hacked.com

Bitcoin stolen or wallet compromised: containment and recovery steps

When Bitcoin is stolen, the hard truth is that the underlying transactions are generally irreversible. Most recovery outcomes come from fast containment and from catching funds while they are still inside a custodial service (an exchange, a broker, or a payment platform) that can freeze accounts and cooperate with law enforcement.

Safety note: Never share your seed phrase, private keys, or recovery codes with anyone. No legitimate support team needs them, and sharing them usually turns one incident into a total loss.

Triage checklist: stop the bleed before you investigate

  • Identify your custody model. Are you using an exchange account, a software wallet you control, a hardware wallet, or a multisig setup? The correct containment step depends on this.
  • Secure your email immediately. If your exchange or wallet uses email for resets, the inbox is part of the control plane.
  • Lock down accounts that can move funds. Change passwords, enable 2FA, revoke sessions, and remove unknown devices.
  • Preserve evidence. Record transaction IDs, addresses, timestamps, support ticket numbers, and screenshots of relevant settings changes. Do not "clean up" messages until you have documented them.
  • Move remaining funds only from a known-clean device. If you suspect malware or clipboard hijacking, do not keep using the same computer or phone to create new transactions.

Decide what happened (the incident type changes the response)

Incident type: Exchange account takeover
  Common indicators: New withdrawals, new devices, new API keys, "login from new location" alerts
  Best next move: Freeze the account via official support, revoke API keys, reset credentials and 2FA, and document withdrawals

Incident type: Seed phrase or private key exposure
  Common indicators: Funds moved from a self-custody wallet without any exchange login activity
  Best next move: Assume full compromise: create a new wallet on a clean device and move any remaining funds to new keys

Incident type: Address substitution or clipboard hijacking
  Common indicators: The destination address on-chain is not the one you intended
  Best next move: Stop transacting on that device, scan for malware, and rebuild from known-good sources

Incident type: Social engineering scam
  Common indicators: You were pressured to "verify" or send crypto to unlock something
  Best next move: Stop communication, report, and harden the accounts and devices used during the scam

Incident type: Fake wallet or fake support
  Common indicators: You installed a new wallet, browser extension, or "support" tool shortly before the theft
  Best next move: Remove the software, rotate credentials, and treat the device as compromised

Key idea: If your seed phrase was exposed, there is no "partial compromise". Plan as if the attacker owns that wallet permanently.

If the theft involves an exchange or custodial service

Exchanges can sometimes stop withdrawals or freeze funds if you act quickly and use the official support channel. Do not rely on DMs, "support" accounts, or phone numbers that appear in comments.

  • Use the platform's official support flow and create a ticket immediately.
  • Request an account freeze or withdrawal lock if the platform offers it.
  • Revoke API keys and connected apps you do not recognize.
  • Reset your password and enable 2FA with an authenticator app if supported.
  • Review the withdrawal whitelist (if available) and remove any attacker-added addresses.

If the attacker also compromised your email inbox, secure that first. Otherwise you can get stuck in a loop where the attacker simply resets your recovery again.

API keys, trading bots, and "connected apps"

If you use automated trading tools, portfolio trackers, or third-party apps, they often rely on API keys. Those keys can be a withdrawal path or a surveillance path depending on permissions.

  • Revoke API keys you do not recognize and rotate any keys that were stored on compromised devices.
  • Prefer read-only keys for tracking tools. Only grant withdrawal permissions when you have a clear need.
  • Check whether the exchange supports withdrawal whitelists, device approvals, and withdrawal delays. These controls can buy you time during a takeover.

If you control the wallet (software wallet or hardware wallet)

Self-custody incidents split into two buckets: the attacker either stole your keys (seed phrase, private key, signing device) or they manipulated the transaction you created (address substitution). The containment is different.

Key exposure response

  • Create a new wallet on a known-clean device. Avoid importing the old seed phrase into new software.
  • Move any remaining funds to the new wallet. Assume the old keys are permanently unsafe.
  • Review where the seed phrase was stored: photos, cloud notes, password managers, paper backups, or "backup" services. Remove copies and tighten that system.

Transaction manipulation response

  • Stop sending funds from that device until you have checked for malware and browser extension compromise.
  • When you do transact again, verify the destination address on a second screen (for example, a hardware wallet display) and confirm the first and last characters match what you expect.
  • Keep wallet software and the operating system updated, and remove unknown extensions. See how to detect fake websites and stores for patterns that apply to fake wallet download pages.

Reporting and evidence (what helps and what does not)

Reporting does not guarantee recovery, but it can enable freezing funds at custodians, help identify fraud rings, and support insurance or financial remediation in related cases.

  • File a complaint with IC3 if you are in the United States or the incident touches US services.
  • Report fraud at ReportFraud.ftc.gov for broader consumer fraud tracking.
  • If you used a bank transfer, card, or ACH to fund the scam, contact your bank immediately. Timing matters.

Collect facts, not theories: transaction IDs, destination addresses, platform account IDs, email headers where relevant, and the timeline of what you did. If you later work with investigators, that timeline is what they can act on.

What not to do after funds move

After funds move on-chain, it is tempting to chase the thief directly. Most of those actions either do nothing or create new risk.

  • Do not pay additional "fees" to unlock funds. This is a common scam pattern.
  • Do not install remote access tools at the request of a stranger offering help.
  • Do not attempt vigilante actions or "hacking back". Focus on containment, documentation, and official reporting.

Your highest leverage is still containment. If any accounts, devices, or keys remain uncertain, assume they are compromised and tighten them before you do anything else.

Recovery scams: the second wave after a theft

After a theft, many victims are targeted again by "recovery" scammers. They monitor public posts, support forums, and even leaked customer lists. The pitch is always the same: they claim special access, guaranteed recovery, or a way to reverse transactions.

  • Anyone asking for your seed phrase, private key, or "verification" code is trying to steal what remains.
  • Be cautious with unsolicited DMs offering help. Use official support channels for exchanges and software vendors.
  • Do not install remote access tools at the request of someone claiming to be support.

What to ask an exchange or custodian to do

If the funds touched a custodial service, speed and clarity matter. Support teams can sometimes lock withdrawals or flag accounts, but they need a clean report.

  • Ask whether they can freeze withdrawals and whether they can flag destination addresses associated with the incident.
  • Ask for the timeline of sign-ins, new devices, new API keys, and security setting changes.
  • Confirm whether any withdrawal whitelist or address book was changed and request a reset if available.
  • Ask how they handle law enforcement requests and what documentation they require.

Keep your ticket numbers and do not split the story across many chats. A single, consistent narrative with transaction IDs and timestamps is easier for support and investigators to act on.

Seed phrase storage mistakes that cause "mystery" thefts

Most self-custody losses trace back to one of a few storage mistakes. If you are diagnosing how the theft happened, check these first.

  • Seed phrase photographed or stored in cloud photos, notes apps, or email drafts.
  • Seed phrase typed into a website, form, or "support" chat.
  • Seed phrase imported into multiple wallet apps, increasing the number of devices that can leak keys.
  • Backup phrase stored with the wallet device, making theft or burglary a full compromise.

Multisig and passphrases (when they help)

For larger balances, additional key separation can reduce single-point-of-failure risk. The tradeoff is complexity. Complexity only helps if you can operate it calmly during recovery.

  • A wallet passphrase can protect a seed phrase from casual exposure, but only if you can reliably store and recall it. Losing it can be permanent loss.
  • Multisig setups can reduce theft from a single compromised device, but they require disciplined backups and clear procedures for key recovery.
  • If you are not ready for multisig, a hardware wallet plus strict seed phrase handling is a meaningful upgrade over exchange-only custody for many users.

Rule of thumb: Add complexity only when you have rehearsed recovery. A control you cannot use under stress becomes a new failure mode.

Prevention that actually reduces loss

Bitcoin security is key management plus phishing resistance. The best defenses are boring and repeatable.

  • Use a hardware wallet for meaningful balances and keep the seed phrase offline. Bitcoin.org maintains practical wallet security guidance at Secure your wallet.
  • Use a password manager and unique passwords for exchange accounts and email.
  • Prefer authenticator-based 2FA over SMS when possible, and protect your phone number from port-out fraud.
  • Assume scams will use urgency. If a message demands immediate action, slow down and verify through a second channel.
  • Keep devices updated and watch for malware on systems that can sign transactions or access exchange accounts.

Operational habits that reduce mistakes

Many losses are not sophisticated attacks. They are failures of verification under time pressure. A few habits make those mistakes less likely.

  • For large transfers, send a small test transaction first and confirm it arrives where you expect.
  • Verify addresses out of band. If possible, verify on a hardware wallet screen instead of trusting the computer clipboard.
  • Download wallet software only from verified sources and double-check domain spelling. Fake download pages are common.
  • Keep separate devices or user profiles for finance-related activity if you routinely install new software or browser extensions.
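The address checks in the "Transaction manipulation response" list and in the habits above (verify the destination on a second screen, out of band, rather than trusting the clipboard) as an added Python example that is not part of the original article. It implements the BIP173/BIP350 bech32 checksum and then compares the pasted address with the one you verified out of band; the function names are this example's own, and the sample addresses are constructed here except for the BIP173 example address labelled in the code.

```python
# Added example (not from the article): the checksum catches typos; only exact comparison catches substitution.
CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
BECH32_CONST, BECH32M_CONST = 1, 0x2BC830A3          # BIP173 / BIP350 constants

def polymod(values):                                   # BIP173 BCH checksum core
    gen = [0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3]
    chk = 1
    for v in values:
        top, chk = chk >> 25, ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            chk ^= gen[i] if (top >> i) & 1 else 0
    return chk

def hrp_expand(hrp):
    return [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]

def decode_address(addr):
    """Return (hrp, 'bech32' | 'bech32m') for a well-formed address, else None."""
    if addr.lower() != addr and addr.upper() != addr:
        return None                                    # mixed case is invalid
    addr = addr.lower()
    pos = addr.rfind("1")
    if pos < 1 or pos + 7 > len(addr) or len(addr) > 90:
        return None
    if any(c not in CHARSET for c in addr[pos + 1:]):
        return None
    hrp, data = addr[:pos], [CHARSET.index(c) for c in addr[pos + 1:]]
    kinds = {BECH32_CONST: "bech32", BECH32M_CONST: "bech32m"}
    const = polymod(hrp_expand(hrp) + data)
    return (hrp, kinds[const]) if const in kinds else None  # None: checksum failed

def encode_address(hrp, data, const=BECH32_CONST):     # used only to build sample addresses
    pm = polymod(hrp_expand(hrp) + data + [0] * 6) ^ const
    checksum = [(pm >> 5 * (5 - i)) & 31 for i in range(6)]
    return hrp + "1" + "".join(CHARSET[d] for d in data + checksum)

def check_destination(intended, pasted):
    """Go/no-go before signing. A substituted address normally carries a valid
    checksum, so a wallet's 'valid address' indicator alone proves nothing."""
    decoded = decode_address(pasted)
    if decoded is None:
        return "REJECT: malformed address or checksum failure (typo or corrupted paste)"
    if pasted.lower() != intended.lower():             # compare the whole string, not the ends
        return "REJECT: valid address, but not the one verified out of band"
    return "OK"

# Constructed samples. INTENDED is the BIP173 P2WPKH example address.
INTENDED = "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4"
TYPO = INTENDED[:-1] + "5"                             # one wrong character
OTHER = encode_address("bc", [0] + [7] * 32)           # a different, valid address
```

Run `check_destination(INTENDED, pasted)` on whatever the wallet is about to sign for; anything other than "OK" means stop and re-verify from the source of the address.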

Most "Bitcoin hacks" are really failures of control plane hygiene: compromised email, reused passwords, weak 2FA, or unsafe key storage. If you can clearly separate custody types, contain access fast, and keep your keys and recovery channels private, you can dramatically reduce both the probability of theft and the size of the blast radius when something goes wrong.

The goal is not to become an expert in blockchains. It is to make the theft path expensive: attackers should need more than a phished password or a borrowed phone number to move value.

If you are unsure whether this was an account takeover, device compromise, or key exposure, treat the uncertainty as risk. Secure the inbox, secure the device, and rotate to new keys where appropriate until the system is predictable again.