"This account might be malicious. Do not send or deposit funds into it. Please proceed with caution."
If you see this warning, Phantom has detected that the Solana account you are viewing may be controlled by a scammer or malicious program. This warning is based on onchain activity and signals that interacting with the account may be unsafe.
This warning does not mean Phantom has blocked your account. It indicates that the account may be controlled by malicious program logic that can prevent withdrawals or automatically drain funds.
Warning: Do not send funds to this account. If the account is under malicious control, any new deposits may be stolen immediately. Never share your Secret Recovery Phrase or private key with anyone. Phantom Support will never ask for your Secret Recovery Phrase or private key.
Can you get your funds back?
It depends on what happened. In some situations you may be able to recover tokens using a third-party recovery tool. In other cases, funds cannot be recovered once control of the account has been reassigned.
The steps below will help you determine what happened and whether recovery may be possible.
Step 1: Check if your account ownership was changed
Every Solana account has an owner program. If you approved a malicious transaction, ownership of your account may have been reassigned to a different program. When this happens, the new program may block you from moving funds.
To check the owner program, follow these steps:
- In Phantom, go to the Home tab and select Receive.
- Copy the Solana address from the account that shows the warning.
- Go to solscan.io and paste your address into the search bar.
- In the More info section, locate the Owner field.
If the Owner is System Program, ownership of the account has not changed. The warning may still appear if you imported a Secret Recovery Phrase or private key that someone else also controls. In this case, skip to Step 3.
If the Owner is anything other than System Program, your account has likely been reassigned to a malicious program. Continue to Step 2 to attempt recovery.
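The same Owner check can be made against a Solana JSON-RPC endpoint with the getAccountInfo method instead of a block explorer. The script below is an added example, not Phantom's code: it classifies a getAccountInfo response using the rule from Step 1. The sample responses and the placeholder program ID are constructed for illustration, and fetch_account_info assumes an RPC endpoint URL that you supply.

```python
import json
import urllib.request

SYSTEM_PROGRAM = "1" * 32  # Solana System Program ID: 32 '1' characters

def build_request(address):
    """JSON-RPC body for getAccountInfo on one address."""
    return {"jsonrpc": "2.0", "id": 1, "method": "getAccountInfo",
            "params": [address, {"encoding": "base64"}]}

def classify_owner(response):
    """Map a getAccountInfo response to (status, owner)."""
    if "error" in response:
        raise ValueError(f"RPC error: {response['error']}")
    value = response["result"]["value"]
    if value is None:
        # No on-chain record (zero balance): such addresses are
        # implicitly System Program owned, so nothing was reassigned.
        return ("system", SYSTEM_PROGRAM)
    owner = value["owner"]
    if owner == SYSTEM_PROGRAM:
        # Ownership unchanged. A shared or leaked key is still possible (Step 3).
        return ("system", owner)
    # Any other owner: treat as reassigned and continue to Step 2.
    return ("reassigned", owner)

def fetch_account_info(rpc_url, address):
    """POST the request to an RPC endpoint you choose (not called below)."""
    body = json.dumps(build_request(address)).encode()
    req = urllib.request.Request(rpc_url, data=body,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

def sample_response(owner):
    """Constructed sample response; owner=None models a missing account."""
    value = None if owner is None else {
        "data": ["", "base64"], "executable": False,
        "lamports": 1_000_000, "owner": owner, "space": 0}
    return {"jsonrpc": "2.0", "id": 1,
            "result": {"context": {"slot": 1}, "value": value}}

# Placeholder program ID, constructed for this example only.
EXAMPLE_OTHER_PROGRAM = "ExamplePrograM1111111111111111111111111111111"

if __name__ == "__main__":
    for owner in (SYSTEM_PROGRAM, EXAMPLE_OTHER_PROGRAM, None):
        print(classify_owner(sample_response(owner)))
```

A "system" result only confirms that ownership was not reassigned. It says nothing about whether someone else also holds the Secret Recovery Phrase or private key.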
Step 2: Try to recover your funds
You may be able to recover certain SPL tokens or unstaked SOL using a third-party recovery tool.
One commonly used tool is sol-recovery.xyz. This tool is not affiliated with Phantom, and recovery is not guaranteed.
- Go to sol-recovery.xyz.
- Connect your compromised wallet.
- Connect a second wallet that has a small amount of SOL to pay for network fees.
- Select Wallet at the top of the interface.
- Select the token account you want to recover and choose Recover.
- Approve the recovery request using the second (safe) wallet.
Note: Recovery tools can only recover Solana-based tokens and staked SOL accounts. SOL held directly in a reassigned account cannot be recovered.
Step 3: Secure yourself going forward
If you imported a Secret Recovery Phrase or private key that someone else provided or that you purchased online, stop using that wallet immediately and create a new wallet with a new Secret Recovery Phrase.
Anyone who has access to that Secret Recovery Phrase retains full control of all accounts created from it, even if the account owner shows System Program.
If your Secret Recovery Phrase may have been exposed, move any remaining funds from unaffected accounts to a newly created wallet as soon as possible.
Always store your Secret Recovery Phrase securely offline and never share it with anyone.
How did this happen?
There are two common causes:
You approved a malicious transaction
Some scams trick users into approving transactions that reassign ownership of a Solana account to a malicious program. Once ownership is transferred, the program may prevent withdrawals or automatically drain funds that enter the account.
You imported a compromised Secret Recovery Phrase or private key
Bad actors sometimes distribute Secret Recovery Phrases or private keys that appear to control wallets with funds. These wallets are configured to automatically transfer any deposits to attacker-controlled addresses through malicious scripts or program logic.
This scam is sometimes called a "rotten seed phrase" scam. If you imported one of these phrases, the attacker may still control the wallet even if the account owner shows System Program.