Critical Action · Incident Response · You are not alone

Wallet drained, seed stolen, account taken over?
SEAL 911 replies in ~8 minutes. Free. 24/7.

If your wallet was drained, your seed phrase stolen, or your account taken over — follow this field-tested sequence. Every second counts. Don't pay "recovery" services. Don't share your seed. The fastest path to help is the green button below.

SEAL · Security Alliance
Recommended first action — SEAL 911

Real responders. Real chain analysts. ~8 min reply.

SEAL 911 is the war-room hotline of the Security Alliance — a coalition of top web3 security teams that triages live incidents, coordinates with exchanges, and helps trace funds. Free, volunteer-run, no recovery fees.

Open @seal_911_bot
~8 min avg reply · 24/7 on-call · $0 always free
Recovery scams target your second loss. Anyone who DMs you on Telegram, X or Discord offering "guaranteed crypto recovery" — flashbots reversal, hacker negotiation, blockchain rollback — is a scammer. Real responders (SEAL, PhishDestroy, ZachXBT) never DM first and never charge.
01 · DO THIS NOW

5-step emergency sequence

read top → bottom · don't skip · ~12 minutes total
Step 1 · 00:00

Open SEAL 911 — get a human on the line

Before anything else, message the SEAL 911 bot. Give them the basics (chain, drained wallet, drainer wallet, tx hash if known). They reply in ~8 minutes and stay with you while you work the rest of this checklist.

tg → https://t.me/seal_911_bot · /start · paste your wallet + drainer + tx
  • If you suspect malware on your device → also open securityalliance.org/go/malware
  • SEAL coordinates with chain analysts, exchanges, registrars — they have channels you don't
Step 2 · 02:00

Move what's left — burn the wallet

If any tokens or NFTs remain, transfer them to a fresh, never-connected wallet generated on a clean device. Treat the compromised seed as public knowledge from now on. Do not reuse it.

  • Generate new seed offline (Trezor, Ledger, or air-gapped MetaMask)
  • Send native gas first, then highest-value tokens, then dust last
  • If gas is sniped by sweep-bots → use Flashbots Protect RPC to bypass mempool
Step 3 · 05:00

Revoke every approval — chain by chain

Approvals you signed weeks ago can drain you tomorrow. Use revoke.cash to revoke all token approvals on every chain you've used. setApprovalForAll, Permit2, and unlimited allowances are the dangerous ones.

https://revoke.cash · connect compromised wallet · revoke all unlimited approvals on every chain
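
To see which of your past transactions granted the approvals this step warns about, the added example below (not PhishDestroy or SEAL code) decodes raw transaction calldata and flags unlimited approve / increaseAllowance calls and setApprovalForAll(true). The sample calldata and addresses are constructed, the 2**255 cutoff for "unlimited" is an assumption, and Permit2 calls are not decoded.

```python
# Added example (not PhishDestroy or SEAL code): flag risky approval calls in raw
# calldata. Selectors are the first 4 bytes of keccak256 of the function signature.
SELECTORS = {
    "095ea7b3": "approve(address,uint256)",
    "39509351": "increaseAllowance(address,uint256)",
    "a22cb465": "setApprovalForAll(address,bool)",
}
UNLIMITED_FLOOR = 2**255  # assumption: amounts this large count as "unlimited"


def classify_approval(calldata_hex):
    """Return a dict describing an approval call, or None if it is not one."""
    data = calldata_hex.strip().lower()
    data = data[2:] if data.startswith("0x") else data
    signature = SELECTORS.get(data[:8])
    if signature is None:
        return None
    args = data[8:]
    # Each of these calls takes two 32-byte ABI words: (address, uint256 or bool).
    if len(args) < 128 or any(c not in "0123456789abcdef" for c in args[:128]):
        return {"function": signature, "spender": None, "risk": "malformed"}
    spender = "0x" + args[24:64]   # an address is the low 20 bytes of word 1
    value = int(args[64:128], 16)  # word 2: amount, token id, or bool
    if signature.startswith("setApprovalForAll"):
        risk = "high: operator over whole collection" if value else "revocation"
    elif value == 0 and signature.startswith("approve"):
        risk = "revocation"
    elif value >= UNLIMITED_FLOOR:
        risk = "high: unlimited allowance"
    else:  # on ERC-721 contracts the same approve selector covers one token id
        risk = "review: limited allowance or single NFT"
    return {"function": signature, "spender": spender, "risk": risk}


def spenders_to_revoke(calldatas):
    """Spender/operator addresses that were granted a high-risk approval."""
    found = [classify_approval(c) for c in calldatas]
    return sorted({f["spender"] for f in found if f and f["risk"].startswith("high")})


# Constructed sample calldata; the addresses are placeholders, not real contracts.
PAD = "0" * 24
SAMPLE = [
    "0x095ea7b3" + PAD + "11" * 20 + "f" * 64,         # approve(spender, 2**256 - 1)
    "0xa22cb465" + PAD + "22" * 20 + "0" * 63 + "1",   # setApprovalForAll(operator, true)
    "0x095ea7b3" + PAD + "33" * 20 + "0" * 64,         # approve(spender, 0)
    "0xa9059cbb" + PAD + "44" * 20 + "0" * 62 + "64",  # transfer(to, 100): not an approval
]
```

A flagged spender may already have been revoked by a later transaction; revoke.cash shows the live allowance, so treat this list as what to look for, not as the current on-chain state.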
Step 4 · 10:00

Report to the community — make the attack public

Tag the drainer wallet on Chainabuse, MetaSleuth, Reddit r/CryptoScams, X (cc @zachxbt). Public attribution makes it harder for the attacker to cash out at exchanges and warns the next victim. This is your most important contribution to the ecosystem.

  • Submit drainer wallet to Chainabuse — feeds 30+ vendors
  • Post tx + drainer addr on Reddit r/CryptoScams and X with screenshots
  • Tag @zachxbt on X if loss is significant — he triages serious cases
  • Report the phishing URL to PhishDestroy so we kill the domain
Step 5 · 20:00

File with law enforcement — preserve evidence

File a police report. The case number unlocks insurance claims, tax write-offs, and CEX compliance freezes. Capture evidence first: screenshots, browser extensions list, every tx hash with UTC timestamps. Never reformat the affected machine until evidence is offsite.

  • US: FBI IC3 at ic3.gov · UK: Action Fraud · EU: national CERT
  • Save evidence to clean USB or encrypted Proton Drive — not the affected machine
  • Forward case number back to SEAL — they use it to escalate exchange freezes
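
An added example (not PhishDestroy or SEAL code) for the evidence step above: it records a SHA-256 hash for every file in an evidence folder together with your transaction hashes and UTC timestamps, then checks an offsite copy against that record. The folder layout and function names are assumptions; the returned manifest is a plain dict that can be saved as JSON outside the evidence folder.

```python
# Added example (not PhishDestroy or SEAL code): integrity manifest for an evidence folder.
import hashlib
import os
import re
from datetime import datetime, timezone

TX_HASH_RE = re.compile(r"^0x[0-9a-fA-F]{64}$")  # 32-byte EVM transaction hash


def utc_iso(epoch_seconds):
    return datetime.fromtimestamp(epoch_seconds, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(evidence_dir, transactions):
    """transactions: (tx_hash, unix_timestamp) pairs copied from a block explorer."""
    bad = [tx for tx, _ in transactions if not TX_HASH_RE.match(tx)]
    if bad:
        raise ValueError("not a full 32-byte tx hash: %r" % bad)
    files = []
    for root, _dirs, names in os.walk(evidence_dir):
        for name in names:
            path = os.path.join(root, name)
            files.append({
                "path": os.path.relpath(path, evidence_dir),
                "sha256": sha256_file(path),
                "modified_utc": utc_iso(os.path.getmtime(path)),
            })
    return {
        "created_utc": utc_iso(datetime.now(timezone.utc).timestamp()),
        "transactions": [{"hash": t.lower(), "time_utc": utc_iso(s)} for t, s in transactions],
        "files": sorted(files, key=lambda entry: entry["path"]),
    }


def changed_files(copy_dir, manifest):
    """Paths whose copy is missing or no longer matches the recorded hash."""
    return [e["path"] for e in manifest["files"]
            if not os.path.isfile(os.path.join(copy_dir, e["path"]))
            or sha256_file(os.path.join(copy_dir, e["path"])) != e["sha256"]]
```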
02 · DON'T LOSE TWICE

How recovery scammers find you

90% of "recovery" offers are second-stage scams

Anyone offering paid recovery is a scammer · 4 patterns to recognize · always block & report

"I can reverse the transaction"

Public chains are immutable. No "white-hat hacker", flashbots service, or insider can reverse a confirmed tx. Anyone claiming this is selling you fiction.

DMs from "recovery agents"

Scammers monitor X, Reddit, Telegram for victim posts. Within hours of you posting, you'll get DMs from "MetaMask support", "USDT recovery", "blockchain forensics". All scams, every time.

"Send 10% upfront / gas fee"

The classic. They take your fee, ghost you, or come back asking for more. Real responders (SEAL, PhishDestroy, ZachXBT) never ask for money.

Fake testimonials & screenshots

Their site has glowing 5-star reviews and "trustpilot" badges. They paid for those. Cross-check any "recovery firm" name with public scam-reporting forums first.

04 · RULES OF ENGAGEMENT

Do this · Don't do this

Do — every time

  • Open SEAL 911 first — get a human responder before you do anything else.
  • Generate a fresh seed on a hardware wallet or fully clean device.
  • Revoke approvals on every chain you've ever bridged to — not just the active one.
  • Capture evidence first — screenshots, tx hashes, browser state, drainer URL.
  • Report drainer wallet publicly on Chainabuse + Reddit + X. Public attribution matters.
  • File IC3 / Action Fraud / national CERT if loss exceeds $10k. Adds legal leverage.

Don't — ever

  • Don't pay "recovery agents" who DM you offering to retrieve funds. 100% scam.
  • Don't import the compromised seed into anything new — even a hardware wallet.
  • Don't reset the affected machine until you've captured the extensions list and logs.
  • Don't trust "MetaMask support" / "Trezor support" DMs — official teams never DM first.
  • Don't reuse passwords tied to the wallet email — drainers harvest them in parallel.
  • Don't delete the phishing tab before screenshots — preserve the URL bar in evidence.
05 · WHO DOES WHAT

PhishDestroy and SEAL — different jobs, same fight

PhishDestroy

We kill phishing sites

Submit a URL — we get the domain suspended at the registrar, blocklisted across browsers and 30+ wallets. We don't do incident response.

SEAL 911

They respond to live incidents

Got drained? Need exchange freezes, fund tracing, malware triage? SEAL has chain analysts and security teams on call. ~8 min reply, free.

06 · FAQ

Common questions, answered fast

Will I get my funds back?

Honest answer: usually no. Recovery happens in less than 8% of cases — and only when funds hit a KYC'd exchange before laundering. Speed is your only leverage. Every minute lowers the odds.

Anyone who DMs you offering "guaranteed recovery" is a scammer targeting your second loss. SEAL, PhishDestroy, and ZachXBT are all volunteer-run and never charge.

What if I think there's malware on my device?

Open the SEAL malware playbook: securityalliance.org/go/malware. It walks you through isolating the device, capturing the infection, rotating credentials from a clean machine, and avoiding cross-contamination.

Common signs: clipboard-paste replaces your address with a different one; a wallet extension you don't remember installing; transactions you didn't initiate; "MFA" requests you didn't trigger.

Should I import my seed into a new wallet "just to check"?

No. Never. The seed is public to the attacker. Any wallet you import it into — including a hardware wallet — is already drained or scheduled to be. Sweep bots monitor known compromised seeds 24/7.

Why public reporting? Why not just file with police?

Police reports are slow. Public reporting on Chainabuse, MetaSleuth, X, and Reddit is fast — and it stays in Google. Three reasons it matters: (1) the attacker can't cash out at major exchanges if the wallet is publicly tagged, (2) the next victim Googles the address before signing and walks away, (3) chain analysts pick up the trail quicker. Always do both.

What's the difference between PhishDestroy and SEAL 911?

PhishDestroy takes phishing domains down — we work the registrar, hosting, browser, and wallet-blocklist side. We don't run incident response.

SEAL 911 is the war-room hotline of the Security Alliance — chain analysts, exchange contacts, malware experts, and protocol teams. If you're in an active incident, they're who you want on the phone. securityalliance.org

I see "pending" transactions. Can I cancel them?

If your tx is still pending and the attacker's hasn't confirmed yet, you can race them with a higher-gas replacement. Use cancel in MetaMask or speed-up via Flashbots Protect. If the attacker controls the wallet, you are racing their bot's gas — you usually lose. SEAL can sometimes help coordinate a Flashbots-protected sweep; ask in the bot.

How long should I keep evidence?

At least 5 years. Civil suits, tax write-offs, insurance claims, and law-enforcement chain-of-custody all need original screenshots, tx hashes, and timestamps. Store on encrypted offline media — never on the affected machine.

You are not alone — every second counts

Stop reading. Open SEAL 911.

If you got this far and you haven't messaged the bot yet, do it now. They will guide you through everything above in real time. Free, 24/7, ~8 minute reply.

PhishDestroy · Critical Action playbook · in coordination with Security Alliance (SEAL)
phishdestroy.io · @seal_911_bot · malware playbook