication. If you see any other logins, it is possible that an attacker used your wallet to access your email to reset your exchange passwords.
Step 4: Collect TX IDs, wallet addresses, and screenshots
Capture the transaction IDs, timestamps, and wallets used, along with screenshots of the phishing page, before they are lost to time. This is useful for exchange freeze requests and reports.
Step 5: Use a blockchain explorer to track the stolen funds
Using a public block explorer such as Etherscan, follow the funds across all hops. If they were deposited to a known exchange deposit address, you may still request a freeze.
Step 6: Approach the exchanges where the funds went and attempt to freeze them
If you see deposits to Binance, Coinbase or Kraken, file an emergency ticket with evidence, as exchanges generally freeze accounts when funds are linked to theft and reports are timely.

How to Report Crypto Phishing Attempts to Law Enforcement
Such data in official reports is taken seriously by exchanges and investigators, and enables agencies to track phishing infrastructure and provide warnings.
USA: FBI IC3, FTC, your state attorney general
File complaints with the Internet Crime Complaint Center (IC3) and the Federal Trade Commission including TXIDs and wallet addresses. Some state attorney general offices accept cybercrime reports and work with cryptocurrency exchanges.
UK: Action Fraud and the FCA
UK-based victims should report the scam to Action Fraud, and review the Financial Conduct Authority’s guidance on crypto scams.
Other countries: national cybercrime units
Almost every country has a cybercrime unit. Search for the national police unit and submit the evidence package to them. Information interchange benefits cross-border tracing efforts.
Can you recover a crypto wallet drained by phishing?
Your success depends on where the money has moved and how quickly you act.
If recovery is possible (the funds reached an exchange)
Centralized exchanges can freeze stolen funds because they hold KYC data and have the authority to block accounts during investigations. This strengthens requests for freezing if stolen funds are deposited or sent to an exchange.
When recovery is unlikely (funds mixed or bridged)
However, if the attacker uses mixing, bridges, or privacy chains, the problem becomes more difficult. Although it is still possible to map the flows, recovery rates plummet after mixing.
Warning: how to spot a fake crypto recovery service
Scammers will promise to help you and “guarantee recovery”. They request payment or remote access to your computer. Real investigators do not guarantee recovery or ask for your seed phrase.
How to Protect Your Wallet from Phishing Attacks in Future
Prevention is less expensive, and often takes seconds or minutes.
A hardware wallet is for large amounts
A hardware wallet like Ledger or Trezor will often ask for confirmation to send transactions; it can serve as an obstacle to drainers when you open their phishing link.
Revoke unused token approvals regularly
Schedule time once a month or so to review the things you’ve approved. Routinely remove things that are no longer needed to prevent drainers from utilizing an “unlimited approval”.
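The approval review described here and in Step 2, as an added example that is not part of the original guide: it reduces a history of approval events to the allowances still open and builds the `approve(spender, 0)` call that revokes each one. The event tuples and all addresses are constructed placeholders, and the tuple layout is an assumption made for this sketch.

```python
MAX_UINT256 = 2**256 - 1
APPROVE_SELECTOR = "095ea7b3"   # approve(address,uint256)

TOKEN_A, TOKEN_B = "0x" + "11" * 20, "0x" + "22" * 20     # placeholder tokens
DAPP, UNKNOWN = "0x" + "aa" * 20, "0x" + "bb" * 20         # placeholder spenders

# Constructed Approval events for one owner, oldest first: (token, spender, value).
EVENTS = [
    (TOKEN_A, DAPP, MAX_UINT256),
    (TOKEN_A, UNKNOWN, 500),
    (TOKEN_B, UNKNOWN, MAX_UINT256),
    (TOKEN_A, DAPP, 0),            # the owner already revoked this one
]

def open_allowances(events):
    """Latest approved value per (token, spender), dropping revoked pairs.

    Event history is an upper bound: spending reduces a finite allowance, so
    a real review confirms each pair with the token's allowance() call.
    """
    latest = {}
    for token, spender, value in events:
        latest[(token.lower(), spender.lower())] = value
    return {pair: value for pair, value in latest.items() if value > 0}

def revoke_calldata(spender):
    """ABI-encode approve(spender, 0), the call that cancels an allowance."""
    addr = spender.lower()
    if addr.startswith("0x"):
        addr = addr[2:]
    if len(addr) != 40 or any(c not in "0123456789abcdef" for c in addr):
        raise ValueError("spender is not a 20-byte hex address")
    return "0x" + APPROVE_SELECTOR + addr.rjust(64, "0") + "0" * 64

def revocation_plan(events):
    """Transactions to send to each token contract, unlimited approvals first."""
    pairs = sorted(open_allowances(events).items(),
                   key=lambda item: (item[1] != MAX_UINT256, item[0]))
    return [{"to": token, "data": revoke_calldata(spender),
             "unlimited": value == MAX_UINT256}
            for (token, spender), value in pairs]

if __name__ == "__main__":
    for tx in revocation_plan(EVENTS):
        print(tx)
```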
Never click on email links. Bookmark your wallet website.
Typing URLs directly or bookmarking sites is recommended. Avoid sponsored ads for wallets. Phishing often starts with a click on a convincing link.

