Case Intake · Open 24/7
Home / Blog / The First Hour After a Wallet Drain: MetaMask, Phantom, Trust Wallet
Recovery Guides ·

The First Hour After a Wallet Drain: MetaMask, Phantom, Trust Wallet

A drained MetaMask, Phantom, or Trust Wallet usually means a malicious approval transaction. What you do in the first hour determines whether you can save what is left in connected accounts and what your recovery options are.

By
Michelle Lach
Founder & Lead Investigator

A wallet drain — tokens you owned, gone, while you did not authorise the transfer — almost always traces back to a single malicious smart-contract approval the user signed at some point in the past, often days or weeks before the drain itself. This guide is what to do in the first 60 minutes after noticing.

The pattern applies to MetaMask (Ethereum, BSC, EVM-compatible chains), Phantom (Solana), Trust Wallet (multi-chain), and most browser-based self-custody wallets. The order of operations matters because some of the steps prevent further loss, others preserve evidence, and a few of them can accidentally make the situation worse if you do them in the wrong sequence.

Minute 0 to 10: Stop further loss

If you have other tokens, NFTs, or stablecoins on the drained wallet that have not yet been taken, they are still at risk. Most drain operators wait for valuable tokens to accumulate before triggering the drain, but they can come back any time. You need to move the remaining assets to a new, freshly-created wallet immediately.

  • Create a brand-new wallet (new seed phrase) in a separate browser or on a separate device. Do NOT import the compromised seed into a new app. The compromise is at the approval level, not the seed level, but creating a fresh seed eliminates uncertainty.
  • From the compromised wallet, transfer remaining tokens to the new wallet. Use the native transfer (send) for each asset. Note the gas fees: if the wallet has no native chain token (ETH on Ethereum, SOL on Solana) to pay gas, you may need to send a tiny amount from another wallet first.
  • Do NOT just revoke approvals from the compromised wallet and leave funds there. The cost-benefit of revocation versus moving funds favours moving funds, because revocation can fail if the wallet is being monitored by the drain operator who can sandwich your revocation.

Minute 10 to 30: Find the malicious approval

Now go back to the compromised wallet and identify which approval transaction caused the drain. This evidence is critical for investigators and regulatory filings.

  • Open Etherscan (for Ethereum) or the equivalent block explorer for your chain. Search for your wallet address.
  • Find the "drain" transaction: the one where tokens left your wallet to an address you did not authorise. The "From" is your wallet; the "To" is the drain operator. Note the transaction hash.
  • Look at the transaction details: the "Interacted With" field shows which smart contract executed the drain. This is usually the contract you previously approved.
  • Search your wallet history (or use revoke.cash) for "Approve" transactions involving that contract address. There will be one or more. Note the date, the token approved, and the spender contract.

This evidence package — original approval transaction, drain transaction, malicious contract address, destination address, list of all assets taken — is what an investigator needs to begin a trace.

Minute 30 to 60: Preserve, report, plan

  • Export your wallet transaction history. MetaMask: Settings > Advanced > Download Activity Logs. Phantom: similar export option. This is your record of what you signed.
  • File at IC3.gov (US) or ActionFraud.police.uk (UK) or your local equivalent. Note the transaction hashes and approval evidence. These reports are free and required by many exchanges before they will engage on a freeze request.
  • Contact the exchanges where you originally bought the drained tokens. They cannot recover what is already moved, but they can flag the destination address on their internal compliance systems.

What CryptoLeek can do beyond hour 1

Wallet drain investigation is a specific subset of our work. We trace the drained tokens across blockchain hops, identify the destination exchange or off-ramp, and coordinate with the receiving exchange (and where applicable, civil counsel) to freeze and recover the funds. Recovery odds depend heavily on where the drained tokens landed: a regulated US/EU exchange is realistic, a privacy mixer or a Russian/Iranian-jurisdiction exchange is not.

Free 24-hour case review. We tell you honestly whether your specific drain is recoverable before quoting any retainer.

§ — · Frequently Asked

Related questions.

Can I recover crypto drained from my MetaMask wallet? +
Recovery depends on where the drained tokens ended up. If they landed at a regulated exchange before being moved further, freeze-and-recover via compliance channels or civil action is realistic in a meaningful percentage of cases. If they hit a privacy mixer (Tornado Cash, Wasabi) or were converted to Monero, recovery odds drop below 5%. A free 24-hour case review answers this for your specific case.
Should I revoke wallet approvals after a drain? +
Move remaining assets to a new wallet FIRST, then revoke approvals. Revocation alone is not enough because the drain operator can monitor your wallet and front-run a revocation transaction. Moving funds eliminates the asset; revocation eliminates the permission. Order: move, then revoke. Better yet, abandon the compromised wallet entirely and create fresh seed.
How do I find the malicious contract that drained my wallet? +
Use a block explorer (Etherscan for Ethereum, Solscan for Solana) and search your wallet address. Find the drain transaction (tokens leaving your wallet without your authorisation), note the "Interacted With" contract, then search your wallet history for Approve transactions involving that contract. The approval transaction is usually days or weeks before the drain itself.

Lost crypto and looking for help?

Free case review within 24 hours. We'll tell you honestly whether the case is recoverable.