The First Hour After a Wallet Drain: MetaMask, Phantom, Trust Wallet
A drained MetaMask, Phantom, or Trust Wallet usually means a malicious approval transaction. What you do in the first hour determines whether you can save what is left in connected accounts and what your recovery options are.
A wallet drain — tokens you owned, gone, while you did not authorise the transfer — almost always traces back to a single malicious smart-contract approval the user signed at some point in the past, often days or weeks before the drain itself. This guide is what to do in the first 60 minutes after noticing.
The pattern applies to MetaMask (Ethereum, BSC, EVM-compatible chains), Phantom (Solana), Trust Wallet (multi-chain), and most browser-based self-custody wallets. The order of operations matters because some of the steps prevent further loss, others preserve evidence, and a few of them can accidentally make the situation worse if you do them in the wrong sequence.
Minute 0 to 10: Stop further loss
If you have other tokens, NFTs, or stablecoins on the drained wallet that have not yet been taken, they are still at risk. Most drain operators wait for valuable tokens to accumulate before triggering the drain, but they can come back any time. You need to move the remaining assets to a new, freshly-created wallet immediately.
- Create a brand-new wallet (new seed phrase) in a separate browser or on a separate device. Do NOT import the compromised seed into a new app. The compromise is at the approval level, not the seed level, but creating a fresh seed eliminates uncertainty.
- From the compromised wallet, transfer remaining tokens to the new wallet. Use the native transfer (send) for each asset. Note the gas fees: if the wallet has no native chain token (ETH on Ethereum, SOL on Solana) to pay gas, you may need to send a tiny amount from another wallet first.
- Do NOT just revoke approvals from the compromised wallet and leave funds there. The cost-benefit of revocation versus moving funds favours moving funds, because revocation can fail if the wallet is being monitored by the drain operator who can sandwich your revocation.
Minute 10 to 30: Find the malicious approval
Now go back to the compromised wallet and identify which approval transaction caused the drain. This evidence is critical for investigators and regulatory filings.
- Open Etherscan (for Ethereum) or the equivalent block explorer for your chain. Search for your wallet address.
- Find the "drain" transaction: the one where tokens left your wallet to an address you did not authorise. The "From" is your wallet; the "To" is the drain operator. Note the transaction hash.
- Look at the transaction details: the "Interacted With" field shows which smart contract executed the drain. This is usually the contract you previously approved.
- Search your wallet history (or use revoke.cash) for "Approve" transactions involving that contract address. There will be one or more. Note the date, the token approved, and the spender contract.
This evidence package — original approval transaction, drain transaction, malicious contract address, destination address, list of all assets taken — is what an investigator needs to begin a trace.
Minute 30 to 60: Preserve, report, plan
- Export your wallet transaction history. MetaMask: Settings > Advanced > Download Activity Logs. Phantom: similar export option. This is your record of what you signed.
- File at IC3.gov (US) or ActionFraud.police.uk (UK) or your local equivalent. Note the transaction hashes and approval evidence. These reports are free and required by many exchanges before they will engage on a freeze request.
- Contact the exchanges where you originally bought the drained tokens. They cannot recover what is already moved, but they can flag the destination address on their internal compliance systems.
What CryptoLeek can do beyond hour 1
Wallet drain investigation is a specific subset of our work. We trace the drained tokens across blockchain hops, identify the destination exchange or off-ramp, and coordinate with the receiving exchange (and where applicable, civil counsel) to freeze and recover the funds. Recovery odds depend heavily on where the drained tokens landed: a regulated US/EU exchange is realistic, a privacy mixer or a Russian/Iranian-jurisdiction exchange is not.
Free 24-hour case review. We tell you honestly whether your specific drain is recoverable before quoting any retainer.