- A dApp or malicious site got a token approval (token allowance) and drained tokens without stealing your private keys.
- Your seed phrase/private keys were exposed and an attacker controls the account.
How to tell? Look at the activity. Approvals show up as on‑chain transactions calling approve/permit. Full control shows up when the attacker submits transfers from your address. (A screenshot of an approval transaction helps when reporting.)
Check the transaction list in MetaMask and on the block explorer. Compare the timestamp of approvals to transfers. That tells you whether an allowance was used.
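The comparison described above, as an added example (not code from this guide or from MetaMask): it labels each transaction by its 4-byte function selector and links every `transferFrom` drain to the approval that enabled it. The transaction field names and all addresses are constructed assumptions; a real list would come from a block explorer export.

```javascript
// Added example: constructed transactions; field names (hash, timestamp, from, to, input) are assumptions.
const SELECTORS = {
  "0x095ea7b3": "approve",           // approve(address spender, uint256 amount)
  "0xa22cb465": "setApprovalForAll", // setApprovalForAll(address operator, bool approved)
  "0xa9059cbb": "transfer",          // transfer(address to, uint256 amount)
  "0x23b872dd": "transferFrom",      // transferFrom(address from, address to, uint256 amount)
};
// The n-th 32-byte ABI argument word, read as a lowercase address.
const addrArg = (input, n) => "0x" + input.slice(34 + 64 * n, 74 + 64 * n).toLowerCase();
// Build a 32-byte ABI word (used only for the constructed sample below).
const word = (hex) => hex.replace(/^0x/, "").padStart(64, "0");

function classifyActivity(victim, txs) {
  const me = victim.toLowerCase();
  const approvals = new Map(); // "token|spender" -> timestamp of the live approval
  return [...txs].sort((a, b) => a.timestamp - b.timestamp).map((tx) => {
    const fn = SELECTORS[tx.input.slice(0, 10).toLowerCase()];
    const sender = tx.from.toLowerCase();
    const token = tx.to.toLowerCase();
    let label = "other", approvedAt = null;
    if (sender === me && (fn === "approve" || fn === "setApprovalForAll")) {
      const key = token + "|" + addrArg(tx.input, 0);
      const revoke = /^0*$/.test(tx.input.slice(74, 138)); // amount 0 or approved=false
      if (revoke) approvals.delete(key); else approvals.set(key, tx.timestamp);
      label = revoke ? "approval-revoked" : "approval-granted";
    } else if (fn === "transferFrom" && sender !== me && addrArg(tx.input, 0) === me) {
      approvedAt = approvals.get(token + "|" + sender) ?? null;
      label = approvedAt !== null ? "allowance-used" : "allowance-used-no-approval-in-list";
    } else if (sender === me) {
      label = "sent-from-your-address"; // if you did not sign it, treat the key as exposed
    }
    return { hash: tx.hash, fn: fn || "unknown", label, approvedAt };
  });
}

// Constructed sample: an unlimited approval, a drain through it, then a native transfer.
const VICTIM = "0x" + "11".repeat(20), SPENDER = "0x" + "22".repeat(20);
const TOKEN = "0x" + "33".repeat(20), DEST = "0x" + "44".repeat(20);
const SAMPLE = [
  { hash: "0xa1", timestamp: 1000, from: VICTIM, to: TOKEN, input: "0x095ea7b3" + word(SPENDER) + "f".repeat(64) },
  { hash: "0xa2", timestamp: 1600, from: SPENDER, to: TOKEN, input: "0x23b872dd" + word(VICTIM) + word(DEST) + word("0x64") },
  { hash: "0xa3", timestamp: 1700, from: VICTIM, to: DEST, input: "0x" },
];
console.log(classifyActivity(VICTIM, SAMPLE));
```

Only `allowance-used` rows point to an approval problem; any `sent-from-your-address` row you do not recognise points to key exposure.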
Immediate damage control — revoke, disconnect, isolate
If the issue is a malicious dApp approval, revoking approvals can stop future drains. If the private key was stolen, revoking alone won't help because the attacker can reapprove or move funds.
Actions:
- Revoke approvals after the hack (see our detailed guide: [/revoke-approvals]).
- Remove connected sites in MetaMask: open the extension or mobile app > Settings > Connections / Connected Sites and remove any unknown sites. Also clear WalletConnect sessions (see [/walletconnect-and-mobile-browser]).
- Lock the wallet and sign out from any synced devices.
- If you used WalletConnect, check active sessions in whatever mobile dApp browser you used and disconnect.
Quick note: disconnecting a site locally does not remove on‑chain approvals. You must revoke allowances on chain.
Move funds: safe steps and race conditions
Can you transfer assets out of a compromised account? Possibly — but it’s a race. The attacker watches the mempool and can front‑run outgoing transactions.
A practical sequence I use:
- Create a new wallet on a clean device. Prefer hardware for large amounts. (See [/hardware-wallets] and [/backup-and-recovery-options].)
- Fund the compromised account with a tiny amount of native token if needed for gas (only if you control the account and the attacker doesn't). If the attacker controls it, skip — they'll intercept.
- From the compromised account, send high‑priority transactions moving the highest‑value assets first (native token, stablecoins, then others). Increase priority fee to get mined sooner.
- Transfer NFTs individually — they can be drained by the same approvals.
If you suspect the private key is compromised, the robust option is: create the new wallet first, move what you can immediately, and accept that some assets may be unrecoverable. Private keys cannot be revoked on chain. You cannot terminate a MetaMask wallet once it is hacked: an address on the blockchain cannot be deleted.
When funds are already drained: tracing and reporting
If the attacker already drained funds, you'll need two tracks: technical tracing and official reporting.
Technical:
- Copy transaction hashes and follow the path on a block explorer. Note any deposit addresses at centralized exchanges.
- If tokens were bridged, follow bridge contract transactions.
Reporting:
- File reports with the exchanges that received funds (include tx hashes and timestamps).
- File a local police report for significant losses — attach blockchain evidence.
- Report phishing or malicious sites to the platform where you found them. See [/phishing-scams-and-email-frauds].
Recovery from a drain is rare. But when funds land at a KYC'd exchange, there’s a chance support will freeze assets with enough evidence.
Post-incident hardening: change the model
Don't just restore the same risk posture. Change it.
- Move high-value holdings to a hardware wallet. See [/hardware-wallets] and [/how-to-connect-ledger].
- Use multisig or smart-contract wallets for larger treasuries (see [/multisig-and-gnosis] and [/account-abstraction]).
- Limit token allowances: approve small amounts or single-use approvals.
- Use transaction simulation features and phishing detection tools in your workflow.
What I’ve found: setting allowances to minimal amounts and using a hardware wallet for signing reduces most casual exploits.
Quick comparison: immediate options
| Action | Speed | Likelihood to stop further loss | When to use |
| --- | --- | --- | --- |
| Revoke approvals on‑chain | Fast (1 tx) | Moderate — only if keys safe | When a dApp approval is the issue (/revoke-approvals) |
| Move funds to new wallet | Fast but racy | Good if you can sign before attacker | When you still control keys and can prioritize txs |
| Create hardware wallet and migrate | Medium | High for future safety | After crisis to prevent repeat attacks (/hardware-wallets) |
| Contact exchanges & report | Slow | Low-to-moderate | When drained funds went to KYC exchange (/phishing-scams-and-email-frauds) |

How to revoke approvals after a hack — step by step
- Identify token contract addresses and approval txs from your wallet activity.
- Open a trusted revoke tool or follow the guide on [/revoke-approvals].
- Set allowance to zero or revoke the spender entry. Sign the revoke transaction from the compromised address.
- Verify the allowance is zero on the block explorer.
If you don’t trust the device you're using, move to a clean device first. (Yes, that matters.)
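What a revoke transaction carries, as an added example (not code from this guide or from any revoke tool): it builds the calldata that sets an allowance to zero and checks calldata you are asked to sign against the spender you intend to revoke. The function names and addresses are hypothetical; the transaction's `to` field must still be the token contract itself.

```javascript
// Added example: addresses are constructed placeholders, function names are hypothetical.
const APPROVE = "0x095ea7b3";              // approve(address spender, uint256 amount)
const SET_APPROVAL_FOR_ALL = "0xa22cb465"; // setApprovalForAll(address operator, bool approved)

// Left-pad a hex value to one 32-byte ABI word.
const word = (hex) => hex.replace(/^0x/, "").toLowerCase().padStart(64, "0");

// Calldata that zeroes an ERC-20 allowance ("erc20") or clears an NFT operator ("nft").
function buildRevoke(kind, spender) {
  if (!/^0x[0-9a-fA-F]{40}$/.test(spender)) throw new Error("spender must be a 20-byte hex address");
  const selector = kind === "erc20" ? APPROVE : kind === "nft" ? SET_APPROVAL_FOR_ALL : null;
  if (!selector) throw new Error("kind must be 'erc20' or 'nft'");
  return selector + word(spender) + word("0x0"); // amount 0 / approved=false
}

// Check calldata before signing: right function, right spender, zero value.
function checkRevoke(calldata, expectedSpender) {
  const data = calldata.toLowerCase();
  const problems = [];
  if (data.length !== 10 + 128) problems.push("unexpected calldata length");
  const selector = data.slice(0, 10);
  if (selector !== APPROVE && selector !== SET_APPROVAL_FOR_ALL) {
    problems.push("not approve/setApprovalForAll");
  }
  if (data.slice(10, 34) !== "0".repeat(24)) problems.push("address word has non-zero padding");
  if ("0x" + data.slice(34, 74) !== expectedSpender.toLowerCase()) {
    problems.push("spender differs from the one being revoked");
  }
  if (!/^0*$/.test(data.slice(74, 138))) problems.push("value is not zero: this grants, not revokes");
  return { ok: problems.length === 0, problems };
}

// Constructed spender address taken from the approval being revoked.
const SPENDER = "0x" + "22".repeat(20);
const revokeData = buildRevoke("erc20", SPENDER);
console.log(revokeData, checkRevoke(revokeData, SPENDER));
// A request that re-approves an unlimited amount fails the check.
console.log(checkRevoke(APPROVE + word(SPENDER) + "f".repeat(64), SPENDER));
```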
FAQ
Q: Is it safe to keep crypto in a hot wallet?
A: Hot wallets are convenient for daily DeFi and swaps but expose you to phishing and approvals. For small, active balances they’re fine. For large holdings, use hardware or multisig. See [/security-best-practices].
Q: How do I revoke token approvals after a hack?
A: See the step‑by‑step above and our full guide at [/revoke-approvals]. Revoke on chain — disconnecting a site in MetaMask alone won't remove the on‑chain allowance.
Q: What happens if I lose my phone or seed phrase?
A: If you lose only the phone but the seed phrase is safe, restore on a new device via [/restore-wallet] and revoke old connections. If the seed phrase is compromised, assume loss and move funds to a new seed phrase (ideally on hardware). See [/backup-and-recovery-options].
Q: Can I terminate a MetaMask wallet once it is hacked? How do I prevent MetaMask wallet termination?
A: You cannot terminate an on‑chain address. You can only move funds away and revoke approvals where possible. To prevent future incidents, use hardware wallets, reduce token allowances, enable transaction simulation, and consider smart-contract wallets with session controls.
Conclusion and next steps
If your MetaMask wallet was compromised, quick triage matters: identify whether it’s an approval or a full key compromise, revoke approvals where possible, disconnect malicious dApps, and prepare a new secure wallet (hardware if funds matter). If funds were drained, gather tx hashes, trace flows, and report to exchanges and law enforcement.
For detailed, step‑by‑step instructions, see our guides on [/revoke-approvals], [/backup-and-recovery-options], and [/hardware-wallets]. If you want a checklist to follow right now, open our restore wallet tutorial and keep a calm head — decisive action beats panic every time.