New: Wallet recovery made easy with Ledger Recover, provided by Coincover

Get started

Up your Web3 game

Ledger Academy Quests

  • Test your knowledge
  • Earn POK NFTs
Play now See all quests

The Classroom

PATHWAY K) Launch a Crypto Project Securely: Wallets, Socials, and Protecting Your People

chapter 5/5

What To Do If Your Crypto Project Gets Hacked

Read 8 min
Beginner
KEY TAKEAWAYS:
— Wallet compromises usually happen through a user signing a malicious contract approval or mistakenly giving away access to their secret recovery phrase (seed phrase).

— If your project’s wallet or social account is compromised, there are a few key steps you can take to minimize further damage.

— Although account recovery is sometimes possible, social media services used in web3 have slow customer service so proactive prevention is key to mitigate risk.

Ever thought about launching your own web3 community? Join Ledger Academy and Boring Security in this series, exploring all the things you need to know to launch a token, platform, or DAO securely. Make sure you take the Ledger Quest to prove your knowledge at the end of the module!

This is the fifth and final article in the series, so if you missed them, you can find parts one, two, three and four here.

Scammers constantly search for new ways to steal assets and compromise social media accounts. Keeping up with their tactics can be challenging with so many attack vectors. That said, most scams follow similar patterns, repackaging vulnerabilities in different forms. 

So what happens if you do fall victim to a scam? This article will teach you how to identify a breach or compromise of your account, the steps to recover them, and how to prevent further losses.

Scams That Target Your Project’s Wallet

Some attacks render the compromised wallet completely unsafe, while others simply steal what they can in one malicious transaction or signature. By recognizing the signs of each, you may just be able to salvage your wallet and save any other assets at risk.

Malicious Transactions and Signatures

Common scams often involve signatures (gasless actions) and token approvals (cost gas). Sometimes, scammers will use methods to convince you to sign away your assets yourself. These come in two forms: signatures, where scammers try to leverage your open NFT approvals on marketplaces to create a private listing of your assets to the scammer’s wallet or Token approvals using the Permit2 protocol and approvals, where scammers will convince you to sign malicious approvals, granting a malicious smart contract the ability to move that approved asset on your behalf.

One way to quickly identify that this is how you were compromised (aside from being aware of what you had done at the time of the hack) is to check Etherscan or another block explorer. If you have been compromised, the ‘From’ address on all the most recent transactions in your wallet will be the scammer’s address. Another clue is that you might still have tokens of value that were higher than what was stolen. This likely means those weren’t affected by the transaction or signature you inadvertently signed.

Steps to Recover:

  1. Use the Revoke.cash or Etherscan’s token approval checker to revoke approvals given to the scam contract to revoke the malicious approvals. Typically, the damage is done immediately after granting malicious approvals, so this step is a measure to avoid additional future losses. 
  2. File a local police report and an IC3 complaint. It can take time to process, and the chances of recovering assets are slim, but it’s worth trying to recover assets and possibly identify the scammer.
  3. Contact security experts and on-chain sleuths who can follow the blockchain money trail and assist in identifying exchanges and parties involved in the scam.

Private Key and Secret Recovery Phrase Compromises 

A secret recovery phrase (seed phrase) compromise is the worst-case scenario and means that a scammer can drain every single account protected by that wallet.

Malware attacks, compromises on the Software Wallet provider, or even typing your Secret Recovery Phrase in a place where you shouldn’t, can cause you to completely lose control of your wallets. Sadly, these attacks are the easiest to identify, when they happen: you’re likely to find all of your wallet addresses completely drained of all their funds. In some cases, you may only lose the private key for a single wallet address, leaving other wallets unaffected, but that doesn’t make it any less dangerous.

That said, not all hope is lost. You may have staked assets, unclaimed airdrops, or illiquid assets that a scammer doesn’t know what to do with that might be able to be saved. Once a scammer has drained your wallet, they will often put your seed phrase or private keys in what we call a “sweeper bot”, which steals your ETH whenever you try and send any to it.  

One possible solution is to use flashbots to bundle multiple transactions into one. This allows victims to unstake assets and send them to another wallet before the scammer steals the ETH and remaining tokens.

Steps to Recover:

  1. Check and transfer any remaining assets on different chains to another wallet generated from a different Secret Recovery Phrase; usually, scammers go after assets on the most used chains. 
  2. You might be able to rescue some assets, as explained above. Contributors of Boring Security sometimes perform these ‘Flashbots Recoveries’, but depending on your situation, there are some providers that do this service for a fee. 
  3. Scan your devices and eliminate any malware; you may need to do a complete reinstall of the operating system.  
  4. Create a new seed phrase using a Hardware Wallet to secure your crypto and devices affected.

