How to Recover From a Crypto Phishing Attack — The Anti-Loss Protocol for Damage Control
Published on 2026-06-12
You Have Seconds — Act Now, Read Later
This is the moment nobody prepares for. You signed something — a permit, an approval, a setApprovalForAll — and now your wallet is being drained. Maybe you can see the transactions pending. Maybe you already see the balance dropping. Your heart rate is up. Good. That urgency is what will save your remaining funds.
This guide is written for right now. Follow the steps in order. Do not skip ahead. Do not stop to research. Every second a malicious approval is active, the attacker can come back and drain more. The Anti-Loss Protocol for phishing recovery is a triage process: stop the bleeding, secure the patient, then investigate what happened.
After you've secured your funds, read the prevention section at the end. Because the best recovery is the one you never need.
Step 1: Revoke the Malicious Approval Immediately
In approval phishing the attacker does not have your private key. They hold an approval: a permission you signed that lets their address move specific tokens (or, with setApprovalForAll, an entire NFT collection) out of your wallet. Revoke it and they are locked out. One exception up front: if you typed your seed phrase into a website or installed a fake wallet, the attacker has the key itself and revoking changes nothing; go straight to Option C and move everything to a new wallet.
Option A: Use revoke.cash (Fastest)
- Go to revoke.cash immediately. Do not Google it — type the URL directly to avoid fake revoke sites.
- Connect the compromised wallet.
- Sort by "Unlimited" approvals first — these are the most dangerous.
- Look for any approval you don't recognize. Check the spender address on Etherscan (or the relevant chain explorer). If it's not a protocol you actively use, revoke it.
- Click "Revoke" and confirm the transaction. You'll pay a small gas fee — this is the cheapest insurance you'll ever buy.
Option B: Use Etherscan Token Approvals Tool
- Go to etherscan.io/tokenapprovalchecker (or the equivalent explorer for your chain).
- Enter your wallet address.
- Review all active approvals. Revoke any that look suspicious.
Option C: If the Drainer Is Actively Sweeping
If tokens are leaving your wallet right now, a revoke is just one more transaction racing the drainer: it protects only what is still in the wallet when it confirms, and anything the attacker's already-pending transfers take before that is gone. In this case:
- Send the remaining valuable tokens to a new, clean wallet first and revoke afterwards. A revoke and a transfer are each one transaction in the same race, but moving the full balance out also puts those tokens beyond the reach of any approval you have not found yet. Under EIP-1559 raise both the max fee and the priority fee (50-100% above what the wallet suggests) so your transaction is included before the drainer's next one. This is a "gas war": your transfer has to confirm first.
- Keep enough ETH in the wallet to pay for these transactions. A token or NFT approval cannot move native ETH, so ETH is not what the drainer is taking; move the rest once the tokens are safe. If the key itself leaked (seed phrase typed into a site, fake wallet app), the opposite holds: a sweeper bot takes any ETH the moment it lands, including gas you send in, and a rescue then needs the funding and the sweep bundled atomically (Flashbots-style) rather than a manual gas war.
- After moving funds, go back and revoke every approval on the compromised wallet so that anything which later lands there (an airdrop, a refund) cannot be taken either.
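What revoke.cash and the Etherscan checker do under the hood is a replay of your address's approval events followed by a `approve(spender, 0)` or `setApprovalForAll(operator, false)` transaction for each live grant you don't recognise. The script below is an added example (not the page's code, nor code from either tool) that performs that replay over constructed log records shaped like `eth_getLogs` output, ranks what is live by danger (operator approvals, then unlimited allowances, then limited ones), and emits ready-to-send revoke calldata. The same replay is what a monthly review (Rule 5 below) runs. All addresses are hypothetical; the `UNLIMITED_FLOOR` threshold is an assumption; the event topics and function selectors are the standard keccak256 values.

```python
"""Approval triage and revoke-transaction builder (added example, hypothetical data)."""

APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"  # Approval(address,address,uint256)
APPROVAL_FOR_ALL_TOPIC = "0x17307eab39ab6107e8899845ad3d59bd9653f200f220920489ca2b5937696c31"  # ApprovalForAll(address,address,bool)
SEL_APPROVE = "095ea7b3"               # approve(address,uint256)
SEL_SET_APPROVAL_FOR_ALL = "a22cb465"  # setApprovalForAll(address,bool)
MAX_UINT256 = 2**256 - 1
UNLIMITED_FLOOR = 2**200               # assumption: anything this large is "unlimited" in practice

# Hypothetical addresses for the demo.
VICTIM = "0x" + "11" * 20
ATTACKER = "0x" + "bad0" * 10
TRUSTED_ROUTER = "0x" + "22" * 20       # a DEX router the user really uses
TRUSTED_MARKET = "0x" + "33" * 20       # an NFT marketplace the user really uses
TOKEN_A, TOKEN_B, NFT_C = "0x" + "aa" * 20, "0x" + "bb" * 20, "0x" + "cc" * 20


def topic(addr):
    """Indexed address argument as a 32-byte topic."""
    return "0x" + addr[2:].lower().rjust(64, "0")


def word(n):
    """uint256 (or bool as 0/1) as a 32-byte data word."""
    return "0x" + format(n, "064x")


def topic_to_address(t):
    return "0x" + t[-40:].lower()


# Constructed logs in eth_getLogs shape: owner = topics[1], spender/operator = topics[2], value in data.
SAMPLE_LOGS = [
    {"address": TOKEN_A, "topics": [APPROVAL_TOPIC, topic(VICTIM), topic(TRUSTED_ROUTER)],
     "data": word(5_000 * 10**6), "blockNumber": 90, "logIndex": 3},
    {"address": TOKEN_B, "topics": [APPROVAL_TOPIC, topic(VICTIM), topic(ATTACKER)],
     "data": word(1_000 * 10**18), "blockNumber": 95, "logIndex": 0},
    {"address": TOKEN_A, "topics": [APPROVAL_TOPIC, topic(VICTIM), topic(ATTACKER)],
     "data": word(MAX_UINT256), "blockNumber": 100, "logIndex": 7},        # the phished unlimited approval
    {"address": TOKEN_B, "topics": [APPROVAL_TOPIC, topic(VICTIM), topic(ATTACKER)],
     "data": word(0), "blockNumber": 101, "logIndex": 1},                  # already revoked: must be skipped
    {"address": NFT_C, "topics": [APPROVAL_FOR_ALL_TOPIC, topic(VICTIM), topic(TRUSTED_MARKET)],
     "data": word(1), "blockNumber": 50, "logIndex": 2},
    {"address": NFT_C, "topics": [APPROVAL_FOR_ALL_TOPIC, topic(VICTIM), topic(ATTACKER)],
     "data": word(1), "blockNumber": 102, "logIndex": 4},                  # operator grant to the drainer
]


def current_allowances(logs, owner):
    """Replay approval events in chain order; the last event per (contract, spender) is the live state."""
    state = {}
    for log in sorted(logs, key=lambda entry: (entry["blockNumber"], entry["logIndex"])):
        topic0, owner_topic, spender_topic = log["topics"][:3]
        if topic_to_address(owner_topic) != owner.lower():
            continue
        kind = {APPROVAL_TOPIC: "erc20", APPROVAL_FOR_ALL_TOPIC: "operator"}.get(topic0)
        if kind is None:
            continue
        key = (log["address"].lower(), topic_to_address(spender_topic))
        state[key] = (kind, int(log["data"], 16))   # allowance amount, or 1/0 for operator grants
    return state


def revoke_calldata(kind, spender):
    """approve(spender, 0) for tokens, setApprovalForAll(operator, false) for collections."""
    selector = SEL_SET_APPROVAL_FOR_ALL if kind == "operator" else SEL_APPROVE
    return "0x" + selector + spender[2:].lower().rjust(64, "0") + "0" * 64


def plan_revocations(logs, owner, trusted_spenders):
    """Live approvals to unknown spenders, most dangerous first, each with a ready-to-send transaction."""
    trusted = {a.lower() for a in trusted_spenders}
    plan = []
    for (contract, spender), (kind, value) in current_allowances(logs, owner).items():
        if value == 0 or spender in trusted:
            continue                       # nothing live, or a spender the user actively uses
        if kind == "operator":
            severity, label = 0, "operator access to every token in the collection"
        elif value >= UNLIMITED_FLOOR:
            severity, label = 1, "unlimited allowance"
        else:
            severity, label = 2, f"allowance of {value} base units"
        plan.append({"severity": severity, "contract": contract, "spender": spender, "kind": kind,
                     "label": label,
                     "tx": {"from": owner, "to": contract, "value": "0x0",
                            "data": revoke_calldata(kind, spender)}})
    plan.sort(key=lambda item: (item["severity"], item["contract"]))
    return plan


if __name__ == "__main__":
    for item in plan_revocations(SAMPLE_LOGS, VICTIM, [TRUSTED_ROUTER, TRUSTED_MARKET]):
        print(f"{item['contract']} -> {item['spender']}: {item['label']}")
        print(f"   revoke tx data: {item['tx']['data']}")
```

Each entry in the plan is one transaction to sign from the compromised wallet; the operator revoke comes first because a single `setApprovalForAll` covers a whole collection. Against a live drainer, remember the Option C ordering: move the balance out, then send these.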
Step 2: Create a New Wallet — The Old One Is Compromised
Even after revoking approvals, the compromised wallet is "burned." The attacker has the address, your full transaction history, and often a bot watching it for anything that arrives. If the key itself leaked (seed phrase, fake wallet), nothing you revoke matters: they can sign from it forever. Do not use this wallet for anything valuable ever again.
- Set up a brand new wallet with a new seed phrase. Use a hardware wallet (Ledger, Trezor, GridPlus) if possible.
- Generate the seed phrase offline — never on a computer that might be compromised. Write it on paper or stamp it in metal. Never store it digitally.
- Transfer all remaining funds from the compromised wallet to the new wallet. Use the gas-war strategy described above if the drainer is still active.
- Once the new wallet is funded, stop using the old wallet entirely. Consider it a sacrifice to the crypto gods.
Step 3: Identify the Attack Vector
After securing your funds, figure out how the attack happened. This prevents it from happening again. Common phishing vectors:
| Attack Vector | How It Works | What to Look For |
|---|---|---|
| Fake airdrop website | You connect wallet to "claim" an airdrop and sign a malicious permit | You visited a site promising free tokens and signed a transaction |
| Malicious NFT mint | You minted an NFT from a phishing link and the mint function was a drainer | You connected to a site shared on Discord/Twitter and paid gas to "mint" |
| Fake token approval | A dApp asked you to "approve" a token for trading, but the spender was the attacker | You approved a token on a site that looked like Uniswap, Curve, or a lending protocol |
| setApprovalForAll (NFTs) | You signed an "operator" approval giving an address access to ALL your NFTs | You signed something on an NFT marketplace or trading site — the approval had no spending limit |
| Permit signature (off-chain) | You signed a gasless message (EIP-2612 permit) that authorized token transfers | You signed a "signature request" in your wallet — no gas fee, no on-chain tx, but it gave transfer authority |
| Clipboard hijacker | Malware replaced the address you pasted with the attacker's address | You sent tokens to what you thought was your new wallet, but the address was swapped |
| Fake customer support | Someone posing as wallet/exchange support asked for your seed phrase or a "verification signature" | You shared your seed phrase or signed a message at someone's request via Discord/Telegram |
| Compromised wallet software | A fake wallet app or browser extension stole your keys | You downloaded MetaMask, Phantom, or another wallet from a non-official source |
Step 4: Check for Malware
If you entered your seed phrase on a website, downloaded a fake wallet, or installed a suspicious browser extension, assume the computer itself is compromised, not just one approval. Infostealer malware that captures seed phrases, browser session data and clipboard contents is routinely bundled with fake wallet installers.
- Run a full antivirus scan as a first pass (Malwarebytes' free tier catches common crypto-stealer families), but do not treat a clean scan as proof of a clean machine. If you typed a seed phrase into a fake wallet or installer, reinstall the operating system before you create your new wallet on that computer.
- Check your browser extensions. Remove any you don't recognize or didn't install yourself. Even legitimate extensions can be compromised through supply-chain attacks, where a maintainer's account is taken over and a malicious update is pushed to every user.
- Check for clipboard hijackers. They replace crypto addresses you copy with the attacker's address. Comparing only the first and last 6 characters is not enough: attackers generate look-alike addresses that match exactly those characters (address-poisoning scams work the same way). Compare the pasted address in full against the one shown on your hardware wallet's screen or saved in your wallet's address book, and send a small test amount first.
- If you entered your seed phrase anywhere online, assume that wallet is permanently compromised. Move all funds to a new wallet immediately, generated on a different, clean device, even if you haven't seen any unauthorized transactions yet.
Step 5: Report the Attack
Reporting won't recover your funds (crypto transactions are irreversible), but it helps protect others and may assist law enforcement in tracking the attacker.
- Report the phishing URL to Google Safe Browsing (safebrowsing.google.com) and the hosting provider.
- Report the attacker's address to Chainalysis, Etherscan (flag the address), and the relevant chain's explorer.
- File a report with the FBI's IC3 (ic3.gov) if you're in the US, or your country's cybercrime unit. Include transaction hashes, the attacker's address, and the phishing URL.
- Post in relevant communities — r/CryptoCurrency, the project's official Discord (if the attack impersonated a project), and Twitter/X. Warn others before more people fall for the same scam.
Step 6: Document Everything for Tax Purposes
In many jurisdictions, stolen or scammed crypto is a realized loss for tax purposes. You may be able to deduct the loss on your tax return.
- Record the date, time, and USD value of the stolen assets at the time of the theft.
- Save the transaction hashes showing the unauthorized transfers.
- Keep a record of the attacker's address and the phishing URL.
- Consult a crypto-savvy tax professional. In the US, theft losses on investment property may be deductible (subject to limitations). The rules vary by country.
The Anti-Loss Protocol: Preventing Future Phishing Attacks
Recovery is painful. Prevention is free. Here's the Anti-Loss Protocol for making sure this never happens again:
Rule 1: Use Tiered Wallets
Never keep all your funds in one wallet. Use a tiered structure:
| Wallet Tier | Purpose | Funds Level | Risk Exposure |
|---|---|---|---|
| Hot Wallet (Tier 1) | Daily interactions, new dApps, minting, airdrops | Small ($100-$1,000) | High — this wallet WILL get phished eventually |
| Warm Wallet (Tier 2) | DeFi trading, staking on known protocols | Medium ($1,000-$50,000) | Medium — only interacts with audited protocols |
| Cold Wallet (Tier 3) | Long-term holdings, savings | Large ($50,000+) | Minimal — hardware wallet, never connects to dApps |
When your hot wallet gets phished (and it will), you lose $500 — not your life savings. This is the single most effective security strategy in crypto.
Rule 2: Read Every Signature Before Signing
Your wallet shows you what you're signing. Read it. Look for:
- setApprovalForAll: this makes an address an "operator" of ALL your NFTs in that collection. The request shows the operator address and the value true. Only sign it on marketplaces you trust (OpenSea, Blur, LooksRare), never on a random site, and treat such a request from any site that is not a marketplace as an attack.
- permit, permit2 (PermitSingle, PermitBatch): gasless typed-data signatures that authorize token transfers without an on-chain transaction. Read the spender, the amount (the maximum value, shown as all F's in hex, is unlimited) and the deadline or expiration. A Permit2 phish normally uses the real Permit2 contract; the tell is a spender you do not recognise combined with an expiration years away. The spender should be the protocol you are using, not an unknown address.
- Increased spending limit: if a transaction requests an unlimited approval, use the wallet's edit function to set it to the exact amount you need. A permit signature cannot be edited, only declined.
Rule 3: Use Transaction Simulation
Tools like Fire (browser extension), WalletGuard, and Pocket Universe simulate transactions before you sign them and show the effect in plain language: "This transaction will transfer 1.5 ETH to 0x..." or "This will give [attacker address] access to all your NFTs." Several wallets now ship simulation built in, and the set of third-party tools changes over time, so check that whatever you rely on is still maintained. If the simulation looks wrong, or shows an asset leaving that you did not intend to send, don't sign. For an off-chain permit, a tool can only interpret the message, because nothing executes until the attacker submits it; read the spender and amount yourself as well.
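Rule 2 and Rule 3 come down to the same question: what does this request actually authorize? The script below is an added example (not the page's code, and not taken from any wallet or simulation tool) that decodes the two request shapes a dApp sends through the wallet provider, an `eth_sendTransaction` (calldata for approve, setApprovalForAll, transfer, transferFrom) and an `eth_signTypedData_v4` body for an EIP-2612 Permit or a Permit2 PermitSingle/PermitBatch, and grades what it finds. Anything "critical" means do not sign. The addresses, the trusted-spender list, the 30-day expiry threshold and the four sample requests are constructed for the demo; the Permit2 address is the canonical deployment.

```python
"""Pre-signature inspection of wallet requests (added example, hypothetical data)."""

MAX_UINT256, MAX_UINT160 = 2**256 - 1, 2**160 - 1
PERMIT2 = "0x000000000022d473030f116ddee9f6b43ac78ba3"   # canonical Permit2 contract, lowercased
SELECTORS = {
    "095ea7b3": "approve", "a22cb465": "setApprovalForAll",
    "a9059cbb": "transfer", "23b872dd": "transferFrom",
}


def _addr(word_hex):
    """Last 20 bytes of a 32-byte ABI word, as a lowercase address."""
    return "0x" + word_hex[-40:].lower()


def inspect_transaction(tx, trusted):
    """Findings for an eth_sendTransaction request: list of (severity, reason)."""
    trusted = {a.lower() for a in trusted}
    findings = []
    if int(tx.get("value", "0x0"), 16) > 0:
        findings.append(("warning", f"sends {int(tx['value'], 16) / 1e18:g} ETH to {tx['to']}"))
    data = tx.get("data", "0x")[2:]
    if len(data) < 8:
        return findings                              # plain value transfer, nothing to decode
    sel, words = data[:8], [data[i:i + 64] for i in range(8, len(data), 64)]
    name = SELECTORS.get(sel)
    if name is None:
        findings.append(("warning", f"unrecognised function 0x{sel}: simulate before signing"))
    elif name == "approve":
        spender, amount = _addr(words[0]), int(words[1], 16)
        label = "UNLIMITED" if amount == MAX_UINT256 else str(amount)
        findings.append(("critical" if spender not in trusted else "info",
                         f"grants {spender} allowance {label} on token {tx['to']}"))
    elif name == "setApprovalForAll":
        operator, approved = _addr(words[0]), int(words[1], 16) != 0
        if approved:
            findings.append(("critical" if operator not in trusted else "warning",
                             f"makes {operator} operator of ALL NFTs in {tx['to']}"))
    else:                                            # transfer / transferFrom: recipient is arg 0 or arg 1
        recipient = _addr(words[0] if name == "transfer" else words[1])
        findings.append(("warning", f"moves tokens out of your wallet to {recipient}"))
    return findings


def inspect_typed_data(typed, trusted, now):
    """Findings for an eth_signTypedData_v4 request (EIP-2612 Permit or Permit2)."""
    trusted = {a.lower() for a in trusted}
    ptype, msg = typed["primaryType"], typed["message"]
    contract = typed["domain"].get("verifyingContract", "").lower()
    findings = []
    if ptype == "Permit":                            # EIP-2612: the token contract itself verifies it
        items = [(contract, msg["spender"], int(msg["value"]), int(msg["deadline"]), MAX_UINT256)]
    elif ptype in ("PermitSingle", "PermitBatch"):   # Permit2: amount is uint160, expiration uint48
        if contract != PERMIT2:
            findings.append(("warning", f"Permit2-shaped message but verifyingContract is {contract}"))
        details = msg["details"] if ptype == "PermitBatch" else [msg["details"]]
        items = [(d["token"], msg["spender"], int(d["amount"]), int(d["expiration"]), MAX_UINT160)
                 for d in details]
    else:
        return [("warning", f"unfamiliar primaryType {ptype}: assume it grants transfer authority")]
    for token, spender, amount, expiry, max_amount in items:
        spender = spender.lower()
        label = "UNLIMITED" if amount >= max_amount else str(amount)
        findings.append(("critical" if spender not in trusted else "info",
                         f"gasless allowance {label} on {token} for {spender}"))
        if expiry - now > 30 * 86400:                # assumption: a month is already generous
            findings.append(("warning", f"allowance stays valid for {(expiry - now) // 86400} days"))
    return findings


def verdict(findings):
    severities = {s for s, _ in findings}
    return "REJECT" if "critical" in severities else "REVIEW" if "warning" in severities else "OK"


# Constructed sample requests (hypothetical addresses).
ATTACKER, ROUTER = "0x" + "bad0" * 10, "0x" + "22" * 20
TOKEN, NFT = "0x" + "aa" * 20, "0x" + "cc" * 20
TRUSTED, NOW = [ROUTER], 1_780_000_000


def _word(n):
    return format(n, "064x")


PHISH_APPROVE = {"to": TOKEN, "value": "0x0",
                 "data": "0x095ea7b3" + _word(int(ATTACKER, 16)) + _word(MAX_UINT256)}
PHISH_OPERATOR = {"to": NFT, "value": "0x0",
                  "data": "0xa22cb465" + _word(int(ATTACKER, 16)) + _word(1)}
PHISH_PERMIT2 = {"primaryType": "PermitSingle",
                 "domain": {"name": "Permit2", "chainId": 1, "verifyingContract": PERMIT2},
                 "message": {"details": {"token": TOKEN, "amount": str(MAX_UINT160),
                                         "expiration": str(2**48 - 1), "nonce": "0"},
                             "spender": ATTACKER, "sigDeadline": str(NOW + 1800)}}
LEGIT_PERMIT = {"primaryType": "Permit",
                "domain": {"name": "USD Coin", "version": "2", "chainId": 1, "verifyingContract": TOKEN},
                "message": {"owner": "0x" + "11" * 20, "spender": ROUTER, "value": str(250 * 10**6),
                            "nonce": "7", "deadline": str(NOW + 1800)}}

if __name__ == "__main__":
    for name, req in [("phish approve", PHISH_APPROVE), ("phish operator", PHISH_OPERATOR)]:
        print(name, verdict(inspect_transaction(req, TRUSTED)), inspect_transaction(req, TRUSTED))
    for name, req in [("phish permit2", PHISH_PERMIT2), ("legit permit", LEGIT_PERMIT)]:
        print(name, verdict(inspect_typed_data(req, TRUSTED, NOW)), inspect_typed_data(req, TRUSTED, NOW))
```

The trusted list is the whole point: the same `approve` calldata is routine when the spender is the router you opened the site for, and a drain when it is anything else. The Permit2 sample is the shape used in Case 1 below, with a legitimate verifying contract and an attacker-controlled spender.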
Rule 4: Bookmark Official URLs
Never click links from Discord, Telegram, Twitter/X, or Google search results to access DeFi protocols. Phishing sites look identical to real ones. Bookmark the official URLs for every protocol you use. Verify the URL character-by-character before connecting your wallet. Use Crypto Network Guide to find verified links for bridges, DEXs, and dApps across every network.
Rule 5: Revoke Approvals Monthly
Set a calendar reminder to visit revoke.cash on the first of every month and revoke any approvals you no longer need. Be clear about what this protects against: a drainer uses a phished approval within seconds, so monthly hygiene will not save you from one. What it does is shrink the pile of standing approvals to legitimate protocols, any of which becomes a drain path for everyone who approved it if that protocol is later exploited or its frontend is hijacked.
Rule 6: Never Share Your Seed Phrase
No legitimate project, exchange, wallet, or support agent will ever ask for your seed phrase. Not for "verification." Not for "wallet recovery." Not for any reason. If someone asks for your seed phrase, they are stealing from you. Period.
Rule 7: Use a Hardware Wallet for Significant Holdings
Hardware wallets (Ledger, Trezor, GridPlus) keep your private key on the device. Even if your computer is infected with malware, the attacker cannot sign anything without you physically confirming on the device. That is also the limit of the protection: the device signs whatever you approve on it, so a malicious approval or permit you confirm on its screen is just as signed. Read what the device displays, prefer wallets and firmware that decode the transaction ("clear signing") over blind signing, and refuse anything the device cannot show you. For any wallet holding more than $1,000, a hardware wallet is non-negotiable.
Real-World Phishing Recovery Cases
Case 1: The Uniswap Phish (March 2025). A user clicked a Google ad that looked like Uniswap but routed to "uniswap-aird[.]rop." They signed a permit2 approval. The attacker drained $47,000 in USDC and ETH within 90 seconds. The user had no other wallets — everything was in one MetaMask. Lesson: Tier your wallets. A hot wallet with $500 would have limited the loss to $500.
Case 2: The NFT Mint Drainer (January 2026). An NFT collector connected to a fake mint site shared in a Discord "allowlist" channel. The site asked for setApprovalForAll on their entire NFT collection. The attacker swept 14 NFTs worth $82,000 over the next 3 hours. The collector didn't notice until the next morning. Lesson: Use a separate "minting" wallet with no valuable NFTs. Never connect your main collection wallet to unknown sites.
Case 3: The Seed Phrase Harvest (August 2025). A user received an email that appeared to be from Ledger: "Your firmware is outdated. Enter your recovery phrase to update." They entered their seed phrase on the phishing site. The attacker swept the wallet 4 hours later. Lesson: Hardware wallet companies will NEVER ask for your seed phrase. Ever. Not by email, not by popup, not by any channel.
Can You Get Your Funds Back?
Honest answer: almost never. Crypto transactions are irreversible by design. Once tokens leave your wallet and enter the attacker's address, there is no undo button, no customer service line, and no chargeback mechanism.
There are rare exceptions:
- Centralized exchange involvement: If the attacker sends funds to an exchange that performs KYC (Coinbase, Binance, Kraken), law enforcement can compel the exchange to freeze the account and identify its owner. This requires a police report and cooperation from the exchange, and it has to happen before the attacker withdraws.
- Blockchain tracing and issuer freezes: Firms such as Chainalysis and CipherTrace trace stolen funds across chains and exchanges. Centrally issued stablecoins can be frozen by their issuer (Circle can blacklist USDC addresses; Tether can do the same for USDT), which is why drainers swap stablecoins for ETH quickly. Native ETH and ordinary ERC-20 tokens have no such switch, and a DeFi protocol generally cannot freeze anything. In practice issuers act on law-enforcement requests and large thefts ($100K+), not on individual reports.
- White-hat negotiation: In rare cases, attackers have returned funds after public pressure or negotiation. This is not a strategy — it's a lottery ticket.
For most victims, the realistic outcome is: the funds are gone. The value of this guide is not in recovering what you lost — it's in protecting what you have left and preventing the next attack.
Bottom Line
If you've been phished, you're not alone — over $3 billion was lost to phishing and social engineering attacks in 2024-2025. The attacker exploited a moment of trust, urgency, or inattention. That's not a character flaw; it's a human one.
The Anti-Loss Protocol for phishing recovery is: revoke immediately, move funds to a new wallet, check for malware, report the attack, and document for taxes. Then rebuild with tiered wallets, transaction simulation, monthly approval revocation, and a hardware wallet for your main holdings.
The best time to set up these protections is before you get phished. The second-best time is right now. Start at Crypto Network Guide to verify the official URLs for every protocol and bridge you use — because the next phishing site is already live, and it's waiting for the next click.