In this situation, your wallet is most likely compromised (someone has obtained unauthorized access). The steps below outline a method for damage limitation: you may be able to rescue some funds from your account before they are removed.
Follow these steps as soon as possible:
- Install MetaMask on another browser (or another browser profile). For Mobile, you'll need a second device, enabling you to create a new instance of MetaMask (if you remove MetaMask from your mobile device and you don't have the Secret Recovery Phrase backed up, you won't be able to re-access it).
- Create a new MetaMask wallet on the new browser, browser profile, or mobile device.
- Write down the Secret Recovery Phrase in the correct order and store it someplace safe. Never give it to anyone.
- Go back to the compromised account and send any remaining funds to the newly created account. If you believe there may be a sweeper script on the compromised account, don't send in any additional ETH or other tokens to pay for gas (if there is a sweeper, try following our guidance here).
- Once you've removed all of the funds you can, discontinue using the old wallet and any accounts associated with the compromised Secret Recovery Phrase.
- Report the scam to the relevant authorities.
Unfortunately, transactions cannot be reversed, nor missing funds restored. MetaMask is a self-custodial wallet, which means we cannot control access to user accounts, nor intervene and rescue your account or funds for you.
Why did this happen?
Due to the sheer scale and scope of web3, there is an enormous abundance of attack vectors that could have been the reason your wallet was compromised. Some common causes are listed below:
- Your computer has been compromised with malicious software and you stored your private information on your computer, allowing it to identify and retrieve your Secret Recovery Phrase, for example.
- You have visited a malicious phishing website that stole your information.
- You gave your private key or Secret Recovery Phrase to someone or a site.
- You gave a dapp or site's smart contract unlimited access to your funds (find out how to revoke access here).
- You installed a fake MetaMask extension that stole your funds.
To learn about types of scams that you may have encountered, check out our Staying Safe in Web3 section.
Try to analyze your browser history and scan your computer to eliminate any further breach of information. If you discover any suspicious phishing websites please follow the steps in our How to report a scam article so we can prevent this from happening to other users in the future. If you have any further information after your own investigation, please let us know.