Rescue Assets From a Compromised Wallet

Q: What is a sweeper bot and how does it work?

A sweeper bot (drainer bot) is an automated program that hackers install on wallets with leaked private keys. The bot continuously monitors all wallet activity — when it detects any new assets deposited including gas fees, it immediately transfers everything to the hacker's wallet within seconds, sometimes even in the same block as the deposit transaction.

⚠️ Disclaimer — Please Read Before Reaching Out

Scope: This service helps move assets still in your wallet or smart contract to a safe wallet. Assets already transferred to the attacker's wallet cannot be retrieved — no one can reverse a completed blockchain transaction.
No guaranteed outcomes: Success depends on the technical condition of each individual case. We provide a free technical assessment and only confirm support when there is clear feasibility.
Fees are charged only after success — no upfront payments of any kind, ever.
Official contact only: X (Twitter) @trangchongcheng. Be cautious of impersonator accounts on Telegram, Discord, or any other platform claiming to be Airdrop101.
Airdrop101's safe wallet: All rescued assets are received and returned through the publicly verifiable address 0xe99fe1d334b6a74d00adf4522e5051361de2bf40 — independently verifiable onchain.

Just discovered your crypto wallet (MetaMask, OKX, Phantom…) has been compromised? Tokens and NFTs disappearing automatically, gas fees drained the moment you deposit, or strange transactions appearing that you never made? This is the nightmare of anyone in the cryptocurrency market — and you're not alone.

The Web3 and crypto space is riddled with risks — from phishing attacks and malicious approvals to increasingly sophisticated wallet exploits. Many users lose control of their wallets without any chance to react, leaving assets stranded with no clear way forward.

When a wallet has been compromised, the key thing to understand is: assets still stuck in the wallet — especially tokens in staking, vesting, or unclaimed airdrops — can still be rescued. These are assets that have not yet been taken and still have a chance to be moved to a safe wallet before the attacker acts.

What Is a Compromised (Hacked) Crypto Wallet?

A compromised crypto wallet is a situation where a malicious actor gains control of your wallet by obtaining your private key or seed phrase through various deceptive methods. When this happens, the hacker can fully control all transactions on the wallet — withdraw tokens, transfer NFTs, claim airdrops, rewards… or interact with any smart contract on your behalf. Each crypto wallet like MetaMask, Phantom, etc. has a private key or seed phrase that grants full access to the wallet. Once this information is exposed to someone else, you have essentially been hacked and that person has complete access to your wallet and assets.

Signs That Your Crypto Wallet Has Been Hacked

If you encounter any of the situations below, your wallet has very likely been compromised:

Tokens (coins) and NFTs automatically disappear from your wallet without you making any transactions. Tokens are drained across many different chains at nearly the same time. Some assets that are staking or locked will be unlocked and the hacker will wait for the unlock date to continue withdrawing.

Strange transactions appear in your wallet history — especially approve, permit, or transfer commands. These are the commands hackers execute to prepare for draining assets from the hacked wallet.

Gas fees ($ETH, $BNB, $AVAX, $POL…) are drained immediately after deposit — this is the clearest sign of a sweeper bot. From 2025 onwards, sweeper bots have evolved with many variants that cause native tokens (ETH, BNB…) to automatically disappear when deposited into the wallet without any visible withdrawal transaction — making it impossible for you to have gas fees to execute any transaction.
Receiving unknown tokens from unknown sources — this could be a dust attack.

Unable to execute transactions such as withdrawals, claims, unstaking, or withdrawals despite the wallet still having a balance. This is a transaction overwrite tactic that hackers have set up on the victim's wallet. Every time you make a transaction, the hacker cancels it or even overwrites it with their own transaction.

Important: When you notice any abnormal signs, stop all activity on the wallet immediately. Don't deposit more funds, don't try to rush withdrawals.

What Is a Sweeper Bot and How Does It Work?

A sweeper bot (also known as a drainer bot) is an automated program installed by hackers to monitor wallets with leaked private keys. This is one of the most dangerous threats because it operates 24/7 at speeds faster than any manual operation.

The mechanism is simple yet highly effective: the bot continuously scans all activity in the wallet. The moment it detects new assets — whether tokens, gas fees, or NFTs — the bot immediately creates a transaction to transfer everything to the hacker's wallet. This process happens within seconds, sometimes even in the same block as the deposit transaction, making it virtually impossible to "race" the bot manually.

This is exactly why many people deposit gas fees into a hacked wallet trying to withdraw assets, only to have the gas immediately "swept" clean by the bot. You need specialized tools and techniques to overcome a sweeper bot.

Technical Factors That Affect Rescue Feasibility

In the blockchain world, all transactions are irreversible. Certain asset types — particularly tokens with fixed vesting schedules, time-locked staking, or airdrops with claim deadlines — have defined technical windows during which they can be moved.

When reaching out, please include your wallet address and any relevant deadline information so we can accurately assess what's possible.

Can a Hacked Crypto Wallet Be Recovered?

The answer depends on what assets remain. Assets already transferred to the hacker's wallet cannot be retrieved — no one can reverse a blockchain transaction. However, assets still stuck in your wallet or in smart contracts can potentially be moved to a safe wallet in many cases. Below is a detailed breakdown.

Cases Where We Can Help

We have the highest success rate in the following situations:

Tokens/NFTs locked in smart contracts — Staking rewards, vesting tokens, unclaimed airdrops still sitting in smart contracts, not yet withdrawn to the wallet. This is the "gold mine" that hackers haven't touched because it's locked or they don't know about it.
Wallet has a sweeper bot but some assets haven't been swept — Some tokens have special mechanisms that the bot hasn't recognized and are still in the wallet.
Assets on multiple networks — Hackers may only sweep certain chains, missing assets on other chains.
Valuable NFTs — In some cases, NFTs remain in the wallet because hackers haven't gotten to them or don't know how to sell them.
Incorrect or missing 1–2 seed phrase words — Brute-force techniques can be used to find the correct combination.

Cases That Are Difficult or Impossible to Help With

To be honest: not every situation can be saved. Situations that are nearly impossible to recover include:

All tokens have been fully drained with no assets remaining in the wallet or in any smart contracts
The hacker has moved assets through mixers or CEXs and withdrawn to fiat
Complete loss of seed phrase (12/24 words) with no backup copies whatsoever

Note: If you're unsure whether your case is recoverable, contact Airdrop101 for a free technical assessment — no commitment to proceed until we've reviewed the specifics.

How Does Airdrop101 Help Move Your Assets?

Airdrop101 is a community specializing in airdrops, retroactive rewards, and blockchain, while also supporting asset extraction from compromised wallets with proprietary tools and code. To date, we have successfully rescued over 300 cases involving more than 700 compromised wallet addresses — across a wide range of attack types — over more than 2 years of operation.

Specialized Tools and Code

Unlike manual approaches, Airdrop101 uses self-developed tools — including custom scripts, a bundle transaction builder, and automated smart contract interaction modules. This allows us to handle complex situations that conventional methods cannot solve.

Free Telegram Community Support

Airdrop101 maintains a Telegram community group — a space for sharing knowledge about airdrops, retroactive rewards, blockchain, and wallet security completely free of charge. It's a place where you can ask questions, stay updated, and connect with fellow Web3 enthusiasts.

