
Security Guide: Protecting Your Assets During Cleanup

Comprehensive security guide for rent reclaim operations: phishing detection, seed phrase protection, permission management, and wallet compromise recovery strategies.

#How to identify phishing rent-recovery sites?

Scammers actively exploit the SOL recovery theme, creating fake services to steal funds. The ability to distinguish legitimate tools from scams is a critically important skill.

Anatomy of a Phishing Attack

Stage 1: Attracting Victims

Scammers use several channels:

Paid Google Ads: Buy ads for queries like "reclaim SOL" or "Solana cleanup". Their site appears above real results marked "Ad".

Twitter/X promotion: Create accounts similar to popular projects (for example, @SolanaCleanup instead of @SolanaStatus), buy followers and promote posts.

Discord/Telegram spam: Send direct messages in crypto chats: "Hey, I helped you recover 5 SOL from empty accounts. Check this tool!"

Fake YouTube videos: Tutorials with high view counts (purchased via bots) and a scam-site link in the description.

Stage 2: Creating Illusion of Legitimacy

Phishing sites look professional:

  • ✅ Beautiful design (often stolen from a real project)
  • ✅ HTTPS certificate (green padlock in browser - NOT a security guarantee!)
  • ✅ Fake reviews and counters ("15,234 users recovered SOL")
  • ✅ Copied logos of Solana, Phantom and other well-known projects

Stage 3: Extracting Signature

After wallet connection, scammers request one of:

"Sign Message" for verification - you sign text that looks harmless but actually grants permission to transfer funds.

"Approve unlimited access" - permission for smart contract to spend your tokens without limit.

"Emergency withdrawal" - supposedly to "save funds", but actually sends everything to scammer's address.

Signs of Phishing Site

Red flags in URL:

  • ❌ Typos in domain: solchecker.com instead of solcheckers.com, phatom.app instead of phantom.app
  • ❌ Suspicious TLDs: .xyz, .click, .online (though not all sites on these domains are scams)
  • ❌ Numbers in domain: solcheckers2024.com, claim-sol-3.net
  • ❌ Long subdomains: official-claim.solana-recovery.network
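The URL red flags above can be turned into a mechanical first-pass check. The script below is an added example, not SolChekers' own code: the watch list in KNOWN_DOMAINS (domains named in this guide), the SUSPICIOUS_TLDS set and the 30-character "long host" threshold are assumptions chosen to mirror the list; tune them to your own environment. A hit is a reason to look closer, not proof of phishing.

```python
"""Heuristic check of a URL against the red flags listed above (added example)."""
from urllib.parse import urlparse

# Assumed watch list of legitimate originals (names used in this guide).
KNOWN_DOMAINS = {"solchekers.com", "phantom.app", "solflare.com", "solana.com"}
# TLDs the guide calls suspicious; legitimate sites exist on them too.
SUSPICIOUS_TLDS = {"xyz", "click", "online"}
MAX_HOST_LENGTH = 30  # assumption: a host longer than this counts as a "long subdomain"


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_host(host: str):
    """Return (subdomain, name, tld), treating the last two labels as the domain.

    Good enough for .com/.app/.xyz; multi-part suffixes such as co.uk need a
    public-suffix list.
    """
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return "", labels[0], ""
    return ".".join(labels[:-2]), labels[-2], labels[-1]


def url_red_flags(url: str) -> list[str]:
    """Return the red flags a URL triggers; an empty list means none fired."""
    if "://" not in url:
        url = "https://" + url
    host = (urlparse(url).hostname or "").lower()
    sub, name, tld = split_host(host)
    domain = f"{name}.{tld}" if tld else name
    flags: list[str] = []

    if domain in KNOWN_DOMAINS:
        return flags  # the original itself, or a subdomain of it

    # Typo in domain: one or two edits away from a brand name (phatom vs phantom),
    # or the brand name itself on a different TLD.
    for known in KNOWN_DOMAINS:
        known_name = known.rsplit(".", 1)[0]
        if levenshtein(name, known_name) <= 2:
            flags.append(f"typo: {domain} looks like {known}")
            break

    if tld in SUSPICIOUS_TLDS:
        flags.append(f"tld: .{tld} is frequently abused")

    if any(ch.isdigit() for ch in domain):
        flags.append(f"digits: {domain} contains numbers")

    if sub and len(host) > MAX_HOST_LENGTH:
        flags.append(f"subdomain: long host {host}")

    return flags


if __name__ == "__main__":
    # Sample URLs (constructed from the patterns in the guide).
    for sample in ("https://phantom.app/", "phatom.app", "claim-sol-3.net",
                   "official-claim.solana-recovery.network", "solana-claim.xyz"):
        print(sample, "->", url_red_flags(sample) or "no flags")
```

The registrable-domain split is deliberately crude; if you run this against real traffic, replace split_host with a public-suffix-list lookup so that co.uk-style domains are handled correctly.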

Red flags in behavior:

  • ❌ Requires connection before showing results - legitimate services use Read-Only scanning
  • ❌ Promises incredible amounts: "You have 50 SOL to claim!" (when actually 0.5 SOL)
  • ❌ Pressures urgency: "Claim expires in 24 hours!" (rent has no expiration)
  • ❌ Requests seed phrase - NEVER enter 12/24 words on websites
  • ❌ Asks for deposit for "activation" - legitimate services take fee from recovered amount

Red flags in transaction:

When confirming action in wallet, look for:

  • ❌ Large SOL deduction (red numbers instead of green)
  • ❌ Instructions "Transfer All" or "Set Authority"
  • ❌ Transfer to unknown address without "Close Account" mention
  • ❌ Request "Sign Message" instead of "Sign Transaction"
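A rent cleanup transaction has a recognisable shape, so the transaction red flags above can be checked before you press "Approve". The script below is an added example, not SolChekers' or any wallet's code. It assumes the instructions are available in the `jsonParsed` form that Solana RPC returns (program name, instruction type, decoded info) and applies the guide's rules: a legitimate cleanup is `closeAccount` with your own wallet as the rent destination plus at most a small service fee, while `setAuthority`, `approve` and large SOL or token transfers to unknown addresses are red flags. All addresses, the 0.05 SOL fee threshold and both sample transactions are constructed.

```python
"""Pre-sign review of a transaction's parsed instructions (added example)."""

LAMPORTS_PER_SOL = 1_000_000_000
MAX_FEE_LAMPORTS = 50_000_000   # assumption: a "fee" above 0.05 SOL is not a fee
U64_MAX = 2**64 - 1             # the amount an SPL "unlimited" approval uses

# Constructed placeholder addresses (not real accounts).
WALLET = "MyWa11etPubkey1111111111111111111111111111"
SERVICE_FEE = "SvcFeeAccount11111111111111111111111111111"
UNKNOWN = "Unkn0wnDestination111111111111111111111111"


def review_instructions(instructions, wallet, trusted=frozenset()):
    """Return human-readable red flags; an empty list means nothing fired."""
    flags = []
    for ix in instructions:
        program = ix.get("program")
        parsed = ix.get("parsed") or {}
        kind, info = parsed.get("type"), parsed.get("info", {})

        if program == "system" and kind == "transfer":
            lamports, dest = int(info.get("lamports", 0)), info.get("destination")
            if dest != wallet and dest not in trusted and lamports > MAX_FEE_LAMPORTS:
                flags.append(f"transfer: {lamports / LAMPORTS_PER_SOL:.3f} SOL to unknown address {dest}")

        elif program == "spl-token":
            if kind == "closeAccount":
                # Rent from a closed account must come back to you, not to a third party.
                if info.get("destination") != wallet:
                    flags.append(f"closeAccount: rent goes to {info.get('destination')}, not your wallet")
            elif kind == "setAuthority":
                flags.append(f"setAuthority: {info.get('authorityType')} of {info.get('account')} "
                             f"handed to {info.get('newAuthority')}")
            elif kind in ("approve", "approveChecked"):
                amount = int(info.get("amount") or info.get("tokenAmount", {}).get("amount", 0))
                label = "UNLIMITED" if amount == U64_MAX else str(amount)
                flags.append(f"approve: {label} units of {info.get('source')} delegated to {info.get('delegate')}")
            elif kind in ("transfer", "transferChecked"):
                dest = info.get("destination")
                if dest not in trusted:
                    flags.append(f"token transfer: {info.get('source')} -> {dest} has no place in a cleanup")
    return flags


# Constructed sample 1: two empty token accounts closed, 0.005 SOL fee to the service.
LEGIT_CLEANUP = [
    {"program": "spl-token", "parsed": {"type": "closeAccount",
        "info": {"account": "EmptyTokenAcct1111", "destination": WALLET, "owner": WALLET}}},
    {"program": "spl-token", "parsed": {"type": "closeAccount",
        "info": {"account": "EmptyTokenAcct2222", "destination": WALLET, "owner": WALLET}}},
    {"program": "system", "parsed": {"type": "transfer",
        "info": {"source": WALLET, "destination": SERVICE_FEE, "lamports": 5_000_000}}},
]

# Constructed sample 2: an "emergency withdrawal" that is really a drain.
DRAINER = [
    {"program": "system", "parsed": {"type": "transfer",
        "info": {"source": WALLET, "destination": UNKNOWN, "lamports": 4_900_000_000}}},
    {"program": "spl-token", "parsed": {"type": "approve",
        "info": {"source": "UsdcTokenAcct1111", "delegate": UNKNOWN, "owner": WALLET,
                 "amount": str(U64_MAX)}}},
    {"program": "spl-token", "parsed": {"type": "setAuthority",
        "info": {"account": "UsdcTokenAcct1111", "authority": WALLET,
                 "authorityType": "accountOwner", "newAuthority": UNKNOWN}}},
]

if __name__ == "__main__":
    for name, tx in (("cleanup", LEGIT_CLEANUP), ("drainer", DRAINER)):
        print(name, "->", review_instructions(tx, WALLET, {SERVICE_FEE}) or "no red flags")
```

The `trusted` set is the one place you need to fill in yourself: put the service's published fee account there so its small transfer does not fire, and leave everything else untrusted.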

How to Verify Site Before Use

Method 1: Check Domain Age

Use whois.com service:

  • Paste site domain
  • Look at "Creation Date"

🟢 Site older than 1 year - more likely legitimate
🟡 Site created 1-6 months ago - requires attention
🔴 Site created less than a month ago - high scam risk

Method 2: Search Community Mentions

Check for discussions:

  • Reddit: search service name in r/solana
  • Twitter: mentions from verified accounts
  • Discord: official Solana servers

Method 3: Test Wallet

If in doubt:

  • Create new empty wallet
  • Send 0.01 SOL to it
  • Try service on this wallet
  • Check transaction in Solscan

If you see suspicious instructions, the site is a scam, but you only risked pennies.

#Why should you NEVER enter seed phrase on third-party sites?

This is a fundamental Web3 security rule, violation of which is guaranteed to lead to loss of all funds.

What is Seed Phrase and How It Works

Seed phrase (mnemonic phrase) - 12 or 24 random words from which your private key is mathematically generated.

Technical explanation:

Seed Phrase → (via BIP39 algorithm) → Master Private Key → Public Key (wallet address)

Who knows seed phrase = who controls wallet completely and forever.
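The chain above can be reproduced with nothing but the Python standard library, which is the clearest way to see why the words alone are the wallet. The script below is an added example, not SolChekers' code. The mnemonic is the public BIP39 test vector ("abandon" eleven times, then "about"), so it belongs to no real wallet. It performs the steps Solana wallets perform: BIP39 turns the words into a 64-byte seed with PBKDF2-HMAC-SHA512 (2048 rounds, salt "mnemonic" plus the optional passphrase); SLIP-0010 turns the seed into the Ed25519 master private key and chain code; hardened steps along m/44'/501'/0'/0' (the path Phantom and Solflare use) give the account private key. The last step, the Ed25519 public key that is the wallet address, needs an Ed25519 library and is left out.

```python
"""Mnemonic -> BIP39 seed -> SLIP-0010 master key -> Solana account key (added example)."""
import hashlib
import hmac
import unicodedata

# Public BIP39 test vector, not a real wallet.
TEST_MNEMONIC = " ".join(["abandon"] * 11 + ["about"])


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39: mnemonic -> 64-byte seed. Both inputs are NFKD-normalised per the spec."""
    words = unicodedata.normalize("NFKD", " ".join(mnemonic.split()))
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase)
    return hashlib.pbkdf2_hmac("sha512", words.encode("utf-8"), salt.encode("utf-8"), 2048, dklen=64)


def slip10_master(seed: bytes) -> tuple[bytes, bytes]:
    """SLIP-0010 master node for Ed25519: (master private key, chain code)."""
    digest = hmac.new(b"ed25519 seed", seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]


def slip10_child(key: bytes, chain: bytes, index: int) -> tuple[bytes, bytes]:
    """One hardened derivation step (Ed25519 in SLIP-0010 supports hardened steps only)."""
    data = b"\x00" + key + (index | 0x80000000).to_bytes(4, "big")
    digest = hmac.new(chain, data, hashlib.sha512).digest()
    return digest[:32], digest[32:]


def derive_solana_private_key(mnemonic: str, account: int = 0, passphrase: str = "") -> bytes:
    """Walk m/44'/501'/account'/0' and return the 32-byte account private key."""
    key, chain = slip10_master(bip39_seed(mnemonic, passphrase))
    for index in (44, 501, account, 0):
        key, chain = slip10_child(key, chain, index)
    return key


if __name__ == "__main__":
    # Only prefixes are printed; a real key must never be written to a screen or log.
    print("BIP39 seed :", bip39_seed(TEST_MNEMONIC).hex()[:16], "...")
    print("account 0  :", derive_solana_private_key(TEST_MNEMONIC).hex()[:16], "...")
    print("account 1  :", derive_solana_private_key(TEST_MNEMONIC, account=1).hex()[:16], "...")
```

Every step is a deterministic hash: same words in, same key out, on any machine, forever. That is exactly why a seed phrase typed into a web form cannot be "un-shared" and why the guide treats such a wallet as lost.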

How dApp Interaction Should Work

Correct architecture (Wallet Standard):

  • dApp sends request: "Sign this transaction"
  • Wallet extension (Phantom/Solflare) shows you details
  • You click "Approve" or "Reject"
  • Wallet signs transaction with its private key locally
  • dApp receives only signed transaction, but NOT the key

Key point: Private key never leaves your device.

Common Seed Phrase Extraction Schemes

Scheme 1: "Wallet Synchronization"

Phishing site shows:

⚠️ Your wallet is out of sync
Enter your recovery phrase to re-sync
[12-word input field]

Truth: Wallets don't require "synchronization" via seed phrase. This is a completely fabricated concept.

Scheme 2: "Verification for Airdrop"

🎁 Congratulations! You're eligible for 50 SOL airdrop
Verify your wallet to claim:
[Enter seed phrase]

Truth: Real airdrops only require wallet connection (public address), not private data.

Scheme 3: "Fake Tech Support"

Scammers write in direct messages:

Hi, I'm from Phantom Support. We detected suspicious activity. Please provide your recovery phrase to secure your account.

Truth: Official wallet support NEVER requests seed phrase. This is rule #1 in their FAQ.

Scheme 4: "Migration to New Version"

⚠️ Solana upgraded to v2.0
Migrate your wallet now to avoid losing funds
[Import old seed phrase]

Truth: Blockchain upgrades don't require manual wallet migration.

What to Do If You Already Entered Seed Phrase

Immediate actions (within 5 minutes):

  • Create new wallet on clean device (preferably different computer/phone)
  • Transfer ALL assets to new address as fast as possible:
    • First SOL
    • Then liquid tokens (USDC, popular coins)
    • NFTs last (if no time - sacrifice them)
  • Increase Priority Fee to maximum so your transactions process faster than scammers' bots

Long-term actions:

  • ❌ Old wallet considered compromised forever - even if you evacuated funds
  • ❌ Seed phrase cannot be "changed" - it's hard-linked to wallet
  • ✅ Use new wallet for all future operations
  • ✅ Write new seed phrase on paper (not digitally!)
  • ✅ Check device for malware (viruses can intercept seed phrases from clipboard)

#How to manage and revoke dApp permissions?

Even legitimate dApps can request excessive permissions that become attack vectors when the application itself is hacked.

What are Token Approvals

Token Approval (Delegation) - mechanism allowing smart contract to spend your tokens on your behalf.

Why it's needed:

Example: You swap USDC for SOL via DEX.

  • You give DEX permission "spend X USDC"
  • DEX executes exchange
  • Permission remains active for future swaps

Problem: If you gave "unlimited approval", DEX can deduct any amount of USDC at any time.

Types of Dangerous Permissions

Unlimited Allowance:

Approve: Unlimited USDC
Contract: [DEX address]

Contract can deduct entire token balance whenever it wants.

Permanent Delegate:

Set Authority: Permanent Delegate
Delegate: [Contract address]

Contract receives permanent control over account (characteristic of Token-2022).

Transfer Authority:

Approve Transfer Authority
Tokens: All SPL tokens

Contract can transfer any of your tokens without additional confirmations.

How to Check Active Permissions

Method 1: Via Wallet Settings

Phantom:

  • Settings → Trusted Apps
  • View list of connected sites
  • Click "Revoke" on unused ones

Solflare:

  • Settings → Connected Apps
  • Remove old connections

Limitation: Wallets show only connections, not token approvals.

Method 2: Via Specialized Tools

Services like "Solana Revoke" (similar to revoke.cash for Ethereum) exist:

  • Connect wallet
  • See list of all active approvals
  • Can revoke permissions with transaction

Method 3: Via Block Explorer

In Solscan:

  • Paste wallet address
  • Tabs → "Token Accounts"
  • Click on token → "Delegate" (if field filled - active permission exists)
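The "Delegate" field Solscan shows comes from the token account data itself, and the same data can be read with one public RPC call using only your address, which is what the guide means by Read-Only scanning. The script below is an added example, not SolChekers' code; it serves both this section (finding active approvals) and the read-only scan mentioned in the phishing and evacuation sections. It assumes the `jsonParsed` result of the standard `getTokenAccountsByOwner` call and reports two things: accounts whose `delegate` field is set (an active permission, unlimited when the delegated amount is the u64 maximum) and empty accounts whose rent deposit is reclaimable. The response is constructed here; the pubkeys are placeholders, the 2,039,280-lamport figure is the real rent-exempt minimum for a standard token account.

```python
"""Read-only scan of token accounts for active delegates and reclaimable rent (added example)."""

U64_MAX = 2**64 - 1
LAMPORTS_PER_SOL = 1_000_000_000
TOKEN_PROGRAM = "TokenkegQfeZyiNwAJbNbGKPFXCWuBvf9Ss623VQ5DA"  # SPL Token program id
RENT_EXEMPT_TOKEN_ACCOUNT = 2_039_280  # lamports held by a standard 165-byte token account


def _account_entry(pubkey, mint, amount, decimals, delegate=None, delegated=None):
    """Build one entry in the shape getTokenAccountsByOwner returns (sample-data helper)."""
    info = {"mint": mint, "owner": "OwnerWallet1111", "state": "initialized", "isNative": False,
            "tokenAmount": {"amount": str(amount), "decimals": decimals,
                            "uiAmount": amount / 10**decimals}}
    if delegate is not None:  # the RPC only includes these two keys when a delegate is set
        info["delegate"] = delegate
        info["delegatedAmount"] = {"amount": str(delegated), "decimals": decimals}
    return {"pubkey": pubkey,
            "account": {"lamports": RENT_EXEMPT_TOKEN_ACCOUNT, "owner": TOKEN_PROGRAM,
                        "data": {"program": "spl-token",
                                 "parsed": {"type": "account", "info": info}}}}


# Constructed response: one empty spam account, one USDC account with an old unlimited
# approval, one empty account that still carries a limited approval.
SAMPLE_RESPONSE = {"jsonrpc": "2.0", "id": 1, "result": {"context": {"slot": 0}, "value": [
    _account_entry("EmptyAcctA", "MintSpam1", 0, 6),
    _account_entry("UsdcAcctB", "MintUsdc", 150_000_000, 6,
                   delegate="OldDexProgram", delegated=U64_MAX),
    _account_entry("EmptyAcctC", "MintSpam2", 0, 9,
                   delegate="TestDapp", delegated=5_000_000_000),
]}}


def scan_token_accounts(response):
    """Summarise empty (closable) accounts and active delegates from the RPC response."""
    report = {"empty": [], "reclaimable_lamports": 0, "delegated": []}
    for entry in response["result"]["value"]:
        acct = entry["account"]
        info = acct["data"]["parsed"]["info"]
        # closeAccount only succeeds on a zero balance, so only those count as reclaimable.
        if info["tokenAmount"]["amount"] == "0":
            report["empty"].append(entry["pubkey"])
            report["reclaimable_lamports"] += acct["lamports"]
        if "delegate" in info:
            amount = int(info["delegatedAmount"]["amount"])
            report["delegated"].append({"account": entry["pubkey"], "mint": info["mint"],
                                        "delegate": info["delegate"], "amount": amount,
                                        "unlimited": amount == U64_MAX})
    return report


if __name__ == "__main__":
    r = scan_token_accounts(SAMPLE_RESPONSE)
    print(f"{len(r['empty'])} empty accounts, "
          f"{r['reclaimable_lamports'] / LAMPORTS_PER_SOL:.6f} SOL reclaimable")
    for d in r["delegated"]:
        print("active approval:", d["account"], "->", d["delegate"],
              "UNLIMITED" if d["unlimited"] else d["amount"])
```

To run it against a real wallet, replace SAMPLE_RESPONSE with the JSON returned by `getTokenAccountsByOwner` for your public address with `{"programId": TOKEN_PROGRAM}` and `{"encoding": "jsonParsed"}`; no wallet connection or signature is involved. Closing an account also revokes its delegate, so an empty account with an approval disappears from both lists once reclaimed.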

Regular Permission Hygiene

Recommended frequency: Once every 1-3 months.

What to revoke:

  • ✅ Old DEXs you no longer use
  • ✅ Test dApps you tried once
  • ✅ Dead projects (site not working, no activity)
  • ✅ Suspicious contracts with unclear names

What to keep:

  • 🟢 Actively used platforms (main DEX, lending)
  • 🟢 Staking contracts with locked funds

Protection from Protocol Exploits

Even a legitimate DeFi protocol can be hacked. If you gave it unlimited approval, hackers get access to your tokens.

Examples from history:

  • 2022, Slope Wallet: Server hack → private key leak → $8M lost
  • 2023, various DEXs: Contract vulnerability → user drain with active approvals

Protection strategy:

  • Never give unlimited approvals (if protocol requires - use limited amounts)
  • Revoke permissions immediately after use (if not planning to return soon)
  • Use separate wallet for DeFi experiments (don't store main funds there)

#How to detect if your wallet is compromised?

Early detection of compromise can save part of your funds.

Early Signs (Wallet Not Yet Drained)

🔴 Unknown transactions in history

You see outgoing transfers you didn't make. Especially suspicious:

  • Transfers at night (when you were sleeping)
  • Round amounts (10.00 SOL, 100.00 USDC)
  • Sends to unfamiliar addresses

Action: Immediate evacuation of remaining funds.

🔴 New permissions (approvals) without your knowledge

Check Trusted Apps in wallet settings. If you see connections to sites you don't remember - possible compromise.

🔴 Wallet settings changed

  • RPC endpoint changed to suspicious one
  • Added new "addresses for automatic sending"
  • Changed display currency or language (sign of access from another country)

🔴 Strange warning tokens appearing

Sometimes white-hat hackers (ethical researchers) send tokens with names like:

"YOUR-WALLET-IS-COMPROMISED-MOVE-FUNDS-NOW"

This isn't a scam - it's an attempt to warn you.

Late Signs (After Theft)

❌ SOL balance = 0 or close to zero

Exactly enough left for one fee - typical drainer signature.

❌ All valuable tokens disappeared

USDC, USDT, popular memecoins withdrawn. Only illiquid tokens remain.

❌ NFTs transferred to unknown address

Valuable NFTs gone, only spam pictures remain.

Types of Drainer Bots

Slow drainer:

  • Withdraws funds gradually (10-20% per day)
  • Hopes victim won't notice immediately
  • Gives time for evacuation if detected

Fast drainer:

  • Empties wallet in 1-5 minutes
  • Automated script, triggers on first incoming transfer
  • Almost impossible to intercept

Sweeper-bot:

  • Monitors all incoming transactions
  • If you try to top up compromised wallet - instantly withdraws
  • Makes self-rescue impossible

Evacuation Tactics from Compromised Wallet

If wallet is compromised but funds not yet withdrawn:

Plan A: Evacuation via Rent Recovery

Locked SOL in empty accounts (5-20 SOL) may remain on wallet. Hackers rarely take rent as it requires complex operations.

Strategy:

  • Scan compromised wallet via Read-Only
  • Prepare rent return transaction
  • Top up wallet with minimum gas (0.005 SOL) and SIMULTANEOUSLY send return transaction
  • Specify high Priority Fee so your transaction processes first

Plan B: Jito Bundles (Advanced Technique)

Jito - Solana MEV infrastructure allowing guaranteed transaction order:

  • Create bundle of two transactions: top-up + rent return
  • Send via Jito RPC
  • Both transactions enter block simultaneously

Requires: Technical skills and MEV understanding.

Plan C: Accept the Loss

If less than 0.1 SOL remains on wallet, evacuation attempt may cost more than result.

#How to check tokens via RugCheck before interaction?

Before buying, selling, or burning a token, it's critical to check its contract for signs of fraud.

What RugCheck Verifies

Mint Authority (Token Creation Right):

🟢 Disabled - creator cannot print new tokens (good)
🔴 Enabled - creator can print infinite quantity, crashing price (bad)

Freeze Authority (Freeze Right):

🟢 Disabled - no one can freeze your balance
🔴 Enabled - creator can block all token operations

Top Holders (Largest Holders):

🟢 Distributed - top-10 own <30% of supply
🟡 Concentrated - top-10 own 30-60%
🔴 Dangerous concentration - top-3 own >70% (dump risk)

Liquidity Lock:

🟢 Locked - liquidity locked in smart contract for N months
🔴 Unlocked - creator can withdraw liquidity anytime (rug pull)

Contract Verification:

🟢 Verified - source code published and matches bytecode
🔴 Unverified - impossible to check what contract does

Interpreting Ratings

RugCheck Score: Low Risk (0-3 flags)

βœ… Can interact
Examples: USDC, popular memecoins like BONK, WIF

RugCheck Score: Medium Risk (4-6 flags)

⚠️ Requires caution
Example: New token with Mint Authority active but low holder concentration

RugCheck Score: High Risk (7-10 flags)

🔴 Not recommended to interact
Example: Freeze Authority active + top-1 holder owns 90%

RugCheck Score: Critical (10+ flags)

🚫 Guaranteed scam
Example: All red flags + unverified contract

Practical Application During Cleanup

Before burning spam token:

  • Click "Check RugCheck" in cleanup tool interface
  • If you see Critical or High Risk - burn safely
  • If you see Low Risk - make sure it's actually junk, not valuable token

Before buying token:

  • ALWAYS check via RugCheck before first purchase
  • If you see Freeze Authority enabled - decline (may be frozen after purchase)
  • Check token age (new tokens = higher risk)

SolChekers

Our mission is to make the Solana blockchain cleaner, lighter, and more efficient for everyone by reclaiming unused rent deposits.

Built with ❤️ by Solana enthusiasts

Important

SolChekers is a non-custodial tool. We do not have access to your private keys. Use at your own risk.

Official URL verification:
solchekers.com

© 2025 SolChekers.com. Not affiliated with the Solana Foundation.