🚨 STOP — DO THIS FIRST (Under 5 Minutes)

If you suspect a compromise, act immediately:

  1. Disconnect: Unplug ethernet, turn off Wi-Fi and Bluetooth, or enable airplane mode.
  2. Don't access funds: Never log into wallets, exchanges, or email from the suspect device.
  3. Secure funds now: Use a clean device to move crypto to a hardware or new wallet.

Every second matters. Attackers can drain accounts in minutes. Do these three steps first.

🧠 Know Your Enemy — Common Attack Types

  • Rootkit — hides in the system for persistent admin access; removal usually requires a clean OS install.
  • RAT — remote control of your device, including screen, files, and webcam; steals seeds and moves funds.
  • Dropper — small installer that fetches and runs the real payload, often disguised as an update or tool.
  • Exploit — takes advantage of unpatched bugs to gain control or escalate privileges.
  • Spyware/Stalkerware — monitors calls, messages, mic, GPS, apps; exposes 2FA and private data.
  • SIM swap — carrier ports your number to an attacker; SMS 2FA and resets are then theirs.
  • Malicious extension — looks helpful but captures clipboard, cookies, keystrokes; can swap wallet addresses.

🔗 Session Jacking (Session Hijacking)

What it is: Stealing a logged-in session cookie or token so the attacker can act as you without needing a password.

Why crypto users care: It gives direct access to exchange or wallet dashboards, bypassing normal login.

Common causes:

  • Public Wi-Fi and open hotspots
  • Routers with outdated firmware or default credentials
  • Malicious browser extensions
  • HTTP websites leaking session tokens

If you suspect this, log out of all sessions from a clean device, revoke API keys, update your router firmware, and avoid public Wi-Fi when trading.

🚨 Obvious Signs Something's Wrong

On Your Computer

  • An installer flashes briefly
  • Files named "Zoom_Update.exe" or "Ledger_Update.scr" appear
  • Browser tabs open themselves
  • Antivirus disables itself
  • New extensions appear
  • Fan noise or heat while idle
  • Cursor moves or text types itself
  • Clipboard data changes (wallet address mismatch)

On Your Phone

  • Screen lights up or camera activates randomly
  • "New SIM activated" or "Device added" alerts
  • Battery drains quickly
  • Unknown apps or permission changes
  • Delayed or missing 2FA codes
  • Apps you didn't install have admin rights

If any of this happens, stop using that device for crypto until it's rebuilt.

🎣 How Did This Happen?

Social Engineering

  • Fake "support" messages on Discord, Telegram, or X
  • Phishing emails with look-alike domains
  • "Urgent security update" pop-ups
  • Impersonators offering "help"

Malicious Downloads

  • Cracked software or game cheats
  • Fake wallet apps or trading bots
  • Macro-enabled documents
  • Unofficial installers

Weak Security Habits

  • Reused passwords
  • SMS-only 2FA
  • Public Wi-Fi without VPN
  • Ignoring OS/browser updates

Technical Vulnerabilities

  • Outdated systems and routers
  • Default credentials
  • Unpatched browsers and plugins
  • No endpoint protection

Prevention is easier than recovery. Be skeptical of links, downloads, and requests to "verify" anything.

💀 Exfiltration: The Real Risk

Once an attacker gets in, their priority is data theft.

Targets include:

  • Wallet files, keys, and seed phrases
  • Clipboard data
  • Browser cookies and autofill
  • Screenshots or webcam feeds
  • 2FA codes
  • Password manager vaults

Most theft happens within 5–15 minutes. Secure funds first — investigate later.

💻 Computer Response Guide (Windows / macOS / Linux)

Step 1 — Disconnect and Isolate (0–2 min)

  • Unplug internet, disable Wi-Fi/Bluetooth
  • Remove external drives
  • Don't log in anywhere
  • Use a clean device for all recovery actions

Step 2 — Protect Accounts and Funds (≤5 min)

  • Move crypto to a hardware wallet or brand-new wallet
  • Change passwords from a clean device
  • Sign out of all sessions
  • Revoke API keys/trading bots
  • Enable hardware 2FA
  • Remove suspicious browser extensions

Step 3 — Rebuild (≤24 hr)

  • Backup only personal files (no executables)
  • Reinstall OS from official media
  • Update BIOS, firmware, and router
  • Change router password
  • Avoid fake "cleaner" apps

Step 4 — Optional Forensics (Advanced)

If you want to inspect before wiping, boot a Live USB (Kali, Tails, Ubuntu) and mount the drive read-only.

Example commands:

# /dev/sda2 is an example; identify the suspect system partition with lsblk first
mkdir -p /mnt/target
mount -o ro,noexec,nosuid,nodev /dev/sda2 /mnt/target
# The next three commands show the Live USB's own processes and sockets, not the
# suspect system's; use them only to confirm the live environment itself is clean
ps aux | head
systemctl list-units --type=service --state=running
ss -tunap | head
# Search the suspect system's configuration for download-and-execute indicators
grep -RiE "wget|curl|bash -i" /mnt/target/etc

Step 5 — Preserve Evidence

# Put the evidence directory on external storage, not on the Live USB's RAM disk
mkdir -p /mnt/evidence
# Logs come from the mounted suspect drive; -a preserves timestamps and ownership
cp -a /mnt/target/var/log /mnt/evidence/
# These two capture whatever system you are currently booted into; they describe
# the suspect machine only if you run them on it before rebooting to the Live USB
ps aux > /mnt/evidence/processes.txt
ss -tunap > /mnt/evidence/network.txt

Take screenshots of unauthorized activity or processes.
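Steps 4 and 5 carried out as one script, as an added example that is not part of the original guide: it reads only from the suspect drive already mounted read-only (as in Step 4), copies common Linux persistence locations and indicator matches into an evidence directory, and writes a hash manifest of what it collected. The path list, the indicator pattern and the evidence layout are assumptions.

```sh
#!/bin/sh
# Added example, not from the original guide: offline triage of a suspect disk
# already mounted read-only (e.g. /mnt/target) from a Live USB. Everything is
# read from the mounted tree, never from the running live system, and results
# go to an evidence directory on external storage. Assumes POSIX sh with
# coreutils and grep; the path list and indicator patterns are assumptions.

# Copy common Linux persistence locations out of the mounted target, keeping
# timestamps and ownership (cp -a). Paths that do not exist are skipped.
collect_persistence() {
    target="$1"; evidence="$2"
    mkdir -p "$evidence/persistence"
    for p in etc/crontab etc/cron.d var/spool/cron etc/systemd/system \
             etc/rc.local root/.bashrc root/.profile root/.ssh/authorized_keys; do
        if [ -e "$target/$p" ]; then
            cp -a "$target/$p" "$evidence/persistence/" 2>/dev/null || true
        fi
    done
}

# Search config, cron and shell startup files on the target for download-and-
# execute indicators (the guide's wget|curl|bash -i pattern plus two common
# variants). Matches go to $evidence/indicators.txt; the hit count is printed.
scan_indicators() {
    target="$1"; evidence="$2"
    mkdir -p "$evidence"
    grep -RIinE 'wget|curl|bash -i|/dev/tcp|base64 -d' \
        "$target/etc" "$target/root" "$target/home" \
        > "$evidence/indicators.txt" 2>/dev/null || true
    wc -l < "$evidence/indicators.txt" | tr -d ' '
}

# Write a SHA-256 manifest so the evidence can later be shown to be unmodified
# (the guide's Step 5). Prints the number of files hashed.
hash_evidence() {
    evidence="$1"
    ( cd "$evidence" && find . -type f ! -name SHA256SUMS -exec sha256sum {} + \
          > SHA256SUMS )
    wc -l < "$evidence/SHA256SUMS" | tr -d ' '
}

# Real use from the Live USB: sh triage.sh /mnt/target /mnt/evidence
if [ "$#" -eq 2 ]; then
    collect_persistence "$1" "$2"
    echo "indicator hits: $(scan_indicators "$1" "$2")"
    echo "files hashed:   $(hash_evidence "$2")"
fi
```

Review indicators.txt by hand afterwards: wget and curl also appear in legitimate package scripts, so a hit is a lead to inspect, not proof of compromise.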

Step 6 — After Rebuild

  • Change passwords again
  • Restore wallets from verified seeds only
  • Keep major funds offline
  • Enable encryption and automatic updates

📱 Phone Response Guide (Android / iOS)

Step 1 — Contain and Protect

  • Airplane mode on
  • Remove SIM card
  • Don't use crypto apps

From a clean device:

  • Change passwords
  • Revoke API keys
  • Move funds

Step 2 — Warning Signs

  • Battery drains fast
  • "New SIM activated" alerts
  • Unknown apps or permissions
  • High data usage

Step 3 — Pre-Reset Checks

Android:
  • Security → Device admin apps → disable unknowns
  • Privacy → Permission manager → review access

iOS:
  • General → VPN & Device Management → remove profiles
  • Battery → Check usage by app

Step 4 — Full Reset

Android: Factory reset, reinstall apps only from Play Store
iOS: Erase all content, reinstall manually (avoid full iCloud restore)

Step 5 — After Reset

  • Use a new Apple/Google ID if needed
  • Recreate wallets securely
  • Change passwords
  • Enable updates + hardware 2FA

Step 6 — Protect SIM & Report

Contact your carrier to lock your SIM or add a port-out PIN. Report to exchanges and FBI IC3. Keep screenshots, texts, timestamps.

✅ Quick Recovery Checklist

0–5 Minutes
Goal: Stop the bleeding immediately.
Actions:

  • Disconnect from Wi-Fi, Bluetooth, and ethernet.
  • Move crypto to a hardware or freshly created wallet.
  • Log out of all accounts and revoke API keys.
  • Avoid logging in on the compromised device.

Within 1 Hour
Goal: Secure accounts and communications.
Actions:

  • Change all critical passwords from a clean device.
  • Enable hardware-based 2FA (YubiKey or equivalent).
  • Call your carrier and lock your SIM (add a port-out PIN).
  • Review browser extensions and remove any you don't recognize.

Within 24 Hours
Goal: Contain, clean, and rebuild.
Actions:

  • Back up personal documents (no executables or wallets).
  • Wipe and reinstall your OS from official sources.
  • Update router firmware and change admin credentials.
  • Recreate wallets on a secure, clean device.

Within 1 Week
Goal: Audit, document, and harden.
Actions:

  • Review all financial and exchange accounts for unauthorized access.
  • Set up a VPN and enable full-disk encryption.
  • Document the entire incident and preserve evidence.
  • Schedule a professional security review if you manage large funds.
  • Strengthen your ongoing security practices.

🔗 Resources and Tools

Security Tools

  • ESET Internet Security — strong, lightweight protection for all major platforms
  • Malwarebytes — excellent detection and cleanup
  • Windows Defender — built-in and strong
  • Amnesty MVT — check phones for spyware
  • ClamAV — open-source scanner for Linux

🛡️ Final Thoughts

Prevention beats recovery.

After recovery:

  1. Keep large funds in hardware wallets
  2. Never reuse passwords
  3. Always use hardware 2FA
  4. Double-check every download
  5. Keep all software updated
  6. Use separate devices for trading
  7. Store 2FA backups offline

You can't stop being targeted, but you can make yourself a much harder target.