
In a recent case, a client of mine was tricked by a fake MetaMask email into giving away their seed phrase. The attacker quickly gained full control over the user’s wallet. But within 30 minutes, I stepped in to reduce the damage. By moving funds, blocking gas access, and deploying a simple Node.js script, I managed to limit the loss. Here’s how it happened — and what you can learn from it.
Full story by Simon Tadross – read more at simontadross.com
My client received a fake MetaMask email saying their wallet was hacked and they needed to reset their password. It looked official — MetaMask logo, urgent tone — but it was a scam. MetaMask never sends emails asking for passwords or seed phrases. In a panic, they clicked and entered their 12 words on a phishing website.
That was all the attacker needed. They had full access.
Thirty minutes later, my client contacted me. The first step was to monitor the hacked wallet: 0xf866...16e. I saw assets were partly locked in Venus Protocol and some BNB was still available. I quickly transferred out all BNB to prevent the attacker from paying transaction fees.
Next, I launched a simple bot (shared here: GitHub – counter-hacking-venus) that monitored the hacked wallet's balance and immediately sent any new BNB or tokens to a safe address.
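The gas-starvation sweep described above, as an added example (not the author's script from the linked repository): it computes how much BNB a sweep can move after paying its own fee and runs polling passes against a constructed in-memory chain. The `chain` interface, the address labels and all balances are assumptions made for illustration.

```javascript
// Added example, not the author's bot. Runs offline against a mock chain.
const GAS_LIMIT_NATIVE = 21000n; // gas used by a plain native-coin transfer on EVM chains

// Plan a native BNB sweep: send everything except the fee the transfer itself costs.
function planNativeSweep(balanceWei, gasPriceWei) {
  const fee = GAS_LIMIT_NATIVE * gasPriceWei;
  if (balanceWei <= fee) return null; // dust: too small to pay for its own transfer
  return { value: balanceWei - fee, gasLimit: GAS_LIMIT_NATIVE, gasPrice: gasPriceWei, fee };
}

// One polling pass. `chain` is an injected interface (assumed shape):
// getBalance(addr), getGasPrice(), sendNative(from, to, tx).
async function sweepOnce(chain, compromised, safe) {
  const [balance, gasPrice] = await Promise.all([
    chain.getBalance(compromised),
    chain.getGasPrice(),
  ]);
  const plan = planNativeSweep(balance, gasPrice);
  if (!plan) return { swept: false };
  await chain.sendNative(compromised, safe, plan);
  return { swept: true, value: plan.value, fee: plan.fee };
}

// Constructed in-memory ledger standing in for an RPC provider.
function makeMockChain(balances, gasPriceWei) {
  return {
    getBalance: async (addr) => balances.get(addr) ?? 0n,
    getGasPrice: async () => gasPriceWei,
    sendNative: async (from, to, tx) => {
      const cost = tx.value + tx.gasLimit * tx.gasPrice;
      const bal = balances.get(from) ?? 0n;
      if (bal < cost) throw new Error("insufficient funds");
      balances.set(from, bal - cost);
      balances.set(to, (balances.get(to) ?? 0n) + tx.value);
    },
  };
}

async function demo() {
  const GWEI = 10n ** 9n;
  const balances = new Map([["compromised", 5n * 10n ** 16n]]); // 0.05 BNB, constructed
  const chain = makeMockChain(balances, 3n * GWEI);
  const first = await sweepOnce(chain, "compromised", "safe");
  // A gas top-up arrives from another wallet; the next pass removes it again.
  balances.set("compromised", balances.get("compromised") + 10n ** 15n);
  const second = await sweepOnce(chain, "compromised", "safe");
  const third = await sweepOnce(chain, "compromised", "safe"); // nothing left to move
  return { first, second, third, left: balances.get("compromised"), safe: balances.get("safe") };
}
```

With the wallet held at zero BNB, no token transfer can be paid for from it, which is why the sweep targets gas first.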
The attacker couldn’t access many of the funds because they were locked in Venus, a lending platform. In Venus, users supply tokens as collateral and borrow against them. But if your debt-to-collateral ratio gets too high, your assets become eligible for liquidation — which takes time.
This meant the attacker couldn’t just withdraw everything. They had to wait for liquidation or manually repay the debt, but they lacked the skill or tools to act quickly, especially with my bot intercepting any new balance. We didn’t need to rely on mempool tricks — their lack of expertise worked in our favor.

After blocking BNB withdrawals, I targeted tokens that would become available once repaid — like ADA, DOT, and MATIC. I paused the bot temporarily to trick the attacker into trying to withdraw. Once they did, I swept the tokens immediately.
The attacker was also using another wallet to fund gas fees: 0xbC8E...969. I tracked and countered every move.

What We Learned (So You Don’t Have To)
Never share your seed phrase. Not even with MetaMask support — they will never ask.
Double-check email links and domains. Don’t click urgent prompts without verifying the sender.
Use bots and scripts. Automation gave us an edge and helped limit the attack.
DeFi protocols can slow attackers. Venus’ rules prevented instant draining of collateral.
The attacker got away with about 40% of the assets, but 60% were saved thanks to fast action and smart automation. The experience shows that even in worst-case scenarios, you can fight back.
Want more security breakdowns and DeFi defense stories? Visit simontadros.com.
