This is a work in progress and not a release. We're looking for volunteers. See Issues and Contribution to learn how to collaborate.

Malware Infection

This is a short guide prepared by SEAL that will help you navigate a malware infection. You have a limited amount of time to reduce the amount of damage that can be done to you. If you need help at any point, contact SEAL 911.

IF YOU SUSPECT YOUR COMPUTER HAS BEEN HACKED DO THE FOLLOWING IMMEDIATELY:

  • Disconnect your computer from the internet
  • Turn off your computer
  • Open this document on another device
  • Do not turn on your computer until further notice

Secure your crypto assets

The hackers have automatically stolen your crypto wallets, private keys, seed phrases, and credentials from:

  • Browser extension wallets (MetaMask, Phantom, Rabby, Coinbase Wallet, etc.)
  • Hardware wallet applications (Ledger Live, SafePal, etc.)
  • Local node wallets (Ethereum node keystore, Bitcoin node wallets, etc.)
  • Password managers (1Password, Bitwarden, LastPass, etc.)
  • Cloud storage (iCloud, Google Drive, etc.)
  • Centralized exchanges (Coinbase, Binance, etc.)
  • And more

You need to:

  1. Prioritize the wallets with the highest value.
  2. Create a new wallet from a clean device (phone, tablet, other computer) and write the seed phrase down on paper.
  3. Move all assets out from your old wallets, starting with tokens/NFTs/admin roles and ending with the native token (such as ETH).

If you need information from your compromised device, do not reconnect it to the internet, or the hackers will continue stealing your data.

The hackers may have installed “sweeper bots” on your addresses. These bots automatically “sweep” tokens to their wallets, but might not be able to handle non-tokenized deposits or protocols that require complex withdrawals. If your address has been swept, do not withdraw any additional assets without consulting SEAL 911 or Flashbots Whitehats.

Notify your colleagues/friends

The hackers may try to use the files and data they stole from your computer to impersonate you and scam/hack people in your network. If you work at a crypto protocol, the hackers may try to leverage your access to steal internal files and private keys and hack your protocol.

You need to:

  • Notify your company’s security team, IT team, or simply your coworkers
  • Notify a few other people in your network

Here is a message that you can copy/paste:

Hey, I think my computer was infected by malware and my wallets/accounts might be hacked. I’m currently working with SEAL 911 on next steps. Please don’t trust any suspicious messages from me until you can fully confirm that I’ve recovered my accounts, and help me spread the word.

Secure your accounts

The hackers have automatically stolen your active login sessions, and potentially your passwords, from:

  • Browsers (Chrome, Brave, Firefox, etc.)
  • Desktop applications (Telegram Desktop, WhatsApp, etc.)
  • Password managers (1Password, Bitwarden, LastPass, etc.)

This means that your online accounts are at risk, such as:

  • Telegram
  • Twitter
  • Discord
  • Email (Google, Apple, Proton, etc.)
  • Password manager (yes, your password manager account may be at risk)
  • Company accounts (Okta, Slack, etc.)
  • Social media
  • Online banking
  • Cloud storage/backups

You need to:

  • Log in to your accounts from a clean device (phone, tablet, other computer)
  • Go to the security settings and log out all other active sessions
  • Change your password
  • Activate or reset 2FA

Notify the authorities

If the hackers have managed to steal any crypto, take over any accounts, or cause other damage, you need to begin the slow process of involving the legal system.

Collect the following information:

  • Any addresses (including the chain) or exchange accounts that have been stolen from
  • Any transactions that the theft occurred in (including the chain)
  • Any accounts that the hackers messaged you from
  • Any URLs that you visited or downloaded files from
  • Any other suspicious activity you observed
  • A timeline of events (see below for example)

You will need this information to file reports at the following places:

  • IC3.gov (even if you are not a US citizen/resident, US law enforcement may be able to match you with other victims)
  • Chainabuse.com
  • SEAL 911
  • Your local police department

Example timeline:

October 22, 2024

  • [USERNAME] reached out to me on Telegram
  • They appeared to be an investor with [VC FIRM] and asked to schedule a call
  • On the date of the call, they sent me this link: [URL]
  • I joined the call but got an error that said my call timed out
  • I told [USERNAME] and they told me to follow the instructions on the site to fix it
  • I followed the instructions, but it didn’t work, so we rescheduled the call
    • These were the instructions I followed: [COMPUTER CODE]

October 23, 2024

  • Approximately 200k USD was stolen from these wallets
    • [ADDRESS 1]
    • [ADDRESS 2]
  • I was logged out of my Telegram account ([USERNAME]) and could not log back in
  • I was logged out of my Twitter account ([USERNAME]) and could not log back in
  • I received an email from BitGo that someone logged into my account from [IP]

Get a new computer

Your compromised computer is no longer safe to use. You can either:

  • Get a new computer: If you work for a large company, you may want to send your compromised computer to a forensics company for further analysis or for regulatory compliance. If so, you will need to buy a new computer.
  • Wipe your existing computer: If you feel comfortable performing a full factory reset of your computer, you can do so yourself. If not, you may consider bringing it to a local technician (such as an Apple Store, Geek Squad, or similar). Some people find it easier to simply buy a new computer.

You must start fresh from this computer. Do not restore your device from backup (such as Time Machine, Windows Backup, or any third-party backup programs), or you may restore the malware as well. If you need to copy files from the compromised computer, do not connect it to the internet (or the malware may continue stealing your data), and do not copy your entire user folder (or you may copy the malware).
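Added illustration (not part of the SEAL guide) of what "do not copy your entire user folder" means in practice: a small Python classifier that decides, path by path, whether a file from the old machine is plain data worth carrying over or something that should stay behind (program state, browser and messenger profiles, wallet and key directories, executables, macro-capable documents, app bundles). The extension lists, the skipped directory names and the sample paths are assumptions constructed for this example. It is a filter, not a scanner: a file on the allowlist can still be malicious, so the default is to leave behind anything that is not clearly a document or media file.

```python
from __future__ import annotations

import os
from pathlib import PurePosixPath

# Plain data formats worth carrying over (assumed allowlist; narrow it further
# if you can). Everything not listed here is left behind.
DATA_EXTENSIONS = {
    ".txt", ".md", ".csv", ".pdf", ".jpg", ".jpeg", ".png", ".heic",
    ".mp4", ".mov", ".docx", ".xlsx", ".pptx",
}

# Formats that execute code or carry macros: never copied.
EXECUTABLE_EXTENSIONS = {
    ".exe", ".dll", ".msi", ".bat", ".cmd", ".ps1", ".vbs", ".js", ".jar",
    ".dmg", ".pkg", ".app", ".sh", ".command", ".py", ".scr", ".lnk",
    ".docm", ".xlsm", ".pptm",
}

# Directories (relative to the user folder) that hold program state, persistence
# hooks, browser/messenger profiles and wallet or key material. Copying these is
# how the infection, or the already-stolen secrets, comes along for the ride.
SKIP_DIRS = {
    "Library", "AppData", ".config", ".local", ".cache", ".ssh", ".gnupg",
    "Applications", "node_modules", ".ethereum", ".bitcoin",
}

# Constructed sample of paths as they might appear under the old user folder.
SAMPLE_PATHS = [
    "Documents/invoice.pdf",
    "Documents/notes.txt",
    "Documents/fix-call.sh",
    "Downloads/meeting-app.dmg",
    "Downloads/ZoomFix.app/Contents/MacOS/ZoomFix",
    "Library/Application Support/Telegram Desktop/tdata/key_datas",
    ".ssh/id_ed25519",
    "Pictures/cat.jpg",
    "Desktop/budget.xlsm",
]


def classify_path(rel_path: str) -> tuple[bool, str]:
    """Return (copy?, reason) for one path relative to the user folder."""
    parts = PurePosixPath(rel_path).parts
    # Walk the directory components first: one bad ancestor rules the file out.
    for part in parts[:-1]:
        if part in SKIP_DIRS:
            return False, f"inside {part}"
        if part.startswith("."):
            return False, f"hidden directory {part}"
        # macOS app bundles are directories named *.app; nothing inside them is data.
        if PurePosixPath(part).suffix.lower() in EXECUTABLE_EXTENSIONS:
            return False, f"inside {part} bundle"
    name = parts[-1]
    if name.startswith("."):
        return False, "hidden file"
    ext = PurePosixPath(name).suffix.lower()
    if ext in EXECUTABLE_EXTENSIONS:
        return False, f"executable or macro-capable ({ext})"
    if ext not in DATA_EXTENSIONS:
        return False, f"not on data allowlist ({ext or 'no extension'})"
    return True, "data file"


def build_plan(paths: list[str]) -> dict[str, list]:
    """Split a list of relative paths into what to copy and what to skip (with reasons)."""
    plan: dict[str, list] = {"copy": [], "skip": []}
    for rel_path in paths:
        ok, reason = classify_path(rel_path)
        if ok:
            plan["copy"].append(rel_path)
        else:
            plan["skip"].append((rel_path, reason))
    return plan


def plan_directory(root: str) -> dict[str, list]:
    """Walk a real user folder (read-only) and build the same plan for it."""
    found = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for filename in filenames:
            rel = os.path.relpath(os.path.join(dirpath, filename), root)
            found.append(PurePosixPath(*rel.split(os.sep)).as_posix())
    return build_plan(sorted(found))


if __name__ == "__main__":
    result = build_plan(SAMPLE_PATHS)
    print("COPY:")
    for p in result["copy"]:
        print("  ", p)
    print("SKIP:")
    for p, why in result["skip"]:
        print("  ", p, "->", why)
```

Run `plan_directory("/path/to/old/user/folder")` against the mounted (never booted, never networked) old disk to get the list of files to copy by hand; `build_plan` on the sample shows three data files kept and six paths left behind, including the Telegram profile, the SSH key and the macro-enabled spreadsheet.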

Stay vigilant

The hackers may have stolen additional logins that you were not aware of, or you may not have fully removed the infection. If you notice additional signs of compromise, such as login alerts, randomly being logged out of services, or crypto being stolen, you will need to follow this guide again.

If you don’t already, consider following these best practices to keep yourself safe online:

  • Use a password manager (but not LastPass)
  • Turn on 2FA where available (disable cloud backups in your 2FA app)
  • Use a hardware wallet

Here are some guides specifically for securing your: