Skip to content
DA
Scams & fraud

Crypto phishing and seed phrase theft — how wallets get emptied

Quick answer: Phishing steals crypto by tricking you into revealing your seed phrase or approving a malicious transaction. No legitimate wallet, exchange or support agent will ever ask for your seed phrase — anyone who does is stealing from you. Type addresses yourself, verify before signing, and store recovery words offline only.

Most stolen crypto is not hacked — it is handed over. A convincing email, a fake support agent or a lookalike wallet site asks for your seed phrase or a signature, and the wallet empties minutes later. The defences are simple habits, applied every time.

Reviewed by Digital Assets Team
Not financial advice. This guide is general information only, fact-checked against UK government sources. It is not a personal recommendation. Cryptoassets are high-risk. You may lose all the money you invest.

What attackers actually want

Two things empty wallets: the seed phrase itself, or your approval signature. Phishing for the phrase uses fake wallet-restore pages, fake support chats and 'validation' forms. Approval attacks are subtler — a site asks you to sign something that quietly grants its smart contract permission to move your tokens. Both rely on you acting quickly on a page you did not navigate to yourself.

The common lures

A message that your wallet 'needs migration' or your account 'will be suspended'. A support agent in a Telegram or Discord group who direct-messages first and offers to fix your problem via a 'sync' page. An airdrop claiming free tokens if you connect and approve. A Google or social ad for a wallet site one letter off the real address. Each ends at a page asking for recovery words or an unlimited token approval.

Habits that defeat phishing

Never type or photograph your seed phrase except when restoring a wallet you initiated yourself, on a device you trust. Bookmark your exchange and wallet sites and use only the bookmarks. Treat anyone who direct-messages you first about crypto support as a scammer — real support does not open with a DM. Read what you are signing; if a signature request mentions approvals you do not understand, reject it. For meaningful holdings, use a hardware wallet so signing happens on a separate device.

If your phrase or approval leaked

Assume total compromise and act in minutes, not hours. Move remaining funds to a brand-new wallet with a freshly generated phrase — not one the attacker may have seen. Revoke token approvals using a reputable revocation tool if an approval was signed. Then report to Action Fraud with transaction IDs. Funds already moved are rarely recoverable, so speed on what remains is the priority.

Frequently asked questions

My exchange emailed asking me to verify my account. Is that phishing? +

Treat it as suspect. Do not click the link — log in by typing the address or using your bookmark. Genuine account notices appear inside your account; phishing emails depend on their link being the only door you use.

Is it safe to keep my seed phrase in a password manager? +

It is better than a plain note but still an online copy that goes wherever that account goes. For long-term holdings the standard is offline storage — written or stamped, kept somewhere secure, with no digital copy at all.

What is an approval or allowance attack? +

When you sign a transaction giving a smart contract permission to spend your tokens. Malicious sites request unlimited allowances, then drain the token later. Review and revoke allowances periodically.