A few notable rescue cases:

All onchain proofs below are publicly verifiable through Airdrop101's safe wallet address: 0xe99fe1d334b6a74d00adf4522e5051361de2bf40

~$40,000 $ONDO — Recovered 25,000 $ONDO across 5 compromised wallets over 5 months when token unlocked. View details · Onchain proof
19,800 $KAIO — Claimed 19,800 $KAIO airdrop tokens across 16 wallets with active sweeper bots, unable to receive gas. View details · Onchain proof
70+ wallets $SAHARA — Claimed 6 Sahara airdrop rounds across 70+ wallets using multi-wallet batch transaction. View details · Onchain proof
~$700 $ETH — Claimed ETH unstaked by attacker using transaction simulation before sweeper bot could react. View details · Onchain proof
17,000 $RNBW — Debugged Rainbow app to successfully claim 17,000 $RNBW for 15+ wallets denied the airdrop. View details · Onchain proof
40+ wallets $RECALL — Claimed RECALL airdrop across 40+ compromised wallets with active sweeper bots. View details · Onchain proof
~$5,000 $ERA — Rescued ERA airdrop across 10 compromised wallets, all processed within a single block. View details · Onchain proof
~$25,000 $LINK — Rescued staked $LINK after computer malware infection; initial total damage exceeded $68,000. View details · Onchain proof
~$1,300 NFT Opensea — Minted and transferred Opensea NFTs from a compromised MetaMask wallet with active sweeper bot. View details · Onchain proof

Below are the main forms of support.

Asset Rescue From Wallets With Leaked Private Keys and Seed Phrases

This is our core form of support. When a wallet's private key or seed phrase is leaked, we use techniques such as bundle transactions (combining multiple transactions into the same block) paired with flashbots to move assets faster than the sweeper bot.

This technique allows sending gas fees and executing the asset withdrawal transaction within the same bundle, preventing the bot from "sweeping" the gas before the transaction completes. We support multiple networks:

All EVM chains: Ethereum, BSC (BNB Chain), Base, Linea, Arbitrum, Polygon, Optimism…
Solana: SPL tokens, NFTs on Solana

Airdrop Claiming and Unstaking Support for Hacked Wallets

Have unclaimed airdrop rewards? Tokens locked in staking that you can't withdraw because a sweeper bot is watching your wallet? Airdrop101 specializes in handling these situations.

The team monitors unlock schedules, pinpoints the exact moment assets are released, and executes claim + transfer transactions within the same block to "outrun" the sweeper bot. This includes retroactive rewards, staking rewards, vesting tokens, and other types of DeFi rewards.

On-chain Analysis and Fund Tracing

You don't always know exactly where your assets are. Airdrop101 performs in-depth on-chain analysis:

Fund tracing — Identify where assets have been transferred, through which wallets, to determine the cause of the hack, who the hacker is, and the final destination of the funds.
Find stuck assets — Discover tokens "forgotten" in old smart contracts, LP positions, or DeFi protocols that have ceased operations.
Restore wallet access — Assist in cases where 1–2 seed phrase words are incorrect or missing.

How Does the Asset Move Process Work?

The asset extraction process at Airdrop101 follows 4 clear steps, ensuring transparency and security for every client.

Step 1 — Intake and Situation Assessment

Reach out via X (Twitter) @trangchongcheng, describe the issue, and provide your public wallet address. Airdrop101 will check the wallet status, identify the attack type (sweeper bot, phishing, or leaked seed phrase), and assess rescue feasibility. This step is completely free with no commitment to proceed.

Step 2 — On-chain Analysis and Strategy Development

Once the case is confirmed as rescuable, Airdrop101 performs deep on-chain analysis: checking all assets across multiple networks, identifying assets in smart contracts, evaluating the sweeper bot's behavior, and building the optimal rescue strategy.

Step 3 — Execute the Rescue

Using specialized tools — bundle transactions, flashbots, custom scripts — to move assets from the hacked wallet to a new safe wallet. The entire process is executed at maximum speed, ensuring we outrun the sweeper bot.

Step 4 — Return Assets to the Wallet Owner

All rescued assets will be transferred back to your safe wallet. A percentage fee is agreed upon transparently before proceeding and charged only after successful asset transfer.

Note: If assets have a technical deadline (expiring airdrop, upcoming vesting unlock), mention this during the initial assessment so we can plan accordingly.

How To Protect Your Crypto Wallet From Being Hacked?

