If your wallet was drained or you think you were scammed, act quickly to protect anything that may still be safe. Start with the steps below before spending time trying to understand exactly what happened.
Phantom is a self-custodial wallet, which means only you control your private keys. Phantom cannot reverse blockchain transactions, freeze assets, or recover stolen funds. However, you can still secure remaining assets, report the scam, and reduce the risk of further loss.
Warning: Never share your Secret Recovery Phrase or private key with anyone. Anyone with access to either has full control of your wallet. Phantom Support will never ask for your recovery phrase or private key.
Act fast: secure your wallet right now
If your wallet may be compromised, complete these steps as soon as possible. Acting quickly can help prevent further losses.
Step 1: Disconnect suspicious apps
Disconnect any app you do not recognize or no longer trust.
- Select your profile avatar in the upper left.
- Go to Settings → Connected Apps.
- Disconnect any app you do not recognize. To be safe, select Disconnect All.
Disconnecting stops apps from reading your wallet data. It does not revoke spending permissions that may already exist.
Step 2: Revoke token approvals
Some scams grant ongoing spending permissions that stay active after you disconnect an app. Revoking approvals helps stop further unauthorized transfers.
Use the revoke tool that matches the network involved:
- Solana: Use Famous Fox's Revoker. Connect your Phantom wallet, then select Revoke all.
- Ethereum and EVM networks, including Ethereum, Base, Polygon, and Monad: Use Revoke.cash. Connect your Phantom wallet, review active permissions, and revoke anything you do not recognize.
Revoking approvals is different from disconnecting. Disconnecting removes an app's ability to view your wallet. Revoking removes an app's permission to move certain tokens.
Step 3: Move remaining assets to a new wallet
If your recovery phrase, private key, or device may be compromised, do not keep using the old wallet. Create a new wallet and move any trusted remaining assets to it.
Do not transfer suspicious or unknown tokens. Some scam tokens are designed to trigger malicious actions when you interact with them, including trying to send or swap them.
For detailed instructions, see Move funds to a new Phantom wallet when you need to start over.
Important: Before transferring, check for staked tokens, DeFi positions, perpetual or prediction market positions, and Cash account balances. Some assets or balances may require extra steps before they can be moved.
Understand what happened
Understanding the scam can help you protect yourself going forward and provide useful details if you file a report. These are the most common scenarios.
Connected to a malicious website or app
You may have connected your wallet to a site that looked legitimate but was designed to steal funds. These sites often ask you to approve transactions that give the scammer permission to move your tokens.
This can happen through:
- Phishing links in emails, DMs, Discord, Telegram, or X.
- Fake NFT mints or airdrop claim pages.
- Ads or search results that lead to cloned project websites.
- Suspicious links in token names or NFT metadata.
Shared your Secret Recovery Phrase
If you entered your recovery phrase into any website or app, or shared it with anyone, the wallet is permanently compromised. The attacker can control the wallet and steal any assets sent to it later.
Do not try to secure or continue using that wallet. Create a new wallet and move any trusted remaining assets immediately.
Phantom Support will never ask for your recovery phrase.
Bought a scam token
Scam tokens are designed to trick you into losing funds. Common types include:
- Fake token airdrops: Tokens appear in your wallet with instructions to visit a malicious site to claim rewards.
- Pump-and-dump tokens: Scammers hype a token on social media, wait for the price to rise, then sell and crash the price.
- Honeypot tokens: These let you buy but prevent you from selling, trapping your funds.
- Rug pulls: Creators attract buyers and then remove liquidity or abandon the project.
- Impersonation tokens: Tokens that copy the name, logo, or branding of a legitimate project.
Receiving a scam token does not harm your wallet by itself. The risk comes from interacting with it, such as clicking links, trying to swap or sell it, or approving transactions.
You're not sure what happened
This is common. Scammers often hide how access was gained. If you do not know what happened, treat the wallet as compromised and secure your remaining assets using the steps above.
Common hidden causes include:
- Malware on your device, such as keyloggers, clipboard hijackers, or malicious browser extensions.
- Phishing sites that looked like Phantom.
- Fake Phantom apps downloaded from unofficial sources.
- A recovery phrase stored in a cloud service, screenshot, or notes app that someone else accessed.
Report the scam
Reporting a scam does not guarantee fund recovery, but it creates a record that can help investigators, exchanges, and other users. In some cases, especially with large losses, reports have helped law enforcement or exchanges freeze or recover assets.
Before you report, collect any details you have:
- Transaction hashes.
- Scammer wallet addresses.
- Website URLs, social profiles, or messages connected to the scam.
- Screenshots, dates, and estimated amounts lost.
Report to Chainabuse
Chainabuse is a public blockchain threat reporting platform used by investigators, exchanges, and security researchers. Submitting a report ties a public record to the scammer's wallet address so others can find and build on it.
Report to law enforcement
You can also report the scam to law enforcement.
- File a local police report: Contact your local law enforcement agency and ask for a case number. You may need it for insurance claims or further action.
- Report to the FBI (US only): Submit a report to the Internet Crime Complaint Center at ic3.gov. The IC3 has worked with exchanges and financial institutions to freeze stolen crypto in past cases.
Warning: Be cautious of anyone who claims they can recover your crypto for a fee or asks for access to your wallet. Recovery scammers often target people who have already been scammed.
What to expect after getting scammed
We want to be honest about what is and is not possible so you can make informed decisions.
- Phantom cannot reverse transactions. Blockchain transactions are final by design. No wallet provider can undo them.
- Phantom cannot access, freeze, or recover your funds. As a self-custodial wallet, Phantom never has access to your private keys or assets.
- Law enforcement may be able to help in some cases. Especially with large losses, agencies have worked with exchanges to freeze scammer accounts.
- Chainabuse reports create a record. Even if your funds are not recovered, the report may help future victims and investigations.
- Stronger security habits can reduce future risk. Many people use this experience as a turning point to improve how they store, connect, and transact.
Protect yourself going forward
These habits can reduce your risk of future scams.
Guard your Secret Recovery Phrase
Your recovery phrase controls access to your wallet. Protect it carefully.
- Store it offline only. Write it down and keep it in a secure location.
- Never store it in a photo, notes app, email, or cloud storage.
- Never enter it into any website. You do not need your recovery phrase to connect to a dApp.
- If you created your wallet with a Google or Apple account, protect your account password and four-digit PIN.
Verify before you connect
Check websites, apps, and tokens before connecting or approving a transaction.
- Only connect your wallet to apps you trust. Use the Explore tab in Phantom to find verified apps.
- Verify project URLs through official sources, such as the project website, X account, or Discord. Do not trust links from DMs, ads, or comments.
- Check the contract or mint address of a token before swapping. Use trusted sources like CoinGecko or blockchain explorers, including Solscan, Etherscan, and others.
Use Phantom's built-in security tools
Phantom includes security tools that can help you spot suspicious activity.
- Transaction previews: Phantom simulates transactions and flags suspicious activity. If you see a warning, stop immediately.
- Spam detection: Phantom identifies and hides suspicious NFTs and tokens automatically.
- Auto-lock: Set Phantom to lock automatically when not in use. Go to Settings → Security & Privacy → Auto-Lock.
Treat unsolicited tokens and NFTs as suspicious
Unknown tokens and NFTs are often used to lure users into malicious websites or transactions.
- Do not click links in token names or NFT descriptions.
- Do not try to swap, sell, or send unknown tokens.
- Hide and report suspicious NFTs: Select the NFT → More → Report as Spam.
- Burn unwanted Solana NFTs only if you are sure they are safe to interact with.
Use a burner wallet for risky interactions
Create a separate wallet and fund it with only what you need for a specific interaction, such as testing a new app or minting an NFT. After the interaction, revoke approvals and move any remaining funds before deleting the wallet.
Use a hardware wallet for high-value assets
Devices like Ledger provide additional protection because your private keys stay on the hardware device. Learn how to use Ledger with Phantom on desktop or mobile.
Periodically review token approvals
Regularly check and revoke permissions for apps you no longer use. This limits exposure from past activity and helps reduce the risk of future unauthorized transfers.
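What a token approval looks like on EVM networks, relevant both to Step 2 and to the periodic review described above. This is an added example, not code from Phantom or from the revoke tools named on this page: a Python decoder that reads the calldata of a standard approval call and flags unlimited or collection-wide grants. It covers EVM networks only; the spender address and sample calls are constructed.

```python
# Added example: classify EVM approval calldata when reviewing a transaction.
# Selectors are the standard ERC-20 / ERC-721 / ERC-1155 ones; sample data is constructed.

APPROVE = "095ea7b3"               # approve(address,uint256)
SET_APPROVAL_FOR_ALL = "a22cb465"  # setApprovalForAll(address,bool)
MAX_UINT256 = 2**256 - 1


def decode_approval(calldata_hex):
    """Return a dict describing an approval call, or None if it is not one."""
    data = calldata_hex.lower()
    if data.startswith("0x"):
        data = data[2:]
    # 4-byte selector plus two 32-byte ABI words = 8 + 64 + 64 hex characters
    if len(data) != 136 or any(c not in "0123456789abcdef" for c in data):
        return None
    selector, word1, word2 = data[:8], data[8:72], data[72:]
    if selector not in (APPROVE, SET_APPROVAL_FOR_ALL):
        return None
    if word1[:24] != "0" * 24:  # an address is 20 bytes, left-padded with zeros
        return None
    value = int(word2, 16)
    if selector == SET_APPROVAL_FOR_ALL:
        if value > 1:  # an ABI-encoded bool is 0 or 1
            return None
        kind = "operator_for_all" if value == 1 else "revoke"
    elif value == 0:
        kind = "revoke"  # setting the allowance back to zero
    elif value == MAX_UINT256:
        kind = "unlimited"
    else:
        kind = "limited"  # on an ERC-721 contract this word is a token id
    risk = {"revoke": "none", "limited": "review"}.get(kind, "high")
    return {"kind": kind, "spender": "0x" + word1[24:], "value": value, "risk": risk}


def sample_call(selector, spender_hex40, value):
    """Build constructed sample calldata for the demo below."""
    return "0x" + selector + spender_hex40.rjust(64, "0") + format(value, "064x")


SPENDER = "ab" * 20  # constructed placeholder address, not a real contract

if __name__ == "__main__":
    for sel, val in [(APPROVE, MAX_UINT256), (APPROVE, 0), (SET_APPROVAL_FOR_ALL, 1)]:
        print(decode_approval(sample_call(sel, SPENDER, val)))
```

A result with `risk` set to `high` means the spender can move the whole balance or every NFT in a collection until the approval is revoked, which is why disconnecting the app alone is not enough.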