
How Crypto Users Get Hacked — and Exactly What to Do About It

Updated: Nov 10

Posted by AEM Algorithm


A practical, non-judgmental guide for beginners and advanced users.


This guide covers common MetaMask attack vectors, why multisig Safes help, a full post-hack workflow (technical triage → reporting → law enforcement → AML/exchange escalation), plus monitoring, prevention, and useful tools.


1. Common MetaMask & Wallet Failure Modes (What Actually Goes Wrong)


Most losses happen because a secret was leaked or a malicious actor gained on-chain approval.


Main causes
  • Phishing & Fake UI:

    • Fake websites imitating dApps, exchanges, or MetaMask prompts trick users into signing malicious messages or revealing seed phrases.

    • Popup overlays replicate wallet UIs and ask for “recovery” or “re-login.”

  • Malicious or Compromised RPC / VPN / Proxy Nodes:

    • Third-party VPNs or proxy configs can route traffic through malicious exits that inject or alter pages.

    • Tampered config files can let attackers redirect or intercept your connection.

  • Malicious Browser Extensions & Injected Scripts:

    • Compromised or overly-permissive extensions can modify transaction details before you sign.

  • Malicious Token Approvals (“Infinite Allowance” Trick):

    • Granting unlimited token approvals allows contracts to drain holdings later.

    • Often occurs via airdrops, “claim,” or swap UIs.

  • Seed Phrase / Private Key Exposure:

    • Seeds stored in cloud backups, notes, or screenshots are easily stolen.

    • Keyloggers or clipboard malware can capture seeds and wallet addresses.

  • Social Engineering / Account Takeover:

    • Attackers trick users or compromise linked email/password manager accounts.


2. How a Malicious VPN or Bad Proxy Configuration Makes Things Worse


VPNs can provide a false sense of safety.

  • Untrusted exit nodes can see unencrypted traffic and inject fake pages.

  • Many community proxy clients accept remote config URLs—if compromised, they redirect traffic through attacker infrastructure.

  • Unofficial or pirated installers may contain spyware or keyloggers.


Best practice: Use reputable, audited VPNs (commercial providers) and avoid community subscription files you don’t control.


3. Why Multisig Safes (e.g., Gnosis Safe) Matter — Benefits and Caveats


Multisig isn’t magic—it just raises the cost for attackers and gives you time to react.


Benefits
  • No single point of failure: one compromised key can’t move funds alone.

  • Operational control: require multiple, geographically separate signers or hardware wallets.

  • Audit trail: every transaction is on-chain and verifiable.


Caveats
  • Poor threshold design (e.g., 1-of-2 or 2-of-2) can cause lockout or risk.

  • If attackers gain majority keys, they can still move funds.

  • Social engineering of co-signers remains a risk.


Best practice: use hardware signers, diversify devices/locations, and prefer 2-of-3 multisig for balance between redundancy and security.


4. Full Process After You Suspect a Hack — Step-by-Step


Act fast and be methodical.


A. Immediate Containment (First 0–60 Minutes)
  • Stop using the compromised wallet.

  • Disconnect from the internet or power down.

  • For multisig, don’t co-sign anything until verified safe.

  • Take screenshots of balances and transactions.


B. Evidence Collection (Same Day)
  • On a clean device, gather wallet URLs and transaction hashes from Etherscan/Polygonscan.

  • Record timestamps, tokens, and receiving addresses.

  • Save CSV exports and screenshots.


C. Technical Forensics (Within 24–48 Hours)
  • Scan devices using Malwarebytes, Bitdefender, or Intego.

  • Reinstall OS if malware is found.

  • Revoke token approvals using Revoke.cash from a clean wallet.

  • Create new wallets—prefer hardware devices.


D. Reporting & Escalation (Same Day → Next Few Days)
  • Contact exchanges that received stolen funds (include TX links, wallet addresses, police report ID).

  • Report to AMLBot, TRM, or Chainalysis via their “report address” portals.

  • File a police report (e.g., ReportCyber in Australia).

  • Keep reference numbers and all correspondence.


E. Legal / Recovery Paths
  • Some exchanges may freeze funds if deposits remain linked to verified IDs.

  • Attach all evidence and case IDs to law-enforcement and exchange reports.


5. What to Include When Contacting an Exchange or AML Vendor


Provide these details clearly:

  • Victim wallet address.

  • Transaction hashes (full URLs).

  • Attacker/deposit addresses.

  • Amounts, tokens, UTC timestamps.

  • Police report ID and agency contact.

  • Screenshots of before/after balances.

  • Statement: “Unauthorized transfer. I did not approve these withdrawals.”


6. Recommended Tools & Antivirus Software

  • Malwarebytes: Fast scans for common malware.

  • Bitdefender: Deep scanning for macOS/Windows.

  • Intego: macOS-focused protection.

  • ESET / Windows Defender Offline: Rootkit detection.


If infections persist, reinstall your OS from a clean image or bootable USB.


7. Revoking Approvals & Cleaning On-Chain Exposure

  • Use revoke.cash or Etherscan’s Token Approval tool.

  • Remove unlimited allowances from untrusted contracts.

  • Avoid “Approve unlimited” by default—choose exact spend limits.


8. Monitoring & Alerting Setup

  • Enable alerts on Etherscan, Zapper, or Blocknative.

  • Use AML monitors (AMLBot, TRM, CipherTrace).

  • Set up custom email/SMS alerts for outgoing transfers or unusual approvals.
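An added example (not code from the original post) covering both the approval review in section 7 and the "unusual approvals" alerting in section 8: it decodes constructed ERC-20 Approval event logs of the kind eth_getLogs or an explorer CSV returns, keeps the latest allowance per spender, flags non-zero allowances to spenders outside an allow-list (unlimited ones first), and builds the calldata for approve(spender, 0), which is what a revoke transaction sends. All addresses and events are constructed; the allow-list and the "unlimited" threshold are assumptions.

```python
from dataclasses import dataclass

# keccak256("Approval(address,address,uint256)"): the standard ERC-20 Approval topic
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
APPROVE_SELECTOR = "0x095ea7b3"  # 4-byte selector of approve(address,uint256)
UNLIMITED_FLOOR = 2**128         # assumption: allowances this large count as "infinite"

@dataclass(frozen=True)
class Allowance:
    token: str
    owner: str
    spender: str
    value: int

def parse_approval_log(log: dict):
    """Decode one eth_getLogs-style entry; returns None if it is not an ERC-20 Approval."""
    topics = log["topics"]
    if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
        return None
    # indexed addresses are left-padded to 32 bytes; the address is the last 20 bytes
    owner = "0x" + topics[1][-40:].lower()
    spender = "0x" + topics[2][-40:].lower()
    return Allowance(log["address"].lower(), owner, spender, int(log["data"], 16))

def current_allowances(logs):
    """Latest Approval per (token, owner, spender) wins. This is an upper bound only:
    transferFrom can lower an allowance without emitting Approval, so confirm with allowance()."""
    latest = {}
    for a in filter(None, map(parse_approval_log, logs)):
        latest[(a.token, a.owner, a.spender)] = a
    return list(latest.values())

def flag_risky(allowances, trusted_spenders):
    """Non-zero allowances to spenders outside the allow-list, unlimited ones first."""
    risky = [a for a in allowances if a.value > 0 and a.spender not in trusted_spenders]
    return sorted(risky, key=lambda a: a.value < UNLIMITED_FLOOR)

def revoke_calldata(spender: str) -> str:
    """ABI-encode approve(spender, 0): selector + 32-byte address + 32-byte zero amount."""
    return APPROVE_SELECTOR + spender[2:].lower().rjust(64, "0") + "0" * 64

# --- constructed sample data: none of these are real tokens, wallets or events ---
def _pad32(addr): return "0x" + addr[2:].rjust(64, "0")
TOKEN, OWNER = "0x" + "11" * 20, "0x" + "aa" * 20
TRUSTED, UNKNOWN, OLD_DEX = ("0x" + c * 20 for c in ("bb", "cc", "dd"))
SAMPLE_LOGS = [
    {"address": TOKEN, "topics": [APPROVAL_TOPIC, _pad32(OWNER), _pad32(TRUSTED)], "data": hex(1000 * 10**18)},
    {"address": TOKEN, "topics": [APPROVAL_TOPIC, _pad32(OWNER), _pad32(UNKNOWN)], "data": "0x" + "f" * 64},
    {"address": TOKEN, "topics": [APPROVAL_TOPIC, _pad32(OWNER), _pad32(OLD_DEX)], "data": "0x" + "f" * 64},
    {"address": TOKEN, "topics": [APPROVAL_TOPIC, _pad32(OWNER), _pad32(OLD_DEX)], "data": "0x0"},  # already revoked
]

if __name__ == "__main__":
    for a in flag_risky(current_allowances(SAMPLE_LOGS), {TRUSTED}):
        print(f"revoke {a.spender} on {a.token}: calldata={revoke_calldata(a.spender)}")
```

The same decode-and-flag loop, fed by a polling job or webhook, is the core of a custom "new unlimited approval" alert; sign the revoke from the clean wallet that owns the allowance, never from a compromised one.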


9. Wallet Hygiene & Preventive Best Practices

  • Never store seed phrases in cloud services or screenshots.

  • Use hardware wallets for large holdings.

  • Maintain multisig Safes for team or treasury funds (2-of-3 preferred).

  • Limit and review token approvals regularly.

  • Bookmark official dApps and avoid DM links.

  • Keep OS and browser updated; isolate crypto activity in a separate browser profile.

  • Avoid public or untrusted VPN configurations.


10. Advanced Mitigations (For Power Users)

  • Use account abstraction or wallet-factory patterns to separate hot and signing keys.

  • Implement timelock modules for large transfers.

  • Air-gapped cold storage for high-value transactions.

  • On-chain alert bots for auto-freeze or co-signer notifications.


11. How to Write a Police Report or Exchange Ticket


Example statement:

“My wallet [address] was compromised on [date/time UTC], and unauthorized transfers occurred to [attacker addresses]. I’ve attached transaction links, screenshots, and antivirus scans. Police case ID will be provided.”

Attach your evidence, police report, and request immediate preservation/freeze.


12. Final Reality Check & Mindset


Successful recoveries depend on speed, evidence, and cooperation. The earlier you act and the more complete your documentation, the higher the chance of recovery.

Prevention beats recovery: Hardware wallets + multisig + minimal approvals + cautious online behavior will stop most hacks.



Quick Checklist — What to Do Right Now


✅ Don’t reuse the compromised wallet.

✅ Gather TX URLs, screenshots, and timestamps on a clean device.

✅ File a police report and get a case ID.

✅ Send evidence and case ID to exchanges and AML providers.

✅ Scan and, if necessary, reinstall OS on compromised devices.

✅ Create new hardware wallets and migrate funds.

✅ Revoke old token approvals safely.




© 2020 by AEM LEDGER.
