"This account might be malicious. Do not send or deposit funds into it. Please proceed with caution."
If you see this warning, Phantom has detected that this Solana account may be controlled by a scammer or malicious program. This warning is based on onchain activity. Phantom has not blocked or restricted your account and cannot unblock or unrestrict it for you.
Warning: Do not send funds to this account. If the account is under malicious control, any new deposits may be stolen immediately.
Can you get your funds back?
It depends on what happened. In some cases you can recover funds using a third-party tool. In others, the funds may not be recoverable. The steps below will help you understand your situation and try to recover what you can.
Step 1: Check if your account ownership was changed
Every Solana account has an owner program. If you approved a malicious transaction, ownership of your account may have been transferred to a different program, which can block you from moving funds.
To check, follow these steps:
- In Phantom, go to the Home tab and select Receive.
- Copy your Solana address from the account that shows the warning.
- Go to solscan.io and paste your address into the search bar.
- Find the More info section and look for the Owner field.
If the Owner is System Program, your account ownership is intact. The warning may still appear if you imported a recovery phrase or private key from someone else. See Step 3.
If the Owner is anything other than System Program, your account has likely been reassigned to a malicious program. Proceed to Step 2.
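The Owner check in Step 1 can also be made directly against a Solana RPC node with the `getAccountInfo` method. The script below is an added example, not Phantom's code: it classifies a `getAccountInfo` reply the same way Step 1 does. The sample replies and the placeholder program ID are constructed, and the function names and the `rpc_url` parameter are illustrative assumptions.

```python
import json
import urllib.request

SYSTEM_PROGRAM = "11111111111111111111111111111111"  # System Program ID (32 ones)

def build_request(address):
    """JSON-RPC body for getAccountInfo; base64 encoding keeps the reply small."""
    return {"jsonrpc": "2.0", "id": 1, "method": "getAccountInfo",
            "params": [address, {"encoding": "base64"}]}

def classify_owner(rpc_response):
    """Map a getAccountInfo reply to the outcome of Step 1."""
    if "error" in rpc_response:
        raise ValueError(f"RPC error: {rpc_response['error']}")
    value = rpc_response["result"]["value"]
    if value is None:
        # The node holds no account record for this address (e.g. zero balance).
        return "no_account"
    if value["owner"] == SYSTEM_PROGRAM:
        # Ownership intact. This says nothing about who else holds the key (Step 3).
        return "intact"
    return "reassigned"  # Owner is some other program: continue with Step 2.

def check_address(address, rpc_url):
    """Live lookup; rpc_url is an assumption: use an RPC endpoint you trust."""
    req = urllib.request.Request(
        rpc_url, data=json.dumps(build_request(address)).encode(),
        headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return classify_owner(json.load(resp))

def _reply(owner):
    """Constructed reply shaped like getAccountInfo output (not a real account)."""
    return {"jsonrpc": "2.0", "id": 1, "result": {"context": {"slot": 1}, "value": {
        "data": ["", "base64"], "executable": False, "lamports": 1000000,
        "owner": owner, "rentEpoch": 0, "space": 0}}}

SAMPLE_INTACT = _reply(SYSTEM_PROGRAM)
SAMPLE_REASSIGNED = _reply("PLACEHOLDERprogramIdNotARealAddress")  # constructed
SAMPLE_EMPTY = {"jsonrpc": "2.0", "id": 1,
                "result": {"context": {"slot": 1}, "value": None}}

if __name__ == "__main__":
    for name, sample in [("intact", SAMPLE_INTACT),
                         ("reassigned", SAMPLE_REASSIGNED),
                         ("empty", SAMPLE_EMPTY)]:
        print(name, "->", classify_owner(sample))
```

An `intact` result only confirms the Owner field; it does not rule out the imported-key case covered in Step 3.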
Step 2: Try to recover your funds
You can attempt to recover SPL tokens or unstaked SOL using sol-recovery.xyz. This tool is not affiliated with Phantom and recovery is not guaranteed.
- Go to sol-recovery.xyz.
- Connect your compromised wallet.
- Connect a second, safe wallet that has some SOL to cover network fees.
- Click Wallet at the top.
- Select the token account you want to recover and click Recover.
- Approve the request in your safe wallet.
Note: This tool only supports Solana-based tokens and staked SOL. It cannot recover SOL held directly in a reassigned account.
Step 3: Secure yourself going forward
If you imported a Secret Recovery Phrase or private key that someone else gave you, or that you purchased online, stop using that wallet immediately and create a new wallet with a new recovery phrase. The attacker retains access to any wallet created from that phrase, even if the Owner field shows System Program.
If your recovery phrase may have been exposed in any way, move any remaining funds from unaffected accounts to a new wallet as soon as possible.
Never share your recovery phrase or private key with anyone. Phantom Support will never ask for them.
How did this happen?
There are two common causes:
You approved a malicious transaction
Some scams trick users into signing a transaction that transfers ownership of their account to an attacker. Once ownership is reassigned, the attacker has the authority to withdraw any funds that enter the account, and you may no longer be able to move them yourself.
You imported a compromised recovery phrase or private key
Bad actors sometimes distribute recovery phrases or private keys that appear to control wallets with funds. These wallets are set up to automatically transfer any deposits to an attacker-controlled address through custom program logic or draining scripts. If you imported one of these, the attacker retains control even if the Owner field shows System Program. This is sometimes called a "rotten seed phrase" scam.