"This account might be malicious. Do not send or deposit funds into it. Please proceed with caution."


If you see "This account might be malicious. Do not send or deposit funds into it. Please proceed with caution," Phantom has detected that the Solana account you are viewing may be controlled by a scammer or malicious program. This warning is based on onchain activity and signals that interacting with the account may be unsafe.

This warning does not mean Phantom has blocked your account. It indicates that the account may be controlled by malicious program logic that can prevent withdrawals or automatically drain funds.

Warning: Do not send funds to this account. If the account is under malicious control, any new deposits may be stolen immediately. Never share your Secret Recovery Phrase or private key with anyone. Phantom Support will never ask for your recovery phrase or private key.

Fund recovery

Whether your funds can be recovered depends on what happened. In some situations you may be able to recover tokens using a third-party recovery tool. In other cases, funds cannot be recovered once control of the account has been reassigned. The following steps will help you determine what happened and whether recovery may be possible.

Step 1: Check if your account ownership was changed

Every Solana account has an owner program. If you approved a malicious transaction, ownership of your account may have been reassigned to a different program. When this happens, the new program may block you from moving funds.

  1. In Phantom, go to the Home tab and select Receive.
  2. Copy the Solana address from the account that shows the warning.
  3. Go to solscan.io and paste your address into the search bar.
  4. In the More info section, locate the Owner field.

If the owner is System Program, ownership of the account has not changed. The warning may still appear if you imported a Secret Recovery Phrase or private key that someone else also controls. In this case, skip to Step 3.

[Image: malicious-system-program.png, Solscan "Owner" field showing System Program]

If the Owner is anything other than System Program, your account has likely been reassigned to a malicious program. Continue to Step 2 to attempt recovery.

[Image: malicious-compromised.png, Solscan "Owner" field showing a program other than System Program]
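The Owner field that Solscan displays in Step 1 comes from the Solana RPC method getAccountInfo. The following script is an added example, not Phantom's or Solscan's code: it builds the getAccountInfo request body and classifies the `owner` of a returned account the same way Step 1 does (System Program means ownership is unchanged; anything else means the account has been reassigned). The sample responses are constructed inline so the script runs offline, and the reassigned owner `ExampleMaliciousProgram1111111111111111111` is a made-up placeholder, not a real program address. One caveat the article does not spell out: token accounts are legitimately owned by the SPL Token Program, so the "anything other than System Program" rule applies to your wallet's main address, not to the token account addresses listed under it.

```python
import json

# Well-known program IDs. The System Program is the all-ones address;
# the SPL Token Program owns every standard token account.
SYSTEM_PROGRAM_ID = "11111111111111111111111111111111"
SPL_TOKEN_PROGRAM_ID = "TokenkegQfeZyiNwAJbNbGKPFXCWuBvf9Ss623VQ5DA"


def build_get_account_info_request(address: str, request_id: int = 1) -> dict:
    """Build the JSON-RPC body for getAccountInfo. Posting it to an RPC
    endpoint is left to the caller; the response is what classify_owner reads."""
    return {
        "jsonrpc": "2.0",
        "id": request_id,
        "method": "getAccountInfo",
        "params": [address, {"encoding": "jsonParsed"}],
    }


def classify_owner(rpc_response_json: str) -> dict:
    """Classify an account from a getAccountInfo response body.

    Returns {'status': ..., 'owner': ...} where status is one of:
      system_program  owner is the System Program: ownership unchanged
                      (the warning can still be caused by a shared seed phrase)
      token_account   owner is the SPL Token Program: a token account,
                      which is normal and not a sign of compromise
      reassigned      owner is any other program: the main account has
                      been reassigned, matching Step 1's "anything other
                      than System Program"
      not_found       the address has no on-chain data (never funded)
    """
    payload = json.loads(rpc_response_json)
    if "error" in payload:
        raise ValueError(f"RPC error: {payload['error']}")
    value = payload.get("result", {}).get("value")
    if value is None:
        return {"status": "not_found", "owner": None}
    owner = value["owner"]
    if owner == SYSTEM_PROGRAM_ID:
        return {"status": "system_program", "owner": owner}
    if owner == SPL_TOKEN_PROGRAM_ID:
        return {"status": "token_account", "owner": owner}
    return {"status": "reassigned", "owner": owner}


def _constructed_response(owner: str) -> str:
    """Constructed sample getAccountInfo response with the given owner."""
    return json.dumps({
        "jsonrpc": "2.0",
        "id": 1,
        "result": {
            "context": {"slot": 1},
            "value": {
                "data": ["", "base64"],
                "executable": False,
                "lamports": 1_000_000,
                "owner": owner,
                "rentEpoch": 0,
            },
        },
    })


# Constructed samples: one healthy account, one token account, one reassigned
# account (placeholder owner, not a real address), and one unfunded address.
SAMPLE_SYSTEM_OWNED = _constructed_response(SYSTEM_PROGRAM_ID)
SAMPLE_TOKEN_ACCOUNT = _constructed_response(SPL_TOKEN_PROGRAM_ID)
SAMPLE_REASSIGNED = _constructed_response("ExampleMaliciousProgram1111111111111111111")
SAMPLE_MISSING = json.dumps({
    "jsonrpc": "2.0", "id": 1,
    "result": {"context": {"slot": 1}, "value": None},
})

if __name__ == "__main__":
    print(build_get_account_info_request("<your wallet address>"))
    for name, sample in [("system-owned", SAMPLE_SYSTEM_OWNED),
                         ("token account", SAMPLE_TOKEN_ACCOUNT),
                         ("reassigned", SAMPLE_REASSIGNED),
                         ("unfunded", SAMPLE_MISSING)]:
        print(name, "->", classify_owner(sample))
```

Run it with a real response by posting the dict from `build_get_account_info_request` to a Solana RPC endpoint and passing the response text to `classify_owner`. A `reassigned` result is the condition Step 2 addresses; a `system_program` result with the warning still showing points to the imported-seed-phrase case in Step 3.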

Step 2: Recover your funds

You may be able to recover certain SPL tokens or unstaked SOL using a third-party recovery tool. One commonly used tool is sol-recovery.xyz. This tool is not affiliated with Phantom, and recovery is not guaranteed.

  1. Go to sol-recovery.xyz.
  2. Connect your compromised wallet.
  3. Connect a second wallet that has a small amount of SOL to pay for network fees.
  4. Select Wallet at the top of the interface.
  5. Select the token account you want to recover and choose Recover.
  6. Approve the recovery request using the safe wallet.

Note: Recovery tools can only recover Solana-based tokens and staked SOL accounts. SOL held directly in a reassigned account cannot be recovered.

Step 3: Secure your wallet

If you imported a Secret Recovery Phrase or private key that someone else provided or that you found online, stop using that wallet immediately and create a new one. Anyone who has access to that Secret Recovery Phrase retains full control of all accounts derived from it, even if the account owner shows System Program.

If your Secret Recovery Phrase may have been exposed, move any remaining funds from unaffected accounts to a new wallet as soon as possible. Always store your Secret Recovery Phrase securely offline and never share it with anyone.

Why this warning appears

You approved a malicious transaction

Some scams trick users into approving transactions that reassign ownership of a Solana account to a malicious program. Once ownership is transferred, the program may prevent withdrawals or automatically drain funds that enter the account.

You imported a compromised Secret Recovery Phrase or private key

Bad actors sometimes distribute Secret Recovery Phrases or private keys that appear to control wallets with funds. These wallets are configured to automatically transfer any deposits to attacker-controlled addresses. This is sometimes called a "rotten seed phrase" scam. If you imported one of these phrases, the attacker may still control the wallet even if the account owner shows System Program.
