Guide
Solana Wallet Hacked? Emergency Steps to Rescue Your Funds Right Now

The Bottom Line
When your Solana wallet has been compromised or drained, the order of your actions is everything. The core playbook is: ① Create a brand-new wallet (with a brand-new seed phrase) → ② Move any SOL and tokens remaining in the compromised wallet to the new wallet, highest-value first → ③ Revoke token approvals (delegates) → ④ Never use the compromised seed phrase again. Unfortunately, assets that have already been sent out or drained cannot be clawed back on-chain. But if you act quickly, you can stop the bleeding and prevent further losses. Stay calm, and work through the steps in this article in order.
Key takeaways
- If you suspect your private key or seed phrase has leaked, moving assets to a new wallet takes priority over revoking approvals. As long as an attacker holds your key, they can keep draining you even after approvals are cleared.
- Evacuate highest-value tokens first, while leaving a little SOL for gas. It's a "first mover wins" race against the drainer.
- Assets already drained cannot be recovered. The goal is to stop further outflows.
- Never reuse a compromised seed phrase. The ultimate prevention is a hardware wallet (Ledger, etc.).
First, diagnose: leaked key, or malicious approval?
Your priorities depend on what the attacker actually controls. Get this wrong and you'll take the wrong action.
| Situation | Example symptoms | Top priority |
|---|---|---|
| Private key / seed phrase leaked | SOL is drained the instant you deposit it / funds move without your action | Immediately evacuate all assets to a new wallet (revoking approvals may be pointless) |
| Granted a malicious approval (delegate) | Only specific tokens move on their own / NFTs get taken | Revoke that approval, then evacuate |
| Unclear / can't tell | You don't know which it is | Err on the side of danger = treat it as a key leak and evacuate now |
On Solana, each SPL token has its own dedicated "token account," and when you grant delegate authority to a dApp, that party can move your tokens. This is the equivalent of an "approve" on Ethereum. Being tricked by phishing into signing a malicious approval is the classic attack; how it works is explained in detail in What Is a Wallet Drainer.
注意
If funds are drained the moment you deposit them, the seed phrase itself is in the attacker's hands. In that case, revoking approvals won't stop it. The only way to stop the bleeding is to move assets to a wallet with a new seed phrase. This article is educational information, not investment advice, and does not guarantee recovery of any individual loss.
Step 1: Create a new wallet (ideally on a separate device)
First, prepare a destination for your funds. It's best to create it in a clean environment separate from the compromised device or browser extension.
- If your phone may be infected with malware, create the new wallet on a different device.
- Do not store the new seed phrase in screenshots, the cloud, or chat apps — keep it offline, such as on paper.
- If possible, create it directly with a hardware wallet (Ledger, etc.) from the start. This is the safest option.
The right way to protect a seed phrase is covered in How to Keep Your Seed Phrase Safe. It's all for nothing if you leak the key to your new destination wallet too.
Step 2: Evacuate remaining assets, highest-value first
This is a race against time. The attacker's bot (the drainer) is targeting the same assets, and whoever moves them out first wins.
- Send the highest-value tokens and NFTs first to the new wallet.
- Solana transfers require a tiny amount of SOL for gas, so don't send all your SOL — leave enough for a few transactions' worth of fees.
- Once you've moved the valuable assets, send the remaining SOL last.
- Don't touch unfamiliar, suspicious tokens. Some scam tokens are rigged to call a malicious contract the moment you interact with them (approve or send).
If you're in a state where "SOL gets drained instantly even when I deposit it, so I can't even pay the transfer fee," the key is fully compromised. Recovering assets from that wallet is extremely difficult, and the way to avoid widening the damage is to not throw good money after bad.
Step 3: Revoke token approvals (delegates)
For cases that aren't a key leak but "you merely granted a malicious approval," or as cleanup just to be safe, revoke the delegate.
- According to the official Solana documentation, when you revoke a delegate, the delegate's authority is cleared and the delegated amount is reset to zero, so that party can no longer move your tokens.
- You can use Revoke.cash (which supports Solana) or Solana revoker tools to do this. Connect your wallet, display the list of current approvals, and revoke the ones you don't need.
- On Solana, the fee to revoke is tiny (a fraction of a US cent in SOL).
How to choose a tool and the specific steps are laid out in How to Revoke Token Approvals on Solana.
重要
Revoking an approval only "prevents that party from moving your tokens going forward" — it does not reverse outflow transactions that have already executed. Be sure to understand that drained assets do not come back. Also, because the revocation process itself involves connecting your wallet, always type in the URL of an official, trusted tool directly and never click links from search ads or DMs.
Step 4: Never use the compromised seed phrase again
Even after things settle down, consider a seed phrase or private key that has leaked once to be "permanently contaminated."
- Don't deposit funds back into the old wallet later. Watch out for accidental transfers from exchanges, too.
- Check whether you reused that seed phrase on any other service.
- Review your browser-extension wallets, suspicious apps, and the dApps you granted permissions to, and remove anything sketchy.
- Run a malware scan on your device. If you don't eliminate the source of infection, your new wallet is at risk too.
Step 5: Document, report, and prevent recurrence
- Preserve your transaction history. Note the attacker's address and the outflow transactions on Solscan or Solana Explorer (useful for later consultation or investigation).
- If the losses are large, contact your local cybercrime reporting authority or the support team of the exchange you use.
- The real key to preventing recurrence is going hardware wallet. Because the private key never leaves the device, it becomes far more resistant to phishing signatures and malware.
- As a routine, audit your approvals regularly and promptly revoke delegates for dApps you no longer use.
For the full landscape of scams targeting Solana and how to spot them, see The Complete Guide to Solana Scams. Knowing the tactics is your best defense for "pausing before you sign" next time.
Frequently Asked Questions
Q. Can I recover the drained assets? A. Generally, no. Blockchain transactions can't be reversed, and there's no mechanism to forcibly return assets that have moved to an attacker's address. The goal is to "stop any further outflow."
Q. If I revoke approvals, will I be safe? A. It works if you "merely granted a malicious approval." But if the seed phrase itself has leaked, revoking won't stop it. In that case, evacuating to a new wallet is the only fix.
Q. My SOL is drained the instant I deposit it. What do I do? A. Your private key is compromised. Recovering that wallet is difficult, so stop depositing and focus on securing your other wallets and assets (creating a new one and checking for reused seed phrases).
Q. Is it okay to just add a new account under the same seed phrase? A. No. Every account derived from the same seed phrase is at risk as long as that seed has leaked. Always start over with a new seed phrase — ideally on a hardware wallet.
Sources & References
Sources
FAQ
- Can I recover the drained assets?
- Generally, no. Blockchain transactions can't be reversed, and there's no mechanism to forcibly return assets that have moved to an attacker's address. The goal of these steps is to stop any further outflow.
- If I revoke approvals, will I be safe?
- It works if you merely granted a malicious approval (delegate). But if the seed phrase itself has leaked, revoking won't stop the attack — the only way to stop it is to move your assets to a wallet with a new seed phrase.
- My SOL is drained the instant I deposit it. What should I do?
- Your private key is in the attacker's hands. Recovering that wallet is difficult, so stop depositing more funds and focus on creating a new wallet and checking whether you reused the seed phrase elsewhere.
- Is it okay to just add a new account under the same seed phrase?
- No. Every account derived from the same seed phrase is at risk as long as that seed has leaked. Always start over with a new seed phrase — ideally on a hardware wallet.
This article is informational only and is not financial, investment, or trading advice. Prices are reference snapshots and may be outdated. Always do your own research.