What to do in the first 30 minutes
You have just realized your private key or seed phrase has been compromised. Maybe you typed it into a fake "Ledger update" tool. Maybe you photographed it for backup and the photo synced to a now-breached cloud account. Maybe you noticed a small unauthorized withdrawal and the source is your own seed.
The next 30 minutes determine how much you recover and how much you lose. The steps below are in priority order.
Minute 0–5: Triage
- Open a clean device — a phone or laptop that has never had the compromised wallet on it. Not the device where the leak happened.
- Generate a new seed on a fresh hardware wallet, or import to a known-clean hot wallet. Record the new seed offline.
- Note the addresses of the new wallet. You will be sending funds here.
Minute 5–15: Move stablecoins first
Stablecoins are the attacker's highest-priority drain target because they have stable value and immediate liquidity. Move them first. In order:
- USDC, USDT, DAI, BUSD on the chain with the most holdings.
- Then the same stablecoins on other chains (Polygon, Arbitrum, BSC) if you hold them there.
- Send each transfer to the new wallet. Use moderate gas (not lowest) so the transactions confirm in 1–2 blocks.
Minute 15–25: Move liquid majors
ETH, BTC (on Lightning if you hold there), SOL, BNB, MATIC. These have liquidity but the attacker may dump them at small slippage, so they are the second-priority target.
If you have NFTs on the compromised wallet, move the highest-value ones now too. Each NFT is one transaction.
Minute 25–30: Long-tail and farewell
Move whatever is left — long-tail tokens, vested positions, staked assets if you can unstake quickly. Some staked positions have lockup periods; you may have to abandon those.
The wallet itself should now be empty or near-empty. Do not "save" it as a low-value wallet — it is permanently in the attacker's queue and will be drained the moment any value lands on it.
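The sweep above is a sequence of ERC-20 transfers, each sent to the token contract with the rescue wallet encoded in the calldata. The following Python is an added example, not part of this guide: it orders a portfolio the way the guide prioritises it (stablecoins by value, then liquid majors, then long tail) and hand-builds the transfer calldata, plus the approve(spender, 0) calldata that the revocation step in the next section relies on. The 4-byte selectors are the standard ERC-20 ones; every address, balance and token in the sample portfolio is a constructed placeholder. Signing and broadcasting are left to whatever wallet or RPC client you use.

```python
# Added example (not from the original guide): order the sweep by the guide's
# priority tiers and build raw ERC-20 calldata for each transfer, plus the
# approve(spender, 0) calldata used to revoke an allowance.
# Every address, balance and token below is a constructed placeholder.

# Standard ERC-20 4-byte selectors, hardcoded so this runs with no dependencies:
#   keccak256("transfer(address,uint256)")[:4] and keccak256("approve(address,uint256)")[:4]
TRANSFER_SELECTOR = "a9059cbb"
APPROVE_SELECTOR = "095ea7b3"

# Tier order from the guide: stablecoins, then liquid majors, then long tail.
TIER_RANK = {"stable": 0, "major": 1, "longtail": 2}


def _addr_word(addr):
    """ABI-encode an address: 20 bytes left-padded to a 32-byte word."""
    h = addr.lower()
    h = h[2:] if h.startswith("0x") else h
    if len(h) != 40 or any(c not in "0123456789abcdef" for c in h):
        raise ValueError(f"malformed address: {addr}")
    return h.rjust(64, "0")


def _uint_word(n):
    """ABI-encode a uint256 as a 32-byte big-endian word."""
    if not 0 <= n < 2**256:
        raise ValueError("amount out of uint256 range")
    return f"{n:064x}"


def encode_transfer(recipient, amount):
    """Calldata for token.transfer(recipient, amount). The tx itself targets the token contract."""
    return "0x" + TRANSFER_SELECTOR + _addr_word(recipient) + _uint_word(amount)


def encode_revoke(spender):
    """Calldata for token.approve(spender, 0): sets that spender's allowance to zero."""
    return "0x" + APPROVE_SELECTOR + _addr_word(spender) + _uint_word(0)


def plan_sweep(holdings, rescue_wallet):
    """holdings: dicts with symbol, chain, contract, tier, balance (raw token units), value_usd.
    Returns one planned transaction per non-empty holding, highest priority first."""
    live = [h for h in holdings if h["balance"] > 0]
    ordered = sorted(live, key=lambda h: (TIER_RANK[h["tier"]], -h["value_usd"]))
    return [
        {
            "step": i + 1,
            "symbol": h["symbol"],
            "chain": h["chain"],
            "to": h["contract"],  # the transaction target is the token contract ...
            "data": encode_transfer(rescue_wallet, h["balance"]),  # ... the recipient lives in calldata
            "value_usd": h["value_usd"],
        }
        for i, h in enumerate(ordered)
    ]


# Constructed sample portfolio (placeholder contract addresses, not real ones).
RESCUE = "0x" + "bb" * 20
HOLDINGS = [
    {"symbol": "USDC", "chain": "ethereum", "contract": "0x" + "01" * 20, "tier": "stable", "balance": 25_000 * 10**6, "value_usd": 25_000},
    {"symbol": "USDT", "chain": "polygon", "contract": "0x" + "02" * 20, "tier": "stable", "balance": 4_000 * 10**6, "value_usd": 4_000},
    {"symbol": "WETH", "chain": "ethereum", "contract": "0x" + "03" * 20, "tier": "major", "balance": 5 * 10**18, "value_usd": 12_000},
    {"symbol": "DAI", "chain": "ethereum", "contract": "0x" + "04" * 20, "tier": "stable", "balance": 0, "value_usd": 0},
    {"symbol": "FOO", "chain": "arbitrum", "contract": "0x" + "05" * 20, "tier": "longtail", "balance": 10**22, "value_usd": 300},
]


def sweep_order(holdings=HOLDINGS, rescue=RESCUE):
    """Symbols in the order they would be swept; empty holdings are skipped."""
    return [tx["symbol"] for tx in plan_sweep(holdings, rescue)]


if __name__ == "__main__":
    for tx in plan_sweep(HOLDINGS, RESCUE):
        print(f'{tx["step"]}. {tx["symbol"]} on {tx["chain"]} -> to={tx["to"]} data={tx["data"][:18]}...')
```

Note that native ETH, SOL or BNB are not ERC-20 tokens and move with a plain value transfer rather than this calldata; the planner models WETH for that reason. Ordering within a tier by USD value reflects the guide's "chain with the most holdings first" rule, which raw balances cannot express because tokens have different decimals.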
The first hour after the rescue
- Revoke all approvals. Go to revoke.cash, connect the (now empty) compromised wallet, and revoke every approval. This costs gas but stops any pending Permit signatures from draining future deposits.
- Audit all linked services. Did the compromised wallet have approvals on Uniswap, Aave, Compound? Did it have CEX deposit addresses linked? Each integration is a re-attack vector.
- Check for related leaks. If the seed was leaked via a phishing site, what else did you give that site? Email? Phone? CEX login? Treat the compromise as a cluster, not a single event.
The forensic step (do this even if you recovered)
Use Etherscan plus a block-explorer analysis tool (Arkham or Nansen for advanced users, or just Etherscan's address page) and note the attacker's destination addresses. File IC3 (ic3.gov) with full transaction hashes. If the attacker eventually routes funds through a US-licensed exchange, your IC3 report is the document that may enable a freeze 6–18 months later. Recovery rates are low (3–8% by industry estimates) but not zero.
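Both the approvals audit in the previous section and the forensic note-taking here come down to reading the wallet's ERC-20 event logs. The Python below is an added example, not part of this guide: it decodes raw logs in the shape a JSON-RPC eth_getLogs call returns, lists every outbound transfer after the compromise block grouped by destination with the transaction hashes an IC3 filing needs, and reports which (token, spender) allowances are still non-zero and need revoking. The two event topic hashes are the standard keccak256 values for the ERC-20 Transfer and Approval signatures; all addresses, hashes and amounts in the sample logs are constructed, and the compromise block is an assumed value you would replace with the block of the first unauthorised transaction.

```python
# Added example (not from the original guide): offline triage of raw ERC-20
# event logs in the shape eth_getLogs returns, to (a) list where funds left the
# compromised wallet, with tx hashes for the IC3 report, and (b) find approvals
# that are still open and need revoking. All addresses, hashes and amounts in
# SAMPLE_LOGS are constructed sample data, not real on-chain values.
from collections import defaultdict

# keccak256 of the canonical ERC-20 event signatures (standard values).
TRANSFER_TOPIC = "0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef"
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"


def topic_addr(topic):
    """Indexed address params are left-padded to 32 bytes; keep the low 20."""
    return "0x" + topic[-40:].lower()


def decode(log):
    """Decode a Transfer/Approval log; return None for anything else."""
    topics = log["topics"]
    if len(topics) != 3 or topics[0] not in (TRANSFER_TOPIC, APPROVAL_TOPIC):
        return None
    block = log["blockNumber"]
    return {
        "kind": "transfer" if topics[0] == TRANSFER_TOPIC else "approval",
        "token": log["address"].lower(),
        "src": topic_addr(topics[1]),  # from (Transfer) / owner (Approval)
        "dst": topic_addr(topics[2]),  # to (Transfer) / spender (Approval)
        "value": int(log["data"], 16),
        "tx": log["transactionHash"],
        "block": int(block, 16) if isinstance(block, str) else block,
    }


def trace_outflows(logs, victim, from_block, known_good=()):
    """Outbound transfers from `victim` at or after `from_block`, grouped by destination.
    Addresses in `known_good` (e.g. your own rescue wallet) are excluded."""
    victim = victim.lower()
    good = {a.lower() for a in known_good}
    report = defaultdict(lambda: {"amounts": defaultdict(int), "txs": []})
    for ev in filter(None, map(decode, logs)):
        if ev["kind"] != "transfer" or ev["src"] != victim:
            continue
        if ev["block"] < from_block or ev["dst"] in good:
            continue
        entry = report[ev["dst"]]
        entry["amounts"][ev["token"]] += ev["value"]
        if ev["tx"] not in entry["txs"]:
            entry["txs"].append(ev["tx"])
    return {d: {"amounts": dict(e["amounts"]), "txs": e["txs"]} for d, e in report.items()}


def open_approvals(logs, victim):
    """Latest Approval per (token, spender) whose allowance is still non-zero."""
    victim = victim.lower()
    latest = {}
    for ev in sorted(filter(None, map(decode, logs)), key=lambda e: e["block"]):
        if ev["kind"] == "approval" and ev["src"] == victim:
            latest[(ev["token"], ev["dst"])] = ev["value"]
    return sorted((t, s, v) for (t, s), v in latest.items() if v > 0)


# ---- constructed sample data (placeholders, not real addresses or hashes) ----
def _word(n):
    return "0x" + f"{n:064x}"


def _topic(addr):
    return "0x" + addr[2:].lower().rjust(64, "0")


def _log(topic0, token, a, b, value, tx, block):
    return {"address": token, "topics": [topic0, _topic(a), _topic(b)],
            "data": _word(value), "transactionHash": tx, "blockNumber": hex(block)}


VICTIM, RESCUE, ATTACKER = "0x" + "aa" * 20, "0x" + "bb" * 20, "0x" + "cc" * 20
SPENDER_1, SPENDER_2 = "0x" + "d1" * 20, "0x" + "d2" * 20
USDC, ETHX = "0x" + "01" * 20, "0x" + "02" * 20  # placeholder token contracts
COMPROMISE_BLOCK = 110  # assumed: block of the first unauthorised transaction

SAMPLE_LOGS = [
    _log(APPROVAL_TOPIC, USDC, VICTIM, SPENDER_1, 2**256 - 1, "0x" + "f1" * 32, 90),
    _log(APPROVAL_TOPIC, ETHX, VICTIM, SPENDER_2, 10**21, "0x" + "f2" * 32, 95),
    _log(TRANSFER_TOPIC, USDC, "0x" + "ee" * 20, VICTIM, 100 * 10**6, "0x" + "f3" * 32, 100),  # inflow
    _log(TRANSFER_TOPIC, USDC, VICTIM, ATTACKER, 5_000 * 10**6, "0x" + "f4" * 32, 120),
    _log(TRANSFER_TOPIC, USDC, VICTIM, RESCUE, 20_000 * 10**6, "0x" + "f5" * 32, 121),  # your sweep
    _log(TRANSFER_TOPIC, ETHX, VICTIM, ATTACKER, 3 * 10**18, "0x" + "f6" * 32, 122),
    _log(APPROVAL_TOPIC, USDC, VICTIM, SPENDER_1, 0, "0x" + "f7" * 32, 125),  # revoked
]

if __name__ == "__main__":
    for dst, e in trace_outflows(SAMPLE_LOGS, VICTIM, COMPROMISE_BLOCK, [RESCUE]).items():
        print("outflow to", dst, e["amounts"], "txs:", e["txs"])
    print("still approved:", open_approvals(SAMPLE_LOGS, VICTIM))
```

Only plain ERC-20 events are decoded; native-coin transfers and contract-internal moves do not emit these logs and need the explorer's trace view. When several approvals land in the same block, real logs should be ordered by log index as well as block number before taking the latest.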
The hard truth
Most compromises lose everything in the affected wallet. The 30-minute rescue protocol described above is for the cases where you noticed early. For the cases where you noticed late, the funds are gone. Build the next custody setup with the assumption that you will be attacked again — and design so that one compromise does not lose everything.