What To Do Immediately After a Crypto Compromise
Your wallet was compromised. The clock is ticking. This guide covers the first 60 minutes: what to move, what to revoke, who to contact, and what evidence to preserve. Honest about what's recoverable and what isn't.
The First 15 Minutes: Move and Revoke
Stop everything else and work out the blast radius, because the fix depends on what was actually exposed: a single address, the seed phrase, your email, an exchange login, or a token approval you signed on a phishing site. If the seed phrase was exposed, every wallet derived from it is compromised on every chain, and the attacker can sign anything from those addresses, so revoking approvals buys you nothing there. Generate a new seed on a clean device (one that was not in use when the compromise happened) and never type it into the compromised device. Transfer all remaining assets from every address derived from the compromised seed to the new addresses, chain by chain, highest value first. Expect a race: attackers routinely leave a script watching the drained address that sweeps anything the moment it arrives, so gas you send in to pay for the rescue can be stolen before you can spend it; if that happens, the gas top-up and the rescue transfer need to land in the same block, which means bundling them rather than sending them one after the other. If instead the compromise was a malicious token approval (you signed an approve or permit on a phishing site and the private key itself was never exposed), the drainer can only move the tokens it was approved for. Use revoke.cash to set every approval on the affected wallet to zero, on every chain you used it on. Do this even if the approved tokens are already gone: an open approval also covers tokens that arrive later (airdrops, unstaked rewards). Each revocation is an on-chain transaction sent from the wallet and costs gas.
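The approval half of that procedure, as an added example that is not part of this guide: it reconciles ERC-20 Approval events for the compromised wallet, keeps only the allowances still open, and builds the approve(spender, 0) calldata that revokes each one, which is what revoke.cash automates for you. The event logs, addresses and token contracts below are constructed for the demo; a real run pulls the logs from an RPC node or explorer API for every chain the wallet was used on, and the resulting transactions still have to be signed and sent from the affected wallet.

```python
# Added example (not from the guide): reconcile ERC-20 Approval events and
# produce revoke (approve(spender, 0)) calldata for each allowance still open.
# Logs and addresses are constructed; real ones come from an RPC/explorer API.
from dataclasses import dataclass

APPROVE_SELECTOR = "095ea7b3"  # keccak256("approve(address,uint256)")[:4]
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"  # Approval(address,address,uint256)
TRANSFER_TOPIC = "0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef"  # Transfer(address,address,uint256)
MAX_UINT256 = 2**256 - 1


@dataclass
class Log:
    block: int
    log_index: int
    address: str    # the token contract that emitted the event
    topics: list    # topic0 = event signature, then the indexed owner and spender
    data: str       # non-indexed fields; a single uint256 word for Approval


def _addr_topic(addr: str) -> str:
    """Indexed address arguments are left-padded to a 32-byte topic."""
    return "0x" + addr[2:].lower().rjust(64, "0")


def _uint_word(value: int) -> str:
    return "0x" + format(value, "064x")


def _topic_to_addr(topic: str) -> str:
    return "0x" + topic[-40:].lower()


def outstanding_allowances(logs, owner):
    """Map (token, spender) -> current allowance for `owner`, nonzero ones only.
    Approval carries the new absolute allowance, so the latest event per pair wins."""
    owner = owner.lower()
    latest = {}
    for lg in sorted(logs, key=lambda entry: (entry.block, entry.log_index)):
        if lg.topics[0].lower() != APPROVAL_TOPIC:
            continue                      # Transfer and other events are irrelevant here
        if _topic_to_addr(lg.topics[1]) != owner:
            continue                      # someone else's approval on the same token
        spender = _topic_to_addr(lg.topics[2])
        latest[(lg.address.lower(), spender)] = int(lg.data, 16)
    return {pair: v for pair, v in latest.items() if v > 0}


def revoke_calldata(spender: str) -> str:
    """ABI-encode approve(spender, 0): 4-byte selector + two 32-byte words."""
    return "0x" + APPROVE_SELECTOR + spender[2:].lower().rjust(64, "0") + "0" * 64


def plan_revocations(logs, owner):
    """One transaction per open allowance: call approve(spender, 0) on the token contract."""
    plan = []
    for (token, spender), allowance in sorted(outstanding_allowances(logs, owner).items()):
        plan.append({
            "to": token,
            "data": revoke_calldata(spender),
            "spender": spender,
            "allowance": "unlimited" if allowance == MAX_UINT256 else str(allowance),
        })
    return plan


# Constructed sample: a DEX router the victim used legitimately, plus the
# unlimited approval a phishing site obtained. The router approval on the
# stablecoin was already set back to zero, so it must not appear in the plan.
VICTIM, OTHER_USER = "0x" + "aa" * 20, "0x" + "bb" * 20
STABLECOIN, GOV_TOKEN = "0x" + "11" * 20, "0x" + "22" * 20
ROUTER, DRAINER = "0x" + "33" * 20, "0x" + "44" * 20


def _approval(block, idx, token, owner, spender, value):
    return Log(block, idx, token, [APPROVAL_TOPIC, _addr_topic(owner), _addr_topic(spender)], _uint_word(value))


SAMPLE_LOGS = [
    _approval(100, 0, STABLECOIN, VICTIM, ROUTER, MAX_UINT256),
    _approval(100, 5, GOV_TOKEN, VICTIM, ROUTER, 500 * 10**18),
    _approval(120, 2, STABLECOIN, VICTIM, DRAINER, MAX_UINT256),        # the phishing approval
    _approval(121, 0, STABLECOIN, VICTIM, ROUTER, 0),                   # already revoked
    _approval(122, 0, STABLECOIN, OTHER_USER, DRAINER, MAX_UINT256),    # not our wallet
    Log(122, 1, STABLECOIN, [TRANSFER_TOPIC, _addr_topic(VICTIM), _addr_topic(DRAINER)], _uint_word(10**21)),
]

if __name__ == "__main__":
    for tx in plan_revocations(SAMPLE_LOGS, VICTIM):
        print(tx["to"], tx["spender"], tx["allowance"], tx["data"][:10] + "...")
```

The plan for the victim contains exactly two transactions: the drainer's unlimited stablecoin approval and the router's remaining governance-token allowance. The already-zeroed router approval and the other user's approval are correctly left out. Note that this only helps when the key itself is intact; with a leaked seed the attacker does not need approvals at all.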
Preserve Evidence
Document everything, starting with what disappears first: the phishing page and any DMs can be taken down within hours, whereas the on-chain record is permanent. Record every transaction hash showing the theft, the exact timestamps (block time, not just your local clock), and the attacker's addresses. If the compromise came through a phishing site, screenshot the URL bar and the page. If it came through email, export the original message with full headers (most mail clients offer "show original" or "save as .eml") rather than only screenshotting it; for DMs, screenshot the conversation including the sender's profile. Export browser history covering the period before and after the theft. This evidence is what a police report, an exchange freeze request, a blockchain analytics engagement, and any legal action will all ask for. Do not wipe, reset, or keep using the compromised device: it may hold forensic evidence of how the attack happened (the malicious download, the browser extension, the clipboard hijacker), and any new seed typed into it should be considered exposed.
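A tamper-evident record of that evidence, as an added example that is not part of this guide: every collected file (screenshots, exported .eml messages, the browser history export) is hashed with SHA-256 and recorded alongside the transaction hashes and attacker addresses, which are validated so a mistyped hash is caught before it reaches a police report, and the manifest itself is hashed so anyone you hand it to can check that nothing was altered afterwards. The demo function writes constructed placeholder files into a temporary directory; the identifiers in it are made up.

```python
# Added example (not from the guide): a tamper-evident evidence manifest.
# Files are hashed with SHA-256, incident identifiers are validated, and the
# manifest is hashed so later alteration of files or manifest is detectable.
# demo() uses constructed files and made-up identifiers.
import hashlib
import json
import os
import re
import tempfile
import time

TX_HASH_RE = re.compile(r"^0x[0-9a-fA-F]{64}$")  # 32-byte EVM transaction hash
ADDRESS_RE = re.compile(r"^0x[0-9a-fA-F]{40}$")  # 20-byte EVM address


def sha256_file(path, chunk_size=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def _canonical_digest(body: dict) -> str:
    """Hash deterministic JSON (sorted keys, no whitespace) so the digest is reproducible."""
    return hashlib.sha256(json.dumps(body, sort_keys=True, separators=(",", ":")).encode()).hexdigest()


def build_manifest(tx_hashes, attacker_addresses, evidence_paths, note=""):
    bad = [t for t in tx_hashes if not TX_HASH_RE.match(t)]
    bad += [a for a in attacker_addresses if not ADDRESS_RE.match(a)]
    if bad:
        raise ValueError(f"malformed identifiers, copy them again from the explorer: {bad}")
    manifest = {
        "created_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "tx_hashes": [t.lower() for t in tx_hashes],
        "attacker_addresses": [a.lower() for a in attacker_addresses],
        "note": note,
        "files": [
            {"path": os.path.abspath(p), "size": os.path.getsize(p), "sha256": sha256_file(p)}
            for p in sorted(evidence_paths)
        ],
    }
    # Write this value down somewhere off the device (or in the police report).
    manifest["manifest_sha256"] = _canonical_digest(manifest)
    return manifest


def verify_manifest(manifest):
    """Return what no longer matches: the manifest itself, or the paths whose content changed."""
    body = {k: v for k, v in manifest.items() if k != "manifest_sha256"}
    if _canonical_digest(body) != manifest["manifest_sha256"]:
        return ["<manifest>"]
    return [
        f["path"] for f in manifest["files"]
        if not os.path.exists(f["path"]) or sha256_file(f["path"]) != f["sha256"]
    ]


def demo():
    """Build a manifest over constructed evidence files, then tamper with one and re-verify."""
    workdir = tempfile.mkdtemp(prefix="evidence-")
    shot = os.path.join(workdir, "phishing-page.png")
    mail = os.path.join(workdir, "lure.eml")
    with open(shot, "wb") as f:
        f.write(b"\x89PNG constructed placeholder")
    with open(mail, "wb") as f:
        f.write(b"Received: from constructed.example\r\nSubject: urgent\r\n\r\nbody\r\n")
    manifest = build_manifest(
        tx_hashes=["0x" + "ab" * 32],              # made-up identifiers
        attacker_addresses=["0x" + "cd" * 20],
        evidence_paths=[shot, mail],
        note="constructed demo incident",
    )
    clean = verify_manifest(manifest)
    with open(mail, "ab") as f:
        f.write(b"edited later\r\n")               # simulate post-hoc alteration
    tampered = verify_manifest(manifest)
    try:
        build_manifest(["0x1234"], [], [])         # truncated hash must be rejected
        rejected = False
    except ValueError:
        rejected = True
    return {"clean": clean, "tampered": tampered, "tampered_path": os.path.abspath(mail),
            "rejected_bad_hash": rejected, "manifest": manifest}


if __name__ == "__main__":
    print(json.dumps(demo()["manifest"], indent=2))
```

Keep the manifest and the files together and record the manifest hash somewhere outside the compromised device; the verification step is what lets an exchange, investigator, or lawyer rely on the copies you hand over months later.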
Who To Contact
Look up each destination address on the block explorer. Exchange hot wallets and well-known contracts are labeled, but the per-customer deposit address a thief sends to usually is not, so follow the funds one more hop: deposit addresses are swept into a labeled hot wallet, and that sweep tells you which exchange holds the account. If stolen funds reached a centralized exchange, contact that exchange's fraud or compliance department immediately with the transaction hashes and a police report number. Exchanges can freeze an account, but only while the funds are still there; once the attacker withdraws to self-custody the opportunity is gone. File a report with local law enforcement and, in the US, with the FBI's IC3 (ic3.gov). For large losses (six figures and up), consider engaging a blockchain analytics firm (Chainalysis, CipherTrace) that can trace funds and work with law enforcement. Be wary of 'recovery services' that contact you unsolicited: the vast majority are scams targeting victims a second time, and no legitimate service needs your seed phrase or an advance fee to 'unlock' your funds.
What's Realistically Recoverable
Honest answer: most stolen crypto is not recovered. If funds went through a mixer such as Tornado Cash, across a bridge to a chain where you have no regulated off-ramp to appeal to, or into a self-custody wallet controlled from a jurisdiction that does not cooperate with your country's law enforcement, recovery is extremely unlikely. What sometimes IS recoverable: funds sitting on a regulated centralized exchange where law enforcement can compel a freeze; USDC or USDT, which the issuer (Circle or Tether) can freeze at the contract level in response to a law enforcement request, so a holding address that stays put can be blacklisted before the thief moves on; and funds stolen through an exploit of a major protocol whose treasury or insurance fund compensates affected users. Set realistic expectations. Spend your energy securing everything that was not compromised rather than chasing funds that are probably gone.
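The triage behind both "Who To Contact" and this section, as an added example that is not part of this guide: a breadth-first trace that follows stolen funds hop by hop through a set of transfers, ignores movements that predate the stolen funds' arrival at each address, stops when a branch reaches a labeled exchange or mixer, and reports for every branch where it ended, whether the asset is one an issuer can freeze, and what to do next. The addresses, labels, and transfers are constructed; a real trace reads them from an explorer or analytics API, and explorer labels are far from complete, which is exactly why the unlabeled deposit address in the sample has to be followed one more hop.

```python
# Added example (not from the guide): trace stolen funds through a constructed
# transfer graph and classify where each branch ends (exchange, mixer, parked).
# Addresses, labels, and transfers are constructed for the demo.
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    tx: str
    block: int
    sender: str
    to: str
    asset: str
    amount: float


# Explorers label exchange hot wallets and known mixer contracts. The
# per-customer deposit address a thief sends to is usually NOT labeled; the
# sweep from it into the hot wallet is what identifies the exchange.
LABELS = {
    "0xcex_hot": ("Example Exchange hot wallet", "exchange"),
    "0xmixer": ("Tornado Cash router", "mixer"),
}
ISSUER_FREEZABLE = {"USDC", "USDT"}   # the issuer can blacklist an address holding these

NEXT_STEP = {
    "exchange": "send tx hashes and police report number to the exchange fraud desk now",
    "mixer": "treat as unrecoverable; keep the hashes for the report",
    "unlabeled": "parked in self-custody; monitor the address, ask the issuer to freeze if the asset allows",
}

VICTIM, ATTACKER = "0xvictim", "0xattacker"
TRANSFERS = [  # constructed sample flow
    Transfer("0xt1", 100, VICTIM, ATTACKER, "ETH", 50.0),              # the theft
    Transfer("0xt2", 101, ATTACKER, "0xhop1", "ETH", 30.0),
    Transfer("0xt3", 102, ATTACKER, "0xmixer", "ETH", 20.0),           # into a mixer
    Transfer("0xt4", 103, ATTACKER, "0xhop2", "USDC", 10000.0),         # parked stablecoins
    Transfer("0xt0", 90, "0xhop1", "0xold", "ETH", 1.0),                # before our funds arrived: ignore
    Transfer("0xt5", 105, "0xhop1", "0xcex_deposit", "ETH", 30.0),      # unlabeled deposit address
    Transfer("0xt6", 106, "0xcex_deposit", "0xcex_hot", "ETH", 30.0),   # exchange sweep
    Transfer("0xt7", 200, "0xcex_hot", "0xsomeone", "ETH", 5.0),        # exchange outflow: not ours to follow
]


def trace(start, start_block, transfers, labels, max_hops=8):
    """Breadth-first walk over outgoing transfers, following only movements that
    happened at or after the block in which the traced funds arrived."""
    by_sender = defaultdict(list)
    for t in transfers:
        by_sender[t.sender].append(t)
    findings, seen = [], set()
    queue = deque([(start, start_block, [], None, 0)])   # address, since-block, tx path, asset, hops
    while queue:
        addr, since, path, asset, hops = queue.popleft()
        if (addr, since) in seen:
            continue
        seen.add((addr, since))
        outs = sorted((t for t in by_sender[addr] if t.block >= since), key=lambda t: t.block)
        if not outs or hops >= max_hops:
            findings.append(_finding(addr, "unlabeled", None, path, asset, hops))
            continue
        for t in outs:
            label, kind = labels.get(t.to, (None, "unlabeled"))
            if kind in ("exchange", "mixer"):       # terminal: the next owner is not the thief
                findings.append(_finding(t.to, kind, label, path + [t.tx], t.asset, hops + 1))
            else:
                queue.append((t.to, t.block, path + [t.tx], t.asset, hops + 1))
    return findings


def _finding(endpoint, kind, label, path, asset, hops):
    return {
        "endpoint": endpoint, "kind": kind, "label": label, "path": path,
        "asset": asset, "hops": hops,
        "issuer_freeze_possible": asset in ISSUER_FREEZABLE,
        "next_step": NEXT_STEP[kind],
    }


if __name__ == "__main__":
    for f in trace(ATTACKER, 100, TRANSFERS, LABELS):
        print(f"{f['kind']:9} {f['endpoint']:15} via {' -> '.join(f['path'])}: {f['next_step']}")
```

On the sample flow the trace yields three branches: 30 ETH that reached the labeled exchange hot wallet through an unlabeled deposit address (freeze request worth sending), 20 ETH into the mixer (write it off), and 10,000 USDC parked at an unlabeled address (no exchange to call, but the issuer can freeze it). The exchange's own later outflow and the pre-theft transfer from the intermediate address are correctly ignored; following either would send you chasing other people's money.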