Shepley Capital

Wallets and Security - Cryptopedia by Shepley Capital

How to Check if Your Crypto Wallet Has Been Compromised

Why Wallets Get Compromised

A compromised crypto wallet is one where an unauthorised party has gained the ability to transfer or control your assets. This can happen in several ways: your seed phrase was exposed, your private key was stolen, you signed a malicious token approval, or malware on your device captured your credentials. Each path of compromise requires a different response, but the immediate priority is always the same: determine the scope of the breach and act quickly to protect any remaining assets.

Many people do not realise their wallet has been compromised until they notice missing funds. By that point, recovery of stolen assets is usually impossible. This is why building the habit of proactive monitoring, rather than waiting to discover a problem, is so important. Blockchain transactions are public and permanent: every transfer in and out of your wallet is recorded and viewable by anyone with the wallet address. This transparency, which is often seen as a privacy concern, is actually a powerful tool for security monitoring.

Understanding what “compromised” means technically is also important. An attacker may have full control of your wallet through possession of the seed phrase, giving them the ability to access your wallet from any device, now and in the future, regardless of what you do on your current device. Or they may have a time-limited approval that allows them to drain a specific token at any time until that approval is revoked. Or they may have installed malware that captures new seed phrases or private keys if you generate them. The type of compromise determines the appropriate recovery strategy.

Warning Signs Your Wallet May Be Compromised

The most obvious sign is funds you did not send appearing to have left your wallet. But there are subtler warning signs worth watching for, especially if you are proactively monitoring before a drain has occurred.

Unexpected Token Approvals

If you see approvals granted to addresses you do not recognise, this is a serious warning sign. An approval does not immediately drain your wallet, but it gives the holder the ability to do so at any time. Regularly checking your active token approvals using tools like Revoke.cash, or the Etherscan token approvals page, should be a standard part of your security routine. See the guides on token approvals and why they matter, and on how to revoke smart contract approvals, for detailed instructions.

Transactions You Did Not Initiate

Any outgoing transaction from your wallet that you did not personally authorise is a clear indicator of compromise. Check your transaction history using a blockchain explorer for your network. Even small test transactions that an attacker sends before a larger drain (sometimes called “dust transactions” or reconnaissance transfers) are worth investigating.

New Wallet Connections You Do Not Recognise

Some wallet interfaces, like MetaMask, allow you to see which sites have requested and received permission to view your wallet address. If you see connections to sites you do not recognise or did not visit intentionally, revoke them immediately.

Clipboard Changes or Unusual Device Behaviour

Clipboard hijacking malware monitors your clipboard and replaces copied wallet addresses with attacker-controlled ones. If you paste a wallet address and the pasted address differs from what you copied, your device may be infected. Unusual device behaviour such as unexpected slowdowns, unknown processes in task manager, or applications you did not install can also indicate malware presence.

How to Check a Wallet Address Using Block Explorers

Blockchain explorers are your primary tool for investigating wallet activity. Every transaction on a public blockchain is recorded and searchable. Here is how to use them to check for signs of compromise.

For Ethereum-based wallets, Etherscan is the standard tool. Navigate to etherscan.io and enter your wallet address in the search bar. You will see a complete transaction history, including incoming and outgoing transfers, token approvals, and contract interactions. Look for any outgoing transactions you do not recognise, any approvals you did not intentionally grant, and any interactions with unfamiliar smart contract addresses.

For Solana-based wallets, Solscan provides equivalent functionality. For Bitcoin wallets, mempool.space or blockchain.com allow you to search your address and view your complete transaction history. Many other networks have their own block explorers, and most can be found by searching for the network name followed by “block explorer.”

When reviewing your transaction history, pay particular attention to recent activity. Attackers often execute drains quickly after obtaining access, so if there is a compromise, the evidence will usually be in recent transactions. Look for outgoing transfers to addresses you do not recognise, especially if those addresses also appear in other known drain transactions (cross-referencing on Etherscan’s address page can sometimes reveal this).

For token approvals specifically, go to your wallet address on Etherscan and select the “Token Approvals” tab (available under the address details). This shows all active approvals your wallet has granted to other smart contracts. Any approval with “Unlimited” or a very large token amount to an address you do not recognise should be revoked immediately, even before you confirm whether a drain has already occurred.
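The same review can be scripted over exported event logs. The sketch below is an added example, not part of the original article or of any tool it names: it replays ERC-20 Approval logs in chain order, drops approvals that were later revoked, and flags what remains for spenders outside your own allowlist. The function names, the "very large" cut-off and the assumption that blockNumber and logIndex are already integers are choices made for this example; all addresses and logs are constructed sample data.

```python
# Added example. All addresses and logs below are constructed sample data.
APPROVAL_TOPIC = ("0x8c5be1e5ebec7d5bd14f71427d1e84f3"
                  "dd0314c0f7b2291e5b200ac8c7c3b925")  # keccak256("Approval(address,address,uint256)")
UNLIMITED = 2**256 - 1
VERY_LARGE = 2**255  # assumed cut-off for "effectively unlimited"

def topic_to_address(topic):
    # Indexed addresses are left-padded to 32 bytes; keep the last 20.
    return "0x" + topic[-40:].lower()

def active_approvals(logs, owner):
    """Replay Approval logs in chain order; return {(token, spender): amount}."""
    state = {}
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        topics = log["topics"]
        # ERC-721 Approval shares topic0 but has 4 topics, so require exactly 3.
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue
        if topic_to_address(topics[1]) != owner.lower():
            continue
        key = (log["address"].lower(), topic_to_address(topics[2]))
        amount = int(log["data"], 16)
        if amount == 0:
            state.pop(key, None)  # approving 0 revokes the allowance
        else:
            state[key] = amount   # a later approval replaces the earlier one
    return state

def flag_approvals(logs, owner, known_spenders):
    """List active approvals to spenders outside the user's own allowlist."""
    known = {s.lower() for s in known_spenders}
    return [{"token": token, "spender": spender, "unlimited": amount >= VERY_LARGE}
            for (token, spender), amount in sorted(active_approvals(logs, owner).items())
            if spender not in known]

def _log(block, index, spender, amount):
    pad = lambda a: "0x" + "0" * 24 + a[2:]
    return {"address": TOKEN, "blockNumber": block, "logIndex": index,
            "topics": [APPROVAL_TOPIC, pad(OWNER), pad(spender)],
            "data": "0x" + format(amount, "064x")}

OWNER, TOKEN = "0x" + "aa" * 20, "0x" + "01" * 20
DEX, UNKNOWN, OLD = "0x" + "d1" * 20, "0x" + "bb" * 20, "0x" + "cc" * 20
SAMPLE_LOGS = [_log(110, 1, OLD, 0),             # revokes the block-102 approval
               _log(100, 0, DEX, 5 * 10**18),    # recognised spender
               _log(101, 2, UNKNOWN, UNLIMITED), # unrecognised, unlimited
               _log(102, 0, OLD, UNLIMITED)]

if __name__ == "__main__":
    for finding in flag_approvals(SAMPLE_LOGS, OWNER, [DEX]):
        print(finding)
```

The amount in an Approval log is what was granted, and later spending can reduce it without a new log, so treat the output as a list of approvals to review and revoke rather than an exact measure of exposure.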

Steps to Take Immediately if You Suspect Compromise

If you have any reason to believe your wallet may be compromised, treat it as confirmed and act accordingly. The cost of unnecessary caution is minimal. The cost of delayed action when compromise is real can be total loss.

Step 1: Transfer Remaining Assets Out Immediately

Using a different, trusted device (not the one you suspect may be compromised), create a completely new wallet and generate a fresh seed phrase. Transfer all remaining assets from the potentially compromised wallet to this new wallet as quickly as possible. If you use a hardware wallet, transfer to that. Do not reuse the potentially compromised wallet for anything further.

Step 2: Revoke All Suspicious Approvals

Using the new, clean wallet (or a trusted device), go to Revoke.cash or Etherscan’s token approval checker and revoke all approvals from the compromised wallet that you do not recognise. While this does not recover already stolen funds, it prevents further drainage if the attacker has not yet executed their approvals.

Step 3: Secure Your Devices

Run a full malware scan on any device used with the compromised wallet. If you suspect keylogger or clipboard hijacking malware, the safest option is to wipe the device entirely and reinstall from scratch. A compromised device will continue to be dangerous even after you create a new wallet, because any new seed phrase generated on it may be captured by the malware.

Step 4: Document and Report

Record all transaction hashes related to the theft, the attacker’s wallet address, the timestamps, and any phishing sites or messages that may have been involved. Report the crypto scam to relevant authorities including the ACCC’s Scamwatch, the Australian Cyber Security Centre, and any exchanges where the stolen funds may have been sent. Flag the attacker’s address on Etherscan using the “Report” function.

How to Recover and Rebuild Your Security

After a compromise, rebuilding is both a practical and psychological challenge. The practical steps come first: new wallet, new seed phrase, new security practices. The psychological challenge is overcoming the loss and rebuilding confidence without becoming paralysed by fear.

When generating a new seed phrase, do it on a device that is confirmed clean, ideally a hardware wallet that generates the seed phrase on its own secure hardware rather than on a potentially compromised computer. Store the new seed phrase securely using the best practices outlined in the seed phrase storage guide. Consider using advanced seed phrase storage techniques including metal backups for long-term resilience.

Revisit your entire security setup using the self-custody crypto security guide as a framework. Assess which practices contributed to the compromise and build in the layers that would have prevented it. Was your seed phrase stored digitally? Was your hot wallet connected to too many unknown sites? Did you approve a transaction without reading it carefully? Each lesson is an opportunity to build a more robust security posture.

For significant holdings, consider whether a dedicated cold storage setup using a hardware wallet like a Ledger or Trezor is appropriate. Hardware wallets provide a significant security upgrade because the private keys never leave the device and every transaction requires physical confirmation. The complete hardware wallet guide covers how to choose and set up the right device for your needs.

Building Ongoing Wallet Monitoring Habits

The most resilient crypto security posture is one that includes regular, proactive monitoring rather than only reacting to visible problems. The following habits, once established, take minutes per month but can make the difference between catching a compromise early and discovering it too late.

Set a monthly calendar reminder to check your wallet’s active token approvals. Any approval granted to an address you do not recognise, or that you no longer have reason to maintain, should be revoked. This takes under ten minutes using Revoke.cash and eliminates a significant category of ongoing risk.

Periodically verify that your seed phrase backup is intact and legible. Backup degradation, physical damage, or simply losing track of where a backup is stored are all common causes of permanent access loss. The guide on how to back up a crypto wallet covers the full backup verification process.

Use different wallets for different risk levels. Your main long-term holdings should be in a cold wallet that you rarely connect to anything. An interaction wallet for DeFi and new protocols should hold only amounts you are comfortable losing. This compartmentalisation is the single most effective structural change most users can make to their overall security posture. Read “not your keys, not your crypto” to understand why ownership and control of your private keys is the foundation of everything else.

The Bottom Line: Proactive Security Beats Reactive Recovery

Checking whether your wallet has been compromised is a reactive skill. Building the habits that make compromise unlikely in the first place is the more valuable goal. The two work together: regular monitoring catches problems early, while strong security practices prevent most problems from occurring.

The tools exist, the knowledge is available, and the steps are straightforward. Using a hardware wallet, securing your MetaMask, managing token approvals, and understanding how wallet draining attacks work are all pieces of a complete security picture. The Cryptopedia library covers every layer of crypto security in detail.

WRITTEN & REVIEWED BY Chris Shepley

UPDATED: MAY 2026
