Security · April 14, 2026 · 8 min read

I Think I’ve Been Scammed — Now What?

A step-by-step playbook for the first hour after a wallet compromise.

incident-response · scams · recovery · playbook · security

You signed something you shouldn’t have. You approved a malicious contract. You connected to a phishing site. You’re staring at your wallet wondering how much you just lost.

Stop. Breathe. Read this carefully. Every minute matters.

Minute 0–5: Assess, Don’t Panic

First question: has anything actually been taken, or are you worried it might be? Open your wallet and check token balances. Check NFT holdings. Check open approvals. If nothing has moved yet, you have time.

If funds are already gone, your immediate goal is to prevent more from being taken. Attackers often drain in waves — large-value tokens first, then smaller positions, then NFTs. The longer your approvals stay active, the more they take.

Minute 5–15: Revoke Every Approval You Can

Scan your wallet with an approval checker. Revoke everything non-essential. Specifically:

  • Every approval to a contract you don’t recognise
  • Every unlimited approval, regardless of the spender
  • Every setApprovalForAll on your NFTs
  • Every Permit2 approval on tokens with significant value

Do this on every chain your wallet has ever used. Not just the chain where you think the scam happened. Attackers often have standing approvals they collected previously.
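
How the revoke list above can be derived from on-chain data, as an added example (not AllowanceGuard's code or any tool's actual implementation): it replays ERC-20 Approval and NFT ApprovalForAll event logs for one owner and flags live approvals by the criteria listed. The function names, the knownSpenders allowlist and every address and log below are assumptions constructed for illustration; allowances recorded inside Permit2 itself are not covered.

```javascript
// Added example: approval triage over raw event logs. All addresses and logs are constructed.
const APPROVAL = '0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925';
const APPROVAL_FOR_ALL = '0x17307eab39ab6107e8899845ad3d59bd9653f200f220920489ca2b5937696c31';
const MAX_UINT256 = (1n << 256n) - 1n;
const addr = (topic) => '0x' + topic.slice(-40).toLowerCase();
// Replay logs oldest-first; the last event per (contract, spender) is the live state.
// ERC-721 per-token Approval shares the ERC-20 signature but has 4 topics, so it is skipped.
function liveApprovals(logs, owner) {
  const state = new Map();
  const ordered = [...logs].sort((a, b) => a.blockNumber - b.blockNumber || a.logIndex - b.logIndex);
  for (const { address, topics, data } of ordered) {
    if (topics.length !== 3 || addr(topics[1]) !== owner.toLowerCase()) continue;
    const kind = topics[0] === APPROVAL ? 'erc20' : topics[0] === APPROVAL_FOR_ALL ? 'nft-operator' : null;
    if (!kind) continue;
    const key = `${address.toLowerCase()}|${addr(topics[2])}`;
    const value = BigInt(data); // amount for ERC-20, 0 or 1 for ApprovalForAll
    if (value === 0n) state.delete(key); else state.set(key, { kind, value });
  }
  return state;
}
// Apply the page's revoke criteria; knownSpenders is the user's own allowlist (assumption).
function revokeList(logs, owner, knownSpenders = []) {
  const known = new Set(knownSpenders.map((s) => s.toLowerCase()));
  const out = [];
  for (const [key, { kind, value }] of liveApprovals(logs, owner)) {
    const [contract, spender] = key.split('|');
    const reasons = [];
    if (!known.has(spender)) reasons.push('unrecognised spender');
    if (kind === 'erc20' && value === MAX_UINT256) reasons.push('unlimited approval');
    if (kind === 'nft-operator') reasons.push('setApprovalForAll');
    if (reasons.length) out.push({ contract, spender, reasons });
  }
  return out;
}
// Constructed sample data: placeholder addresses, not real contracts.
const pad = (a) => '0x' + '0'.repeat(24) + a.slice(2);
const word = (n) => '0x' + n.toString(16).padStart(64, '0');
const OWNER = '0x' + 'a1'.repeat(20), TOKEN = '0x' + 'b2'.repeat(20), NFT = '0x' + 'c3'.repeat(20);
const DEX = '0x' + 'd4'.repeat(20), UNKNOWN = '0x' + 'e5'.repeat(20);
const log = (address, sig, spender, n, blockNumber) =>
  ({ address, topics: [sig, pad(OWNER), pad(spender)], data: word(n), blockNumber, logIndex: 0 });
const SAMPLE_LOGS = [
  log(TOKEN, APPROVAL, DEX, MAX_UINT256, 100),   // unlimited, recognised spender
  log(TOKEN, APPROVAL, UNKNOWN, 500n, 101),      // limited, unrecognised spender
  log(NFT, APPROVAL_FOR_ALL, UNKNOWN, 1n, 102),  // operator approval, unrecognised
  log(NFT, APPROVAL_FOR_ALL, DEX, 1n, 103),      // operator approval granted...
  log(NFT, APPROVAL_FOR_ALL, DEX, 0n, 104),      // ...then revoked: no longer live
];
console.log(revokeList(SAMPLE_LOGS, OWNER, [DEX]));
```

Event logs are per chain, so the same replay has to be run against each chain the wallet has used.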

Minute 15–30: Move What You Can

If a wallet is actively being drained, you need to get assets out before approvals can be used. Priority:

  1. High-value tokens first. Move large stablecoin, ETH, or WBTC positions to a fresh wallet with no approvals.
  2. NFTs next. Transfer valuable NFTs to a clean wallet. Note: setApprovalForAll is granted per owner address, so an approval given from the compromised wallet does not follow the NFT. But if the destination wallet has also granted setApprovalForAll on the collection to a malicious contract, the attacker can still transfer the NFTs out of the destination wallet to themselves. Move only to a wallet the attacker has no approvals on.
  3. Check for claimed airdrops. Some scam contracts masquerade as airdrops and drain tokens when the user "claims." Do not claim anything.

Use a wallet you’ve never connected to any dApp. A hardware wallet initialised for this purpose is ideal.

Minute 30–60: Document Everything

While the drain is fresh, collect evidence:

  • The transaction hash of the malicious signature or transaction
  • The contract address that drained you
  • The URL of the site that tricked you (screenshot, don’t revisit)
  • The time and date
  • Your wallet address

This evidence is necessary for any future investigation, chain analysis, insurance claim, or law enforcement report.

Hour 1+: Report and Recover

Report the scam. File reports with:

  • Chainabuse — shared database of malicious addresses
  • IC3 (FBI) — if you’re in the US
  • Your local police cyber crime unit
  • The protocol or marketplace whose brand was impersonated (OpenSea, Uniswap, etc. all have security teams)

Do not pay recovery scammers. After any public scam report, you will be contacted by people claiming they can "recover your funds for a fee." They are scammers preying on scam victims. Real recovery, when it happens, comes through law enforcement or chain analytics firms working with exchanges — never through DMs.

Check if you’re covered. Some wallets and platforms offer limited insurance or reimbursement for specific scam types. Coinbase, MetaMask, and some hardware wallet vendors have recovery programmes. Check the terms.

After the Incident

The wallet that was compromised should be considered burned. Even after you revoke every visible approval, there may be signatures you signed that haven’t been submitted yet. Treat the wallet as untrusted permanently.

Do not move large assets back into it. Do not treat it as a long-term holding address. If it still holds value you can’t easily move (e.g., locked tokens, staked positions), plan to migrate everything out as soon as the lock expires.

The Hardest Rule

Most scam victims are embarrassed. They don’t report. They don’t tell friends. They try to move on quietly. This is exactly what scammers rely on — silence lets the same attack work on the next person.

If you’ve been scammed, talk about it. Post on social media. File the reports. Add the attacker address to abuse databases. Your experience is the one thing that might stop the next person from losing the same way.

Getting scammed isn’t a reflection of your intelligence. Web3 is a hostile environment by design, and even experienced users get hit. What matters is what you do in the first hour after — and what you do with the story afterwards.

Take control of your approvals.

AllowanceGuard scans your wallet for risky token permissions and helps you revoke them — free, open source, non-custodial.
