Most of what was stolen is gone. That is the honest starting point, and everything that follows is built on that premise. Understanding what remains possible — and what is permanently off the table — is the only way to avoid compounding a bad outcome.
This is Part 5 of the NFT Security Masterclass and the hardest piece to write, because the most useful thing it can tell you is what not to waste time on.
The First Hour: Triage Before Anything Else
Drainers are automated. The moment you signed the transaction, a bot swept your wallet. By the time you realised something was wrong, the assets were likely already bridged, mixed, or sold. The first hour is not about recovering what was taken — it is about stopping additional losses.
Step 1: Disconnect your wallet from every connected site.
Not just the site you think caused the drain. Every site. Open your wallet's connected sites panel and revoke all connections. Individual site disconnects are insufficient if your browser session is still active.
Step 2: Revoke all remaining approvals.
Do this from a clean device — ideally one that has never accessed the compromised wallet or visited Web3 sites. Go to revoke.cash and revoke every outstanding token and NFT approval on the compromised address. This is the single most important technical step. If approvals remain active, a drainer can return for anything you receive into that address later. Part 3 of this series covers the full revocation walkthrough.
Step 3: Move remaining assets to a brand new wallet.
Generate a new seed phrase on a clean device. Transfer anything remaining in the compromised wallet to this new address. Do not reuse the compromised seed phrase for anything, ever again.
Step 4: If your seed phrase itself was exposed, the situation is more severe.
Every wallet derivable from a compromised seed phrase is compromised — including addresses you have never used. A drainer that obtained your seed phrase does not need to wait for you to use an address; it can sweep derivation paths proactively. Treat every account under that seed as lost.
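Step 2 is the one people get wrong by missing an approval. Approvals are on-chain state, not a list a wallet keeps for you: the newest Approval or ApprovalForAll event per (token, spender) pair is what currently applies, and anything non-zero still grants access. The script below, an added example that is not code from this article or from revoke.cash, replays a constructed approval log for a compromised address and produces the revocation list; all addresses and events in it are made up.

```python
"""Added example: reconstruct the approvals still live on a compromised
address from its approval event history, so nothing is missed when revoking.
All addresses and events below are constructed sample data."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

MAX_UINT256 = 2**256 - 1  # the "unlimited" allowance most dapps request

# Constructed addresses; they do not refer to real contracts or wallets.
VICTIM = "0xVICTIM"
USDC = "0xTOKEN-USDC"
WETH = "0xTOKEN-WETH"
NFT = "0xNFT-COLLECTION"
DRAINER = "0xDRAINER"
DEX_ROUTER = "0xDEX-ROUTER"
MARKET = "0xMARKETPLACE"


@dataclass(frozen=True)
class ApprovalEvent:
    block: int
    log_index: int
    token: str
    owner: str
    spender: str   # ERC-20 spender, or ERC-721/1155 operator
    kind: str      # "erc20"   -> Approval(owner, spender, value)
                   # "for_all" -> ApprovalForAll(owner, operator, approved)
    value: int     # allowance for erc20; 1 (granted) or 0 (revoked) for for_all


# Constructed log, oldest first: a routine DEX allowance, a marketplace
# operator grant later revoked, then the two approvals signed on the phishing page.
SAMPLE_EVENTS: List[ApprovalEvent] = [
    ApprovalEvent(100, 0, WETH, VICTIM, DEX_ROUTER, "erc20", MAX_UINT256),
    ApprovalEvent(120, 3, NFT, VICTIM, MARKET, "for_all", 1),
    ApprovalEvent(150, 1, NFT, VICTIM, MARKET, "for_all", 0),
    ApprovalEvent(200, 7, USDC, VICTIM, DRAINER, "erc20", MAX_UINT256),
    ApprovalEvent(200, 8, NFT, VICTIM, DRAINER, "for_all", 1),
]


def live_approvals(events, owner) -> Dict[Tuple[str, str], ApprovalEvent]:
    """Replay the log in chain order; the newest event per (token, spender)
    is the current on-chain state, and only a non-zero state grants access."""
    latest: Dict[Tuple[str, str], ApprovalEvent] = {}
    for ev in sorted(events, key=lambda e: (e.block, e.log_index)):
        if ev.owner == owner:
            latest[(ev.token, ev.spender)] = ev
    return {key: ev for key, ev in latest.items() if ev.value != 0}


def revocation_plan(events, owner) -> List[dict]:
    """Everything that must be revoked (the article's advice is every approval,
    not only the attacker's), unlimited grants first."""
    plan = []
    for (token, spender), ev in live_approvals(events, owner).items():
        unlimited = ev.kind == "for_all" or ev.value == MAX_UINT256
        plan.append({"token": token, "spender": spender,
                     "kind": ev.kind, "unlimited": unlimited})
    return sorted(plan, key=lambda p: (not p["unlimited"], p["token"], p["spender"]))


if __name__ == "__main__":
    for item in revocation_plan(SAMPLE_EVENTS, VICTIM):
        print(item)
```

The revoked marketplace grant drops out because its latest event is zero, while the old DEX allowance stays on the list: it is harmless on its own, but the article's instruction is to clear the address completely, since a drainer holding the key can route through any live allowance. A real run would pull these events from the chain explorer's log API rather than a constructed list.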
Building the Paper Trail
Law enforcement cannot work without documentation, and documentation cannot be reconstructed later with the same completeness it has right now. Do this while the trail is fresh.
What to collect:
- The compromised wallet address
- Every transaction hash associated with the drain (from Etherscan, Solscan, or the relevant chain explorer)
- Screenshots of every phishing site, DM, or email that preceded the drain, with URLs visible
- Timestamps of when you noticed each event
- Any wallet addresses the stolen assets moved to
- Any marketplace listings the stolen NFTs appeared in afterward
On-chain tracing tools you can use yourself:
- Etherscan / Solscan / chain explorers — free, immediate, show transaction paths
- Arkham Intelligence (platform.arkhamintelligence.com) — public labeled explorer; shows if funds touched known entities
- MistTrack by SlowMist (misttrack.io) — 400M+ labeled addresses, over 1,000 tracked entities; free lookups available; generates risk reports useful for filing
- Breadcrumbs.app — visual fund flow graph; useful for presenting to investigators who are not chain-native
Enterprise-grade tools like Chainalysis Reactor and Crystal Intelligence exist but are not available to individuals. Law enforcement agencies use them. Your documentation feeds into their analysis.
Where to Report
Reporting does not guarantee recovery. It creates the legal record necessary for any future action and contributes to aggregate data that funds enforcement priorities.
United States:
- IC3.gov — the FBI's Internet Crime Complaint Center; primary federal filing point. The FBI reported $16.6 billion in Internet crime losses in 2024. File here regardless of loss size.
- FBI Field Office — for losses above approximately $10,000, direct contact with your local field office is worth attempting alongside the IC3 filing.
- Local or state police — file for a report number. This number is typically required for insurance claims and may be required for tax documentation.
- Chainabuse.com — community attribution platform operated in partnership with TRM Labs. Adds the attacker's addresses to a shared blocklist used by some exchanges and wallets.
- SEC — if the NFT or token involved has characteristics of a security and the scheme involved fraudulent solicitation.
United Kingdom: Action Fraud (actionfraud.police.uk) is the primary reporting body.
European Union: Europol coordinates cross-border crypto crime; individuals report to their national agency, which can escalate.
Include your MistTrack or Arkham report links in every filing. Investigators who are already familiar with the tools will know what they are looking at.
What Recovery Actually Looks Like
There are four scenarios where partial recovery is not impossible. None of them are common. All of them require fast action and considerable luck.
Scenario 1: CEX freeze. If traceable funds reach a centralised exchange with KYC requirements and you report to that exchange's compliance team within hours with transaction hash documentation, the exchange may freeze the deposit pending investigation. This requires the attacker to have made the significant operational security error of cashing out directly to a KYC exchange — which sophisticated drainer operators typically do not do. The funds are not returned to you by the exchange; they are frozen pending law enforcement process.
Scenario 2: Marketplace delisting. OpenSea, Blur, and other major marketplaces have processes for flagging stolen NFTs. Submitting the token contract and token ID with supporting transaction documentation can result in the NFT being delisted from that marketplace — meaning the attacker cannot sell it there. This does not return the NFT to you, and it does not prevent sale on other platforms or via direct transfer. It is a partial friction measure, not recovery.
Scenario 3: Law enforcement seizure. If an attacker is identified, operates in a cooperative jurisdiction, and law enforcement chooses to pursue the case, asset seizure is possible. This process takes years. Most individual drains do not meet the scale threshold to attract prosecution resources unless they are part of a larger pattern.
Scenario 4: Protocol exploit coverage. Nexus Mutual and similar decentralised cover protocols pay out for smart contract bugs in the protocols they cover. They explicitly do not cover phishing-induced drains, user-level approval mistakes, or seed phrase compromise. There is no mainstream crypto insurance product that covers the category of loss described in this article. If someone tells you otherwise, they are misinformed or lying.
Permanent write-offs:
- Funds that passed through Tornado Cash or any mixer
- Funds sent to exchanges in non-cooperative jurisdictions
- Funds converted to privacy coins
- Funds that have gone through multiple hops across chains
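The tracing tools listed under Building the Paper Trail and the write-off list above come together in one decision: for each endpoint the stolen funds reached, is it an exchange that can freeze, or a destination that ends the trail? The script below is an added example, not code from this article or from any of the tools it names. It walks a constructed set of transfers hop by hop, starting from the sweep transaction, follows only transfers that happen after the funds arrived at each address, stops at labeled entities, and sorts every endpoint into "report now" or "write-off". The addresses, labels and transactions are all made up.

```python
"""Added example: a hop-by-hop trace of drained funds over a constructed set
of transfers, sorting each endpoint into "report now" (KYC exchange deposit)
or "write-off" (mixer, non-cooperative exchange, too many hops). It stands in
for what you would read off a chain explorer or a MistTrack/Arkham report."""
from collections import deque, namedtuple
from typing import Dict, List

Transfer = namedtuple("Transfer", "tx_hash block sender receiver amount")
Finding = namedtuple("Finding", "address label path action")

# Constructed addresses and labels; none refer to real entities or contracts.
VICTIM = "0xVICTIM"
SWEEPER = "0xDRAINER-SWEEPER"
HOP = "0xINTERMEDIATE-1"
CEX_DEPOSIT = "0xKYC-EXCHANGE-DEPOSIT"
MIXER = "0xMIXER-ROUTER"
NOCOOP = "0xNONCOOP-EXCHANGE-DEPOSIT"

LABELS: Dict[str, str] = {
    CEX_DEPOSIT: "exchange_kyc",
    MIXER: "mixer",
    NOCOOP: "exchange_noncooperative",
}

ACTION = {
    "exchange_kyc": "report to the exchange's compliance team now, with these tx hashes",
    "mixer": "write-off",
    "exchange_noncooperative": "write-off",
}

# Constructed sample: the bot sweeps the victim at block 1000, splits the loot,
# sends part to a mixer and cashes the rest out through an intermediate wallet.
SAMPLE_TRANSFERS: List[Transfer] = [
    Transfer("0xtx-sweep", 1000, VICTIM, SWEEPER, 10.0),
    Transfer("0xtx-old", 900, HOP, MIXER, 3.0),  # predates the drain: not our money
    Transfer("0xtx-split-a", 1001, SWEEPER, HOP, 6.0),
    Transfer("0xtx-split-b", 1001, SWEEPER, MIXER, 4.0),
    Transfer("0xtx-cashout", 1020, HOP, CEX_DEPOSIT, 5.0),
    Transfer("0xtx-rest", 1021, HOP, NOCOOP, 1.0),
]


def trace(transfers, victim, drain_block, labels=LABELS, max_hops=8) -> List[Finding]:
    """Breadth-first walk over outgoing transfers. Funds can only leave an
    address after they arrived, so from each address only transfers at or
    after the arrival block are followed. Labeled entities end a path.
    Caveat: your own post-drain transfers out of the victim address (e.g. to
    your new wallet) would be followed too; filter those out on real data."""
    by_sender: Dict[str, List[Transfer]] = {}
    for t in sorted(transfers, key=lambda t: t.block):
        by_sender.setdefault(t.sender, []).append(t)

    findings: List[Finding] = []
    seen = set()
    queue = deque([(victim, drain_block, [], 0)])
    while queue:
        addr, since, path, hops = queue.popleft()
        if (addr, since) in seen:
            continue
        seen.add((addr, since))
        if addr in labels:
            label = labels[addr]
            findings.append(Finding(addr, label, tuple(path), ACTION.get(label, "unknown")))
            continue
        outgoing = [t for t in by_sender.get(addr, []) if t.block >= since]
        if not outgoing:
            if addr != victim:
                findings.append(Finding(addr, "unlabeled", tuple(path),
                                        "still parked: keep watching for an exchange deposit"))
            continue
        if hops >= max_hops:
            findings.append(Finding(addr, "unlabeled", tuple(path), "write-off: beyond hop limit"))
            continue
        for t in outgoing:
            queue.append((t.receiver, t.block, path + [t.tx_hash], hops + 1))
    return findings


def reportable(findings: List[Finding]) -> List[Finding]:
    """The subset worth a same-day report: deposits at exchanges that can freeze."""
    return [f for f in findings if f.label == "exchange_kyc"]


if __name__ == "__main__":
    for f in trace(SAMPLE_TRANSFERS, VICTIM, 1000):
        print(f.label, "->", f.action, list(f.path))
```

The path attached to each finding is exactly the list of transaction hashes a compliance team or an IC3 filing needs. The example does not apportion amounts across splits and does not follow cross-chain bridges, which is where the "multiple hops across chains" write-off applies in practice; the hop limit stands in for that.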
Tax Treatment (US) — Not Tax Advice
This section is informational only. Consult a CPA or tax attorney for your specific situation.
Before 2018, theft losses were deductible as casualty losses on US federal returns. The Tax Cuts and Jobs Act of 2017 (Pub. L. 115-97, §11042) eliminated personal theft and casualty loss deductions for tax years 2018 through 2025, except for losses in a federally declared disaster area. Crypto theft does not qualify as a federally declared disaster. IRS Publication 547 and Topic 515 confirm this treatment through 2025.
Business-use theft losses follow different rules and may still be deductible if the stolen assets were business property.
Critical 2026 note: The individual provisions of TCJA sunset on December 31, 2025. Whether the theft loss deduction restriction extends, expires, or changes for 2026 and beyond depends on Congressional action that, as of April 2026, has not been finalised. Do not assume either direction. A qualified tax professional is the only appropriate source for how your 2026 loss is treated.
Recovery Scammer Warning
This section may be the most important thing a drain victim reads.
Within hours or days of a public drain — or sometimes within hours of you posting about it anywhere — you will receive unsolicited direct messages from people claiming they can recover your funds. They go by names like "blockchain recovery specialist," "crypto forensics expert," or "recovery hacker." Some will name-drop law enforcement agencies. Some will show fabricated screenshots of previous recoveries. Some will already know your wallet address and the specific assets that were taken, because that information is public on-chain.
None of them can recover your funds. On-chain transactions are irreversible by design. No private service has the ability to reverse a confirmed blockchain transaction. This is not a limitation of current technology — it is the fundamental property that makes blockchain records trustworthy.
How these scams work:
- They require an upfront fee to "begin the process"
- They eventually ask for your seed phrase to "reconnect to your wallet" — and drain whatever remains
- They invent jargon like "blockchain authorities" or "network reversal protocols" to sound credible
- They always initiate contact via DM; legitimate recovery processes begin with you
The only legitimate recovery paths are:
- Law enforcement contacts you via official channels after you have filed a report — they never ask for payment
- An exchange notifies you through a support ticket you opened, under the ticket number you already have on file
- A marketplace notifies you via a request you submitted through their official process
If you did not initiate the contact, the contact is a scam. Block and report.
After the Triage: Rebuilding
A compromised wallet should be treated as permanently retired. The address is forever associated with the drain event, indexed on-chain, and flagged in attribution databases. Build your new setup from scratch.
This means a new seed phrase, stored offline according to a deliberate custody plan — see Building a Personal Custody Plan. If you did not have hardware signing before, this is the moment to start — not because hardware wallets are invulnerable, but because they eliminate much of the approval-signature attack surface that drainers depend on.
Series Conclusion
You have reached the end of the NFT Security Masterclass.
Part 1 explained why signature types determine what an approval can actually do. Part 2 showed how hardware wallets constrain the blind-signing risk that makes drainers effective. Part 3 walked through auditing and revoking approvals — the ongoing hygiene practice that limits exposure. Part 4 dissected how drainer kits are built and deployed so you could recognise an attack in progress.
This final part was the one no one wants to need.
The most important thing this series can leave you with is this: the drain that hit you, or the one you are trying to prevent, was not inevitable. The attack surface is well understood. The mitigations are available, most of them free. The readers who work through all five parts of this series and apply what they contain are genuinely harder targets — not because they are immune, but because drainers are optimised for the path of least resistance, and that path no longer runs through you.