What to Do if Your Crypto Wallet Is Hacked: An Emergency Response Guide

The State You're In (and Why It's Dangerous for Decision-Making)

Discovering that your crypto wallet has been compromised triggers a specific emotional state — a mixture of panic, disbelief, anger, and desperation — that is the worst possible state for making rapid, irreversible financial decisions. Most victims' instincts lead them to do the wrong things: freezing up, closing their browser to "think," or making random uncoordinated attempts that help the attacker more than themselves.

This guide exists so you can review it now, when you're calm, and internalize the correct response sequence. Knowing the protocol in advance means you can execute it under pressure without having to figure it out in real time.

Step 1: Assess in the First 60 Seconds

Open your wallet immediately and check:

• Is SOL balance still there or gone?
• Are your main token holdings still showing?
• Is the wallet still showing your expected holdings, or are they zeroed out?

If the wallet is already empty: move to the reporting and documentation steps. There is no recovery action available — your energy should focus on documentation for tax purposes and on securing any unaffected accounts.

If assets remain in the wallet: you may still be able to save some or all of them. Move immediately to Step 2.

Step 2: Transfer Remaining Assets Immediately (Speed is Critical)

If assets remain in a compromised wallet, you are in a race with the attacker. They may be monitoring the wallet and processing further transactions. Your goal is to move assets to a new, uncompromised wallet faster than they can drain them.

1. Create a completely new wallet right now — new seed phrase, new installation if possible, on a different device if available
2. In your compromised wallet, set transaction priority to maximum (Phantom: Settings → Transaction Speed → Turbo)
3. Transfer your largest holdings first — prioritize by dollar value. SOL first (also needed for fees), then largest token positions
4. Act quickly but accurately — triple-check the receiving address before confirming

Note: The compromised wallet may have been set up with a "sweeper bot" — an automated program that monitors the wallet and immediately drains any incoming transactions or moves. If every transfer attempt is being drained the instant you send, the sweeper prevents you from consolidating funds to send out. In this case, you can try to send a dust amount first to test, then immediately execute your full withdrawal in the same block if possible — but the sweeper likely wins this race.

Step 3: Secure All Related Accounts

After stabilizing your immediate crypto situation:

• Change passwords and rotate 2FA codes for all centralized exchange accounts
• Change your primary email password and 2FA
• Revoke all connected applications in any CEX accounts linked to the same email
• If the compromise came through a computer malware vector, scan your computer with multiple antivirus tools before using it for crypto again. Consider a full OS reinstall.
• If it came through a browser extension, audit and remove all browser extensions, then reinstall only essential ones from official sources

Step 4: Document Everything for Tax Purposes

In most jurisdictions, crypto theft losses can be treated as capital losses for tax purposes. To claim this:

• Save screenshots of the wallet showing zero balance after the drain
• Record the transaction hashes of all drain transactions (visible in wallet transaction history)
• Note the dollar value of losses at the time of the theft
• Consult a crypto-aware tax professional in your jurisdiction about how to report theft losses

Step 5: Report (Expecting Little, but Contributing to Patterns)

• Report to the FBI's IC3 (Internet Crime Complaint Center) if you're in the US — even though recovery is essentially impossible, pattern reporting helps law enforcement identify attacker networks
• Report the phishing site or scam to Phantom's security team via their official website
• Warn your community by posting about the specific attack vector (without sharing addresses or personal info) — this may prevent others from being victimized by the same attack

The Hardest Truth: Prevention Is the Only Real Protection

No emergency response guide can reverse what's already happened on the blockchain. The purpose of this guide is to limit further damage. The only real protection against wallet compromise is prevention — the habits and practices outlined throughout Hannisol's security article series. Review them when you're calm, implement them systematically, and share them with anyone new to crypto you know.