I noticed an unauthorized transaction in my Exodus wallet. What should I do next?

What to do if you notice an unauthorized transaction in your wallet, how to start an investigation with Exodus Support, and how to keep your funds safe.

The information contained in this article is for general informational purposes only and is not legal advice. All information is provided in good faith. However, we make no representations or warranties of any kind, expressed or implied, regarding the accuracy or completeness of any information.


In this article:


What is a compromised wallet?

A wallet has been compromised if the password, 12-word secret recovery phrase, and/or private keys have been viewed or copied by anyone other than the original owner of the wallet.

Anyone who has the 12-word phrase of a wallet has full control over the wallet's funds. If a malicious or untrustworthy individual has access to a wallet's 12-word phrase or private keys, the assets in that wallet are in immediate danger.

With self-custody (also called non-custodial) wallets like Exodus, keeping the wallet's private data safe is vital. A self-custody wallet is only as safe as the device it is on and your security practices.

A compromised wallet is not safe for storing your assets. If you suspect that your wallet has been compromised, you should move all your assets to another wallet immediately.

Do not send any crypto to the compromised wallet.


How do I know if my wallet has been compromised?

If you believe your wallet has been compromised, take a moment to review your wallet’s transaction history. Have you noticed any transactions that you did not initiate?

To review your deposits and withdrawals in Exodus Desktop, visit: How do I audit my deposits and withdrawals?

In certain situations, an unfamiliar transaction may not be a cause for concern. For example, sending an ERC20 token requires a transaction fee (also known as gas) in Ethereum (ETH), which will show up as a separate transaction. Additionally, the process of staking and claiming staking rewards will generally require a transaction.

If a hacker has compromised your wallet, it is more likely that you will see transactions to destinations (wallet addresses) you are unfamiliar with, and they tend to be larger in nature. If you see large, unfamiliar transactions, your wallet may be compromised.


What steps should I take if my wallet is compromised?

If you suspect that your wallet is compromised it is crucial that you send all your remaining assets to a safe alternative as soon as possible.

Once your remaining funds are safe, please contact Exodus Support at [email protected] to inform us about a potential breach of your wallet security. Please provide any details that you think might be related to the possible breach.

Where can I send my remaining assets?

The best options that serve as a safe destination for any remaining funds are self-custody software wallets (including Exodus), hardware wallets, and custodial exchanges.

To learn more about the different types of wallets, visit: What are the different types of crypto wallets?

How do I ensure the alternative destination is safe?

Self-custody software wallets:

If your self-custody wallet is installed on a desktop device, please download and install an anti-virus or anti-malware software to make sure your device is being protected against known threats.

Malwarebytes is a commonly used anti-malware software for Microsoft Windows, macOS, Chrome OS, Android, and iOS. It finds and removes any malware on your device.

Please note, there is an increased chance of malicious software on a system that is using pirated or cracked software, including the operating system.

If you wish to use Malwarebytes, here are steps on how to download and install the program on Windows and Mac.

If you are unable to download Malwarebytes, Bitdefender is a popular alternative.

Self-Custody Hardware wallets (Trezor, Ledger, and more):

Hardware wallets can provide some of the highest levels of protection against theft. Although hardware wallets can offer greater security, they are only as safe as your security practices. It is still crucial that you keep the private keys and secret recovery phrase safe.

  • Never keep any digital copies of the secret recovery phrase. Storing your secret recovery phrase digitally defeats the purpose of a hardware wallet, as anything stored on an internet-connected device can be potentially accessed by malicious individuals.
  • If your secret recovery phrase is stored in any digital form on your computer or cloud storage, it would be safest not to send your funds to this wallet and empty the hardware wallet as soon as you can.
  • It might be possible to ‘reset’ your hardware wallet. Please contact us at [email protected] for more information.

Have you ever shared or entered your hardware wallet’s secret recovery phrase into a website, browser extension, or another wallet?

If the answer is yes, please do not send your funds to this wallet. Send your funds out of this hardware wallet to an alternative destination as soon as possible.

Custodial exchanges (Coinbase, Binance, and more):

Custodial exchanges come with their own set of risks. If you send funds to a custodial exchange, you do not have full ownership or control over your funds. If an exchange becomes insolvent or is hacked, your funds can be at risk. However, they often offer their own security, and possibly even insurance options. Please examine the safety and security of your custodial exchange accounts by asking yourself the following questions:

Q. Does the exchange account have two-factor authentication (2FA) enabled?

  • Text/phone-based 2FA, such as codes sent over SMS, should not be used
  • Be mindful of any notifications (either email or standard notifications) of unrecognized logins or unsuccessful login attempts for your exchange account

Q. How do you store your exchange account’s password?

  • Make sure it isn't easily accessible by scammers
  • Aside from paper, the only secure way to store a password is through a password manager
  • To learn more about passwords, visit: The importance of a good password

How do I send my assets?

