What to do if you have a sweeper bot on your account
Have assets suddenly moved out of your account, without your permission or knowledge? Have you noticed that every time you transfer something into your account, it gets automatically forwarded somewhere else?
If so, you might be dealing with a sweeper. This article will give some explanation as to what sweepers are, and provides further guidance on dealing with having one attached to your account.
You should immediately stop using accounts associated with your current Secret Recovery Phrase. Any funds deposited may end up being stolen. Continue reading the article for next steps.
What is a sweeper?
Also known as a sweeper bot, a sweeper is an automated bit of code (also called a script) that can be assigned to a blockchain address, to perform actions relating to that account automatically, such as automatically sweeping assets deposited into the account to another address.
If you want to learn more about what sweeper bots are, how they work, and how they can get installed, take a look at our explainer on sweeper bots.
What to do if you have a sweeper bot on your account
Review recently installed applications and browser extensions, especially those from untrusted third parties. Ensure your operating system, security software, web browsers, and other applications are fully updated. Perform a virus/malware scan on any device on which you have MetaMask installed.
If you suspect that you may have a sweeper bot on your account, there are a couple of things you should and should not do.
Do not deposit more funds
Depositing more funds to your account will likely result in losing more funds. When the sweeper bot detects that you've deposited additional funds, it can immediately send these out to another address, resulting in you no longer having access to these funds. These funds are irretrievable, meaning that you will lose them forever.
Report the scam
Report the scam on a blockchain explorer and to your local authorities. Then, report the scam to Chainabuse using the Chainabuse Report Form.
Educate yourself on how sweeper bots work
To avoid this happening again in the future, educate yourself on how these kinds of attacks can happen. Learn more about how sweeper bots work.
Never share your Secret Recovery Phrase with others. It will grant them access to all of your accounts and funds.
Migrate to a new Secret Recovery Phrase
Do not create additional accounts under your now-compromised Secret Recovery Phrase; any newly created accounts will also be compromised, and you're likely to lose funds deposited into them.
Instead, generate a brand new Secret Recovery Phrase. Read more about migrating your accounts.
Consider using Flashbots
Any remaining assets in your wallet can potentially be recovered by using Flashbots. If you don't wish to attempt this yourself, you can also open a case with the Flashbots Whitehat team. Please note that their recovery team requires a $1,000 asset recovery minimum, and they take a 5-10% cut of the recovered assets.
Bringing a bot to a bot fight
In this context—fighting against an automated opponent who takes your ETH from you before you can use it—things can look pretty hopeless. Enter Flashbots, who have developed a project called Flashbots/searcher-sponsored-tx. This allows you, essentially, to pay for the transaction on the compromised address from another account. Or, as they put it: “This is accomplished by submitting a Flashbots transaction bundle, with the first "sponsor" transaction paying the "executor" wallet in ETH, followed by a series of executor transactions that spend this newly received ETH on gas fees.”
This strategy requires two accounts — the compromised account (the executor) and another to pay for the transaction (the sponsor). Success using Flashbots will require significant technical know-how and research. The following instructions are provided as a general guide only.
- Make sure the compromised account has no ETH in it; we highly recommend you use a burner bot first.
- We generally advise running this burner bot on more than one machine, using a different endpoint on each. For example, run a burner locally using Infura, and a burner on a remote server with another provider such as Quiknode. This gives you a redundancy plan in case you experience high network latency or node issues (rate limits, syncing issues). The code in Flashbots/searcher-sponsored-tx will need to be altered for your specific needs, but the engine is there for you to rescue your tokens from a compromised address. The Flashbots engine is flexible enough to support a single transfer() call, or unstake() and transfer().
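As an added illustration of the sponsor/executor mechanism described above, the following Python model is example code written for this page; it is not MetaMask's code and not the Flashbots/searcher-sponsored-tx project's own code. Every address, balance and gas figure in it is constructed. The model keeps only what the rescue hinges on: ETH balances, one token balance, a worst-case gas charge per transaction, and a sweeper that drains any ETH it finds sitting in the compromised (executor) account between transactions. Running the same transactions once as an atomic bundle and once landing one by one shows why the bundle is what makes the rescue work, and the preflight check encodes the guide's precondition that the executor must hold no ETH first.

```python
from copy import deepcopy
from dataclasses import dataclass, field

GWEI = 10**9


@dataclass
class Tx:
    sender: str
    to: str
    value_wei: int = 0            # ETH carried by the transaction
    gas_limit: int = 21_000
    max_fee_per_gas: int = 30 * GWEI
    token_amount: int = 0         # tokens moved sender -> to (0 = plain ETH transfer)

    def max_gas_cost(self) -> int:
        """Worst-case ETH the sender must hold for gas; a node checks this up front."""
        return self.gas_limit * self.max_fee_per_gas


@dataclass
class Chain:
    eth: dict = field(default_factory=dict)     # address -> wei (constructed state)
    tokens: dict = field(default_factory=dict)  # address -> token units

    def apply(self, tx: Tx) -> None:
        need = tx.value_wei + tx.max_gas_cost()
        if self.eth.get(tx.sender, 0) < need:
            raise ValueError(f"{tx.sender}: needs {need} wei for value + gas")
        # toy simplification: charge the full max fee with no refund of unused gas
        self.eth[tx.sender] -= need
        self.eth[tx.to] = self.eth.get(tx.to, 0) + tx.value_wei
        if tx.token_amount:
            if self.tokens.get(tx.sender, 0) < tx.token_amount:
                raise ValueError(f"{tx.sender}: insufficient tokens")
            self.tokens[tx.sender] -= tx.token_amount
            self.tokens[tx.to] = self.tokens.get(tx.to, 0) + tx.token_amount


def required_sponsor_value(executor_txs: list) -> int:
    """ETH the sponsor must send so every executor transaction can pay its gas."""
    return sum(t.max_gas_cost() for t in executor_txs)


def build_bundle(sponsor: str, executor: str, executor_txs: list) -> list:
    """First tx: sponsor pays the executor exactly its gas budget; then the executor txs."""
    sponsor_tx = Tx(sender=sponsor, to=executor,
                    value_wei=required_sponsor_value(executor_txs))
    return [sponsor_tx] + list(executor_txs)


def preflight(chain: Chain, executor: str, bundle: list) -> list:
    """Checks taken from the guide above; returns a list of problems (empty = ready)."""
    problems = []
    if chain.eth.get(executor, 0) != 0:
        problems.append("executor still holds ETH; drain it before bundling")
    if not bundle or bundle[0].to != executor or bundle[0].sender == executor:
        problems.append("first tx must be the sponsor payment into the executor")
    else:
        budget = required_sponsor_value([t for t in bundle[1:] if t.sender == executor])
        if bundle[0].value_wei < budget:
            problems.append(f"sponsor value {bundle[0].value_wei} < gas budget {budget}")
    for t in bundle[1:]:
        if t.sender == executor and t.value_wei:
            problems.append("executor txs should move tokens, not ETH the sweeper can race")
    return problems


def sweep(chain: Chain, victim: str, attacker: str) -> None:
    """The sweeper's effect in the model: any ETH left in the victim account is gone."""
    chain.eth[attacker] = chain.eth.get(attacker, 0) + chain.eth.get(victim, 0)
    chain.eth[victim] = 0


def run(chain: Chain, bundle: list, atomic: bool, victim: str, attacker: str) -> Chain:
    """Atomic: all-or-nothing, nothing interleaved. Non-atomic: each tx lands alone
    and the sweeper gets a turn after every one."""
    state = deepcopy(chain)
    if atomic:
        try:
            for tx in bundle:
                state.apply(tx)
        except ValueError:
            return deepcopy(chain)      # the whole bundle reverts
        return state
    for tx in bundle:
        try:
            state.apply(tx)
        except ValueError:
            break                       # this tx fails; the earlier ones stay landed
        sweep(state, victim, attacker)
    return state


def demo() -> dict:
    """Constructed scenario: 500 tokens stranded in an executor account with zero ETH."""
    executor, sponsor, safe, attacker = "0xEXEC", "0xSPONSOR", "0xSAFE", "0xATTACKER"
    start = Chain(eth={executor: 0, sponsor: 10**18}, tokens={executor: 500})
    rescue = [Tx(sender=executor, to=safe, gas_limit=60_000, token_amount=500)]
    bundle = build_bundle(sponsor, executor, rescue)
    problems = preflight(start, executor, bundle)
    if problems:
        raise RuntimeError(problems)
    atomic = run(start, bundle, True, executor, attacker)
    racy = run(start, bundle, False, executor, attacker)
    return {"atomic_safe_tokens": atomic.tokens.get(safe, 0),
            "racy_safe_tokens": racy.tokens.get(safe, 0),
            "racy_attacker_eth": racy.eth.get(attacker, 0)}


if __name__ == "__main__":
    print(demo())
```

In the atomic run the tokens reach the safe address and the executor ends with zero ETH; in the one-by-one run the sponsor's ETH is swept the moment it lands and the executor transaction then fails for lack of gas. The toy charges the full max fee, so nothing is left over; on a real chain, whatever the executor does not spend on gas stays in that account and is exposed again, which is one reason the sponsor payment should be sized to the executor transactions rather than padded.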