A sweeper bot is an automated script that drains funds from a compromised wallet. If your funds disappear immediately after being deposited, a sweeper bot may be active.
This article is specifically about sweeper bots. If your tokens are missing for another reason, see A token is missing in Phantom.
How sweeper bots work
Once active, a sweeper bot monitors the blockchain for incoming transactions and immediately transfers newly deposited assets to an attacker-controlled address. These bots operate continuously and execute transactions far faster than a human can react. Many people only realize their wallet has been compromised after funds are repeatedly removed seconds after deposit.
If an attacker has access to your Secret Recovery Phrase or private key, they effectively control the entire wallet and all accounts derived from it.
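The deposit-then-drain pattern described above can be checked against a wallet's transfer history. The following is an added example, not Phantom's code: the record fields, the thresholds (10 seconds, 90% of the deposit, two or more events) and the placeholder addresses are assumptions constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Transfer:
    ts: int            # Unix time of the transfer, in seconds
    direction: str     # "in" = deposit to the wallet, "out" = sent from it
    counterparty: str  # the other address involved
    amount: float

def find_sweeps(transfers, max_delay=10, min_fraction=0.9):
    """Pair each deposit with the first outgoing transfer that follows it
    within max_delay seconds and moves at least min_fraction of it."""
    ordered = sorted(transfers, key=lambda t: t.ts)
    sweeps, used = [], set()
    for i, dep in enumerate(ordered):
        if dep.direction != "in":
            continue
        for j in range(i + 1, len(ordered)):
            out = ordered[j]
            if out.ts - dep.ts > max_delay:
                break  # anything later is outside the automated-sweep window
            if (out.direction == "out" and j not in used
                    and out.amount >= min_fraction * dep.amount):
                sweeps.append((dep, out))
                used.add(j)
                break
    return sweeps

def assess(transfers, min_events=2, **thresholds):
    """Flag the wallet when several deposits were drained to one address."""
    sweeps = find_sweeps(transfers, **thresholds)
    dests = Counter(out.counterparty for _, out in sweeps)
    dest, hits = dests.most_common(1)[0] if dests else (None, 0)
    return {"suspected": hits >= min_events, "destination": dest,
            "events": hits, "delays": [o.ts - d.ts for d, o in sweeps]}

# Constructed sample history; addresses are placeholders, not real accounts.
SAMPLE = [
    Transfer(1000, "in", "exchange-placeholder", 1.0),
    Transfer(1002, "out", "DRAIN_ADDR_PLACEHOLDER", 0.999),
    Transfer(5000, "in", "friend-placeholder", 0.25),
    Transfer(5003, "out", "DRAIN_ADDR_PLACEHOLDER", 0.249),
    Transfer(9000, "in", "exchange-placeholder", 2.0),
    Transfer(9001, "out", "DRAIN_ADDR_PLACEHOLDER", 1.999),
]

if __name__ == "__main__":
    print(assess(SAMPLE))
```

A positive result means the key is already in someone else's hands, so the response is the one this article gives: stop using the wallet and move to a new Secret Recovery Phrase.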
How sweeper bots gain access to your wallet
Attackers can only set up a sweeper bot if they gain access to your Secret Recovery Phrase or private key. In most cases, this happens through phishing or malicious software.
Common methods include:
- Fake support chats or impersonation websites asking you to "verify" your wallet.
- Malicious websites prompting you to import your wallet using your recovery phrase.
- Compromised browser extensions or mobile apps that log sensitive information.
- Emails or direct messages directing you to fraudulent login pages.
Once your Secret Recovery Phrase is exposed, the attacker can restore your wallet on their own device and automate withdrawals using a sweeper bot.
What to do if a sweeper bot is active
Stop using that wallet immediately. Do not deposit additional funds or attempt to beat the bot by transferring assets out. Any new funds may be drained instantly.
Instead, follow these steps:
- Create a new wallet with a new Secret Recovery Phrase. Do not reuse the compromised phrase.
- Run a full malware scan on any device that interacted with the compromised wallet.
- Remove unknown browser extensions or apps and update your operating system and browser.
- Report the incident:
  - Tag the attacker's address using a Solana block explorer such as Solscan.
  - File a report at Chainabuse.
  - Contact local authorities if a significant amount was stolen.
Warning: Don't share your Secret Recovery Phrase or private key with anyone. If someone has access to either, they will have full control of your wallet. Phantom Support will never ask for your recovery phrase or private key.
Can swept funds be recovered?
In rare situations on certain networks, advanced recovery techniques may be attempted by independent security professionals. These methods are complex, risky, and not supported on Solana.
Phantom does not offer fund recovery services. In most cases, once funds are swept, they cannot be recovered.
How to protect your wallet from sweeper bots
The most effective protection is prevention. Protect your Secret Recovery Phrase and only interact with trusted apps and websites.
To reduce your risk:
- Use a hardware wallet such as Ledger to keep your private keys offline.
- Verify website URLs before connecting your wallet or signing transactions.
- Avoid downloading unknown browser extensions or mobile apps.
- Disable or restrict direct messages from unknown accounts on social platforms.
If any website or individual asks for your Secret Recovery Phrase or private key, it is a scam.