My Wallet Got Drained: Emergency Steps to Limit the Damage
— By Tony Rabbit in Tutorials

Your wallet drained and you do not know what to do? Here is the exact emergency response: identify the malicious approval, revoke live allowances on every chain, rescue surviving assets ahead of sweeper bots, and abandon the seed for good.
If your wallet got drained and you are asking yourself what to do, a drained wallet means an attacker used a malicious token approval, a permit signature, or your leaked seed phrase to move your assets out without further consent from you. The clock matters: the difference between losing everything and saving part of your holdings is usually measured in minutes. This guide walks through the emergency response in order, from the first ten minutes to deciding what is realistically recoverable. Work fast, but follow the sequence, because the wrong move, like sending gas to a poisoned wallet, can hand the rest of your funds straight to a bot.
Key Takeaways
- Revoking one approval is not enough if a permit signature or a second-chain approval is still live.
- Move surviving assets to a brand new wallet before sweeper bots react to incoming gas.
- A compromised seed phrase is dead forever; never reuse it on any chain or account.
- Funding a drained wallet with gas is often intercepted, so never top it up.
First 10 minutes: identify what caused the drain
Before you click anything, find the transaction that emptied your wallet. Open a block explorer for the affected chain, paste your address, and look at the most recent outgoing transfers. You are trying to learn the mechanism, because the mechanism decides what is still dangerous. Common causes are a token approve you signed for a fake site, a gasless Permit or Permit2 signature that needs no on-chain transaction to authorize a transfer, or full seed compromise where the attacker simply has your keys.
Check whether the outflow was a single sweep or a stream of transfers across tokens. If only ERC-20 tokens left but your native coin remains, you are likely dealing with an approval or permit exploit rather than a stolen seed. If everything including the native balance is gone, assume the seed itself is compromised. Note the drainer address and the exact transaction hashes now, because you will need them later for revoking and tracing. For a broader checklist of immediate actions, our crypto wallet recovery immediate steps guide is a useful companion to this page.
Revoke remaining allowances across every chain
Drainers rarely use just one approval. They often hold multiple live allowances and, increasingly, an off-chain permit signature that can authorize a transfer the moment new value lands. Connect a revocation tool, or better, a wallet you have NOT compromised, and review every active allowance. Revoke the malicious spender contracts, and revoke any allowance set to the maximum (unlimited) amount, even ones you do not recognize.
The critical mistake is stopping at one chain. The same address exists on Ethereum, Arbitrum, Base, Polygon, BNB Chain, and more, and an attacker who phished you once may have planted approvals on several of them. Walk through each network where you ever held assets. Be aware that revoking an on-chain approve does NOT cancel a signed permit; a permit lives off-chain until it is used, so the only real defense is to remove the underlying balance the permit could touch. Our step-by-step walkthrough on how to revoke token approvals covers the exact mechanics per chain.
Rescue un-drained assets to a fresh wallet
If anything survived, get it out before automated sweeper bots react. First, create a brand new wallet with a brand new seed phrase on a clean device. Do not derive it from the compromised seed and do not reuse an old backup. Send the surviving assets, NFTs, staked positions, and any liquidity to this fresh address.
The trap here is gas. A drained wallet may have no native coin left to pay transaction fees, and your instinct is to send a little gas in. On a seed-compromised wallet, that incoming gas is almost always swept within seconds by a bot watching the address, so you fund the attacker instead of yourself. If the seed is compromised, do not send gas at all; the wallet is a loss. If only an approval was abused and your keys are still private, you can fund gas, but transfer the highest-value assets first and act in a single uninterrupted session.
Why a compromised seed must be abandoned permanently
A seed phrase is the master key to every account and chain it can derive. Once it has touched a malicious site, a fake wallet app, or a phishing prompt that captured it, you must treat it as public knowledge forever. There is no rotating, cleaning, or partially trusting a leaked seed. Attackers script their bots to monitor known-compromised addresses indefinitely, so even months later, any value that appears can be drained instantly.
This is why moving funds within the same wallet, or to another account derived from the same seed, solves nothing: the attacker derives those accounts too. The only safe path is a fresh seed generated offline on a clean device, ideally a hardware wallet. If you want to understand how these capture flows work in the first place, see our explainer on what a wallet drainer is and the deeper breakdown of wallet drainer attacks and how to recognize them.
Tracing the drainer address for reporting
You documented the drainer address in step one. Now follow it. Paste the address into a block explorer and watch where the stolen funds flow. Drainers typically route assets through a consolidation wallet, then into a mixer or a centralized exchange deposit address. If funds reach an exchange, that deposit address is the strongest lead, because a regulated venue can freeze it if law enforcement acts quickly.
Record the chain, the drainer address, the consolidation hops, every transaction hash, timestamps, and the approximate USD value lost. Report to the relevant exchange abuse channel, to your local cybercrime authority, and to wallet-drainer reporting databases that flag malicious addresses. Realistic expectations matter: tracing rarely returns your funds, but it builds an evidence trail, helps freeze exchange deposits, and protects the next victim by getting the address blacklisted.
What is and is not recoverable
Be honest with yourself about outcomes. On-chain transactions are final, so assets already moved by the attacker are gone unless they sit in an exchange account that gets frozen. What you can still save is everything the drainer has NOT yet touched, which is exactly why speed in the rescue step matters so much. Insurance, refunds, or "recovery services" promising to reverse a blockchain transfer are almost always scams that drain you a second time, so never pay an upfront fee to recover stolen crypto.
The durable lesson is prevention. After the emergency, harden your setup with a hardware wallet, a dedicated burner wallet for risky approvals, and routine allowance hygiene. Our guide on how to protect crypto from hackers lays out the long-term defenses so a single bad signature never empties your main wallet again.
This article is for educational purposes only and is not financial advice.