If Your MetaMask Is Compromised: Immediate Steps & Long-Term Recovery
Quick summary & who this guide is for
If you landed here because you searched "compromised MetaMask wallet" or "my MetaMask was hacked what to do", this is a practical checklist you can act on right now. I believe speed matters; I also believe calm helps. In my experience the majority of losses happen because people try the wrong fix first (for example, connecting a compromised account to another site). This guide is aimed at US-based users who use MetaMask as a software (hot) wallet for DeFi, token swaps, staking, and dApps.
Who should read this: everyday DeFi users, traders who use MetaMask on mobile or browser extension, and people with both small and mid-size balances.
Who should look elsewhere: if you keep large balances and haven’t used a hardware wallet, consider the long-term move to a cold signer. See our hardware wallet integration guide: [/hardware-wallets-with-metamask].
How to tell if your MetaMask is compromised
Signs of compromise are often obvious once you know where to look. Check these:
- Outgoing transactions you didn't sign. Look at your Activity tab and a block explorer for your address.
- Unexpected token approvals or approvals with "infinite" allowance.
- New accounts created or funds moved to unknown addresses.
- Unusual popups requesting message signatures or approvals when using dApps.
Ask yourself: did you recently paste your seed phrase anywhere? (That’s usually the fatal mistake.) But sometimes malware or malicious browser extensions can leak private keys or capture signatures.
Immediate steps (first 10 minutes)
- Lock MetaMask on every device. Click the account menu and "Lock".
- Disconnect connected sites from the compromised account (see the Disconnect section below).
- Check the chain: are there pending malicious transactions? If yes, open our pending transaction troubleshooting guide. Cancelling a pending transaction requires replacing the same nonce and is technical. Proceed only if you understand nonces and gas fees.
- Take screenshots and save transaction hashes — they can be useful later.
And yes, it's stressful. But moving faster than the attacker is the priority.
Short-term containment (next few hours)
These steps determine whether you can stop the attacker or just limit damage.
- If you still control the private keys (no one else has the seed phrase), create a fresh account on a clean device and transfer assets there immediately. Test with a small amount first.
- If the seed phrase is leaked, assume the attacker can sign at any time. In that case, try to move funds immediately, but understand the attacker may front-run or drain the account.
- Never paste the seed phrase into websites or mobile apps that ask for it. Never.
If you need step-by-step help on moving assets and creating/importing accounts, see import-and-restore-wallet and sync-and-use-on-multiple-devices.
Revoke approvals and disconnect dApps
Many hacks start with an approved dApp that can spend tokens on your behalf. Revoking allowances is a good containment move — but only if you still control the address.
Why revoke? Unlimited token allowance lets a smart contract pull tokens without extra confirmations. Revoking reduces that attack surface.
Quick actions:
- Disconnect connected websites from the compromised account: open MetaMask > Settings > Connected Sites and remove entries.
- Check token allowances for each token and each chain. You can read on-chain approvals from a block explorer and then issue revoke transactions from your account to set allowances to zero.
Warning: if the attacker has your private keys, they can re-approve or drain funds faster than you can revoke. If that's the case, prioritize moving funds.
See our step-by-step revocation walkthrough: [/how-to-revoke-approvals-step-by-step] and the deeper explainer on token allowances: [/token-allowances-and-revoke].
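The on-chain read described above, as an added example (not code from this guide or from MetaMask): it reduces ERC-20 `Approval` event logs to the allowances still open for an address, flags unlimited ones, and builds the `approve(spender, 0)` calldata a revoke transaction carries. The log entries and all addresses are constructed placeholders.

```javascript
// keccak256("Approval(address,address,uint256)"), the ERC-20 Approval event topic
const APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925";
const APPROVE_SELECTOR = "0x095ea7b3"; // approve(address,uint256)
const MAX_UINT256 = (1n << 256n) - 1n;

const pad32 = (hex) => hex.replace(/^0x/, "").toLowerCase().padStart(64, "0");
// An indexed address occupies a 32-byte topic; the address is the low 20 bytes.
const topicToAddress = (t) => "0x" + t.slice(-40).toLowerCase();

// Reduce Approval logs to the latest non-zero allowance per (token, spender).
function openAllowances(logs, owner) {
  const latest = new Map();
  logs
    // ERC-20 Approval has 3 topics; ERC-721 reuses the signature with 4.
    .filter((l) => l.topics.length === 3 && l.topics[0] === APPROVAL_TOPIC)
    .filter((l) => topicToAddress(l.topics[1]) === owner.toLowerCase())
    .sort((a, b) => Number(a.blockNumber) - Number(b.blockNumber) ||
                    Number(a.logIndex) - Number(b.logIndex))
    .forEach((l) => {
      const token = l.address.toLowerCase();
      const spender = topicToAddress(l.topics[2]);
      latest.set(`${token}:${spender}`, { token, spender, amount: BigInt(l.data) });
    });
  return [...latest.values()]
    .filter((a) => a.amount > 0n)
    .map((a) => ({ ...a, unlimited: a.amount === MAX_UINT256 }));
}

// Calldata for approve(spender, 0); the transaction's `to` is the token contract.
const revokeCalldata = (spender) => APPROVE_SELECTOR + pad32(spender) + pad32("0x0");

// Constructed sample logs in eth_getLogs shape; every address is a placeholder.
const [OWNER, DEX, FARM] = ["11", "22", "33"].map((b) => "0x" + b.repeat(20));
const [TOKEN_A, TOKEN_B] = ["aa", "bb"].map((b) => "0x" + b.repeat(20));
const log = (address, owner, spender, amount, blockNumber) => ({
  address, blockNumber, logIndex: 0, data: "0x" + pad32(amount.toString(16)),
  topics: [APPROVAL_TOPIC, "0x" + pad32(owner), "0x" + pad32(spender)],
});
const SAMPLE_LOGS = [
  log(TOKEN_A, OWNER, DEX, MAX_UINT256, 100), // unlimited, still open
  log(TOKEN_A, OWNER, FARM, 1000n, 101),
  log(TOKEN_A, OWNER, FARM, 0n, 105),         // revoked later
  log(TOKEN_B, OWNER, DEX, 500n, 102),
  log(TOKEN_B, FARM, DEX, MAX_UINT256, 103),  // different owner, ignored
];

for (const a of openAllowances(SAMPLE_LOGS, OWNER))
  console.log(a.token, a.spender, a.unlimited ? "UNLIMITED" : String(a.amount),
              "revoke:", revokeCalldata(a.spender));
```

Event logs give an upper bound, because `transferFrom` can spend an allowance without emitting `Approval`; confirm each entry with the token's `allowance(owner, spender)` call before sending revokes.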
Move funds to a new or hardware wallet
If you decide to move funds, do this:
- Create a new wallet on a device you trust. Preferably create a hardware wallet or a freshly installed browser/mobile wallet.
- Back up the new seed phrase immediately (see next section).
- Transfer a small test amount first to confirm everything works.
- Then move the remainder, chain by chain.
If you plan to move funds to a hardware signer, our hardware integration guide explains the connection steps: [/hardware-wallets-with-metamask] and [/connect-hardware-to-metamask-mobile].
But don't assume a transfer will succeed automatically. Attackers often monitor mempools and may attempt to front-run a transfer.
Back up the new seed phrase safely
Backup practices matter as much as the transfer itself. Backup advice I use daily:
- Write the seed phrase on paper and store it in two geographically separated secure locations.
- Use a metal backup if you want fire/water protection.
- Avoid storing the seed phrase in cloud notes, photos, email, or password managers unless the backup is encrypted and you understand the trade-offs.
More options and risks are covered in our backup & recovery guide: [/seed-phrase-backup-recovery].
Long-term recovery & hardening
After recovery you should harden how you use MetaMask:
- Move large balances to a hardware wallet (cold storage). See [/hardware-wallets-with-metamask].
- Use separate accounts: one for daily DeFi interactions and one for long-term storage.
- Limit token approvals and check them regularly.
- Consider a smart contract wallet (account abstraction) for gasless sessions or session keys; these reduce exposure of a single seed phrase. Learn more: [/account-abstraction-smart-contract-wallets].
Comparison: Quick feature table
| Feature | MetaMask (software/hot) | Hardware wallet (cold) | Smart-contract wallet (account abstraction) |
| --- | --- | --- | --- |
| Control of private keys | Yes (non-custodial) | Yes (non-custodial, offline) | Keys held by smart contract; recovery options vary |
| Can revoke approvals from compromised account | Yes (if you still control keys) | Yes (if you sign from device) | Depends on implementation (may support session revocation) |
| Speed to move funds after compromise | Fast (if device clean) | Slower (requires device + setup) | Varies; can offer gasless flows |
| Best for | Daily DeFi, swaps, dApp use | Long-term storage of large balances | Frequent dApp interactions with added safety |
FAQ
Q: Can MetaMask be hacked?
A: MetaMask itself is software; it cannot prevent an attacker from signing transactions if they have your seed phrase or your device is compromised. So yes, accounts controlled by MetaMask can be hacked via social engineering, phishing, or device malware. The product being installed on your device is not the same as the account being invulnerable.
Q: My MetaMask was hacked — what to do?
A: Start by locking the wallet, documenting transactions, disconnecting dApps, and then assess whether the seed phrase or device is compromised. If you control the keys, revoke approvals and move funds to a new wallet. If the seed phrase is leaked, create a new secure wallet elsewhere and attempt immediate transfers (test with small amounts first).
Q: How do I revoke token approvals in MetaMask?
A: You can read on-chain approvals with a block explorer and send transactions to reduce or zero allowances. For a guided walkthrough see [/how-to-revoke-approvals-step-by-step] and [/token-allowances-and-revoke].
Q: What happens if I lose my phone?
A: If you have your seed phrase backed up, re-import it on a new device. If you don’t have the seed phrase, and there’s no encrypted cloud backup you control, recovery is not possible.
Conclusion & next steps
If your MetaMask is compromised, act fast: lock, document, disconnect, and prioritize moving funds to a wallet you control on a secure device. But don't rush into risky steps like pasting your seed phrase into unknown sites. For step-by-step revoke help, visit [/how-to-revoke-approvals-step-by-step]. For backup best practices see [/seed-phrase-backup-recovery].
If you want hands-on checklists and a printable quick-plan sheet, see our security checklist and our troubleshooting pages for pending transactions and disconnecting sites: [/pending-transaction-troubleshooting] and [/disconnect-connected-sites].
If you need more guidance, what I've found is that small, careful test transfers save people a lot of grief. Take that test step. Good luck.