To learn how to send funds from your Exodus wallet, visit: How do I send Bitcoin and other crypto out of Exodus?

For steps on how to receive funds to your specific destination, please contact us at [email protected].

Can I recover my funds?

While we would like nothing more than to be able to reunite you with your funds, blockchain assets are built in such a way that their transactions are irreversible.

Non-reversible transactions are at the core of blockchain technology; the blockchain is a public ledger that no single entity controls. You can read more about this in our Knowledge Base article: Can you cancel or reverse a transaction?

The only path which may result in the recovery of your stolen assets requires the participation of both a law enforcement agency, and the funds being sent to an exchange regulated by international financial laws, such as Coinbase or Binance. Without both of these events happening, the chances of being reunited with your funds are very small.

What if my assets are staked?

With some assets, even if they are staked, you are still able to send the funds to an external destination wallet.

With certain assets, there is an unstaking “cool-down” period which may possibly allow for the funds to be claimed by you before the potential thief can claim them. Cosmos (ATOM), Ontology (ONT), and Solana (SOL) fall into this category.

The cyber-thief may have an automated solution to claim the funds (known as “sweeper-bots”). The recovery of unstaking or unbonding funds becomes a race between you and the cyber-thief.

Assets that can be staked within Exodus and a summary of the unstaking process:

Algorand (ALGO)
  • The Algorand ecosystem has moved to a decentralized governance model
  • When you sign up to be a governor, your funds are committed to the ALGO ecosystem, but they can still be sent from your Exodus wallet
  • You will not receive ALGO rewards for this governance period if the funds are sent from your wallet
Cardano (ADA)
  • With ADA, you are staking your entire address
  • Once the funds are sent from your wallet, the staking ends. There is no cool-down period.
Cosmos (ATOM)
  • When you stake your ATOM, you delegate it to the ATOM validator and are not able to send those funds until unstaking is initiated and the 21-day unbonding period ends. The time listed is precise, and your funds will be available shortly after.
  • Please email [email protected] if your ATOM is unstaked by a malicious actor
Ontology (ONT), Ontology Gas (ONG)
  • When ONT is staked, the funds cannot be sent until unstaking is initiated
  • When you wish to unstake your ONT, you will need to wait for 2 consensus rounds to finish (up to 120,000 blocks) for you to be able to transact with that ONT again
  • The current ONT round and time estimates can be tracked at this website: https://node.ont.io/stake
  • Please email [email protected] if your ONT is unstaked by a malicious actor
Solana (SOL)
  • With SOL, your staked funds are delegated to the SOL validator, and those funds cannot be sent
  • SOL unstaking could take several epochs for your funds to be released. SOL unstaking is difficult to monitor because of variable epoch lengths.
Tezos (XTZ)
  • Staking XTZ involves staking your entire Tezos address. Normal transactions, while your Tezos is staked, are still possible.
  • Unstaking your XTZ is possible at any time without a cooldown period
VeChain (VET) & Vethor (VTHO)
  • VET is automatically staked to earn VTHO rewards
  • There is no cooldown period, and the funds can be sent anytime

How do I report the crime?

Use the resources below to find your local cybercrime unit to report your case.

If you can't find a cybercrime agency in your region, you can report your case to your local police like any other theft or fraud.

In the table below you can find links to cybercrime reporting resources for 14 countries. If your country is not listed, please go to Cybercrime Reporting for more information or email us at [email protected].

Country Link to report a cyber crime
Australia https://www.cyber.gov.au/acsc/report
Brazil http://www.pf.gov.br/institucional/unidades and/or http://www.ctir.gov.br
Canada https://www.getcybersafe.gc.ca/cnt/rsrcs/rcvr-scm-en.aspx
Colombia https://www.policia.gov.co/contactenos and/or http://www.colcert.gov.co/?q=contenido/reportar-un-incidente
France https://www.internet-signalement.gouv.fr/PortailWeb/planets/Accueil!input.action
Germany https://www.bsi.bund.de/EN/Service/Contact/contact_node.html
India https://cybercrime.gov.in/cybercitizen/home.htm
Italy http://www.commissariatodips.it/
Mexico https://www.gob.mx/policiafederal#2071 and/or http://www.cns.gob.mx
New Zealand http://www.police.govt.nz/advice/email-and-internet-safety/electronic-crime
Philippines https://www.doj.gov.ph/reporting_cybercrime.html
Portugal http://cibercrime.ministeriopublico.pt/en/pagina/report
Spain https://www.policia.es/denunweb/denuncias.htm and https://www.gdt.guardiacivil.es/webgdt/pinformar.php
Switzerland https://www.fedpol.admin.ch/fedpol/en/home/kriminalitaet/cybercrime/meldeformular.html
United Kingdom https://www.actionfraud.police.uk/
United States https://www.ic3.gov/default.aspx

How did this security breach happen to me?

