An ounce of prevention is worth a pound of cure, and most of your crypto security efforts should take place before an incident occurs. Good safety practices and healthy skepticism will prevent many attack vectors. But sometimes, despite our best efforts, the unthinkable happens. What do you do if you fall victim to a crypto scam?
What to do if you get scammed in crypto varies wildly depending on what happened and how you were compromised. Understanding your exact situation is key to a correct incident response. Find the section below that matches your situation.
What To Do If You Get Scammed
I Visited A Malicious Website
If you visit a malicious website, you face the same risks as on any malicious web2 site (malware, etc.), plus the crypto-specific risks below.
There are a whole host of attack vectors to worry about here. After you deal with any web3 threats, make sure you run detailed anti-virus scans or get an expert to determine if your computer is compromised.
What did you do on the malicious website?
… And Entered My Private Key/Seed Phrase
Your private key or seed phrase is compromised.
You have to take immediate action to move your assets from the compromised wallet(s), or you will lose your assets. See the private key compromise and seed phrase compromise sections.
… And Unlocked Metamask
You may have compromised your Metamask password, leading to private key compromise.
Malicious sites can spoof a Metamask lock screen popup. If you enter your password into the malicious mimic, the attacker can use your password to unlock your Metamask and reveal the private keys for any account. This leads to private key compromise.
Note this only applies to accounts for which Metamask holds the private keys – generated or imported. Hardware wallets connecting through Metamask do not expose their private keys to your computer.
What to do after a Metamask password compromise? Immediately transfer the assets from every account in that Metamask extension to a brand new wallet. Make sure your new wallet has a new, clean seed phrase! It cannot just be another account in that same compromised Metamask profile.
… And Signed a Transaction
You may have sent assets to a scammer, or approved a transfer to a malicious address.
Your first priority is figuring out what you signed. If you signed a transfer, your assets are gone, permanently. Sorry to break it to you. If you signed an approval, you may be able to revoke the approval before the attacker steals your bags.
If you signed a message instead of sending a transaction, you could be at risk for attacks on Opensea or other platforms which allow trades to execute against signed offchain messages. In this case, revoke your approvals for these platforms immediately.
… And Downloaded a File
Any crypto activity on your computer is at risk.
If you download files, click links, or engage in other traditionally dangerous activities that can infect your computer with viruses, your security risks are essentially unlimited. Malware can find private keys where they’re stored on your PC, keylog your password, spoof windows, etc.
If this happens, you need to move your assets off that computer (you did write down your seed phrase, right?), professionally wipe the computer, and start over. Or get a new machine for crypto only. Don’t play around with hosting your assets on a compromised machine.
I Sent Tokens To a Scammer
Sorry anon, but if you already sent the tokens, they’re gone. Nothing you can do.
The next best thing to getting your money back is to report the scammer. Any social media accounts used by the attacker can be reported (with evidence). Certain assets like USDT and USDC have centralized bodies that can freeze assets, preventing the scammer from accessing his ill-gotten gains. Freezing is unlikely unless you have very strong proof you were scammed, and it still won’t get your money back.
I Approved a Malicious Address
You need to figure out what approval you performed, then revoke it immediately.
If the services are available, you can use Etherscan's token approvals tool or revoke.cash to view and manage your approvals. In some incidents, like a high-profile exploit, these services can bog down under the load and become unusable. In that event, you can manually revoke token approvals without Etherscan if you have a little technical savvy.
It is critical that you revoke all approvals to the malicious address as soon as possible! Your funds are at risk until you do so.
Also, don’t miss this key point: even if the attacker already stole your funds, you still have to revoke the approval. Otherwise, if you put any more of that token into your wallet, the approval will still be valid, and that attacker can take those tokens also!
I Signed a Malicious Message
You may have assets at risk on platforms which allow execution against signed offchain messages.
One example of this is Opensea sell orders. If Opensea has approval to transfer a token (which they may already have for legitimate reasons), the only other thing they need is a signed message.
Anyone holding a valid signed offchain message from you that offers the token for sale at price X with parameters Y can execute that order. If you are tricked into signing a malicious Opensea order, an attacker could arrange a sale to his own address for a price of 0.
Your response here is to revoke approvals for all sites, and withdraw any staked assets that are at risk.
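For the two sections above (ERC-20 allowances and the setApprovalForAll grants that marketplaces like Opensea rely on), here is an added example, not code from the article, of the check-then-revoke logic behind a manual revocation using only Python's standard library: it builds the eth_call request that reads a grant and the unsigned transaction that zeroes it. The function selectors are the standard ERC-20/ERC-721 ones; all addresses are constructed placeholders, and the transaction still has to be signed by your wallet and sent through whatever RPC endpoint you use.

```python
# Added example (not the article's code): read and revoke token approvals without a
# block explorer. Selectors are the standard ERC-20/ERC-721 ones; addresses are placeholders.
ALLOWANCE = "dd62ed3e"             # allowance(address,address)
APPROVE = "095ea7b3"               # approve(address,uint256)
IS_APPROVED_FOR_ALL = "e985e9c5"   # isApprovedForAll(address,address)
SET_APPROVAL_FOR_ALL = "a22cb465"  # setApprovalForAll(address,bool)

def _addr(a):
    """ABI-encode an address: 20 bytes left-padded to a 32-byte word."""
    h = a.lower()
    h = h[2:] if h.startswith("0x") else h
    if len(h) != 40 or any(c not in "0123456789abcdef" for c in h):
        raise ValueError("not a 20-byte hex address: %r" % a)
    return h.rjust(64, "0")

def _word(n):
    return format(int(n), "064x")  # uint256 or bool as one 32-byte word

def allowance_call(token, owner, spender):
    """eth_call params: how much of `token` may `spender` move out of `owner`?"""
    return {"to": token, "data": "0x" + ALLOWANCE + _addr(owner) + _addr(spender)}

def approved_for_all_call(collection, owner, operator):
    """eth_call params: may `operator` move every token `owner` holds in `collection`?"""
    return {"to": collection, "data": "0x" + IS_APPROVED_FOR_ALL + _addr(owner) + _addr(operator)}

def decode_word(result_hex):
    """Decode the single 32-byte word eth_call returns (uint256 or bool)."""
    h = result_hex[2:] if result_hex.startswith("0x") else result_hex
    return int(h or "0", 16)

def revoke_erc20_tx(token, spender):
    """Unsigned transaction that sets `spender`'s allowance to zero."""
    return {"to": token, "value": 0, "data": "0x" + APPROVE + _addr(spender) + _word(0)}

def revoke_erc721_tx(collection, operator):
    """Unsigned transaction that clears `operator`'s blanket approval."""
    return {"to": collection, "value": 0, "data": "0x" + SET_APPROVAL_FOR_ALL + _addr(operator) + _word(False)}

def plan_revocations(approvals, call_results):
    """approvals: (kind, contract, owner, spender) tuples; call_results: the matching eth_call
    results. Balances are deliberately ignored: an approval outlives the theft."""
    txs = []
    for (kind, contract, _owner, spender), res in zip(approvals, call_results):
        if decode_word(res) == 0:
            continue  # nothing granted, nothing to revoke
        txs.append(revoke_erc20_tx(contract, spender) if kind == "erc20"
                   else revoke_erc721_tx(contract, spender))
    return txs
```

The `data` value is what goes into a wallet's custom hex-data field, with the token or collection contract as the recipient and zero ETH value.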
I Shared Screens With a Scammer
Your private keys may be compromised.
A common tactic by scammers posing as some kind of support is to have you share your screen, and navigate through your Metamask to expose your private key. If you clicked on “Export Private Key” for any account, that private key is compromised.
If you did compromise a private key, read on to learn how to react. Even if you don’t think you compromised anything, it’s still best to move your assets to a new, safe, uncompromised wallet.
My Private Key Was Compromised
Anyone with your private key can execute any action as if they were you.
There’s no worrying about approvals or anything like that. They have full access to your account, just as if they were you. It does not matter if you had your keys on a hardware wallet. It does not matter if any of your electronic devices are connected to the internet. If someone gets your private keys, they get your coins. End of story.
After any private key compromise, you have to put your assets in a fresh wallet. Using the compromised wallet is extremely unsafe and can result in the immediate loss of anything you put back into it.
If your private key is compromised, your response depends on the state of your wallet. Are your assets already gone, is the hack in progress, or has the attacker laid a trap for you?
… And My Assets Are All Gone
If everything is already gone, there’s no getting it back.
All you can do at this point is mark that address as compromised, remove it from your address book, and never send any of your assets to it again. Don’t forget to burn the wallet in this manner, or you’ll lose it all again when you transfer something into the compromised account.
… And The Hacker Is Actively Transferring Items Out
If you can see the hacker working in real time, you can save some items – but you’re in a race.
Sophisticated hackers will plug your private key into a script that will immediately loot anything that’s not nailed down. By the time you notice one of these attacks it’s probably all over.
Less sophisticated attackers, however, may transfer your assets out manually. In this case, your objective is simple: send all your assets to a safe wallet before the attacker can send them to his.
Start with your most valuable items, and bump up your gas for faster transactions. Metamask “Instant” setting is recommended. Remember the attacker is also prioritizing your most valuable items, so your transactions need to execute quickly.
If your situation is desperate and you have friends you can trust, you can reveal your private key to them and have them help race the hacker to transfer your items out. Five people manually transferring items will beat one person manually transferring. One major NFT collector did this to mitigate his losses when a wallet containing hundreds of valuable NFTs was compromised. Be absolutely sure that you trust anyone you do this with, however, or you’ll be out of the frying pan and into the fire.
… And There Are Valuables Left But No ETH For Gas
This is a trap.
Some attackers will leave valuable items in a compromised wallet, but take all the ETH. Without any gas to pay for transactions, you’re forced to send ETH to your wallet before rescuing your assets. The attackers will watch for your incoming transaction, and transfer the ETH out instantly as soon as it lands.
The end result: They get more ETH out of you, and then when you’ve given up they’ll transfer the bait out too.
Luckily, there is a way around the trap. It requires combining the ETH transfer and the rescue transaction into a single transaction bundle, and submitting that bundle to Flashbots. Flashbots is a protocol of Ethereum miners that allows you to submit bundles of transactions. All the transactions in a bundle will be atomically included in the same block, in your specified order.
By submitting a bundle, you provide the gas and rescue the bait assets in one fell swoop, without allowing the attacker time to respond.
If you’re not technically savvy, you can go to whitehat.flashbots.net and receive assistance with the rescue. Note: they only help with recoveries of > $1,000. If you are code-proficient, you can execute the maneuver yourself using the resources here, and here.
My Seed Phrase Was Compromised
All accounts using that seed phrase are compromised. Move your assets to a totally new wallet.
Quick background: One seed phrase can generate multiple private keys. This is how Metamask allows you to have one seed phrase, but multiple accounts with their own private keys. Anyone who holds the seed phrase can regenerate every account derived from it with a cheap, deterministic computation, so it's only a matter of time before your specific accounts are compromised.
To save your assets, you have to first create a new wallet with a different seed phrase. In an emergency, you can open a fresh Metamask on another computer and create a new wallet. Make sure you’re not just generating an account, but an entirely new seed phrase! Next, generate an account or accounts on the new wallet, and migrate all your assets from the compromised accounts.
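To make the background above concrete, here is an added example (not code from the article) that derives several Ethereum private keys from a single seed phrase using nothing but Python's standard library, following the BIP-39 seed step and the BIP-44 path Metamask uses by default, m/44'/60'/0'/0/i. The only input used is the publicly documented Hardhat/Anvil development mnemonic, as a constructed test value.

```python
# Added example (not the article's code): derive Ethereum private keys from one
# BIP-39 phrase along Metamask's default BIP-44 path m/44'/60'/0'/0/i, stdlib only.
import hashlib, hmac, unicodedata

# secp256k1 constants
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
HARD = 0x80000000  # hardened-index offset

def _add(a, b):
    """Curve point addition; None stands for the point at infinity."""
    if a is None or b is None:
        return a or b
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None
    if a == b:
        lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P)
    else:
        lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, P)
    x = (lam * lam - a[0] - b[0]) % P
    return x, (lam * (a[0] - x) - a[1]) % P

def _compressed_pubkey(k):
    """k*G by double-and-add, SEC1-compressed (needed for the non-hardened steps)."""
    r, q = None, G
    while k:
        if k & 1:
            r = _add(r, q)
        q, k = _add(q, q), k >> 1
    return bytes([2 + (r[1] & 1)]) + r[0].to_bytes(32, "big")

def _ckd_priv(k, chain, i):
    """BIP-32 child derivation: hardened indices hash the private key, others the public key."""
    data = (b"\x00" + k.to_bytes(32, "big")) if i >= HARD else _compressed_pubkey(k)
    I = hmac.new(chain, data + i.to_bytes(4, "big"), hashlib.sha512).digest()
    return (int.from_bytes(I[:32], "big") + k) % N, I[32:]

def derive_eth_keys(mnemonic, count, passphrase=""):
    """Hex private keys for m/44'/60'/0'/0/0 .. m/44'/60'/0'/0/(count-1)."""
    words = unicodedata.normalize("NFKD", mnemonic).encode()
    seed = hashlib.pbkdf2_hmac("sha512", words, ("mnemonic" + passphrase).encode(), 2048)
    I = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    k, chain = int.from_bytes(I[:32], "big"), I[32:]
    for idx in (44 + HARD, 60 + HARD, HARD, 0):  # m/44'/60'/0'/0
        k, chain = _ckd_priv(k, chain, idx)
    return ["0x" + _ckd_priv(k, chain, i)[0].to_bytes(32, "big").hex() for i in range(count)]
```

Every account Metamask ever created under that phrase is just another index `i` here, which is why a leaked phrase cannot be partially rescued by switching accounts.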
What To Do After An Attack Is Over
Secure Your Assets
Make sure no more of your assets are at risk. Did you revoke all malicious approvals? Are there any funds left in an exposed wallet? If your private key or seed phrase was exposed, make sure everything is moved to a new, safe location. Even if you don’t think a particular account was breached, better safe than sorry. Why play with fire?
Do A Post-Mortem
After the dust settles and you’re sure no more of your assets are at risk, it’s time to take a step back and do a post-mortem analysis. There are several important questions to ask yourself.
- Exactly what happened?
- What actions did you take that led to the attack?
- Were there any security measures you could have taken that would have prevented the attack?
Exactly what happened? If you don’t understand what happened, you can’t draw the right conclusions, or protect yourself against future attacks.
What did you do that led to the attack? This question can be as simple as “I clicked on a malicious Google ad instead of bookmarking my DEX”, or it can be an opportunity to dig deeper. A 5 Whys analysis or a similar tool can help get to the root cause. Make sure you understand, at least, the proximate root cause, like clicking the phishing link, or entering your seed phrase to win a giveaway.
Would any security measures have prevented the attack? If you had Discord DMs blocked, maybe the convincing giveaway scam wouldn’t have gotten through. If you had a hardware wallet, your private keys wouldn’t have been exposed. Etc.
Improve Your Security
After you understand the issues that led to your loss, implement the security fixes you identified. DeFi Education has an excellent detailed guide, BowTiedBull has more (part 1, part 2, part 3), and here are some quick best practices.
- Use a hardware wallet for any account holding more value than you would carry in your pocket
- Never leave your hardware wallet connected while it’s not in use
- Use a dedicated computer for crypto use (cheap eBay laptops work fine)
- Always back up your seed phrases in a secure location
- Make sure your Discord DMs are closed by default
- Learn how accounts, approvals, and private keys work, so you know what exploits are possible
- Bookmark your sites so you don’t have to Google to navigate to them
- Double check transactions before signing them
- Don’t sign anything if you don’t know exactly what it does
Make sure to approach everything with a healthy dose of skepticism. Until thoroughly proven otherwise: DMs are scams. Giveaways are scams. Free stuff is a scam. No one legitimate will ever ask for your seed phrase, private keys, or password. That isn’t the founder messaging you.
Report The Scammer
While a long shot, you can report criminal activity to the authorities. US-based users can submit a report to the Internet Crime Complaint Center. Be aware that this will link your wallet to your identity, so make sure you’ve paid your taxes and such.
If you want to report, be prepared to provide all the information you have regarding the scam, the scammer, and the relevant transactions.
The odds of ever seeing your money again are pretty low. But you may help prevent others from falling prey to the same attacker.
Keep an Eye On Your Mental Health
Finally, on a serious note: if you lose money to a scam, don’t beat yourself up about it. Money can be re-earned. Even if you lost everything, you can come back smarter and stronger. If you find yourself struggling with depression or suicidal thoughts, please seek help. No amount of money is worth your life.
It can be tough to admit you were victimized, but don’t suffer in silence. Your friends and family can’t support you and look out for you if they don’t know what you’re going through.
Stay safe out there, anon.