If Your MetaMask Wallet Was Compromised

Try Tangem secure wallet →

You opened MetaMask and noticed strange transactions. Or a friend messaged: “someone hacked my metamask wallet.” What now? Short answer: act fast, assume the account is controlled by someone else, and treat the wallet like a leaking pipeline — stop more water from flowing out and try to recover what's left.

I've handled a few real incidents. I paid attention to mempool race conditions once and lost a small amount because I hesitated. Learn from that.

Quick checklist — first 5 minutes

And take screenshots for evidence. But don’t panic — act.

Assess the breach: what was taken and how

Two common scenarios:

  1. A dApp or malicious site got a token approval (token allowance) and drained tokens without stealing your private keys.
  2. Your seed phrase/private keys were exposed and an attacker controls the account.

How to tell? Look at the activity. Approvals show up as on‑chain transactions calling approve/permit. Full control shows up when the attacker submits transfers from your address. (A screenshot of an approval transaction helps when reporting.)

Check the transaction list in MetaMask and on the block explorer. Compare the timestamp of approvals to transfers. That tells you whether an allowance was used.
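The comparison described above can be scripted. This is an added example, not code from the original guide or from MetaMask: it takes an exported transaction list plus the hashes you identified as theft, and reports whether each drain was signed with your own key or pulled by a spender you had approved earlier. The function name `triage`, the transaction object shape, and all addresses, hashes and timestamps are constructed assumptions.

```javascript
// Added example. Every address, hash and timestamp here is constructed.
// selector -> [index of the spender argument, index of the amount/flag argument]
const GRANTS = {
  "0x095ea7b3": [0, 1], // approve(spender, amount)
  "0xa22cb465": [0, 1], // setApprovalForAll(operator, approved)
  "0xd505accf": [1, 2], // permit(owner, spender, value, ...)
};
// n-th 32-byte ABI argument after the 4-byte selector, as lowercase hex.
const word = (input, n) => input.slice(10 + 64 * n, 74 + 64 * n).toLowerCase();
const asAddr = (w) => "0x" + w.slice(24);
function triage(victim, history, drainHashes) {
  const me = victim.toLowerCase();
  const grants = new Map(); // "token|spender" -> grant still in force
  const findings = [];
  for (const tx of [...history].sort((a, b) => a.timestamp - b.timestamp)) {
    const from = tx.from.toLowerCase(), to = (tx.to || "").toLowerCase();
    const sel = tx.input.slice(0, 10).toLowerCase();
    if (sel in GRANTS) {
      const [sIdx, vIdx] = GRANTS[sel];
      // permit is normally submitted by the spender, so read the owner argument.
      const owner = sel === "0xd505accf" ? asAddr(word(tx.input, 0)) : from;
      const spender = asAddr(word(tx.input, sIdx)), key = to + "|" + spender;
      if (owner === me) {
        if (/^0{64}$/.test(word(tx.input, vIdx))) grants.delete(key); // zeroed: revoked
        else if (!grants.has(key)) grants.set(key, { token: to, spender, grantedAt: tx.timestamp });
      }
    }
    if (!drainHashes.includes(tx.hash)) continue;
    if (from === me) { // signed with the victim's own key
      findings.push({ hash: tx.hash, cause: "key-compromise" });
      continue;
    }
    // The spender is the sender (direct transferFrom) or the contract the sender called.
    const g = [...grants.values()].find((x) => x.spender === from || x.spender === to);
    findings.push(g ? { hash: tx.hash, cause: "approval-abuse", ...g } : { hash: tx.hash, cause: "undetermined" });
  }
  const causes = findings.map((f) => f.cause);
  const verdict = causes.includes("key-compromise") ? "key-compromise"
    : causes.includes("approval-abuse") ? "approval-abuse" : "undetermined";
  return { verdict, findings, activeGrants: [...grants.values()] };
}
// Constructed sample: the victim approves SPENDER, which later pulls the tokens.
const pad = (a) => a.slice(2).padStart(64, "0");
const VICTIM = "0x" + "a1".repeat(20), SPENDER = "0x" + "b2".repeat(20), TOKEN = "0x" + "c3".repeat(20);
const SAMPLE = [
  { hash: "0x01", timestamp: 100, from: VICTIM, to: TOKEN, input: "0x095ea7b3" + pad(SPENDER) + "f".repeat(64) },
  { hash: "0x02", timestamp: 200, from: SPENDER, to: TOKEN, input: "0x23b872dd" + pad(VICTIM) + pad(SPENDER) + pad("0x64") },
];
console.log(triage(VICTIM, SAMPLE, ["0x02"]).verdict);
```

If the approval named in a finding is one you did not sign yourself, treat the incident as a key compromise. `activeGrants` lists the token and spender pairs that still need an on-chain revoke.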

Immediate damage control — revoke, disconnect, isolate

If the issue is a malicious dApp approval, revoking approvals can stop future drains. If the private key was stolen, revoking alone won't help because the attacker can reapprove or move funds.

Actions:

Quick note: disconnecting a site locally does not remove on‑chain approvals. You must revoke allowances on chain.

Move funds: safe steps and race conditions

Can you transfer assets out of a compromised account? Possibly — but it’s a race. The attacker watches the mempool and can front‑run outgoing transactions.

A practical sequence I use:

  1. Create a new wallet on a clean device. Prefer hardware for large amounts. (See [/hardware-wallets] and [/backup-and-recovery-options].)
  2. Fund the compromised account with a tiny amount of native token if needed for gas (only if you control the account and the attacker doesn't). If the attacker controls it, skip — they'll intercept.
  3. From the compromised account, send high‑priority transactions moving the highest‑value assets first (native token, stablecoins, then others). Increase the priority fee so they are mined sooner.
  4. Transfer NFTs individually — they can be drained by the same approvals.

If you suspect the private key is compromised, the robust option is: create the new wallet first, move what you can immediately, and accept that some assets may be unrecoverable. Private keys cannot be revoked on chain. You cannot terminate a MetaMask wallet once it has been hacked: an address on the blockchain cannot be deleted.

When funds are already drained: tracing and reporting

If the attacker already drained funds you'll need two tracks: technical tracing and official reporting.

Technical:

Reporting:

Recovery from a drain is rare. But when funds land at a KYC'd exchange, there’s a chance support will freeze assets with enough evidence.

Post-incident hardening: change the model

Don't just restore the same risk posture. Change it.

What I’ve found: setting allowances to minimal amounts and using a hardware wallet for signing reduces most casual exploits.

Quick comparison: immediate options

| Action | Speed | Likelihood to stop further loss | When to use |
| --- | --- | --- | --- |
| Revoke approvals on‑chain | Fast (1 tx) | Moderate — only if keys safe | When a dApp approval is the issue (/revoke-approvals) |
| Move funds to new wallet | Fast but racy | Good if you can sign before attacker | When you still control keys and can prioritize txs |
| Create hardware wallet and migrate | Medium | High for future safety | After crisis to prevent repeat attacks (/hardware-wallets) |
| Contact exchanges & report | Slow | Low-to-moderate | When drained funds went to KYC exchange (/phishing-scams-and-email-frauds) |

How to revoke approvals after a hack — step by step

  1. Identify token contract addresses and approval txs from your wallet activity.
  2. Open a trusted revoke tool or follow the guide on [/revoke-approvals].
  3. Set allowance to zero or revoke the spender entry. Sign the revoke transaction from the compromised address.
  4. Verify the allowance is zero on the block explorer.

If you don’t trust the device you're using, move to a clean device first. (Yes, that matters.)
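Steps 3 and 4 at the calldata level, as an added example that is not from the original guide or from any revoke tool: `isPlainRevoke` checks that a transaction a tool asks you to sign is nothing more than a zero-allowance revoke for the expected token and spender, and `allowanceIsZero` interprets the `eth_call` result used for verification. Function names are hypothetical and all addresses are constructed placeholders.

```javascript
// Added example; every address below is a constructed placeholder.
const SEL = { approve: "0x095ea7b3", setApprovalForAll: "0xa22cb465", allowance: "0xdd62ed3e" };
const ZERO = "0".repeat(64);
// Validate a 20-byte address and left-pad it to one 32-byte ABI word.
const pad32 = (addr) => {
  if (!/^0x[0-9a-fA-F]{40}$/.test(addr)) throw new Error("bad address: " + addr);
  return addr.slice(2).toLowerCase().padStart(64, "0");
};

// ERC-20 revoke is approve(spender, 0); NFT collections use setApprovalForAll(operator, false).
function buildRevokeTx(owner, token, spender, nft = false) {
  pad32(owner); pad32(token); // validation only
  return { from: owner, to: token, value: "0x0",
           data: (nft ? SEL.setApprovalForAll : SEL.approve) + pad32(spender) + ZERO };
}

// Check a transaction before signing: right token, no value attached,
// and calldata that is exactly a zeroing call for the expected spender.
function isPlainRevoke(tx, token, spender) {
  const data = (tx.data || "").toLowerCase();
  return (tx.to || "").toLowerCase() === token.toLowerCase()
    && BigInt(tx.value || "0x0") === 0n
    && (data === SEL.approve + pad32(spender) + ZERO
     || data === SEL.setApprovalForAll + pad32(spender) + ZERO);
}

// JSON-RPC body for step 4: eth_call allowance(owner, spender) on the token contract.
function allowanceCall(owner, token, spender) {
  pad32(token); // validation only
  return { jsonrpc: "2.0", id: 1, method: "eth_call",
           params: [{ to: token, data: SEL.allowance + pad32(owner) + pad32(spender) }, "latest"] };
}

// True only when the node returned a single 32-byte word equal to zero.
// An empty "0x" result (no contract at that address) is rejected, not read as zero.
function allowanceIsZero(response) {
  if (response.error || !/^0x[0-9a-fA-F]{64}$/.test(response.result || ""))
    throw new Error("no usable allowance in response");
  return BigInt(response.result) === 0n;
}

// Constructed sample addresses.
const OWNER = "0x" + "a1".repeat(20), TOKEN = "0x" + "c3".repeat(20), SPENDER = "0x" + "b2".repeat(20);
console.log(isPlainRevoke(buildRevokeTx(OWNER, TOKEN, SPENDER), TOKEN, SPENDER));
```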

FAQ

Q: Is it safe to keep crypto in a hot wallet?

A: Hot wallets are convenient for daily DeFi and swaps but expose you to phishing and approvals. For small, active balances they’re fine. For large holdings, use hardware or multisig. See [/security-best-practices].

Q: How do I revoke token approvals after a hack?

A: See the step‑by‑step above and our full guide at [/revoke-approvals]. Revoke on chain — disconnecting a site in MetaMask alone won't remove the on‑chain allowance.

Q: What happens if I lose my phone or seed phrase?

A: If you lose only the phone but the seed phrase is safe, restore on a new device via [/restore-wallet] and revoke old connections. If the seed phrase is compromised, assume loss and move funds to a new seed phrase (ideally on hardware). See [/backup-and-recovery-options].

Q: Can I terminate a MetaMask wallet once it has been hacked? How do I prevent MetaMask wallet termination?

A: You cannot terminate an on‑chain address. You can only move funds away and revoke approvals where possible. To prevent future incidents, use hardware wallets, reduce token allowances, enable transaction simulation, and consider smart-contract wallets with session controls.

Conclusion and next steps

If your MetaMask wallet was compromised, quick triage matters: identify whether it’s an approval or a full key compromise, revoke approvals where possible, disconnect malicious dApps, and prepare a new secure wallet (hardware if funds matter). If funds were drained, gather tx hashes, trace flows, and report to exchanges and law enforcement.

For detailed, step‑by‑step instructions, see our guides on [/revoke-approvals], [/backup-and-recovery-options], and [/hardware-wallets]. If you want a checklist to follow right now, open our restore wallet tutorial and keep a calm head — decisive action beats panic every time.
