If you are seeing transactions in your wallet that you don’t recognize or are unaware of making, there can be several explanations. Most of the time, such transactions don’t mean someone has access to your wallet, but there are precautions you can take to avoid scams.
It’s important to remember that when users lose crypto from non-custodial wallets, it is for one of two reasons:
1. because they inadvertently gave away their wallet keys/phrase
2. because they interacted with a malicious contract
No one can ‘hack’ into your non-custodial wallet without your keys because the level of encryption is very strong. However, scammers can TRICK YOU INTO GIVING ACCESS to the wallet by convincing you to give away your phrase, or by having you interact with a token or website where you will approve contract permissions that will take assets out of your wallet.
Random tokens or NFTs deposited to your wallet
Seeing tokens or NFTs in your wallet that you never bought, swapped, or expected as an airdrop? They are probably airdrops intended to generate interest in a project, or scam tokens. On Ethereum, it is possible to program a smart contract to send tokens to a long list of active Ethereum addresses or to addresses with certain parameters. This doesn’t mean that the scammers know your address or who you are personally. The tokens are being sent en masse, like spam email.
What should you do?
Do not interact with the tokens; don’t try to send or swap them. Any value they have is probably fake, intended to pull users into the scam. These tokens can’t hurt your wallet just by being in it. However, if you interact with them, you could be tricked into giving approval to send crypto out of your wallet or into making a failed transaction with a high gas fee which will go to the scammer, or you could fall victim to a malicious contract in other ways. It’s not possible to delete tokens from an address, but you can hide them from view in some wallet interfaces. For example, in the MEW wallet app, you can do it by clicking on the token entry and selecting ‘Hide token’. For more information, see our article about random token airdrops.
Outgoing transactions from your wallet for 0 USDT or other amounts of tokens you don't recognize
Recently, some crypto users across the space have been seeing outgoing transactions for USDT and other currencies appear in their transaction history. These transactions can be for 0 amount or for other amounts, and can even be for tokens that you don't own. This has caused concern about compromised wallets since these are transactions that the user didn’t approve, but there is something else going on here.
Scammers can use token contracts to write commands that will make it seem like a transaction was sent by a wallet when it really wasn’t, or that wallets have balances of fake tokens. Balances of real assets in your wallet are not affected by this. You can always check your address balance on a block explorer like Etherscan to verify that you haven't lost valuable assets from the wallet.
Like airdrops, the transactions themselves are not harmful to your wallet. The goal of the scammer is to introduce their address to your transaction history, so that at some point you will accidentally copy the scammer’s wallet address when sending a REAL transaction out. Or, they hope that a user will get scared by these transactions and look for help on Telegram or Twitter, and be tricked by a scammer posing as support.
This type of attack is also called 'address poisoning' – meaning, poisoning your transaction history with scammer addresses.
What should you do?
First of all, don’t panic. If someone really had access to your wallet keys, they would be able to transfer all of your crypto out of the wallet instead of making transactions for zero amounts. Second, understand that these transactions are not targeting MEW wallet or you personally – they are sent in large numbers on the blockchain, like spam email.
You should take extra care not to send a real transaction to the wrong address by accident. DOUBLE AND TRIPLE CHECK all transaction information, including the address, before sending your crypto. Similar to the well-known ‘send 3 ETH to receive 6 ETH back’ scam, this is an example where the scammers try to trick users into sending crypto to a scammer wallet. They do this precisely because they CAN’T break ‘into’ a wallet due to the strong cryptographic protections, so they have to find ways to trick users into giving up their coins or their keys themselves.
Incoming transactions for very small amounts
Getting tiny deposits of various currencies can also be a sign of an attempted scam. One scenario is when the scammer drops small amounts of crypto to multiple addresses that look a lot like the scammer address - especially in the beginning and ending characters. Just like with the outgoing 0 transactions scam, the scammer’s goal is to introduce their address to your history and have a user accidentally copy-paste the scammer’s address into a real transaction. This is another example of 'address poisoning' attacks.
What should you do?
When the first and last characters of an address are the same, it’s especially easy to inadvertently copy-paste the wrong address. To avoid this, again, DOUBLE AND TRIPLE CHECK the address you are sending to, and use address-book features of wallets or blockchain domain names to avoid address mistakes.
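The two address-poisoning patterns described above (zero-value outgoing transfers you did not make, and deposits from look-alike addresses) can be checked mechanically. The following is an added example, not MEW's code: the record fields (`tx_sender`, `from`, `to`, `value`), the function names and every address are constructed for illustration.

```python
# Added example: all addresses and transfer records are constructed sample data.
MY_ADDRESS = "0x" + "11" * 20
EXCHANGE = "0x52a9" + "0" * 32 + "beef"    # trusted address-book entry
LOOKALIKE = "0x52a9" + "f" * 32 + "beef"   # same first/last 4 hex chars, different middle
SPAMMER, CONTRACT = "0x" + "99" * 20, "0x" + "cc" * 20
ADDRESS_BOOK = {"exchange deposit": EXCHANGE}

# tx_sender = account that signed the transaction; from/to/value = token transfer fields
HISTORY = [
    {"tx_sender": MY_ADDRESS, "from": MY_ADDRESS, "to": EXCHANGE, "value": 250_000_000},
    {"tx_sender": SPAMMER, "from": MY_ADDRESS, "to": LOOKALIKE, "value": 0},
    {"tx_sender": LOOKALIKE, "from": LOOKALIKE, "to": MY_ADDRESS, "value": 1},
    {"tx_sender": MY_ADDRESS, "from": MY_ADDRESS, "to": CONTRACT, "value": 0},
]

def looks_like(candidate, trusted, n=4):
    """True when candidate is NOT trusted but shares its first and last n hex characters."""
    c, t = candidate.lower()[2:], trusted.lower()[2:]
    return c != t and c[:n] == t[:n] and c[-n:] == t[-n:]

def poisoning_signs(transfer, my_address, address_book):
    """Return the reasons one transfer looks like address poisoning (empty list if none)."""
    me = my_address.lower()
    sender, src, dst = (transfer[k].lower() for k in ("tx_sender", "from", "to"))
    reasons = []
    # The history lists the wallet as sender, but another account submitted the
    # transaction and no value moved: the wallet's keys were never involved.
    if src == me and sender != me and transfer["value"] == 0:
        reasons.append("zero-value outgoing transfer not signed by this wallet")
    counterparty = dst if src == me else src
    for label, trusted in address_book.items():
        if looks_like(counterparty, trusted):
            reasons.append(f"counterparty imitates address-book entry '{label}'")
    return reasons

def scan(history, my_address, address_book):
    """Return (index, reasons) for every transfer with at least one poisoning sign."""
    flagged = []
    for i, transfer in enumerate(history):
        reasons = poisoning_signs(transfer, my_address, address_book)
        if reasons:
            flagged.append((i, reasons))
    return flagged

if __name__ == "__main__":
    for index, reasons in scan(HISTORY, MY_ADDRESS, ADDRESS_BOOK):
        print(index, "; ".join(reasons))
```

The zero-value transaction the wallet signed itself (the last record) is not flagged, which matches the approval case described in the next section.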
0 ETH approvals and contract permissions
Sometimes, transactions for 0 ETH in your history indicate an approval for a DApp or a smart contract that you have made in the past. Examples can include the first step in the process of registering a domain name, or a permission for a token swap.
What should you do?
These types of transactions are necessary for smart contracts to work and are nothing to worry about. Still, if you are concerned that you may have given approval for something that you didn’t intend, there are ways to check and revoke permissions.
The popular Ethereum block explorer Etherscan features a token approval tool that allows users to check their Ethereum wallets for approvals. The tool can be found here: https://etherscan.io/tokenapprovalchecker and the guide for using it is here: https://info.etherscan.com/tokenapprovals/.
Enter your public wallet address(es) into the search bar to see if there are any past approvals and permissions. If you want to revoke a permission, you will need to connect your web3 wallet to the Etherscan interface. If you are using the MEW wallet app, you can do so via the integrated mobile browser. See Interacting with DApps on MEW wallet iOS or Android for more information. With the Enkrypt browser extension, just click ‘Connect to Web3’ and select ‘MetaMask’ from the options if you are not connected automatically. (This works because Enkrypt uses the same connection method as MetaMask.)
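To show what reviewing approvals means in practice, here is an added example (not Etherscan's or MEW's code) that replays ERC-20 `Approval` events to list which spenders still hold a permission. It assumes the events have already been collected into simple records; all addresses, block numbers and values are constructed.

```python
# Added example: token addresses, spenders and events are constructed sample data.
UNLIMITED = 2**256 - 1   # maximum uint256, commonly requested as an "infinite" approval

OWNER = "0x" + "11" * 20
TOKEN_A, TOKEN_B = "0x" + "aa" * 20, "0x" + "bb" * 20
SWAP_ROUTER, UNKNOWN_SPENDER = "0x" + "55" * 20, "0x" + "66" * 20

# ERC-20 Approval(owner, spender, value) events, one record per event.
APPROVAL_EVENTS = [
    {"block": 100, "token": TOKEN_A, "owner": OWNER, "spender": SWAP_ROUTER, "value": 500},
    {"block": 120, "token": TOKEN_B, "owner": OWNER, "spender": UNKNOWN_SPENDER, "value": UNLIMITED},
    {"block": 150, "token": TOKEN_A, "owner": OWNER, "spender": SWAP_ROUTER, "value": 0},  # revoked
    {"block": 160, "token": TOKEN_A, "owner": OWNER, "spender": UNKNOWN_SPENDER, "value": 75},
]

def active_approvals(events, owner):
    """Map (token, spender) -> last approved value, dropping pairs later set to 0.

    The last approved value is an upper bound: spending reduces the real
    allowance on-chain without necessarily emitting a new Approval event.
    """
    latest = {}
    for ev in sorted(events, key=lambda e: e["block"]):
        if ev["owner"].lower() == owner.lower():
            latest[(ev["token"], ev["spender"])] = ev["value"]  # newer event overwrites older
    return {pair: value for pair, value in latest.items() if value > 0}

def review(events, owner):
    """Rows to look at before revoking, unlimited approvals listed first."""
    rows = [
        {"token": token, "spender": spender, "approved": value, "unlimited": value == UNLIMITED}
        for (token, spender), value in active_approvals(events, owner).items()
    ]
    return sorted(rows, key=lambda r: (not r["unlimited"], r["token"], r["spender"]))

if __name__ == "__main__":
    for row in review(APPROVAL_EVENTS, OWNER):
        kind = "UNLIMITED" if row["unlimited"] else str(row["approved"])
        print(row["token"], "->", row["spender"], kind)
```

Revoking is itself an approval transaction with the value set to 0, which is why it needs a connected wallet and a small gas fee.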
Large outgoing transactions you didn’t make
If you are seeing that large amounts of your crypto are transferred out without your knowledge, the ONLY way that can happen is if someone else has your recovery phrase or private key. Some ways this can happen are:
- if someone knows about and has access to where you store your phrase
- if someone helped you set up the wallet in the beginning and could have seen your phrase
- if you imported a wallet into MEW that was created somewhere else and the phrase was compromised at an earlier time
- if you stored your phrase on a cloud service, Google Doc, email, note-taking app, or other digital storage that was connected to the internet
- if you inadvertently shared your phrase with someone pretending to be support or typed it into a web interface
What should you do?
Remember that MEW is non-custodial and does not have any access to user accounts. Also, all transactions on the blockchain are final and nobody can freeze or reverse them. If wallet keys are compromised, there is no way to reset or change the keys/phrase retroactively. So, if you suspect that someone gained access to your wallet, you should create a new wallet with a new recovery phrase as soon as possible and transfer any remaining crypto.
Keep in mind that thieves sometimes leave some tokens in the wallet on purpose. They expect the user to add ETH for gas fees, and they create a bot to move all ETH out as soon as it’s put in. For this reason, start with a very small amount of ETH for gas to check if such a bot is affecting your wallet.