Steini's User Avatar

@Steini

in /crypto-wallets 6 days ago

Signup / Login

Device lost/stolen: the first 30 minutes playbook

Losing a device feels like an emergency. Sometimes it is. Often it’s just panic trying to borrow your brain.

This post is the calm playbook for the first 30 minutes and the next 24 hours – depending on what you lost:

  • a phone with a hot wallet

  • a laptop with wallet software

  • a hardware signer

  • a watch-only device

Because these aren’t the same problem.

Step 0 – Identify what you actually lost (60 seconds)

Before you do anything clever, answer this:

  • Did the lost device contain spendable keys?

    • Yes: hot wallet on phone, browser extension wallet, software wallet with keys on the device → treat as high risk.

    • No: hardware signer (keys should be on the device, but spending still needs PIN/passphrase), or watch-only → treat as containable, but still act fast.

  • Was the device unlocked or easily unlockable?

    • unlocked when lost, weak PIN, no biometric, no lockout → assume worst case.

    • locked + strong device PIN + secure lock settings → you have breathing room.

    If you’re not sure, assume it’s worse than you want it to be. That mindset saves money.

What’s at risk

  • If you lost a hardware signer

    • In most cases, the funds aren’t “on the device”. The device holds keys and signs. Your coins are on-chain.

    What’s usually true:

    • A thief with the device still needs your PIN.

    • If you use a passphrase, the device alone is usually even less useful.

    What can still go wrong:

    • They can try PIN guessing.

    • If your setup is sloppy (seed stored with device, passphrase written in the same case, etc.), the device loss becomes part of a bigger compromise.

    • If the device was paired with a phone/laptop and that other device is compromised, social engineering gets easier.

  • If you lost a phone with a hot wallet/extension wallet

    This is where money disappears.

    • Hot wallets are designed for convenience. If someone can get into the device, they can often get to the wallet.

    • “But I have Face ID” is not a plan.

    • If your wallet had cloud backups, screenshots, notes, email drafts, autofill, or you ever copied secrets into the clipboard… The risk surface is bigger than people admit.

  • If you lost a laptop with wallet software

    This can be anything from fine to catastrophic, depending on whether keys lived on it.

    • If it’s a desktop wallet used only as a coordinator (e. g., Sparrow as a workbench with a hardware signer), the risk is often mostly privacy (wallet history, xpub/descriptors, labels).

    • If it held keys (software wallet), treat like a hot wallet compromise.

The first 10 minutes

This is the bit where people make it worse by rushing.

  1. Do not “test” your seed phrase online

    • If your brain says “I’ll just check quickly”… No! That’s how scams win.

  2. Lock down the device account immediately

    • Phone: use Find My (Apple)/Find My Device (Google) and mark it lost

    • Laptop: sign out of the OS account remotely if you can (where supported)

    • If you can do a remote lock/wipe, do it – but only after you’ve thought about what you’d lose (see below).

  3. Change the passwords that matter (not all of them)

    Prioritise the accounts that let someone escalate:

    • your email (because password resets go there)

    • your Apple ID/Google account (because it controls the device)

    • your password manager (if it’s on the device)

    • any exchange/on-ramp accounts you used on that device

  4. Freeze SIM swap risk

    If your phone is gone, assume SIM swap attempts may follow.

    • contact your mobile provider and ask for extra account protection

    • if you rely on SMS 2FA anywhere: move away from it as soon as you can

  5. If you only do one thing: protect email. Email is the skeleton key.

The first 30 minutes (containment)

Now you decide which branch you’re in.

  1. Branch A – Hot wallet/keys on the device (high risk)

    1. Treat the wallet as compromised

      Don’t wait for “evidence” you were hacked. The goal is to remove the chance.

    2. If you still can, move funds to a safe destination

      • If you have a secure second device and you can still access the wallet, move funds to a safer wallet (preferably cold storage).

      • If you’re panicking, move in one clean step – not ten half-steps.

    3. On EVM chains? Revoke approvals/permissions

      If you used Ethereum-style wallets (MetaMask, Rabby, etc.), malicious approvals can drain you later even if the wallet app is gone.

      • Use a reputable approval checker for the chain you used and revoke anything you don’t recognise.

      • If you don’t know what that means: this is where people in the comments can help, but don’t share secrets.

    4. Assume your session tokens are valuable

      If you were logged into exchanges, password managers, or email on that phone, treat those sessions as stolen.

      • sign out of all sessions where possible

      • rotate passwords

      • rotate 2FA (use authenticator apps or hardware keys, not SMS)

  2. Branch B – Hardware signer lost (usually containable)

    1. Don’t nuke your setup out of panic

      If the device was protected properly, you likely have time.

    2. Ask: could someone also access my backups?

      This is the real question.

      • If the seed phrase is stored separately and safely: risk is lower.

      • If the seed phrase was in the same bag/house/car: treat as a combined incident.

    3. If you suspect the seed might also be exposed: rotate

      • Set up a new wallet on a new signer (or a secure environment)

      • Generate a new seed (and passphrase if you use one)

      • Move funds to the new wallet

    4. If you’re confident backups are safe: monitor

      • Watch addresses for unexpected outgoing transactions (watch-only is perfect for this)

      • If anything moves that you didn’t sign, you’re already in “rotate immediately” territory

  3. Branch C – Watch-only device lost (privacy problem)

    1. If it was truly watch-only:

      • They can see balances/transactions and your wallet structure (depending on what was stored).

      • They can’t spend, but they can target you with better phishing.

    2. What to do:

      • Assume future scams might be better tailored.

      • Be extra suspicious of “support” messages that correctly reference your wallet type or balances.

The next 24 hours

  1. Do a proper account audit

    • email account recovery settings

    • password manager access

    • exchange logins and withdrawal whitelists

    • any cloud storage you used for wallet-adjacent files

  2. Check for “helpful” leaks

    Be honest: did that device have any of this?

    • photos of seed words

    • seed words typed into notes

    • screenshots of balances

    • passphrase hints that are actually the passphrase

    If yes: treat as compromise and rotate.

  3. Write down what happened (non-secret)

    Future You will forget details. Write:

    • what was lost

    • what you changed

    • what wallets/accounts might have been exposed

    This is the boring part that stops you repeating mistakes.

  4. Run a recovery drill (afterwards, not during the panic)

    The worst time to discover your backup is wrong is when you’re already under stress.

The “don’t be your own enemy” list

These are the classic mistakes people make in incidents:

  • typing seed/passphrase into a website to “check” something

  • taking advice in DMs from “support” or someone “trustworthy”

  • rushing a migration and sending funds to an unverified address

  • changing ten passwords but forgetting email

  • assuming “hardware wallet lost = funds lost” (usually false)

  • assuming “phone lost = fine” (often false)

If you only do three things:

  1. Secure your email and device account (Apple/Google)

  2. Decide if keys were on the lost device (hot vs signer vs watch-only)

  3. If keys might be exposed: rotate funds to a new wallet (end the uncertainty)

If you want help in the comments, use this template (and keep secrets private):

  • What was lost: phone/laptop/signer

  • Was it locked: yes/no

  • Wallet type: hot wallet/hardware signer/watch-only

  • Chains involved: Bitcoin/Ethereum/Solana/etc.

  • What you’ve already done: (Find My, password changes, session sign-outs)

  • Confirm what you have NOT shared: seed/passphrase/private keys

You don’t need to be brave here. You just need to be methodical – and fast enough to stay ahead of the mess.

2Score: 2

0 Comments