Sources checked

How we checked this

We reviewed the linked sources and keep this page updated when the record changes. Use the source list below to verify the details.

Summary box

If you think you signed or approved something suspicious, a cautious first step is to preserve what you can without interacting further than necessary. In practice, that can mean saving a screenshot of the request screen if it is still visible, plus a screenshot of any visible wallet activity or transaction record afterward. Those images may help preserve fast-changing context, but they do not by themselves prove the full incident, identify the other party, or guarantee any recovery outcome.

Short answer

There is no single universal screenshot rule for every wallet, chain, or signing flow. But if a suspicious request is still on screen, a practical evidence-preservation approach is often to save:

  1. what you were shown, and
  2. what appears to have happened afterward, if a visible record exists.

Just as important: stop further interaction if you suspect risk. If you think your seed phrase, private key, password, or device access may be exposed, prioritize containment over collecting perfect records.

Context

Suspicious wallet incidents can change quickly. Pages may refresh, close, or disappear, and visible details may be harder to reconstruct later. General public cyber-safety guidance supports preserving basic records early and avoiding extra interaction with suspicious content where possible.

A screenshot is only a snapshot of what was visible on your screen at one moment. It can help with later checking, reporting, or support conversations, but it should be treated as supporting evidence rather than final proof of the whole event.

Why these records are useful

1. The request screen

If the wallet request screen is still visible, it may preserve immediate context such as the site or app, warning text, the action label, or other visible identifiers. That can matter if the page later changes or disappears.

2. The visible record afterward

If your wallet, activity page, or another visible record shows something after the event, that screenshot can preserve what you could see after the request was approved or signed.

Important limit

This article does not claim that every suspicious signature creates the same kind of visible history, or that every wallet shows the same information. The sources currently support narrow, general evidence-preservation advice, not wallet-specific technical rules.

Step-by-step guide

What to do first
  1. Stop clicking through the suspicious site or app.
  2. Save a screenshot of the request screen if it is still visible.
  3. Save a screenshot of any visible record afterward, such as wallet activity or another visible confirmation/history view, if available.
  4. Save the page or app context only if you can do so safely without reopening the suspicious content.
  5. Keep the original image files. If you later crop or redact, keep an untouched copy for your own records.
  6. Do not share seed phrases, private keys, passwords, or remote access with anyone offering help.
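
One way to carry out step 5 on a computer, as an added example that is not from this page's sources: copy the original screenshot files into a separate folder, mark the copies read-only, and record a SHA-256 hash of each so that a later crop or redaction saved over an original can be detected. Hashing is a technique chosen for this example; the function names, file names and folder layout are assumptions, and the sample files are constructed placeholders.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

def sha256_file(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()  # screenshots are small

def preserve_originals(files, archive_dir):
    """Copy screenshots into archive_dir, mark them read-only, write manifest.json."""
    archive = Path(archive_dir)
    archive.mkdir(parents=True, exist_ok=True)
    entries = []
    for src in map(Path, files):
        dst = archive / src.name
        if dst.exists():
            raise FileExistsError(f"refusing to overwrite preserved copy: {dst}")
        shutil.copy2(src, dst)  # copy2 keeps the file's modification time
        dst.chmod(0o444)        # read-only guards against accidental edits
        entries.append({"name": dst.name, "sha256": sha256_file(dst),
                        "mtime_epoch": int(dst.stat().st_mtime)})
    (archive / "manifest.json").write_text(json.dumps({"files": entries}, indent=2))
    return entries

def verify_originals(archive_dir):
    """Return {name: 'unchanged' | 'modified' | 'missing'} checked against the manifest."""
    archive = Path(archive_dir)
    status = {}
    for entry in json.loads((archive / "manifest.json").read_text())["files"]:
        path = archive / entry["name"]
        if not path.exists():
            status[entry["name"]] = "missing"
        elif sha256_file(path) == entry["sha256"]:
            status[entry["name"]] = "unchanged"
        else:
            status[entry["name"]] = "modified"
    return status

def demo():
    """Constructed sample: placeholder bytes stand in for two real screenshots."""
    work = Path(tempfile.mkdtemp())
    shots = [work / "request-screen.png", work / "wallet-activity.png"]
    for shot in shots:
        shot.write_bytes(b"constructed sample: " + shot.name.encode())
    preserve_originals(shots, work / "originals")
    edited = work / "originals" / "request-screen.png"
    edited.chmod(0o644)                      # simulate a redaction saved over the original
    edited.write_bytes(b"constructed sample: cropped")
    return verify_originals(work / "originals")
```

Calling `demo()` reports the overwritten file as modified and the other as unchanged. Do cropping or redaction on separate working copies, never on the files in the preserved folder.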

What not to do
  • Do not reopen a suspicious page just to recreate a missing screenshot.
  • Do not approve more requests to see what happens.
  • Do not assume screenshots alone prove the full scope of loss or control.
  • Do not send wallet credentials to strangers, fake support accounts, or paid recovery services.

Comparison table

| Record to save | Why it can help | What it may show | What it does not prove by itself |
| --- | --- | --- | --- |
| Request screen screenshot | Preserves what you were shown at the time | Visible warnings, site or app context, action labels, partial identifiers | The full downstream impact or the identity of the other party |
| Wallet activity or other visible history screenshot | Preserves what you could see afterward | Timing context, visible status, related activity entry | The full scope of loss or whether all consequences are visible yet |
| Browser URL or app-context screenshot | Adds supporting context | Domain, app name, surrounding page context | That the site or app was legitimate |

Practical checklist

  • Save the suspicious request screen if it is still open.
  • Save any visible history, activity, or confirmation screen afterward.
  • Save surrounding context only if doing so does not require more risky interaction.
  • Keep original files before editing them.
  • Check whether the screenshots contain personal information before sharing them.
  • Stop further interaction if you suspect broader compromise.

Myth vs reality

Myth: “A screenshot proves exactly what happened.”

Reality: A screenshot records what was visible on your screen. It may be useful evidence, but it does not automatically prove the full sequence of events or any legal outcome.

Myth: “I should keep clicking so I can document more.”

Reality: General cyber-safety guidance favors preserving what you safely can, then limiting further interaction with suspicious content.

Myth: “Anyone asking for my seed phrase to help is legitimate.”

Reality: Sharing seed phrases, private keys, passwords, or remote access creates serious additional risk.

Reader examples

Example: you only captured the request screen

That can still be useful because it preserves what you were shown at the moment of concern. Save it, keep the original, and look for any safe-to-view record of what happened afterward.

Example: you only captured a history or activity screen

That can still help preserve visible aftermath. Keep it together with any other safe context you already have, such as the app name or browser address bar.

Example: someone says your screenshots guarantee recovery

Treat that as a warning sign. Evidence preservation may help with reporting or later review, but it does not guarantee recovery, refunds, or legal results.

What to verify next

Facts worth checking after you save the images
  • Whether the visible activity or history matches the time of the incident.
  • Whether the site or app context shown in the screenshot matches what you intended to use.
  • Whether the images include sensitive information you should redact before sharing them.
  • Whether you need country-specific reporting guidance from a government cyber or fraud-reporting body.

Date-checked note

Date checked: 2025-02-14. This article is limited to general public cyber-safety and evidence-preservation guidance from the cited official sources. It does not verify wallet-specific display behavior, chain-specific signing flows, or platform-specific reporting paths. Those details should be checked against current official documentation for the wallet, service, or authority involved.

FAQ

Are these always the two most important screenshots?

Not in every case. Different wallets and incidents may surface different information. This article presents a cautious starting point for general evidence preservation, not a universal rule.

What if the request screen vanished before I could save it?

Save any visible history, confirmation, or surrounding context you still have. Do not reopen a suspicious page just to recreate the screen.

Should I keep documenting everything if I think my wallet or device is compromised?

No. If you suspect broader exposure, prioritize safety and containment. Preserve only what you can collect without increasing risk.

Is this legal or recovery advice?

No. This is general evidence-preservation guidance. Reporting options, legal steps, and platform processes vary by country and service.

Sources

Update log

  1. 24 Jun 2026: Published with source tracking and reader-safety context.
  2. Corrections: If a source changes or a claim needs clarification, this page can be updated from the editorial desk.