Once any remaining assets have been moved to a safe location, you have the option to open an investigation. Our dedicated team can help investigate how this breach of your wallet security occurred.

How do I begin an investigation?

If you would like to investigate, you can contact Exodus Support by emailing us at [email protected]. You can write “Investigations” or “stolen funds” in the email subject line.

The investigation will require your cooperation and participation. The investigation process will consist of a series of questions and some small tasks through which you will provide relevant data that will help us to determine the source of the security breach.

The investigation can typically take several weeks to complete. In some cases, the evidence is clear and convincing and points to a definite cause. In other cases, it can be more difficult to identify the cause with complete certainty.

How do I ensure my email account is safe?

Since the safety and security of your information is of the utmost importance, please ensure that the email address used to contact Exodus Support is not compromised.

To determine if your email address is secure, you can ask yourself the following questions:

  • Are you able to log in to your email successfully?
  • Does your Sent folder have unrecognized emails?
  • If applicable, do you have 2FA enabled for your email client? If this is not yet enabled, please enable 2FA as soon as possible.
  • Does your email have any unrecognized sign-in attempts?
  • Has your email been leaked in a data breach?

When you are sure your email address is safe, send an email to [email protected] to begin an investigation.

Exodus Support is not available by telephone or chat. To learn more about all the ways you can contact us, visit: How do I contact Exodus Support?

How do I send my Safe Report to Exodus Support?

Exodus is a self-custody wallet, which means we cannot see the details of your wallet and transactions. In order to investigate what happened, we need your Safe Report.

Your Safe Report contains addresses, transactions, and other non-compromising wallet details. Your Safe Report does not contain your password, 12-word secret recovery phrase, or private keys.

You can attach a copy of your wallet’s Safe Report (one for every device your wallet is on), and send the file(s) with your email.

Please include a thorough explanation of what has occurred, how you think a breach could have happened, and any other information that you think might be relevant.

Can I be refunded for my loss?

We must state clearly that we will not be able to compensate you for the loss of your funds. This is because the Exodus wallet is a self-custody wallet that lives on your device only.

We do not store any personal information or information that would allow anyone access to your funds. This information includes your passwords, private keys, and your 12-word secret recovery phrase. For more on this, visit: What information does Exodus have access to?

Because we never have any access to or control over your funds, and we are only providing you with software to manage your own funds, Exodus cannot assume any liability for any losses that you may incur as a result of your wallet becoming compromised.

Why should I save the 12-word secret recovery phrase for the compromised wallet?

Please retain the 12-word secret recovery phrase of your compromised wallet for your records. The 12-word phrase is the only way to access your transaction history and similar data, because Exodus is a self-custody wallet.

Write your 12-word phrase down on paper and store it somewhere secure. You will need your 12-word phrase to access the compromised wallet after deleting the wallet and/or wiping your device memory.

To learn how to restore a wallet using the 12-word phrase, visit: How do I restore from my 12-word secret recovery phrase?

How do I delete the compromised wallet?

Once your 12-word phrase for your wallet is stored, it is best to delete the compromised wallet. To find out how to delete your Exodus wallet, visit: How do I delete my wallet and start over?

You can then create a new Exodus wallet. To keep your new wallet safe, you can follow these security tips: How do I keep my money safe? How to store cryptocurrency safely.

How do I clean the devices that held the compromised wallet?

Desktop devices:

As malicious software could likely be the cause of a breach, the only way to ensure your system is clean is by removing and reinstalling your operating system (OS).

Save your personal files and documents on an external USB drive, and then follow the instructions for your device to do a fresh installation of your OS.

Make sure that you have copies of your files before deleting your hard drive. You can restore your device again after the reset process is complete.

Mobile devices:

You will need to reset your phone to the factory default settings to ensure your device is clean. View these articles for information on how to reset your iOS or Android device:

Online accounts:

If any of your online accounts have been connected with cryptocurrency or finance, please verify your account safety by:

  1. Changing all passwords.
  2. Enabling two-factor authentication - avoid SMS or text-based 2FA. When possible, use an authenticator app.

What if I do not wish to start an investigation?

If you know how the breach of your wallet occurred, an investigation may not be necessary. It is your decision whether or not to open an investigation.

After opening a case with our dedicated team you can decide to end the investigation at any point. If you decide to end the investigation, we will temporarily retain the information you submitted in case you would like to restart the investigation.


Further resources

If you are interested in taking a deep dive into how you can keep yourself and your crypto safe, you can visit these resources:

Did this answer your question? Thanks for the feedback There was a problem submitting your feedback. Please try again later.