This article explains what sweeper bots are, how they compromise wallets, and what to do if your Phantom wallet has been affected. If your funds disappear immediately after being deposited, a sweeper bot may be active.
What sweeper bots are
A sweeper bot is an automated script that drains funds from a compromised wallet. Once active, it monitors the blockchain for incoming transactions and immediately transfers newly deposited assets to an attacker-controlled address.
These bots operate continuously and execute transactions far faster than a human can react. Many people only realize their wallet has been compromised after funds are repeatedly removed seconds after deposit.
If an attacker has access to your Secret Recovery Phrase or private key, they effectively control the entire wallet and all accounts derived from it.
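The pattern described above, deposits removed seconds after they arrive and repeatedly, can be recognised in a wallet's transfer history. The following is an added example, not Phantom's code: a Python heuristic run over a constructed history, where the `Transfer` record, the thresholds, and the placeholder addresses are assumptions and amounts are in lamports.

```python
from dataclasses import dataclass

@dataclass
class Transfer:
    ts: int         # Unix time, seconds
    direction: str  # "in" or "out", relative to the monitored wallet
    amount: int     # lamports
    peer: str       # counterparty address

def find_sweeps(transfers, max_delay=30, min_fraction=0.9):
    """Pair each deposit with the first outbound transfer that follows within
    max_delay seconds and moves at least min_fraction of the deposit."""
    ordered = sorted(transfers, key=lambda t: t.ts)
    used, pairs = set(), []
    for i, dep in enumerate(ordered):
        if dep.direction != "in":
            continue
        for j in range(i + 1, len(ordered)):
            out = ordered[j]
            if out.ts - dep.ts > max_delay:
                break  # later transfers are too slow to be an automated sweep
            if j in used or out.direction != "out":
                continue
            if out.amount >= min_fraction * dep.amount:
                pairs.append((dep, out))
                used.add(j)
                break
    return pairs

def sweeper_suspects(transfers, min_hits=2, **thresholds):
    """Destinations that received min_hits or more fast post-deposit withdrawals."""
    counts = {}
    for _, out in find_sweeps(transfers, **thresholds):
        counts[out.peer] = counts.get(out.peer, 0) + 1
    return {peer: n for peer, n in counts.items() if n >= min_hits}

# Constructed history; addresses are placeholders, not real accounts.
HISTORY = [
    Transfer(1000, "in", 500_000_000, "EXCHANGE_PLACEHOLDER"),
    Transfer(1003, "out", 499_995_000, "DRAIN_PLACEHOLDER"),
    Transfer(5000, "in", 200_000_000, "FRIEND_PLACEHOLDER"),
    Transfer(5002, "out", 199_995_000, "DRAIN_PLACEHOLDER"),
    Transfer(9000, "in", 100_000_000, "EXCHANGE_PLACEHOLDER"),
    Transfer(95000, "out", 40_000_000, "MERCHANT_PLACEHOLDER"),  # ordinary spend
]

if __name__ == "__main__":
    print(sweeper_suspects(HISTORY))
```

A single fast withdrawal can be legitimate, which is why the heuristic only flags a destination that repeats.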
How sweeper bots get access
Attackers can only set up a sweeper bot if they gain access to your Secret Recovery Phrase or private key. In most cases, this happens through phishing or malicious software.
Common methods include:
- Fake support chats or impersonation websites asking you to “verify” your wallet.
- Malicious websites prompting you to import your wallet using your recovery phrase.
- Compromised browser extensions or mobile apps that log sensitive information.
- Emails or direct messages directing you to fraudulent login pages.
Once your Secret Recovery Phrase is exposed, the attacker can restore your wallet on their own device and automate withdrawals using a sweeper bot.
What to do if your wallet is compromised
If you suspect a sweeper bot is active, stop using that wallet immediately. Do not deposit additional funds or attempt to “beat” the bot by transferring assets out. Any new funds may be drained instantly.
Instead, follow these steps:
- Create a new wallet with a fresh Secret Recovery Phrase. Do not reuse the compromised phrase.
- Run a full malware scan on any computer or phone that interacted with the compromised wallet.
- Remove unknown browser extensions or apps and update your operating system and browser.
- Report the incident:
  - Tag the attacker’s address using a Solana block explorer such as Solscan.
  - File a report at Chainabuse.
  - Contact local authorities if a significant amount was stolen.
Warning: Don’t share your Secret Recovery Phrase or private key with anyone. If someone has access to either, they will have full control of your wallet. Phantom Support will never ask for your recovery phrase or private key.
Asset recovery options
In rare situations on certain networks, advanced recovery techniques may be attempted by independent security professionals. These methods are complex, risky, and not supported on Solana.
Phantom does not offer fund recovery services. In most cases, once funds are swept, they cannot be recovered.
How to protect your wallet going forward
The most effective protection is prevention. Protect your Secret Recovery Phrase and only interact with trusted apps and websites.
To reduce your risk:
- Use a hardware wallet, such as Ledger, to keep your private keys offline.
- Verify website URLs before connecting your wallet or signing transactions.
- Avoid downloading unknown browser extensions or mobile apps.
- Disable or restrict direct messages from unknown accounts on social platforms.
If any website or individual asks for your Secret Recovery Phrase or private key, it is a scam.
If you have additional questions, visit: https://help.phantom.com/