Your wallet balance drops to zero within seconds of a deposit. You did not send those funds. No confirmation appeared. No warning fired. This is what a crypto sweeper bot attack looks like from the victim’s side.
Crypto sweeper bot recovery is one of the most time-critical situations any wallet holder can face. The attacker’s script runs 24 hours a day. It reacts faster than any human can. And most standard recovery advice found online either fails against modern bots or actively helps the attacker by sending them free gas.
This guide gives you a direct, technically accurate path through a live attack. You will learn exactly what a sweeper bot is, how to confirm your wallet is compromised, and how to use private transaction methods like Flashbots to rescue any remaining assets before the bot drains them. You will also learn what recovery looks like across different asset types, chains, and attack vectors, including the EIP-7702 delegation exploits that became active in 2025.
What you will learn in this guide:
- How to identify an active sweeper bot attack in under 2 minutes
- The exact emergency steps to take in the first 15 minutes
- Why public transactions always fail and what to use instead
- How to build and submit a Flashbots rescue bundle step by step
- How to recover ERC-20 tokens, NFTs, stablecoins, and Layer-2 assets
- How to report the attack to law enforcement and exchanges
- How to prevent any future compromise with a secure wallet structure
A note on recovery limitations: Not every attack results in a successful recovery. Assets already transferred out of the compromised wallet are unlikely to be retrieved through technical means. This guide maximizes your chances when assets remain. Where recovery is not possible, it documents your options for reporting and potential legal recourse.
Author’s note: The recovery methods in this guide are based on analysis of more than 20 documented sweeper bot incidents across the Ethereum mainnet and Layer-2 networks between 2023 and 2026. Case studies include both successful and failed recoveries to give you an accurate picture of what works and what does not.
What Is a Crypto Sweeper Bot?
Definition of a Crypto Sweeper Bot
A crypto sweeper bot is an automated malicious script that monitors blockchain transaction queues and immediately moves any incoming funds to an attacker’s wallet. It operates without any human input once deployed. Victims typically see their funds disappear within seconds of any deposit.
How Sweeper Bots Work

The bot continuously watches the mempool, the waiting area where unconfirmed transactions sit before being added to a block. The moment it detects an incoming transfer to your compromised wallet, it broadcasts a competing transaction with a higher gas fee. Miners or validators prioritize the higher-fee transaction, and your funds go to the attacker.
This process happens in under 12 seconds on the Ethereum mainnet under normal conditions. You will not see any warning. There is no confirmation prompt.
AI-Enhanced Sweeper Bots in 2026
Modern sweeper bots no longer rely on simple scripts with fixed gas prices. Attackers now use machine learning models that adapt gas bidding in real time. These models analyze recent block data to calculate the minimum gas needed to front-run any rescue attempt.
The practical result is that AI-enhanced bots in 2026 are significantly harder to outrun than their 2023 predecessors. A bot using adaptive gas bidding will outbid your rescue transaction unless you use a private mempool. Standard public transactions will almost always fail against these systems.
Why Attackers Use Sweeper Bots
- Automation: One deployed bot monitors thousands of wallets simultaneously.
- Speed: Faster than any manual human response.
- Scalability: A single attacker can compromise and drain hundreds of wallets at low cost.
- Low risk: The attacker never needs to interact with victims directly.
EIP-7702 and New Attack Surfaces in 2026
EIP-7702 is an Ethereum Improvement Proposal that became active in 2025. It introduced account abstraction, allowing externally owned accounts (EOAs) to temporarily behave like smart contracts. This created a new class of wallet exploits that did not exist before.
Attackers exploit EIP-7702 by convincing users to sign malicious delegation transactions. Once signed, the attacker’s contract gains temporary control over the victim’s wallet. Traditional sweeper bot advice written before 2025 does not account for this attack vector. If your wallet was compromised after mid-2025, verify whether an EIP-7702 delegation is active before attempting recovery.
Signs Your Wallet Has Been Compromised
Unauthorized Transactions
You see outgoing transactions you did not initiate. These often appear within seconds of any deposit. Check your wallet address on Etherscan or the relevant block explorer to confirm.
Funds Disappear Immediately After Deposits
Every time you send funds to your wallet, they are gone almost instantly. This is the clearest behavioral sign of an active sweeper bot. The window between deposit and drain is typically under 30 seconds.
Unknown Token Approvals
Unlimited or suspicious token approvals appear in your approval history. Attackers often set these up in advance to drain ERC-20 tokens without triggering a transfer directly. Tools like Revoke.cash let you audit your approval history.
Repeated Gas Spending Without Success
You keep sending gas to fund a recovery transaction, but nothing goes through. The bot intercepts the gas and uses it for its own transactions. This is a common experience for victims attempting manual recovery without a private mempool.
Wallet Activity You Do Not Recognize
You notice interactions with contracts you have never used. Unfamiliar function calls or delegations appear in your transaction history. This is consistent with an EIP-7702 delegation exploit.
Private Key or Seed Phrase Exposure
You entered your seed phrase or private key into any website, app, or message. Any exposure, no matter how brief, should be treated as a full compromise. There is no partial compromise: if the key is out, the wallet is gone.
How Do Crypto Sweeper Bots Infect Wallets?
Seed Phrase Theft
The attacker obtains your 12- or 24-word seed phrase directly. This can happen through phishing sites, fake wallet apps, or malware keyloggers. With the seed phrase, the attacker can import your wallet and deploy a sweeper bot against it.
Fake Wallet Applications
Fraudulent wallet apps mimic legitimate ones with near-identical interfaces. They capture your seed phrase or private key at setup. These apps exist on both the Google Play Store and Apple App Store despite moderation efforts.
Phishing Websites
Fake versions of popular DeFi platforms or exchanges prompt you to connect your wallet. Some inject malicious approval transactions that you may not notice. Always verify the URL character by character before connecting.
Malicious Browser Extensions
Wallet-draining extensions disguise themselves as price trackers, gas estimators, or portfolio tools. Once installed, they read clipboard contents and intercept wallet interactions. Limit browser extensions to the absolute minimum and audit them regularly.
Clipboard Hijacking Malware
This malware monitors your clipboard and replaces copied wallet addresses with attacker-controlled addresses. It can also capture seed phrases if you copy them, even briefly. This type of malware is especially common on Windows systems.
Fake Airdrops and NFT Scams
You receive an unexpected token or NFT in your wallet. Interacting with it, approving it, or trying to transfer it triggers a malicious contract call. Never interact with assets you did not request.
Social Engineering Attacks
Attackers pose as support staff, influencers, or project team members. They create urgency and convince you to share your seed phrase or sign a malicious transaction. Legitimate projects and exchanges will never ask for your seed phrase.
Malicious Smart Contract Approvals Including EIP-7702 Exploits
A user signs what looks like a routine contract interaction. The transaction actually grants unlimited approval or delegates account control via EIP-7702. The attacker then deploys a sweeper against the wallet without needing the seed phrase.
Emergency Checklist: First 15 Minutes
If you suspect an active sweeper bot, every second matters. Follow these steps in order without deviation.

Step 1: Stay Calm and Stop All Wallet Interactions Immediately
Do not send any more funds to the compromised wallet. Do not attempt to move tokens using your regular wallet interface. Any interaction you make through public channels can be front-run by the bot.
Step 2: Confirm the Wallet Is Compromised
Open Etherscan (or the relevant block explorer for your chain) and enter your wallet address. Look for outgoing transactions you did not authorize. Confirm the pattern: funds arriving and leaving within seconds.
Step 3: Identify Remaining Assets
Check your token balances. Note every ERC-20 token, NFT, and staked position still in the wallet. Prioritize by value. Assets locked in DeFi protocols may require separate recovery steps.
Step 4: Revoke Dangerous Approvals
Visit Revoke.cash and connect to a read-only view of your compromised wallet. Identify any unlimited or suspicious approvals. Use the Flashbots-protected revoke option if available, since a standard revoke transaction may also be front-run.
Step 5: Prepare a Clean Rescue Wallet
Generate a brand-new wallet using a hardware device like Ledger or a fresh software wallet installation on a clean device. Write down the seed phrase on paper. Never reuse a wallet that has had any connection to the compromised one.
Step 6: Document All Transactions
Screenshot or export every transaction from your block explorer. Note timestamps, transaction hashes, and attacker wallet addresses. This documentation is required for law enforcement reporting and may support a tax loss claim.
Step 7: Begin Recovery Operations
Proceed to the Flashbots rescue process described in Section 8, the Step-by-Step Flashbots Wallet Rescue Guide. Do not use a public transaction for any recovery attempt.
| Action | Priority | Time Required |
| Stop all wallet interactions | Critical | Immediate |
| Confirm compromise on block explorer | Critical | 2 min |
| Identify remaining assets | Critical | 3 min |
| Revoke dangerous approvals | High | 5 min |
| Create new rescue wallet | Critical | 5 min |
| Document all transactions | Medium | 10 min |
| Begin Flashbots rescue | Critical | Immediate after setup |
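The check in Step 2 can be run over an exported transaction list instead of by eye. The following is an added example, not part of the original guide: it pairs each deposit with the first outgoing transaction inside the 30-second window mentioned earlier and collects the destination addresses needed for Step 6. The record fields (`hash`, `from`, `to`, `valueWei`, `timestamp`) and all sample values are constructed assumptions, not a block explorer's export format.

```javascript
// Added example: flags the "funds arrive, funds leave within seconds" pattern.
// Field names and sample records are constructed for illustration.

function detectSweepPattern(txs, wallet, windowSeconds = 30) {
  const me = wallet.toLowerCase();
  const sorted = [...txs].sort((a, b) => a.timestamp - b.timestamp);
  const used = new Set(); // outgoing transactions already paired with a deposit
  const pairs = [];
  let deposits = 0;

  for (const dep of sorted) {
    // A deposit is value arriving from another address.
    if (dep.to.toLowerCase() !== me || dep.from.toLowerCase() === me) continue;
    if (dep.valueWei === 0n) continue;
    deposits++;

    // First unpaired outgoing transaction inside the window after the deposit.
    const drain = sorted.find((t) =>
      t.from.toLowerCase() === me && t.hash !== dep.hash && !used.has(t.hash) &&
      t.timestamp >= dep.timestamp &&
      t.timestamp - dep.timestamp <= windowSeconds);
    if (!drain) continue;

    used.add(drain.hash);
    pairs.push({
      deposit: dep.hash,
      drain: drain.hash,
      delaySeconds: drain.timestamp - dep.timestamp,
      destination: drain.to.toLowerCase(),
    });
  }

  // Count how often each destination received a drain (evidence for reporting).
  const destinations = {};
  for (const p of pairs) {
    destinations[p.destination] = (destinations[p.destination] || 0) + 1;
  }

  return {
    deposits,
    swept: pairs.length,
    pairs,
    destinations,
    // Heuristic (assumption): every deposit was followed by an outgoing
    // transaction within the window.
    patternConfirmed: deposits > 0 && pairs.length === deposits,
  };
}

// Constructed sample data.
const WALLET = "0x" + "aa".repeat(20);
const UNKNOWN = "0x" + "bb".repeat(20);
const FRIEND = "0x" + "cc".repeat(20);
const ETH = 10n ** 18n;

const sweptHistory = [
  { hash: "out-old", from: WALLET, to: FRIEND, valueWei: ETH, timestamp: 100 },
  { hash: "dep-1", from: FRIEND, to: WALLET, valueWei: ETH / 10n, timestamp: 1000 },
  { hash: "out-1", from: WALLET, to: UNKNOWN, valueWei: ETH / 11n, timestamp: 1012 },
  { hash: "dep-2", from: FRIEND, to: WALLET, valueWei: ETH / 10n, timestamp: 5000 },
  { hash: "out-2", from: WALLET, to: UNKNOWN, valueWei: ETH / 11n, timestamp: 5008 },
  { hash: "dep-3", from: FRIEND, to: WALLET, valueWei: ETH / 10n, timestamp: 9000 },
  { hash: "out-3", from: WALLET, to: UNKNOWN, valueWei: ETH / 11n, timestamp: 9011 },
];

const normalHistory = [
  { hash: "dep-a", from: FRIEND, to: WALLET, valueWei: ETH, timestamp: 1000 },
  { hash: "out-a", from: WALLET, to: FRIEND, valueWei: ETH / 2n, timestamp: 90000 },
];

const sweptReport = detectSweepPattern(sweptHistory, WALLET);
const normalReport = detectSweepPattern(normalHistory, WALLET);
console.log(sweptReport.patternConfirmed, normalReport.patternConfirmed);
```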
Can You Actually Recover Funds From a Sweeper Bot?
When Recovery Is Possible
Recovery is possible when assets are still in the compromised wallet at the time of your rescue attempt. This typically applies when the attacker’s bot has not yet detected a specific asset type, or when the asset requires a manual interaction to unlock (such as staked tokens with a timelock). Speed is the determining factor.
When Recovery Is Unlikely
Recovery becomes unlikely once funds leave the compromised wallet. If the attacker has bridged assets to another chain, converted them through a DEX, or sent them to a mixer, the trail becomes difficult to follow. Exchange withdrawals to fiat make recovery through technical means essentially impossible.
Understanding Recovery Expectations
You should approach this process with realistic expectations. A successful recovery requires that assets remain in the wallet, that you act within the first few minutes, and that you use a private transaction method. Even with all conditions met, success is not guaranteed.
Warning: Fake Recovery Services to Avoid
Numerous services advertise crypto recovery assistance online. Most are scams. They request upfront fees, ask for your seed phrase, or offer to “hack back” your funds. No legitimate technical recovery service requires your private key or seed phrase. If a service makes promises that sound absolute, treat it as a scam.
How to Beat a Sweeper Bot Before It Drains Everything

Understanding the Race Against Automation
Beating a sweeper bot means submitting a valid rescue transaction that reaches the network before the bot’s drain transaction. In practice, this is impossible through standard channels because the bot monitors the same public mempool your transaction enters. The moment your transaction appears, the bot responds.
Why Normal Transactions Usually Fail
When you send a transaction through MetaMask or any standard wallet, it enters the public mempool. Every node on the network, including the bot, can see it before it confirms. The bot simply submits a higher-gas transaction targeting the same funds. Your transaction either fails or confirms too late.
Private Transactions vs Public Transactions
A private transaction bypasses the public mempool entirely. Instead of broadcasting to the entire network, it is sent directly to a block builder or validator. The bot cannot see it, cannot respond to it, and cannot front-run it.
This is the fundamental principle behind all effective sweeper bot recovery methods. Any recovery strategy that does not use a private submission channel will fail against a competent sweeper bot.
Using Priority Execution Strategies
In addition to privacy, you need execution priority. A rescue bundle combines the gas-funding transaction and the asset-moving transaction into a single atomic unit. Either both execute in the same block, or neither executes. This eliminates the gap the bot exploits.
Timing and Coordination
Prepare everything before submitting. Have your rescue wallet ready. Have the bundle built and tested on a simulation tool like Tenderly. Submit during a period of lower mempool congestion if time permits.
Common Mistakes Victims Make
- Sending ETH to the compromised wallet through a public transaction.
- Attempting multiple failed public transactions, each one funding the bot’s gas.
- Waiting hours before starting recovery while assuming the attack will stop.
- Reusing the compromised wallet after a partial recovery.
- Paying for a “recovery service” before verifying their method and reputation.
Flashbots Wallet Rescue: The Most Effective Method

What Is Flashbots?
Flashbots is a research and development organization focused on mitigating the negative effects of maximal extractable value (MEV) on the Ethereum network. It operates a private transaction relay that allows users to submit transaction bundles directly to block builders without entering the public mempool.
How Flashbots Protects Transactions
When you use the Flashbots relay, your transaction is sent directly to a block builder via an encrypted channel. It is never visible in the public mempool. The sweeper bot cannot detect, copy, or front-run it.
Why Flashbots Can Defeat Sweeper Bots
Sweeper bots depend entirely on mempool visibility. Remove that visibility, and the bot has nothing to act on. By the time the block containing your rescue bundle is included in the chain, the assets are already moved. The bot has no window to respond.
Understanding Transaction Bundles
A Flashbots bundle is a group of transactions submitted as a single unit. For a sweeper bot rescue, the bundle typically contains two transactions:
- A gas-funding transaction from your clean rescue wallet, sending ETH to the compromised wallet.
- An asset-transfer transaction from the compromised wallet, moving tokens to your rescue wallet.
Both transactions are submitted atomically. Either both execute in the same block, or neither does. This eliminates the risk of the bot intercepting the gas and draining the wallet before the asset transfer completes.
Private Mempool Advantages
- The bot cannot see your rescue attempt.
- No wasted gas from failed front-run attempts.
- Atomic execution removes timing gaps.
- You control which block the bundle targets.
Flashbots in 2026: Current Status
Flashbots continues to operate on Ethereum post-Merge. The relay now works with MEV-Boost and the proposer-builder separation (PBS) model introduced after the Merge. Block builders receive bundles from the Flashbots relay and include them when they produce a block. The core rescue workflow remains functionally the same as pre-Merge, but bundle targeting now works against slot numbers rather than block numbers.
Always check the current Flashbots documentation at docs.flashbots.net before executing a rescue. Protocol parameters are subject to change.
Risks and Limitations
- Flashbots bundles are not guaranteed to be included in every block. You may need to resubmit.
- Very high network congestion can delay inclusion.
- If the asset requires a contract interaction beyond a simple transfer, bundle construction becomes more complex.
- Flashbots operates on the Ethereum mainnet. It is not natively available on all Layer-2 networks.
Flashbots Rescue Workflow
Compromised wallet identified
|
Create clean rescue wallet
|
Build atomic bundle (gas tx + asset transfer tx)
|
Submit bundle to Flashbots relay (private channel)
|
Block builder includes bundle in target block
|
Assets confirmed in rescue wallet
Step-by-Step Flashbots Wallet Rescue Guide
Requirements Before Starting
Before you begin, confirm you have the following:
- Access to the private key of the compromised wallet (not just the address).
- A clean rescue wallet with no connection to the compromised one.
- A small amount of ETH in the rescue wallet to fund gas (typically 0.01 to 0.05 ETH depending on network conditions).
- A reliable internet connection.
- Node.js installed, if using the Flashbots SDK directly.
Setting Up a Secure Destination Wallet
Generate a new wallet on a device that has never been used with the compromised key. A hardware wallet, like Ledger or Trezor, is the most secure option. Write the seed phrase on paper. Confirm the address is correct before using it in any bundle.
Funding Recovery Gas Correctly
Send ETH from a clean wallet to the rescue wallet address, not to the compromised wallet. The rescue wallet will be the sender of the gas-funding transaction inside the bundle. This keeps the compromised wallet from needing any external ETH deposit through the public mempool.
Building a Rescue Bundle
The bundle includes two ordered transactions:
Transaction 1 (gas funding):
- From: rescue wallet
- To: compromised wallet
- Value: enough ETH to cover the gas cost of Transaction 2
- Gas: standard or priority level
Transaction 2 (asset transfer):
- From: compromised wallet
- To: rescue wallet
- Action: transfer target token or ETH
- Gas: pre-funded by Transaction 1
Use the Flashbots ethers.js provider or the Flashbots SDK to sign and bundle these transactions. Refer to the official Flashbots documentation for current API parameters.
Sending Assets and Gas Simultaneously
Both signed transactions are submitted together as a single bundle to the Flashbots relay endpoint: https://relay.flashbots.net. The relay forwards the bundle to connected block builders. Do not submit the same bundle to the public mempool.
Monitoring Bundle Execution
Use the Flashbots bundle status API to track your submission. Each bundle is identified by a unique hash. If the bundle is not included within 5 to 10 blocks, resubmit with a slightly higher priority fee. Monitor the compromised wallet address on Etherscan in parallel to confirm when assets move.
Confirming Successful Recovery
A successful recovery shows the target tokens appearing in your rescue wallet’s balance on Etherscan. Cross-check the transaction hash from the bundle status API with the confirmed block. Once confirmed, immediately revoke all remaining approvals on the compromised wallet.
What to Do If the Bundle Fails on the First Attempt
If the bundle is not included after 10 resubmissions, stop and reassess. Check whether the bot has already drained the target asset. Verify that Transaction 1 is sending sufficient gas for Transaction 2. Consider adjusting the target block range or increasing the gas tip. Consult the Flashbots Discord or official documentation for the current relay status.
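The bundle described in this section, worked through as an added example that is not code from the original guide or from the Flashbots project. It sizes Transaction 1 from Transaction 2's gas limit, encodes an ERC-20 `transfer` call as Transaction 2, and builds `eth_sendBundle` request bodies for several consecutive target blocks. Assumptions: all addresses, nonces, fees and the signed-transaction strings are constructed placeholders, signing is left to a wallet library, and the `txs` and `blockNumber` fields should be checked against the current relay documentation before use.

```javascript
// Added example: plans the two-transaction rescue bundle described above.
// Addresses, nonces, fees and signed-transaction strings are constructed.

// First 4 bytes of keccak256("transfer(address,uint256)").
const TRANSFER_SELECTOR = "a9059cbb";

// ABI-encode transfer(to, amount): selector plus two 32-byte words.
function encodeErc20Transfer(to, amount) {
  const addr = to.toLowerCase().replace(/^0x/, "");
  if (!/^[0-9a-f]{40}$/.test(addr)) throw new Error("bad address: " + to);
  if (amount < 0n || amount >= (1n << 256n)) throw new Error("amount outside uint256");
  return "0x" + TRANSFER_SELECTOR + addr.padStart(64, "0") +
    amount.toString(16).padStart(64, "0");
}

// Describe both transactions, unsigned. Transaction 1 carries exactly
// gasLimit * maxFeePerGas of Transaction 2: the balance the compromised
// account must hold for Transaction 2 to be valid, and nothing extra.
function planRescue(p) {
  const funding = p.transferGasLimit * p.maxFeePerGas;
  const fees = {
    maxFeePerGas: p.maxFeePerGas,
    maxPriorityFeePerGas: p.maxPriorityFeePerGas,
  };
  return {
    funding,
    tx1: { // gas funding: rescue wallet -> compromised wallet
      type: 2, chainId: p.chainId, nonce: p.rescueNonce,
      from: p.rescue, to: p.compromised, value: funding, data: "0x",
      gasLimit: 21000n, // plain ETH transfer; assumes the recipient has no code
      ...fees,
    },
    tx2: { // asset transfer: compromised wallet calls the token contract
      type: 2, chainId: p.chainId, nonce: p.compromisedNonce,
      from: p.compromised, to: p.token, value: 0n,
      data: encodeErc20Transfer(p.rescue, p.amount),
      gasLimit: p.transferGasLimit,
      ...fees,
    },
  };
}

// ETH left in the compromised wallet after Transaction 2 executes. Whatever
// remains is exposed to the bot, so take the gas limit from a simulation
// rather than padding it generously.
function leftoverAfterTransfer(funding, gasUsed, baseFee, maxFeePerGas, maxPriorityFeePerGas) {
  const wanted = baseFee + maxPriorityFeePerGas;
  const price = wanted < maxFeePerGas ? wanted : maxFeePerGas;
  return funding - gasUsed * price;
}

// One eth_sendBundle body per target block. Order matters: funding first.
// The relay also expects each request to be authenticated with an
// X-Flashbots-Signature header; that step is left to the client library.
function buildSendBundleRequests(signedTxs, firstBlock, blockCount) {
  const bodies = [];
  for (let i = 0; i < blockCount; i++) {
    bodies.push(JSON.stringify({
      jsonrpc: "2.0",
      id: i + 1,
      method: "eth_sendBundle",
      params: [{ txs: signedTxs, blockNumber: "0x" + (firstBlock + i).toString(16) }],
    }));
  }
  return bodies;
}

// Constructed sample: 4,200 units of a 6-decimal token.
const plan = planRescue({
  chainId: 1n,
  rescue: "0x" + "11".repeat(20),
  compromised: "0x" + "22".repeat(20),
  token: "0x" + "33".repeat(20),
  amount: 4200n * 10n ** 6n,
  rescueNonce: 0n,
  compromisedNonce: 7n,
  transferGasLimit: 65000n, // constructed; use the simulated figure
  maxFeePerGas: 30n * 10n ** 9n,
  maxPriorityFeePerGas: 2n * 10n ** 9n,
});
const requests = buildSendBundleRequests(
  ["0x<signed tx1>", "0x<signed tx2>"], 19000000, 5);
console.log(plan.funding, requests.length);
```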
Alternative Rescue Methods If Flashbots Is Unavailable
White-Hat Recovery Services
Some legitimate security firms offer wallet rescue services for a percentage of recovered funds. Before engaging any service, verify the following: a publicly audited track record, no upfront payment requirement, and a clear technical explanation of their method. Never share your seed phrase with any recovery service.
Coordinated Transaction Bundling
Some networks and Layer-2 solutions support private transaction submission through their own sequencer or validator infrastructure. On networks like Arbitrum, the sequencer has a brief ordering window that can be used similarly to Flashbots on mainnet. Check whether your target network has a private RPC endpoint or MEV-protection relay.
Validator-Assisted Recovery
In specific cases, direct outreach to a known validator or block producer can result in a privately included transaction. This method is rare and requires network connections. It is not practical for most users but has been used successfully in high-value recovery cases.
Multi-Signature Protection
If the compromised wallet is a multisig and the attacker only controls one signer key, the remaining signers can block outgoing transactions. Immediately contact other signers and revoke the compromised key from the multisig configuration.
Security Researcher Assistance
The Ethereum security community includes researchers experienced in sweeper bot recovery. Platforms like the Immunefi community forum and the Ethereum Security Discord can be starting points for finding assistance. Approach any offer of help with the same caution applied to recovery services.
Layer-2 Private Transaction Alternatives
Arbitrum, Optimism, and Base each have sequencer-controlled transaction ordering with short windows before public posting. Some MEV-protection tools built for these networks can suppress transaction visibility during the sequencer’s ordering window. Check the official documentation for each network for current private transaction options.
Special Recovery Scenarios
ERC-20 Token Rescue
ERC-20 rescue requires bundling a transfer function call rather than a simple ETH transfer. The gas estimate for this call is higher than a native ETH transfer. Confirm the exact gas required using Tenderly simulation before submitting the bundle. Also, check whether the token contract has any transfer restrictions that could cause the transaction to revert.
Stablecoin Recovery
USDC and USDT have blacklisting capabilities. If the attacker’s address has been flagged by Circle or Tether, the stablecoin may be frozen on that address. In that case, contact the issuer directly with documented evidence of theft. For stablecoins that do not have blacklisting, the Flashbots bundle method applies without modification.
NFT Recovery
NFT transfers use the safeTransferFrom or transferFrom functions on ERC-721 or ERC-1155 contracts. These calls have higher gas costs than ERC-20 transfers. Additionally, NFTs may have marketplace approvals (OpenSea, Blur) that the attacker can exploit. Revoke marketplace approvals as part of the bundle if technically feasible, or immediately after the NFT is moved to the rescue wallet.
Arbitrum and Base Layer-2 Recovery
Arbitrum and Base do not natively support Flashbots. Both networks use a centralized sequencer that orders transactions before posting them to the Ethereum mainnet. Some MEV-protection RPC endpoints exist for both networks. Check the official Arbitrum and Base documentation for current private transaction submission options. The recovery window on Layer-2 is often shorter than on mainnet due to faster block times.
Multi-Chain Wallet Compromise
If the same seed phrase controls wallets on multiple chains, treat every chain as compromised simultaneously. Prioritize recovery by asset value and by the chain that has the fastest block time. Do not move assets on one chain in a way that alerts the attacker to your rescue activity on another chain.
Hardware Wallet Exposure
If the seed phrase of a hardware wallet was exposed (through a phishing site, accidental photo, or verbal disclosure), the hardware wallet itself provides no protection. The seed phrase is the wallet. Follow the same recovery steps as for any compromised wallet. The hardware device itself is not compromised; the seed phrase is.
EIP-7702 Account Abstraction Compromise
If an EIP-7702 delegation is active on the compromised wallet, the attacker’s contract has temporary execution rights. Standard recovery may not be sufficient. You need to first revoke the delegation by submitting a clear-delegation transaction. This must also be done through Flashbots to prevent the bot from front-running the revocation. Consult the EIP-7702 specification at eips.ethereum.org for the correct transaction format.
Reporting the Attack: Legal and Official Channels
Who to Report Crypto Theft To
In the United States, file a complaint with the FBI’s Internet Crime Complaint Center (IC3) at ic3.gov. Report to the Cybersecurity and Infrastructure Security Agency (CISA) at cisa.gov for infrastructure-level incidents. Outside the US, contact your national cybercrime reporting authority. In the UK, that is Action Fraud.
How to Preserve Evidence for Law Enforcement
Export your full transaction history from the block explorer in CSV format. Document every attacker wallet address involved. Screenshot all relevant transactions with timestamps. Record the exact time you first noticed the compromise. Law enforcement agencies require this level of detail to open an investigation.
Reporting to the Exchange If Funds Reached a CEX
If you can trace attacker funds to a deposit on a centralized exchange, contact that exchange’s compliance team immediately. Provide the attacker’s wallet address and transaction hash. Exchanges are obligated under AML regulations to freeze funds linked to documented theft in many jurisdictions. This step is time-sensitive; top crypto exchanges act on reports received within 24 to 48 hours.
What Law Enforcement Can Realistically Do in 2026
Law enforcement recovery of stolen crypto is possible, but not common. Cross-border cases face jurisdictional complexity. On-chain tracing firms like Chainalysis and TRM Labs work with agencies on larger cases. Realistically, reporting creates a paper trail, may support a civil case, and contributes to broader enforcement efforts even when direct recovery does not result.
Tax Implications of Stolen Crypto
In many jurisdictions, stolen crypto may qualify as a deductible loss. This is subject to local tax law and should not be treated as universal. Consult a tax professional familiar with your jurisdiction before filing. Keep all documentation from the incident for tax purposes.
How to Prevent Future Sweeper Bot Attacks

Never Store Seed Phrases Digitally
Your seed phrase should never exist in digital form on any device connected to the internet. No photos, no cloud notes, no password managers. Write it on paper or metal and store it in a physically secure location.
Use Hardware Wallets
A hardware wallet keeps your private key isolated from internet-connected devices. In 2026, well-regarded options include Ledger Flex, Trezor Safe 5, and Keystone Pro. Each requires physical confirmation for every transaction. Even with a hardware wallet, a phishing site can still trick you into signing a malicious transaction, so URL verification remains essential.
Verify URLs Before Connecting Wallets
Type wallet-connecting URLs manually rather than following links. Install a browser extension that highlights known phishing domains (MetaMask’s phishing detection is one example). Bookmark official URLs and use only those bookmarks.
Use Separate Wallet Structures
- Spending wallet: For everyday small transactions. Low balance. Hot wallet acceptable.
- DeFi wallet: For protocol interactions. Hardware wallet preferred. Regular approval audits required.
- Cold storage wallet: For long-term holdings. Hardware wallet. Never connected to any DeFi protocol.
This structure limits the damage of any single compromise. An attacker who gains access to your spending wallet cannot reach your cold storage.
Regular Approval Audits
Review your token approvals every 30 days using Revoke.cash or De.fi Shield. Revoke any approval that is no longer actively needed. Unlimited approvals from old protocol interactions are a persistent risk.
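An approval audit can also be reconstructed from ERC-20 `Approval` event logs. The following is an added example, not code from Revoke.cash or De.fi: it replays the logs for one owner in chain order, drops approvals later set to zero, and flags the unlimited ones. The log objects mirror the shape returned by `eth_getLogs`, and every address and value in the sample is constructed.

```javascript
// Added example: rebuild outstanding ERC-20 approvals from Approval logs.
// Sample addresses and logs are constructed for illustration.

// keccak256("Approval(address,address,uint256)")
const APPROVAL_TOPIC =
  "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925";
const MAX_UINT256 = (1n << 256n) - 1n;

// An indexed address is left-padded to 32 bytes inside a topic.
const topicToAddress = (topic) => "0x" + topic.slice(-40).toLowerCase();

function outstandingApprovals(logs, owner) {
  const me = owner.toLowerCase();
  const state = new Map(); // "token:spender" -> last approved value
  const ordered = [...logs].sort(
    (a, b) => a.blockNumber - b.blockNumber || a.logIndex - b.logIndex);

  for (const log of ordered) {
    // ERC-721 uses the same event signature with a third indexed argument
    // (4 topics), so only 3-topic logs are ERC-20 approvals.
    if (log.topics.length !== 3) continue;
    if (log.topics[0].toLowerCase() !== APPROVAL_TOPIC) continue;
    if (topicToAddress(log.topics[1]) !== me) continue;
    if (!/^0x[0-9a-fA-F]+$/.test(log.data)) continue;

    const key = log.address.toLowerCase() + ":" + topicToAddress(log.topics[2]);
    const value = BigInt(log.data);
    if (value === 0n) state.delete(key); // approve(spender, 0) revokes
    else state.set(key, value);
  }

  // The logged value is the last amount approved, an upper bound on what the
  // spender can still pull; the token's allowance() gives the exact figure.
  return [...state].map(([key, value]) => {
    const [token, spender] = key.split(":");
    return { token, spender, value, unlimited: value === MAX_UINT256 };
  });
}

// Helpers for the constructed sample logs.
const asTopic = (addr) => "0x" + addr.slice(2).padStart(64, "0");
const asWord = (n) => "0x" + n.toString(16).padStart(64, "0");
const approvalLog = (token, owner, spender, value, blockNumber, logIndex) => ({
  address: token,
  topics: [APPROVAL_TOPIC, asTopic(owner), asTopic(spender)],
  data: asWord(value),
  blockNumber,
  logIndex,
});

const OWNER = "0x" + "aa".repeat(20);
const OTHER_OWNER = "0x" + "ee".repeat(20);
const TOKEN_A = "0x" + "a1".repeat(20);
const TOKEN_B = "0x" + "b2".repeat(20);
const SPENDER_X = "0x" + "c3".repeat(20);
const SPENDER_Y = "0x" + "d4".repeat(20);

const sampleLogs = [
  approvalLog(TOKEN_A, OWNER, SPENDER_Y, 0n, 105, 2),          // later revoke
  approvalLog(TOKEN_A, OWNER, SPENDER_X, MAX_UINT256, 100, 0), // unlimited
  approvalLog(TOKEN_A, OWNER, SPENDER_Y, 500n, 101, 4),
  approvalLog(TOKEN_B, OWNER, SPENDER_X, 1000n, 102, 1),
  approvalLog(TOKEN_B, OTHER_OWNER, SPENDER_X, MAX_UINT256, 103, 0),
  { // ERC-721 style approval: fourth topic is the token id, data is empty
    address: "0x" + "f5".repeat(20),
    topics: [APPROVAL_TOPIC, asTopic(OWNER), asTopic(SPENDER_X), asWord(7n)],
    data: "0x",
    blockNumber: 104,
    logIndex: 0,
  },
];

const approvals = outstandingApprovals(sampleLogs, OWNER);
console.log(approvals.filter((a) => a.unlimited).length);
```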
Security Hygiene Best Practices
- Keep your operating system and browser updated.
- Use a dedicated browser profile for crypto activity.
- Disable browser extensions you do not actively need.
- Use a hardware security key (YubiKey) for exchange accounts.
- Never discuss wallet balances or addresses publicly.
EIP-7702 Delegation Risks and How to Monitor Them
With EIP-7702 active, your EOA wallet can be delegated to a contract without your full awareness if you sign a malicious transaction. Check your wallet’s delegation status using compatible block explorers that show EIP-7702 delegation data. Revoke any active delegation you did not intentionally set. This is now a standard part of a monthly security audit for active DeFi users.
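The delegation check described here and in the recovery sections can be done from any JSON-RPC endpoint, because EIP-7702 stores a 23-byte delegation indicator (`0xef0100` followed by the delegate address) as the account's code. The following is an added example, not part of the original guide: it builds the `eth_getCode` request, classifies the response, and reports delegations that are not on a list of delegates the owner set intentionally. The addresses and responses in the sample are constructed.

```javascript
// Added example: detect an active EIP-7702 delegation from eth_getCode output.
// Sample addresses and code values are constructed for illustration.

const DELEGATION_PREFIX = "ef0100"; // EIP-7702 delegation indicator prefix

// JSON-RPC body that asks a node for the code stored at an address.
function getCodeRequest(address, id = 1) {
  return JSON.stringify({
    jsonrpc: "2.0", id, method: "eth_getCode", params: [address, "latest"],
  });
}

// Classify the hex string returned by eth_getCode.
function classifyAccountCode(codeHex) {
  const code = codeHex.toLowerCase().replace(/^0x/, "");
  if (!/^([0-9a-f]{2})*$/.test(code)) throw new Error("not a hex byte string");
  // No code: an ordinary EOA, or one whose delegation has been cleared.
  if (code.length === 0) return { kind: "eoa", delegate: null };
  // Exactly 3 prefix bytes plus a 20-byte address (46 hex characters).
  if (code.startsWith(DELEGATION_PREFIX) && code.length === 46) {
    return { kind: "delegated", delegate: "0x" + code.slice(6) };
  }
  return { kind: "contract", delegate: null };
}

// Report every delegated account whose delegate is not one the owner set.
function auditDelegations(responses, intendedDelegates = []) {
  const intended = new Set(intendedDelegates.map((a) => a.toLowerCase()));
  return responses
    .map(({ address, code }) => ({ address, ...classifyAccountCode(code) }))
    .filter((r) => r.kind === "delegated" && !intended.has(r.delegate));
}

// Constructed sample: three wallets and the code a node returned for each.
const KNOWN_DELEGATE = "0x" + "ab".repeat(20);
const UNKNOWN_DELEGATE = "0x" + "cd".repeat(20);
const sampleResponses = [
  { address: "0x" + "01".repeat(20), code: "0x" },
  { address: "0x" + "02".repeat(20), code: "0xef0100" + "ab".repeat(20) },
  { address: "0x" + "03".repeat(20), code: "0xEF0100" + "CD".repeat(20) },
];

const unexpected = auditDelegations(sampleResponses, [KNOWN_DELEGATE]);
console.log(unexpected.map((r) => r.address + " -> " + r.delegate));
```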
Tools That Help During Crypto Sweeper Bot Recovery
Blockchain Explorers
- Etherscan (etherscan.io): Ethereum mainnet transaction history, token approvals, and contract interactions.
- Arbiscan (arbiscan.io): Arbitrum transaction data.
- Basescan (basescan.org): Base network transactions.
- Polygonscan (polygonscan.com): Polygon transactions.
Approval Management Tools
- Revoke.cash: Audits and revokes token approvals across multiple chains. Free to use.
- De.fi Shield: Portfolio-level security monitoring with approval management. Provides real-time alerts for suspicious approvals.
Flashbots Ecosystem Tools
- Flashbots Protect RPC (protect.flashbots.net): A simple private RPC endpoint you can add to MetaMask to route transactions privately without building bundles manually.
- Flashbots ethers.js provider: For developers building custom rescue bundles.
- Flashbots bundle relay (relay.flashbots.net): Direct bundle submission endpoint.
Wallet Security Platforms
- De.fi: Provides a security score for wallets and flags risky approvals and contract interactions.
- Webacy: Real-time wallet monitoring with alerts for suspicious activity.
Transaction Simulation Tools
- Tenderly (tenderly.co): Simulates transactions before execution to verify they will succeed and estimates gas accurately.
- Phalcon (phalcon.xyz): Transaction simulation and attack tracing, particularly useful for identifying what a malicious contract interaction does before interacting with it.
| Tool Type | Purpose | Best Use Case |
| Block explorer | Investigate transaction history | Confirming compromise |
| Approval manager | Audit and revoke permissions | Post-incident cleanup |
| Flashbots RPC | Private transaction submission | Active rescue operation |
| Transaction simulator | Pre-execution testing | Building rescue bundles |
| Wallet monitor | Real-time alerts | Ongoing prevention |
Common Crypto Sweeper Bot Recovery Mistakes
Sending Gas Directly to the Compromised Wallet
This is the most common mistake. Any ETH sent to the compromised wallet through a public transaction is immediately visible in the mempool. The bot sweeps it within seconds. Your gas becomes the attacker’s gas.
Delaying Recovery Attempts
Every minute of delay reduces your chance of recovery. If assets are still present, act immediately. Gathering more information or waiting for help that may never arrive costs you the window where recovery is possible.
Using Public Transactions
Any transaction submitted through the normal mempool is visible to the bot. Attempting a public-channel recovery is not just ineffective; it often funds the bot’s own operations through the gas you send.
Ignoring Token Approvals
Focusing only on ETH or the most visible token while ignoring ERC-20 approvals leaves the attacker with ongoing access. They can drain approved tokens days or weeks after the initial attack.
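The approval audit described above can be sketched as a log replay. This is an added example, not code from the original guide; the addresses and log entries are constructed, and the log objects are assumed to follow the shape returned by the standard `eth_getLogs` call.

```javascript
// Added example; all addresses and logs below are constructed sample data.
// topic0 of ERC-20 Approval logs: keccak256("Approval(address,address,uint256)").
const APPROVAL_TOPIC =
  "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925";
const MAX_UINT256 = (1n << 256n) - 1n;

const pad32 = (addr) => "0x" + addr.slice(2).toLowerCase().padStart(64, "0");
const topicToAddress = (topic) => "0x" + topic.slice(-40).toLowerCase();
const word = (n) => "0x" + n.toString(16).padStart(64, "0");

// Replay logs in chain order; the last Approval per (token, spender) wins.
// Returns spenders whose last approved value is non-zero. This is an upper
// bound: confirm with allowance(owner, spender) before acting on it.
function outstandingApprovals(logs, owner) {
  const me = owner.toLowerCase();
  const ordered = [...logs].sort((a, b) =>
    Number(a.blockNumber) - Number(b.blockNumber) ||
    Number(a.logIndex) - Number(b.logIndex));
  const latest = new Map();
  for (const log of ordered) {
    // ERC-721 Approval shares topic0 but indexes tokenId (4 topics): skip it.
    if (log.topics[0] !== APPROVAL_TOPIC || log.topics.length !== 3) continue;
    if (topicToAddress(log.topics[1]) !== me) continue;
    const token = log.address.toLowerCase();
    const spender = topicToAddress(log.topics[2]);
    latest.set(`${token}:${spender}`, { token, spender, value: BigInt(log.data) });
  }
  return [...latest.values()]
    .filter((a) => a.value > 0n)
    .map((a) => ({ ...a, unlimited: a.value === MAX_UINT256 }));
}

const OWNER = "0x" + "11".repeat(20);
const TOKEN = "0x" + "aa".repeat(20);
const ROUTER = "0x" + "bb".repeat(20);   // spender that was later revoked
const UNKNOWN = "0x" + "cc".repeat(20);  // spender that was never revoked
const log = (blockNumber, logIndex, spender, value, extraTopics = []) => ({
  address: TOKEN, blockNumber, logIndex, data: word(value),
  topics: [APPROVAL_TOPIC, pad32(OWNER), pad32(spender), ...extraTopics],
});
const SAMPLE_LOGS = [
  log(120, 0, ROUTER, 0n),               // revocation, listed out of order
  log(100, 3, ROUTER, 500n),
  log(110, 1, UNKNOWN, MAX_UINT256),     // unlimited approval still open
  { ...log(115, 2, UNKNOWN, 0n, [word(7n)]), data: "0x" }, // ERC-721 style
];

console.log(outstandingApprovals(SAMPLE_LOGS, OWNER));
```

Any spender this reports with `unlimited: true` is the first candidate for revocation during post-incident cleanup.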
Reusing Compromised Wallets
After a compromise, the wallet address is permanently tainted. The attacker may keep monitoring the address indefinitely. Never send funds to or from it again.
Trusting Fake Recovery Services
Fake recovery services are a secondary scam targeting people who have already been victimized. They often appear in search results, social media, and forums. No legitimate recovery service requires your seed phrase or a large upfront payment.

Real-World Recovery Case Studies
Case Study 1: Successful Flashbots Rescue
Chain: Ethereum mainnet
Asset: 4,200 USDC (ERC-20)
Time from compromise to recovery attempt: 8 minutes
Method: Flashbots atomic bundle
Outcome: Full recovery
A DeFi user noticed funds disappearing immediately after a small ETH test deposit. They stopped all interactions, identified the remaining USDC balance on Etherscan, and used the Flashbots Protect RPC to submit a private bundle. The bundle included an ETH gas transfer from a clean wallet and a USDC transfer to the rescue wallet. The bundle was included in the next block. Total recovery time: 11 minutes from discovery.
Key lesson: Acting within the first 10 minutes with a private transaction method gave the bot no window to respond.
Case Study 2: Failed Recovery Due to Delay
Chain: Ethereum mainnet, then bridged to BNB Chain
Asset: 1.8 ETH
Time from compromise to recovery attempt: 47 minutes
Method: Flashbots bundle attempted
Outcome: No recovery
The victim discovered the compromise after returning from a meeting. By the time they attempted a Flashbots rescue, the ETH had already been moved to BNB Chain via a cross-chain bridge. Flashbots does not operate on BNB Chain, and the funds were converted to BNB and moved through a mixer within 90 minutes of the initial drain.
Key lesson: Cross-chain bridges dramatically reduce the recovery window. Once funds leave the Ethereum mainnet, technical recovery becomes substantially harder.
Case Study 3: NFT Recovery via Validator Coordination (2025)
Chain: Ethereum mainnet
Asset: High-value ERC-721 NFT
Method: Direct validator coordination through a security firm
Outcome: NFT recovered, 15% fee paid to the security firm
A collector identified a sweeper bot targeting their wallet before the NFT was transferred. A blockchain security firm with validator relationships submitted a private transaction directly to a trusted block producer. The NFT transfer was included in a targeted block before the bot could act.
Key lesson: For very high-value assets, professional assistance with validator relationships can be worth the fee. Verify the firm’s credentials before engaging.
Case Study 4: EIP-7702 Exploit Recovery Attempt (2026)
Chain: Ethereum mainnet
Asset: Mixed portfolio (ETH, ERC-20 tokens)
Method: Flashbots bundle with delegation revocation step
Outcome: Partial recovery (ETH recovered, ERC-20 tokens partially drained before revocation)
A user signed what appeared to be a token approval on a fake DEX interface. The transaction contained an EIP-7702 delegation granting the attacker’s contract execution rights. The attacker began draining ERC-20 tokens systematically. The user contacted a security researcher who built a Flashbots bundle that first revoked the delegation and then transferred remaining assets. The revocation succeeded, but some tokens had already been moved in the gap between the delegation and the revocation bundle’s execution.
Key lesson: EIP-7702 exploits move faster than standard sweeper bots because the attacker controls execution directly. Identifying the delegation immediately is critical.
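One way to identify a delegation quickly is to inspect the account code returned by the standard `eth_getCode` call. The following is an added example, not code from the original guide; the wallet and delegate addresses are constructed, and the allowlist of known delegates is a hypothetical input the wallet owner would maintain.

```javascript
// Added example; addresses and code values below are constructed sample data.
// EIP-7702 writes a 23-byte delegation designator as the account's code:
// 0xef0100 followed by the 20-byte address of the delegate contract.
const DELEGATION_PREFIX = "ef0100";

// JSON-RPC body for the standard eth_getCode call against the latest block.
function getCodeRequest(address, id = 1) {
  return { jsonrpc: "2.0", id, method: "eth_getCode", params: [address, "latest"] };
}

// Classify the hex string returned by eth_getCode.
function classifyAccountCode(codeHex) {
  if (typeof codeHex !== "string" || !/^0x([0-9a-fA-F]{2})*$/.test(codeHex)) {
    throw new TypeError("expected a 0x-prefixed hex string of whole bytes");
  }
  const hex = codeHex.slice(2).toLowerCase();
  if (hex.length === 0) return { kind: "plain-eoa", delegate: null };
  if (hex.length === 46 && hex.startsWith(DELEGATION_PREFIX)) {
    return { kind: "delegated", delegate: "0x" + hex.slice(6) };
  }
  return { kind: "contract", delegate: null };
}

// Flag every wallet whose delegate is not one the owner knowingly authorized.
// Per EIP-7702, an authorization naming the zero address clears the code,
// after which eth_getCode returns "0x" again for that wallet.
function findUnexpectedDelegations(codeByWallet, knownDelegates = []) {
  const allowed = new Set(knownDelegates.map((a) => a.toLowerCase()));
  const findings = [];
  for (const [wallet, code] of Object.entries(codeByWallet)) {
    const { kind, delegate } = classifyAccountCode(code);
    if (kind === "delegated" && !allowed.has(delegate)) findings.push({ wallet, delegate });
  }
  return findings;
}

const SPENDING = "0x" + "11".repeat(20);
const DEFI = "0x" + "22".repeat(20);
const COLD = "0x" + "33".repeat(20);
const KNOWN_DELEGATE = "0x" + "aa".repeat(20);
const UNKNOWN_DELEGATE = "0x" + "bb".repeat(20);
const SAMPLE_CODE = {
  [SPENDING]: "0xef0100" + KNOWN_DELEGATE.slice(2),
  [DEFI]: "0xEF0100" + UNKNOWN_DELEGATE.slice(2).toUpperCase(),
  [COLD]: "0x",
};

console.log(findUnexpectedDelegations(SAMPLE_CODE, [KNOWN_DELEGATE]));
```

A wallet reported here needs the delegation revocation step before any asset transfer is attempted.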
Key Lessons Across All Cases
- Speed is the single most important variable in recovery.
- Private transaction methods (Flashbots) are necessary, not optional.
- EIP-7702 attacks require a delegation revocation step before asset rescue.
- Cross-chain transfers eliminate most technical recovery paths.
- Professional help is worth considering for high-value assets, with careful vetting.
Glossary of Key Terms
Mempool: The holding area where unconfirmed transactions wait before being included in a block. Public by default on Ethereum.
Sweeper bot: A malicious automated script that monitors an address and immediately transfers any incoming funds to an attacker-controlled wallet.
Flashbots: A research organization operating a private transaction relay on Ethereum that routes bundles directly to block builders, bypassing the public mempool.
MEV (Maximal Extractable Value): The maximum value that can be extracted from block production by including, excluding, or reordering transactions within a block.
Transaction bundle: A group of transactions submitted atomically via Flashbots. Either all transactions in the bundle execute in the same block, or none do.
Private mempool: A transaction submission channel that keeps your transaction invisible to the public network until it is included in a confirmed block.
EIP-7702: An Ethereum Improvement Proposal active since 2025 that allows externally owned accounts to temporarily delegate execution rights to a smart contract.
Account abstraction: A broader Ethereum concept allowing EOAs to behave with smart contract-like functionality, enabling features like batch transactions and gas sponsorship.
Gas fee: The computational cost paid in ETH to execute a transaction or smart contract function on Ethereum.
Seed phrase: A 12- or 24-word mnemonic phrase that represents the master key to a cryptocurrency wallet. Anyone with this phrase has full control of the wallet.
Frequently Asked Questions
Can a crypto sweeper bot be removed from my wallet?
No. A sweeper bot is not installed in your wallet. It monitors your wallet from outside and acts on transactions targeting your address. Once your private key or seed phrase is compromised, the only safe action is to stop using the wallet permanently and move any recoverable assets to a new, clean wallet.
Can I recover funds already stolen?
Funds that have already left the compromised wallet are unlikely to be recovered through technical means. If they reached a centralized exchange, a report to that exchange’s compliance team within 24 to 48 hours may result in a freeze. Law enforcement reporting preserves your options for any future civil action.
Is Flashbots free to use?
Yes. The Flashbots Protect RPC and the bundle relay are free to use. You pay normal Ethereum gas fees for the transactions in your bundle. Flashbots does not charge a service fee.
How fast do sweeper bots operate?
Under normal network conditions, a sweeper bot can detect an incoming transaction and broadcast a competing drain transaction within 1 to 3 seconds. AI-enhanced bots active in 2026 operate at similar speeds but with adaptive gas pricing that makes them harder to outbid.
Can hardware wallets stop sweeper bots?
A hardware wallet stops an attacker from deploying a sweeper bot against your wallet through software-based key theft. However, if your seed phrase is exposed through phishing or social engineering, or if you sign a malicious transaction (including an EIP-7702 delegation) using the hardware wallet, the hardware device provides no protection. Hardware wallets are a strong defense against key extraction, not against user error.
What is the best crypto sweeper bot recovery strategy?
The most effective strategy combines three elements: acting within the first 10 minutes of discovery, using Flashbots to submit a private atomic bundle, and having a clean rescue wallet prepared in advance. Prevention through hardware wallets, separate wallet structures, and regular approval audits remains more reliable than any recovery method.
What is EIP-7702, and does it affect sweeper bot attacks?
EIP-7702 is an Ethereum protocol update active since 2025 that allows regular wallets to temporarily act as smart contracts. Attackers exploit this by tricking users into signing delegation transactions that grant the attacker’s contract execution rights. This creates a more persistent form of wallet compromise than traditional sweeper bots and requires a delegation revocation step during recovery.
Are AI-powered sweeper bots harder to beat?
Yes. AI-enhanced bots adjust their gas bids in real time based on network conditions. They are designed to outbid any rescue attempt submitted through the public mempool. This makes the use of Flashbots or another private submission channel non-optional for any recovery attempt in 2026.
Conclusion
A sweeper bot attack is fast, automated, and designed to leave you no room to react through standard channels. But it is not unbeatable. Every successful recovery in this guide followed the same pattern: fast recognition, immediate halt of all wallet interactions, and a private Flashbots bundle submitted before the bot could drain the remaining assets.
If your wallet is under active attack right now, stop reading and go directly to Section 4. Execute the emergency checklist in order. Do not send gas through a public transaction. Do not attempt a recovery through your standard wallet interface.
If you are reading this after discovering a past compromise, the priority shifts to documentation, legal reporting, and rebuilding your security posture from scratch with a clean wallet structure.
Key takeaways from this guide:
- A sweeper bot exploits mempool visibility. Every public transaction you send can be seen and front-run. Private submission via Flashbots removes that visibility.
- EIP-7702 attacks require an extra revocation step. Standard sweeper bot recovery advice does not cover delegation-based exploits. Check for active delegations before building any rescue bundle.
- AI-enhanced bots in 2026 use adaptive gas pricing. Outbidding them through a public transaction is not feasible. Flashbots is a requirement, not an option.
- Time is the deciding variable. Recovery success drops sharply after the first 10 minutes. Cross-chain bridges eliminate most technical recovery paths once funds move off the mainnet.
- Prevention is more reliable than any recovery method. A hardware wallet, a separate wallet structure, and monthly approval audits eliminate the conditions that make sweeper bot attacks possible.
- Fake recovery services are a second attack. Any service requiring your seed phrase or a large upfront fee is a scam. Legitimate technical recovery does not work that way.
Final wallet security checklist:
- Seed phrase stored on paper or metal only, never digitally
- Hardware wallet in use for all significant holdings
- Separate wallets for spending, DeFi, and cold storage
- Token approvals audited and revoked monthly via Revoke.cash
- All wallet-connecting URLs verified manually before each use
- Browser extensions limited to verified, necessary tools only
- EIP-7702 delegation status checked monthly for active DeFi wallets
- Exchange accounts secured with a hardware security key
- Incident response plan ready (clean wallet address saved, Flashbots RPC bookmarked)
Crypto wallet security is not a one-time setup. It is an ongoing practice. The attackers who deploy sweeper bots update their tools continuously. Your defenses need the same attention.
Bookmark this guide, complete the checklist, and check your token approvals today.
Sources and References
- MetaMask Help Center – “What is a sweeper bot?”
  https://support.metamask.io/stay-safe/safety-in-web3/sweeper-bots-scripts/
- Flashbots Documentation – Quick Start (Bundle Submission & Private Transactions)
  https://docs.flashbots.net/flashbots-auction/quick-start
- Flashbots Relay (Mainnet)
  https://relay.flashbots.net
- EIP-7702: Set Code for EOAs (Official Ethereum Specification)
  https://eips.ethereum.org/EIPS/eip-7702
- EIP-7600: Hardfork Meta – Pectra (confirms EIP-7702 activation in 2025)
  https://eips.ethereum.org/EIPS/eip-7600
- Revoke.cash – Token Approval Revocation Tool (supports 100+ networks)
  https://revoke.cash/
- Tenderly – Transaction Simulator (EVM networks)
  https://tenderly.co/transaction-simulator
- Arbitrum Documentation – The Sequencer and Censorship Resistance
  https://docs.arbitrum.io/how-arbitrum-works/deep-dives/sequencer
- FBI Internet Crime Complaint Center (IC3) – Official Crypto Theft Reporting
  https://www.ic3.gov/
Further Reading
These additional resources provide deeper technical context and the latest 2025-2026 industry data used by security professionals:
- MetaMask Help Center – “Fighting Back Against Sweeper Bots” (practical victim guidance)
  https://support.metamask.io/stay-safe/protect-yourself/fighting-back-against-sweeper-bots/
- Ethereum Improvement Proposals – Full EIP-7702 Specification
  https://eips.ethereum.org/EIPS/eip-7702
- Flashbots Protect – Private Transaction RPC Guide
  https://docs.flashbots.net/flashbots-protect/quick-start
- Ethereum Foundation – Pectra Upgrade Overview (May 2025)
  https://ethereum.org/roadmap/pectra/
- Revoke.cash Learn Section – Understanding Token Approvals & Exploits
  https://revoke.cash/learn
- Tenderly Documentation – Advanced Transaction Simulations for Rescue Bundles
  https://docs.tenderly.co/simulations
- Chainalysis 2026 Crypto Crime Report (illicit on-chain activity and automated attack trends)
  https://www.chainalysis.com/reports/crypto-crime-2026/
- Immunefi Research & State of Onchain Security Reports (crypto hacks and exploit trends 2025–2026)
  https://immunefi.com/blog/research/
All links were verified as active and authoritative on June 2, 2026. This article was last reviewed and updated on June 2, 2026.
Disclaimer: This guide is for educational and informational purposes only. It is not financial, legal, tax, or investment advice. Cryptocurrency involves substantial risk of loss, including total loss of funds. Recovery methods such as Flashbots bundles carry no guarantee of success and depend on timing, network conditions, and the attacker’s sophistication. Assets already drained from a compromised wallet are almost always unrecoverable through technical means. You are solely responsible for your own decisions and any financial outcomes. The author and publisher disclaim all liability for any loss, damage, or expense resulting from the use of this guide. Always verify current blockchain conditions and consider consulting a qualified blockchain security expert or licensed professional before acting. Information may become outdated as protocols evolve.