My MetaMask wallet was drained after I signed something. What are the first steps?

First steps after the drain

• Treat the wallet as compromised and stop using it for storage.
• Move any remaining assets to a new wallet from a clean device if it is still safe to do so.
• Disconnect risky dapps and review approvals on the relevant chain.

Evidence to collect

• The draining TXIDs, approval transactions, wallet address, chain, and the site that requested the signature.
• Screenshots of the website, chats, ads, or messages that led to the signature.
• A timeline showing when you connected the wallet, what you signed, and when the transfers started.

Why this happens

• Many drains happen through malicious approvals, permit signatures, phishing pages, or fake support workflows.
• The signature may not look like a transfer, but it can authorize later spending.

What helps recovery efforts

• A clear path of the stolen funds, especially if they hit an exchange or swap service with compliance controls.
• Fast reporting backed by explorer links and screenshots.