Prevention is better than cure. While we can help in many situations, the best approach is always to protect your wallet from the start. Below are the most important security principles.

Private Key and Seed Phrase Security Principles

Never share your private key or seed phrase with anyone, even if they claim to be technical support, a project admin, or a friend
Write it on paper, store it safely — Don't take screenshots, don't save on your phone, don't store in Google Drive or online notes
Back up in multiple locations — At least 2 backup copies in 2 different physical locations
Never enter your seed phrase on any website — Legitimate wallets will never ask you to input your seed phrase online

Recognizing Common Scam Methods

The majority of crypto wallet hacks originate from phishing scams rather than technical vulnerabilities. Three most common methods you need to watch out for:

Fake emails and websites: Hackers create websites identical to official project pages or exchanges, then send emails or messages directing you to the fake site to enter your wallet information. Always double-check the URL — even a single character difference could indicate a phishing site.

Strange tokens / Dust attack: Hackers send a small amount of unknown tokens to your wallet. When you try to sell or interact with these tokens, the malicious smart contract requests approval permission — allowing the hacker to drain all assets from your wallet.

Fraudulent DApps: Fake decentralized applications that ask you to connect your wallet and approve unlimited access (unlimited approval). Once you accept, the hacker can withdraw your tokens at any time without needing your private key.

Important tip: Use separate wallets for different purposes — one wallet for long-term storage, one for daily trading, and a dedicated wallet for airdrop farming. If your airdrop wallet gets hacked, your main assets remain safe.

Using Hardware Wallets and Multisig Wallets

Hardware wallets (cold wallets) such as Ledger and Trezor are the best security solution available today. Private keys are stored entirely offline on the hardware device. Even when connecting the hardware wallet to a computer for transactions, you must physically confirm on the device — hackers cannot bypass this step remotely.

Multisig wallets require multiple private keys to co-sign before a transaction can be executed (e.g., 2-of-3 or 3-of-5). Even if one key is compromised, assets remain safe because the hacker doesn't have enough signatures. This is the ideal choice for those managing large amounts of crypto assets.

Frequently Asked Questions

Can a hacked crypto wallet be recovered?

Yes, in many cases — especially when there are assets locked in smart contracts (staking, vesting, unclaimed airdrops). We use bundle transactions and flashbots to move assets before the sweeper bot can react. However, if all tokens have been fully drained with no assets remaining in smart contracts, recovery chances are very low.

What is a sweeper bot and how does it work?

A sweeper bot is an automated program that hackers install on wallets with leaked private keys. The bot continuously monitors all wallet activity — when it detects any new assets deposited (including gas fees), it immediately transfers everything to the hacker's wallet within seconds.

How much does hacked crypto wallet rescue cost?

The cost depends on the complexity of each case, the type of assets, and the blockchain network involved — typically no more than 15% of the value of assets successfully moved. Fees are charged only after success, with no upfront payments. Airdrop101 provides a free assessment before giving a specific quote. Contact via X: @trangchongcheng.

How do I know if my crypto wallet has been hacked?

Common signs include: tokens disappearing without explanation, unfamiliar transactions you didn't make, gas fees being drained immediately after deposit, or receiving unknown tokens from unknown sources. If you notice any of these signs, stop using the wallet and seek help immediately.

Conclusion

A compromised crypto wallet is not the end of the road. With specialized tools like bundle transactions, flashbots, and in-depth on-chain analysis, Airdrop101 has helped many people minimize the damage — rather than standing by while attackers drain every last asset.

Three most important things to remember: act fast when you discover your wallet has been hacked, never deposit funds into a compromised wallet on your own, and contact someone experienced for timely support.

And don't forget — prevention is always better than cure. Protect your private key, use a hardware wallet for large assets, and separate wallets for different purposes.

Contact Airdrop101 for a Free Assessment

Provide your wallet address and describe the situation. We'll review the technical details and give you a clear answer on what's possible before anything proceeds.

Reach out via X (Twitter): @trangchongcheng