Scams That Target Your Social Media Accounts

Scammers frequently target social media accounts in crypto scams, including platforms like Instagram, Reddit, Discord, X, and emails. Using weak passwords or 2FA methods like SMS-based 2FA, or not using 2FA,  you risk of losing control of your social media accounts. Worse yet, with massive layoffs at both Discord and X, recovery of these accounts often doesn’t happen as quickly as most users would like. 

Password Leaks and Auth Token Compromises

To prevent password compromises on social media accounts, use password managers like Bitwarden and 1password. You should also generate unique passwords for each social media and email account, taking care to ensure they were created randomly and with high complexity.  Keep an eye on sites like Have I Been Pwned to let you know when your sensitive data has been leaked, breached, or hacked.

It’s also important to use two-factor authentication through an authentication app such as Google Authenticator or Authy, a security key such as a Yubikey, or set up a security key app on your Ledger device.

Do NOT use SMS 2FA and remove your phone number linked to your social media accounts as even having one connected to your socials makes it vulnerable to SIM Swaps (explained below).

Similar to password compromises, Discord Auth Token compromises allow the logged-in, active session token to be hijacked. This allows the hacker to control the Discord account as if they owned it, completely bypassing any 2FA. Change the password on the affected account to refresh the token and effectively revoke access from the scammers.

Steps to recover:

  1. Change your password and enable one of the preferred 2FA methods listed above
  2. Remove SMS as a 2FA option, and remove your phone number entirely from social media.
  3. Audit any of your account activity and alert your followers and anyone who may have been contacted while your account was compromised. Although embarrassing, announcing your compromise is the best approach, in case the scammer left DM conversations or deleted messages so that you can’t see what you’ve sent.

Malicious App Integrations on X

Malicious app integrations are increasingly pernicious in the web3 area. Are you signing up for a new airdrop or whitelist? You’ll probably need to connect your X to some application you’ve never used before. But what is happening is those connections are requesting far too many permissions we call “write” permissions, such as DM, Tweet, Follow/unfollow, etc. 

Some request so many permissions that these apps can completely act as you. In the wrong hands, whether maliciously or accidentally, this could lead to your X account becoming compromised, and perpetuating scams like crypto drainers, fake mints, etc. 

Revoking the malicious app integration will cease the attack, but figuring out which one can be difficult if you’ve given out these permissions to many applications. If that is the case, consider removing integrations and applications you don’t recognize, and no longer need/use, especially if they have any of these “write” permissions mentioned above.

Steps to recover:

  1. Start with your most recently added application with “write” permissions, and remove those apps from your account.
  2. Be sure to look at your tweets, tweet replies, and DMs and follow up with anyone who may have been sent a scam link to protect your friends and followers.

SIM Swap

The SIM Swap is one of the most common techniques scammers use to breach social media accounts. It starts with a scammer switching the SIM card associated with your mobile phone number. This redirects your texts and calls to a phone controlled by the scammer. If your carrier has fallen for this scam, you won’t be able to make calls or send messages.

Steps to recover:

  1. Contact your cell provider so they can restore your SIM and remove the scammer’s access.
  2. Contact X and fill out their compromised account report form.
  3. Consider adding a password to your mobile provider account, and adding SIM Swap Protection.

Final Thoughts

Security can be overwhelming, it takes effort to ensure that all defenses are in place, especially in the crypto world. But those defenses can be the decisive factor between losing your hard-earned assets or becoming part of why your friends and followers lose theirs.

Recovering social media accounts from X or Discord can take days or even weeks. Even the expedited service for gold check-mark verified accounts does little to help the recovery process.  Recovering lost funds doesn’t happen 95-99% of the time, and when it does happen, it is usually years later, and only a fraction of those funds get returned to you, and only if you have filed your losses with the proper authorities.

Prevention is the name of the game. Focus on that so you never have to worry about recovery, but if you ever do lose control, hopefully, this article can help you recognize what has happened and help you mitigate some of the damage.

This article was written by ReDzin for Boring Security. Follow him on X here, and check out Boring Security’s X account, Discord server, and official website for more information. And, of course, don’t forget to go and prove your knowledge on the rest of this module via Ledger Quest!


Stay in touch

Announcements can be found in our blog. Press contact:
[email protected]

Subscribe to our
newsletter

New coins supported, blog updates and exclusive offers directly in your inbox


Your email address will only be used to send you our newsletter, as well as updates and offers. You can unsubscribe at any time using the link included in the newsletter.

Learn more about how we manage your data and your rights.