How we checked this
We reviewed the linked sources and keep this page updated when the record changes. Use the source list below to verify the details.
Short answer
If you suspect a wallet compromise, preserve the minimum information needed to describe what happened without exposing the secrets that control access. A cautious first record usually includes the wallet address, the network involved, visible transaction hashes, block explorer links, the suspicious site or app details, and a short timeline.
Do not share a seed phrase, private key, password, backup code, or remote-access session with anyone offering help. General cybersecurity guidance from official public-sector sources warns against sharing credentials and against giving attackers or unknown contacts more access during an incident.
Summary box
Capture first: wallet address, chain or network, transaction hash, explorer link, suspicious URL or app name, date/time/timezone, and relevant messages.
Never share: seed phrase, private key, password, backup codes, or remote access.
Safer approach: save only what helps explain the incident, then stop interacting through the same suspicious channel.
Why this matters
Good records can help you reconstruct events and prepare a cleaner summary for official support or public reporting channels. Poorly handled records can create new risk if they expose credentials, recovery data, or more personal information than necessary.
That makes documentation part of incident response. The goal is not to collect everything. The goal is to preserve useful facts while limiting further exposure.
What to capture first
Record the public wallet address and the exact network you think was affected. Keep them together in your notes so you do not mix up one wallet, one chain, or one incident with another.
If relevant, note whether you are looking at a wallet address, a naming service label, or an exchange deposit address shown inside an account. The important point is to record the exact public identifier you actually used or saw.
2. Transaction hashes and explorer linksIf you can see suspicious on-chain activity, save the transaction hash and the matching block explorer link. These are public references that can help you point to a specific transaction later.
A transaction reference may help confirm that an on-chain action happened, but it does not by itself prove who controlled the wallet or what caused the incident.
3. Suspicious site, app, extension, or contact detailsCapture the exact domain, URL, app name, browser extension name, email address, phone number, or social handle involved, if visible. Then stop clicking, replying, or trying to verify the issue through that same channel.
4. A short timelineWrite down the date, local time, timezone, what you were trying to do, what appeared on screen, and when you first noticed something was wrong. A short written timeline is often easier to review than a large folder of uncategorized images.
5. Limited device and account contextIt can be useful to note the wallet app name, browser, operating system, and any support ticket reference connected to the event. Keep this limited to details that help explain the incident. Do not export or send recovery material, password-manager contents, or anything else that could grant access.
6. Relevant messagesIf the incident involved email, chat, text, or social messages, save the relevant conversation and any visible usernames or ticket IDs. Avoid continuing the exchange with a suspected scammer or an unverified helper.
Comparison table: useful records vs risky exposure
| Item | Why keep it | Public sharing | Sharing with verified official support | Never share |
|---|---|---|---|---|
| Wallet address | Identifies the public wallet involved | With caution | Only if relevant and only the minimum needed | No |
| Chain or network name | Shows where activity happened | Usually | Yes, if relevant | No |
| Transaction hash | Points to a specific on-chain action | With caution | Yes, if relevant | No |
| Explorer link | Preserves a public reference | With caution | Yes, if relevant | No |
| Suspicious URL or domain | Helps identify the suspected trigger | With caution | Yes, if relevant | No |
| App or extension name | Helps document the possible vector | With caution | Yes, if relevant | No |
| Redacted screenshot | Can preserve wording, warnings, or requests | With caution | Often useful if carefully reviewed | No |
| Chat handle or email address | Preserves the contact trail | With caution | Yes, if relevant | No |
| Seed phrase | Gives wallet access | No | No | Yes |
| Private key | Gives wallet access | No | No | Yes |
| Password or backup code | Can enable account takeover | No | No | Yes |
| Remote-access details | Can expose live control of accounts or devices | No | No | Yes |
Practical checklist before you ask for help
- Write down the wallet address and exact network involved.
- Save any suspicious transaction hashes and explorer links you can see.
