Sources checked

How we checked this

We reviewed the linked sources and keep this page updated when the record changes. Use the source list below to verify the details.

Source links attached Safety context included Corrections open

Short answer

If you suspect a wallet compromise, preserve the minimum information needed to describe what happened without exposing the secrets that control access. A cautious first record usually includes the wallet address, the network involved, visible transaction hashes, block explorer links, the suspicious site or app details, and a short timeline.

Do not share a seed phrase, private key, password, backup code, or remote-access session with anyone offering help. General cybersecurity guidance from official public-sector sources warns against sharing credentials and against giving attackers or unknown contacts more access during an incident.

Summary box

Capture first: wallet address, chain or network, transaction hash, explorer link, suspicious URL or app name, date/time/timezone, and relevant messages.

Never share: seed phrase, private key, password, backup codes, or remote access.

Safer approach: save only what helps explain the incident, then stop interacting through the same suspicious channel.

Why this matters

Good records can help you reconstruct events and prepare a cleaner summary for official support or public reporting channels. Poorly handled records can create new risk if they expose credentials, recovery data, or more personal information than necessary.

That makes documentation part of incident response. The goal is not to collect everything. The goal is to preserve useful facts while limiting further exposure.

What to capture first

1. Wallet address and network

Record the public wallet address and the exact network you think was affected. Keep them together in your notes so you do not mix up one wallet, one chain, or one incident with another.

If relevant, note whether you are looking at a wallet address, a naming service label, or an exchange deposit address shown inside an account. The important point is to record the exact public identifier you actually used or saw.

2. Transaction hashes and explorer links

If you can see suspicious on-chain activity, save the transaction hash and the matching block explorer link. These are public references that can help you point to a specific transaction later.

A transaction reference may help confirm that an on-chain action happened, but it does not by itself prove who controlled the wallet or what caused the incident.

3. Suspicious site, app, extension, or contact details

Capture the exact domain, URL, app name, browser extension name, email address, phone number, or social handle involved, if visible. Then stop clicking, replying, or trying to verify the issue through that same channel.

4. A short timeline

Write down the date, local time, timezone, what you were trying to do, what appeared on screen, and when you first noticed something was wrong. A short written timeline is often easier to review than a large folder of uncategorized images.

5. Limited device and account context

It can be useful to note the wallet app name, browser, operating system, and any support ticket reference connected to the event. Keep this limited to details that help explain the incident. Do not export or send recovery material, password-manager contents, or anything else that could grant access.

6. Relevant messages

If the incident involved email, chat, text, or social messages, save the relevant conversation and any visible usernames or ticket IDs. Avoid continuing the exchange with a suspected scammer or an unverified helper.

Comparison table: useful records vs risky exposure

ItemWhy keep itPublic sharingSharing with verified official supportNever share
Wallet addressIdentifies the public wallet involvedWith cautionOnly if relevant and only the minimum neededNo
Chain or network nameShows where activity happenedUsuallyYes, if relevantNo
Transaction hashPoints to a specific on-chain actionWith cautionYes, if relevantNo
Explorer linkPreserves a public referenceWith cautionYes, if relevantNo
Suspicious URL or domainHelps identify the suspected triggerWith cautionYes, if relevantNo
App or extension nameHelps document the possible vectorWith cautionYes, if relevantNo
Redacted screenshotCan preserve wording, warnings, or requestsWith cautionOften useful if carefully reviewedNo
Chat handle or email addressPreserves the contact trailWith cautionYes, if relevantNo
Seed phraseGives wallet accessNoNoYes
Private keyGives wallet accessNoNoYes
Password or backup codeCan enable account takeoverNoNoYes
Remote-access detailsCan expose live control of accounts or devicesNoNoYes

Practical checklist before you ask for help

  • Write down the wallet address and exact network involved.
  • Save any suspicious transaction hashes and explorer links you can see.
  • Record the exact suspicious domain, app, extension, email, number, or handle as displayed.
  • Note the date, time, timezone, and what happened immediately before the problem.
  • Save relevant messages, but stop engaging through the same channel.
  • Review screenshots before sharing them. Remove or cover balances, QR codes, full names, phone numbers, home-screen details, and any recovery or login information.
  • Keep a private copy of your notes and images.
  • Never share a seed phrase, private key, password, backup code, or remote access.
  • Prefer official support pages and public reporting channels you verify yourself over unsolicited direct messages.

Common mistakes that can increase exposure

Oversharing screenshots

Uncropped screenshots can reveal more than intended, including account details, contact information, QR codes, balances, or recovery material. If you need to share an image, use a carefully redacted version.

Sending secrets for “verification”

A request for a seed phrase, private key, password, backup code, or remote access is a serious warning sign. Official cybersecurity guidance does not treat handing over credentials as a normal part of incident handling.

Installing another tool from an unverified contact

A follow-up message telling you to install software, reconnect a wallet, or join a screen-sharing session can create additional risk. Preserve the record first, and do not assume a new link or tool is safe because it is described as support.

Mixing incidents together

If you use more than one wallet or network, keep separate notes for each incident. Mixing records can make later review harder and can weaken your explanation of the sequence.

What to do next

Use the records to make a clean incident summary

Once you have preserved the basics, turn them into a short summary: what wallet or account was involved, what network was involved, what suspicious action you saw, what site or message appeared beforehand, and when it happened. This can help you avoid rushed oversharing later.

Verify any support or reporting channel independently

If you need help, find the official support or reporting page yourself rather than using a link sent in a message or comment. Official cybersecurity guidance supports verifying channels before sharing incident details.

Stay cautious about private outreach

If you post publicly, be careful with anyone who contacts you privately and offers tracing, urgent technical help, or recovery services. Good records may improve clarity, but they do not guarantee recovery or any specific response from a provider or authority.

For broader prevention guidance, see our wallet safety coverage hub.

What your records can confirm—and what they cannot

Your notes can help confirm which public address was involved, which network was relevant, which transactions appeared, and which site, app, or message was shown to you. That can make the incident easier to describe accurately.

Those records usually cannot, on their own, prove who controlled the wallet, whether malware was involved, whether funds can be recovered, or what outcome a support team, platform, or authority will reach. Documentation improves clarity, not certainty.

Date-checked note

Date checked: This article was reviewed in general form for publication readiness. Because wallet-provider procedures and reporting options can change, verify current steps directly on the official site for your wallet, exchange, browser, device maker, or local public reporting authority before acting.

FAQ

What should I save first after a suspected wallet compromise?

Start with the public wallet identifier you used, the network involved, any visible transaction hashes, and a short timeline of events. Then save the suspicious site, app, or contact details if visible.

Should I share my seed phrase so someone can check what happened?

No. A seed phrase is not routine evidence. It is access data. Sharing it can expose your wallet directly.

Is a transaction hash enough to prove my wallet was hacked?

No. A transaction hash can help show that an on-chain action occurred, but it does not by itself prove who controlled the wallet or what caused the incident.

Are screenshots or explorer links more useful?

They do different jobs. Explorer links can point to a public on-chain record, while screenshots can preserve wording or visible warnings if they are carefully redacted.

Can careful documentation recover my funds?

No documentation method can guarantee recovery. What it can do is help you preserve facts, explain the incident more clearly, and reduce the chance of making the situation worse through oversharing.

Sources

Update log

  1. 13 Jul 2026Published with source tracking and reader-safety context.
  2. CorrectionsIf a source changes or a claim needs clarification, this page can be updated from the editorial desk.