THE ENABLERS REGISTRY · Registrar accountability archive
Critical action / preserved appendix

Escalation copy, minus the panic varnish

This appendix exists because some readers still need the practical next step after the fraud. We keep the checklist, redact the brands, and avoid pretending TER runs the operation.

Response appendix · Read-only copy · Source-linked
File /critical-action · Source voice preserved · Brand labels redacted
Critical Action · Incident Response · You are not alone

Wallet drained, seed stolen, account taken over?
[REDACTED] 911 replies in ~8 minutes. Free. 24/7.

If your wallet was drained, your seed phrase stolen, or your account taken over — follow this field-tested sequence. Every second counts. Don't pay "recovery" services. Don't share your seed. The fastest path to help is the green button below.

Recommended first action — [REDACTED] 911

Real responders. Real chain analysts. ~8 min reply.

[REDACTED] 911 is the war-room hotline of the Security Alliance — a coalition of top web3 security teams that triages live incidents, coordinates with exchanges, and helps trace funds. Free, volunteer-run, no recovery fees.

Open [REDACTED]

~8 min avg reply · 24/7 on-call · $0 always free

Recovery scams target your second loss. Anyone who DMs you on [REDACTED], X or [REDACTED] offering "guaranteed crypto recovery" — flashbots reversal, hacker negotiation, blockchain rollback — is a scammer. Real responders ([REDACTED], THE ENABLERS REGISTRY, ZachXBT) never DM first and never charge.
01 · DO THIS NOW

5-step emergency sequence

read top → bottom · don't skip · ~12 minutes total
Step 1 · 00:00

Open [REDACTED] 911 — get a human on the line

Before anything else, message the [REDACTED] 911 bot. Give them the basics (chain, drained wallet, drainer wallet, tx hash if known). They reply in ~8 minutes and stay with you while you work the rest of this checklist.

tg → https://t.me/[REDACTED] · /start · paste your wallet + drainer + tx
  • If you suspect malware on your device → also open [REDACTED]/go/malware
  • [REDACTED] coordinates with chain analysts, exchanges, registrars — they have channels you don't
Step 2 · 02:00

Move what's left — burn the wallet

If any tokens or NFTs remain, transfer them to a fresh, never-connected wallet generated on a clean device. Treat the compromised seed as public knowledge from now on. Do not reuse it.

  • Generate new seed offline ([REDACTED], [REDACTED], or air-gapped [REDACTED])
  • Send native gas first, then highest-value tokens, then dust last
  • If gas is sniped by sweep-bots → use Flashbots Protect RPC to bypass mempool
Step 3 · 05:00

Revoke every approval — chain by chain

Approvals you signed weeks ago can drain you tomorrow. Use revoke.cash to revoke all token approvals on every chain you've used. setApprovalForAll, Permit2, and unlimited allowances are the dangerous ones.

https://revoke.cash · connect compromised wallet · revoke all unlimited approvals on every chain
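
To show why old approvals stay dangerous until they are explicitly revoked, here is an added example (not part of the original playbook and not revoke.cash's code). It replays approval event logs for one wallet and lists the setApprovalForAll, Permit2 and unlimited approvals that are still live. Assumptions: logs are in eth_getLogs shape with blockNumber and logIndex already converted to integers, the 2**255 "unlimited" threshold is a heuristic, and all addresses and logs are constructed.

```python
APPROVAL = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
APPROVAL_FOR_ALL = "0x17307eab39ab6107e8899845ad3d59bd9653f200f220920489ca2b5937696c31"
PERMIT2 = "0x000000000022d473030f116ddee9f6b43ac78ba3"  # canonical Permit2 contract
UNLIMITED = 1 << 255  # assumption: treat any allowance >= 2**255 as "unlimited"

def addr(topic):
    """An indexed address topic is 32 bytes; the address is its last 20."""
    return "0x" + topic[-40:].lower()

def live_risky_approvals(logs, owner):
    """Replay logs oldest-first and return owner's approvals that are still live and risky."""
    state = {}  # (token, spender, kind) -> latest value; a later event overwrites
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        t = log["topics"]
        kind = {APPROVAL: "erc20", APPROVAL_FOR_ALL: "all"}.get(t[0])
        if kind is None or len(t) != 3 or addr(t[1]) != owner.lower():
            continue  # also skips 4-topic ERC-721 single-token Approval events
        state[(log["address"].lower(), addr(t[2]), kind)] = int(log["data"], 16)
    findings = []
    for (token, spender, kind), value in state.items():
        if value == 0:
            continue  # revoked: allowance 0 or operator flag false
        if kind == "all":
            reason = "setApprovalForAll operator"
        elif spender == PERMIT2:
            reason = "Permit2 allowance"
        elif value >= UNLIMITED:
            reason = "unlimited allowance"
        else:
            continue  # bounded allowance; not flagged by this sketch
        findings.append((token, spender, reason))
    return sorted(findings)

def make_log(block, token, sig, owner, spender, value):
    pad = lambda a: "0x" + a[2:].rjust(64, "0")
    return {"blockNumber": block, "logIndex": 0, "address": token,
            "topics": [sig, pad(owner), pad(spender)], "data": hex(value)}
ME, A, B, OTHER = ("0x" + c * 20 for c in ("aa", "bb", "cc", "dd"))
T1, T2, T3 = ("0x" + c * 20 for c in ("11", "22", "33"))
MAX = 2**256 - 1
SAMPLE_LOGS = [  # constructed, not real chain data
    make_log(100, T1, APPROVAL, ME, A, MAX),          # unlimited, still live
    make_log(101, T1, APPROVAL, ME, B, MAX),          # unlimited ...
    make_log(105, T1, APPROVAL, ME, B, 0),            # ... later revoked
    make_log(102, T2, APPROVAL_FOR_ALL, ME, A, 1),    # NFT operator, still live
    make_log(103, T3, APPROVAL, ME, PERMIT2, MAX),    # approval to Permit2
    make_log(104, T1, APPROVAL, OTHER, A, MAX),       # someone else's wallet
    make_log(106, T3, APPROVAL, ME, B, 1000),         # bounded allowance
]
```

A token approval to Permit2 only shows the outer layer: allowances granted inside Permit2 are recorded by the Permit2 contract itself and are not covered by this sketch.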
Step 4 · 10:00

Report to the community — make the attack public

Tag the drainer wallet on Chainabuse, MetaSleuth, Reddit r/CryptoScams, X (cc @zachxbt). Public attribution makes it harder for the attacker to cash out at exchanges and warns the next victim. This is your most important contribution to the ecosystem.

  • Submit drainer wallet to Chainabuse — feeds 30+ vendors
  • Post tx + drainer addr on Reddit r/CryptoScams and X with screenshots
  • Tag @zachxbt on X if loss is significant — he triages serious cases
  • Report the possibly phishing URL to THE ENABLERS REGISTRY so we kill the domain
Step 5 · 20:00

File with law enforcement — preserve evidence

File a police report. The case number unlocks insurance claims, tax write-offs, and CEX compliance freezes. Capture evidence first: screenshots, browser extensions list, every tx hash with UTC timestamps. Never reformat the affected machine until evidence is offsite.

  • US: FBI IC3 at ic3.gov · UK: Action Fraud · EU: national CERT
  • Save evidence to clean USB or encrypted Proton Drive — not the affected machine
  • Forward case number back to [REDACTED] — they use it to escalate exchange freezes
02 · DON'T LOSE TWICE

How recovery scammers find you

90% of "recovery" offers are second-stage scams

Anyone offering paid recovery is a scammer

4 patterns to recognize · always block & report

"I can reverse the transaction"

Public chains are immutable. No "white-hat hacker", flashbots service, or insider can reverse a confirmed tx. Anyone claiming this is selling you fiction.

DMs from "recovery agents"

Scammers monitor X, Reddit, [REDACTED] for victim posts. Within hours of you posting, you'll get DMs from "[REDACTED] support", "USDT recovery", "blockchain forensics". All scams, every time.

"Send 10% upfront / gas fee"

The classic. They take your fee, ghost you, or come back asking for more. Real responders ([REDACTED], THE ENABLERS REGISTRY, ZachXBT) never ask for money.

Fake testimonials & screenshots

Their site has glowing 5-star reviews and "trustpilot" badges. They paid for those. Cross-check any "recovery firm" name with public scam-reporting forums first.

04 · RULES OF ENGAGEMENT

Do this · Don't do this

Do — every time

  • Open [REDACTED] 911 first — get a human responder before you do anything else.
  • Generate a fresh seed on a hardware wallet or fully clean device.
  • Revoke approvals on every chain you've ever bridged to — not just the active one.
  • Capture evidence first — screenshots, tx hashes, browser state, drainer URL.
  • Report drainer wallet publicly on Chainabuse + Reddit + X. Public attribution matters.
  • File IC3 / Action Fraud / national CERT if loss exceeds $10k. Adds legal leverage.

Don't — ever

  • Don't pay "recovery agents" who DM you offering to retrieve funds. 100% scam.
  • Don't import the compromised seed into anything new — even a hardware wallet.
  • Don't reset the affected machine until you've captured the extensions list and logs.
  • Don't trust "[REDACTED] support" / "[REDACTED] support" DMs — official teams never DM first.
  • Don't reuse passwords tied to the wallet email — drainers harvest them in parallel.
  • Don't delete the possibly phishing tab before screenshots — preserve the URL bar in evidence.
05 · WHO DOES WHAT

THE ENABLERS REGISTRY and [REDACTED] — different jobs, same fight

THE ENABLERS REGISTRY

We kill possibly phishing sites

Submit a URL — we get the domain suspended at the registrar, blocklisted across browsers and 30+ wallets. We don't do incident response.

+
[REDACTED] 911

They respond to live incidents

Got drained? Need exchange freezes, fund tracing, malware triage? [REDACTED] has chain analysts and security teams on call. ~8 min reply, free.

06 · FAQ

Common questions, answered fast

Will I get my funds back?

Honest answer: usually no. Recovery happens in less than 8% of cases — and only when funds hit a KYC'd exchange before laundering. Speed is your only leverage. Every minute lowers the odds.

Anyone who DMs you offering "guaranteed recovery" is a scammer targeting your second loss. [REDACTED], THE ENABLERS REGISTRY, and ZachXBT are all volunteer-run and never charge.

What if I think there's malware on my device?

Open the [REDACTED] malware playbook: [REDACTED]/go/malware. It walks you through isolating the device, capturing the infection, rotating credentials from a clean machine, and avoiding cross-contamination.

Common signs: clipboard-paste replaces your address with a different one; a wallet extension you don't remember installing; transactions you didn't initiate; "MFA" requests you didn't trigger.

Should I import my seed into a new wallet "just to check"?

No. Never. The seed is public to the attacker. Any wallet you import it into — including a hardware wallet — is already drained or scheduled to be. Sweep bots monitor known compromised seeds 24/7.

Why public reporting? Why not just file with police?

Police reports are slow. Public reporting on Chainabuse, MetaSleuth, X, and Reddit is fast — and it stays in Google. Three reasons it matters: (1) the attacker can't cash out at major exchanges if the wallet is publicly tagged, (2) the next victim Googles the address before signing and walks away, (3) chain analysts pick up the trail quicker. Always do both.

What's the difference between THE ENABLERS REGISTRY and [REDACTED] 911?

THE ENABLERS REGISTRY takes possibly phishing domains down — we work the registrar, hosting, browser, and wallet-blocklist side. We don't run incident response.

[REDACTED] 911 is the war-room hotline of the Security Alliance — chain analysts, exchange contacts, malware experts, and protocol teams. If you're in an active incident, they're who you want on the phone. [REDACTED]

I see "pending" transactions. Can I cancel them?

If your tx is still pending and the attacker's hasn't confirmed yet, you can race them with a higher-gas replacement. Use cancel in [REDACTED] or speed-up via Flashbots Protect. If the attacker controls the wallet, you are racing their bot's gas — you usually lose. [REDACTED] can sometimes coordinate Flashbots-protected sweep helps; ask in the bot.

How long should I keep evidence?

At least 5 years. Civil suits, tax write-offs, insurance claims, and law-enforcement chain-of-custody all need original screenshots, tx hashes, and timestamps. Store on encrypted offline media — never on the affected machine.

You are not alone — every second counts

Stop reading. Open [REDACTED] 911.

If you got this far and you haven't messaged the bot yet, do it now. They will guide you through everything IANA #1086 in real time. Free, 24/7, ~8 minute reply.

THE ENABLERS REGISTRY · Critical Action playbook · in coordination with Security Alliance ([REDACTED])
enablers.report · [REDACTED] · malware playbook

Archive note

If the page below still says “we” or sounds suspiciously confident, that remains the upstream publisher speaking. TER only preserves the record, strips the house branding, and keeps exits wrapped through the source gate.