Wallet compromise runbook
If you suspect your owner mnemonic / recovery phrase has leaked, time is critical. Follow these steps to limit damage and rotate.
Step 0: confirm vs panic
A compromise indicator is unauthorized transactions you didn't initiate (visible on app.hyperliquid.xyz or your block explorer). Random pop-ups on a website are NOT a compromise indicator; those are phishing attempts.
If you actually see unauthorized activity, assume the worst and act fast. If you're not sure, take a screenshot and review with a fresh head; most 'compromise alerts' are phishing scares.
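The "confirm vs panic" check above comes down to reconciling the activity the explorer shows against what you know you initiated. The script below is an added example, not part of this runbook or of Botely: it assumes you have exported your address's recent activity into a simple list of records (tx hash, kind, amount, destination) and that your bot or wallet keeps a log of the tx hashes it sent. Outbound transfers that are neither in that log nor headed to an address you own are the real compromise indicator; everything else is noise.

```python
"""Reconcile observed on-chain activity against self-initiated actions.

Added example (not the runbook's or Botely's code). The Transfer record
format and the sample data below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    tx_hash: str        # transaction hash as shown by the explorer
    kind: str           # "deposit", "withdraw" or "trade"
    amount_usdc: float  # amount moved, in USDC
    to_address: str     # destination address (only meaningful for withdraws)


# Constructed addresses: your own cold wallet and an address you do not recognise.
COLD_WALLET = "0x" + "aa" * 20
UNKNOWN_DEST = "0x" + "bb" * 20

# Constructed sample of what the explorer shows for the owner address.
OBSERVED = [
    Transfer("0xaaa1", "deposit", 5000.0, ""),
    Transfer("0xaaa2", "withdraw", 1500.0, COLD_WALLET),   # you sent this
    Transfer("0xaaa3", "withdraw", 3200.0, UNKNOWN_DEST),  # nobody sent this
    Transfer("0xaaa4", "withdraw", 200.0, COLD_WALLET),    # unlogged, but to your own wallet
]

# Constructed: tx hashes your bot/wallet logged as self-initiated.
SELF_INITIATED = {"0xaaa2"}
# Addresses you control; outbound transfers to these are not theft.
KNOWN_DESTINATIONS = {COLD_WALLET}


def flag_unauthorized(observed, self_initiated, known_destinations):
    """Return outbound transfers that are neither self-initiated nor to an address you own.

    Hashes and addresses are compared case-insensitively because explorers
    and wallets differ in how they render hex.
    """
    initiated = {h.lower() for h in self_initiated}
    known = {a.lower() for a in known_destinations}
    flagged = []
    for t in observed:
        if t.kind != "withdraw":
            continue  # deposits and trades never move funds off the account
        if t.tx_hash.lower() in initiated:
            continue
        if t.to_address.lower() in known:
            continue
        flagged.append(t)
    return flagged


def amount_at_risk(flagged):
    """Total USDC moved out by transfers you cannot account for."""
    return sum(t.amount_usdc for t in flagged)


def should_escalate(flagged):
    """True when at least one unexplained outbound transfer exists: go to Step 1 now."""
    return len(flagged) > 0


if __name__ == "__main__":
    hits = flag_unauthorized(OBSERVED, SELF_INITIATED, KNOWN_DESTINATIONS)
    for t in hits:
        print(f"UNEXPLAINED {t.tx_hash}: {t.amount_usdc} USDC -> {t.to_address}")
    print("escalate:", should_escalate(hits), "at risk:", amount_at_risk(hits))
```

Run it against your real export and your own tx log; an empty result with the pop-up still on screen means Step 0's verdict is "phishing scare", a non-empty result means Step 1.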
Step 1: move funds to a fresh wallet
Generate a brand-new mnemonic on a clean device (ideally a fresh MetaMask install on a different computer, or a hardware wallet you haven't connected to anything yet). DO NOT use the compromised wallet's MetaMask to set up the new one: the attacker may already have the seed.
From the compromised wallet (you still hold the keys until the attacker uses them), withdraw all USDC from Hyperliquid to the new wallet's address (or to a temporary holding address you control). Speed matters: initiate the withdrawal immediately.
Step 2: revoke the agent wallet
Once funds are in the new wallet, the compromised wallet has nothing left to steal. But the agent wallet (Botely agent wallet) is still registered against the old owner address. This doesn't matter for fund safety, but it is good hygiene.
Revoke from /app/settings ("Revoke" button), then run `approveAgent with a fresh agent <id> --from <old-owner-keyname>` from the CLI to remove it on-chain as well. The fee is paid by the old owner; that's fine.
Step 3: re-register on the new wallet
Update Botely to point at the new owner address: in /app/settings the wizard now uses your new MetaMask account. Re-run the wizard to register a new agent wallet tied to the new owner.
Update the bot's .env (Phase 0) or wait for Phase 1 auto-pickup. Restart the bot.
Update HL_MAIN_ADDRESS in the bot's .env if it was hardcoded to the old address.
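The .env update in Step 3 is where rotations tend to go wrong: the new address is mistyped, or the old address survives in a comment or a second key and the bot keeps acting for the compromised owner. The helper below is an added example, not Botely's code; it assumes the bot reads a dotenv-style file with a `HL_MAIN_ADDRESS` key (the key is from this runbook, the sample file contents and addresses are constructed). It rewrites the key after validating the new value and then reports any line that still mentions the old address, so you can confirm the rotation actually completed before restarting the bot.

```python
"""Rotate the owner address in a bot .env and verify no stale references remain.

Added example (not Botely's code). Assumes a dotenv-style file; the sample
contents and addresses below are constructed.
"""
import re
from pathlib import Path
import tempfile

# Checksummed or not, an EVM address is 0x followed by 40 hex digits.
ADDRESS_RE = re.compile(r"^0x[0-9a-fA-F]{40}$")

# Constructed addresses: the compromised owner and its replacement.
OLD_OWNER = "0x" + "11" * 20
NEW_OWNER = "0x" + "22" * 20

# Constructed sample .env: the key to rotate plus a stale comment that also
# carries the old address, which a naive key-only rewrite would miss.
SAMPLE_ENV = (
    "# owner wallet (was " + OLD_OWNER + ")\n"
    "HL_MAIN_ADDRESS=" + OLD_OWNER + "\n"
    "HL_AGENT_KEYNAME=botely-agent\n"
)


def rotate_env_address(env_text, key, old_address, new_address):
    """Return env_text with `key` set to new_address.

    Refuses malformed addresses and a no-op rotation (new == old), and
    appends the key if it was not present at all.
    """
    if not ADDRESS_RE.match(new_address):
        raise ValueError(f"{new_address!r} is not a valid EVM address")
    if new_address.lower() == old_address.lower():
        raise ValueError("new address must differ from the compromised one")
    out, replaced = [], False
    for line in env_text.splitlines():
        if line.strip().startswith(f"{key}="):
            out.append(f"{key}={new_address}")
            replaced = True
        else:
            out.append(line)
    if not replaced:
        out.append(f"{key}={new_address}")
    return "\n".join(out) + "\n"


def residual_references(env_text, old_address):
    """1-based line numbers that still contain the old address (any case)."""
    needle = old_address.lower()
    return [n for n, line in enumerate(env_text.splitlines(), 1) if needle in line.lower()]


def rotate_file(path, key, old_address, new_address):
    """Rewrite the file in place and return the lines that still need manual cleanup."""
    p = Path(path)
    updated = rotate_env_address(p.read_text(), key, old_address, new_address)
    p.write_text(updated)
    return residual_references(updated, old_address)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        env_path = Path(d) / ".env"
        env_path.write_text(SAMPLE_ENV)
        leftovers = rotate_file(env_path, "HL_MAIN_ADDRESS", OLD_OWNER, NEW_OWNER)
        print(env_path.read_text())
        print("lines still mentioning the old owner:", leftovers)  # [1]: the comment
```

Treat a non-empty leftover list as "rotation not finished": clean those lines by hand, re-run the check, and only then restart the bot.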
Step 4: postmortem
Where did the leak happen? Common vectors: (a) seed typed into a fake MetaMask lookalike site, (b) seed photographed and stored in cloud (Google Drive, iCloud, GitHub Gist), (c) malware on the device running MetaMask, (d) physical access to a written seed.
Whatever caused it, don't repeat it. For high-value wallets, consider switching to a hardware wallet, where the seed never leaves the device's secure element. See the mnemonic-best-practices guide.