- Record the exact suspicious domain, app, extension, email, number, or handle as displayed.
- Note the date, time, timezone, and what happened immediately before the problem.
- Save relevant messages, but stop engaging through the same channel.
- Review screenshots before sharing them. Remove or cover balances, QR codes, full names, phone numbers, home-screen details, and any recovery or login information.
- Keep a private copy of your notes and images.
- Never share a seed phrase, private key, password, backup code, or remote access.
- Prefer official support pages and public reporting channels you verify yourself over unsolicited direct messages.
Common mistakes that can increase exposure
Uncropped screenshots can reveal more than intended, including account details, contact information, QR codes, balances, or recovery material. If you need to share an image, use a carefully redacted version.
Sending secrets for “verification”A request for a seed phrase, private key, password, backup code, or remote access is a serious warning sign. Official cybersecurity guidance does not treat handing over credentials as a normal part of incident handling.
Installing another tool from an unverified contactA follow-up message telling you to install software, reconnect a wallet, or join a screen-sharing session can create additional risk. Preserve the record first, and do not assume a new link or tool is safe because it is described as support.
Mixing incidents togetherIf you use more than one wallet or network, keep separate notes for each incident. Mixing records can make later review harder and can weaken your explanation of the sequence.
What to do next
Once you have preserved the basics, turn them into a short summary: what wallet or account was involved, what network was involved, what suspicious action you saw, what site or message appeared beforehand, and when it happened. This can help you avoid rushed oversharing later.
Verify any support or reporting channel independentlyIf you need help, find the official support or reporting page yourself rather than using a link sent in a message or comment. Official cybersecurity guidance supports verifying channels before sharing incident details.
Stay cautious about private outreachIf you post publicly, be careful with anyone who contacts you privately and offers tracing, urgent technical help, or recovery services. Good records may improve clarity, but they do not guarantee recovery or any specific response from a provider or authority.
For broader prevention guidance, see our wallet safety coverage hub.
What your records can confirm—and what they cannot
Your notes can help confirm which public address was involved, which network was relevant, which transactions appeared, and which site, app, or message was shown to you. That can make the incident easier to describe accurately.
Those records usually cannot, on their own, prove who controlled the wallet, whether malware was involved, whether funds can be recovered, or what outcome a support team, platform, or authority will reach. Documentation improves clarity, not certainty.
Date-checked note
Date checked: This article was reviewed in general form for publication readiness. Because wallet-provider procedures and reporting options can change, verify current steps directly on the official site for your wallet, exchange, browser, device maker, or local public reporting authority before acting.
FAQ
Start with the public wallet identifier you used, the network involved, any visible transaction hashes, and a short timeline of events. Then save the suspicious site, app, or contact details if visible.
Should I share my seed phrase so someone can check what happened?No. A seed phrase is not routine evidence. It is access data. Sharing it can expose your wallet directly.
Is a transaction hash enough to prove my wallet was hacked?No. A transaction hash can help show that an on-chain action occurred, but it does not by itself prove who controlled the wallet or what caused the incident.
Are screenshots or explorer links more useful?They do different jobs. Explorer links can point to a public on-chain record, while screenshots can preserve wording or visible warnings if they are carefully redacted.
Can careful documentation recover my funds?No documentation method can guarantee recovery. What it can do is help you preserve facts, explain the incident more clearly, and reduce the chance of making the situation worse through oversharing.
Sources
- CERT Polska — official cybersecurity alerts and guidance.
- NASK — official cybersecurity and digital safety resources.
- Gov.pl: Cyberbezpieczeństwo — official public-sector cybersecurity guidance.
- CryptoRescue wallet safety hub — internal cluster page for broader wallet-safety context.
Update log
- 13 Jul 2026Published with source tracking and reader-safety context.
- CorrectionsIf a source changes or a claim needs clarification, this page can be updated from the editorial desk.