What to Do If You Received Crypto From a Hacked Protocol

By Alexandr Kerya · · 5 min read

TL;DR - If a hacked protocol's funds reach your wallet, a screening tool can flag you and an exchange can freeze the deposit, even if you did nothing wrong.

This question spikes after every big exploit. On June 1, 2026, an attacker drained Gnosis Pay accounts through a flaw in a shared Safe module, and Gnosis pledged to cover all user losses. Stolen money rarely sits still. Attackers split it, swap it, and route it through dozens of wallets. Some of those hops end at people who simply sold a token or got paid for a freelance job. Last month, on-chain theft topped 625 million dollars across nearly one exploit a day.

How do stolen funds from an exploit end up in ordinary wallets?

After a hack, the attacker holds coins that every major exchange already watches. To cash out, they have to make the money look ordinary. That means moving it.

The path usually runs through several stages. First the funds get split across many fresh addresses. Then they pass through swaps, bridges, or a mixer to break the trail. Finally they re-enter the regular economy, paid to a counterparty, sold over the counter, or used to buy an asset from an unsuspecting seller.

That last seller could be you. If you sell a token, accept a payment, or receive an airdrop from one of these addresses, the tainted history follows the coins into your wallet. You never touched the exploit, yet the on-chain link is now part of your address's record.

Funds from a hacked protocol pass through intermediaries into your wallet, where a deposit screen flags them.Hacked protocolYour walletExchange deposit ⛔One on-chain hop is enough for a deposit screen to flag it.
Stolen funds move through intermediaries before landing in an ordinary wallet, where a deposit screen can still flag the link.

Can receiving hacked funds get your wallet flagged?

Yes. Screening tools score an address by looking at where its funds came from, not who you are. If an upstream address is tied to a known hack, that risk flows downstream to you.

Most tools treat stolen-funds exposure as a serious signal, close to mixer and sanctions exposure. The score is highest for a direct transfer from the hacker and fades with each hop. Even so, a careful exchange may flag a deposit that sits several hops from the original theft.

  • Risk inheritance: tainted coins carry their history into every wallet they reach.
  • Exchange policy: deposit screens compare incoming funds against known hack addresses.
  • Frozen withdrawals: a flagged deposit can trigger a source-of-funds review that locks your balance for days.
Risk tier ladder from clean to severe applied to stolen-funds exposure.CleanLowElevatedSevere
Screening tools rate stolen-funds exposure on a tier ladder: highest next to the hack, lower with each hop.

How do you check if your wallet received funds from a hack?

Start with the incoming transactions you did not expect, or any large transfer from a counterparty you do not know well. Each one has a source you can trace.

  1. Open the transaction in a block explorer and follow the sending address back a few hops.
  2. Compare those addresses against public hack and exploit records published by security firms.
  3. Check more than one chain, because attackers bridge funds across Ethereum, Base, Arbitrum, and others to shake off trackers.

Doing this by hand is slow, and a single address can branch into hundreds of paths. Rather than checking one hop at a time, screen the address with Plastron to see sanctions, mixer, and stolen-funds exposure across Ethereum and six chains at once.

What should you do if your wallet is already tainted?

Do not move the funds again. Forwarding them to an exchange or another wallet only spreads the taint and makes a clean explanation harder.

  1. Identify the exact transaction that introduced the exposure, including its hash and the source address.
  2. Save proof of why you received the funds, such as an invoice, a sale record, or a message from the sender.
  3. If an exchange froze a deposit, open a support case and share that documentation for the source-of-funds review.
  4. Keep suspect funds in a separate wallet so they cannot mix with clean holdings.

A reviewer works from a risk score and a transaction graph. If you can show the funds arrived from a counterparty who is themselves subject to checks at a regulated platform, the reviewer has a documented chain of custody to clear you.

How can you avoid receiving tainted funds in the first place?

You cannot vet every sender, but you can lower the odds.

  • Screen a counterparty's address before a large or unfamiliar payment, the same way an exchange screens you.
  • Be cautious with over-the-counter deals and surprise airdrops right after a publicized exploit.
  • Keep a clean wallet for savings and a separate one for trades with new counterparties.

None of this stops a smart-contract exploit, which is the protocol's job. It protects you from the second wave, when stolen money looks for an exit and lands on people who never saw the hack.

FAQ

Can my wallet be flagged if I never used the hacked protocol?

Yes. Flags follow the funds, not your intent. If coins with a hack in their history reach your address, the exposure attaches to your wallet regardless of how careful you were.

Does the risk fade as the funds move further from the hack?

Usually. Most screening models discount risk by hop distance, so a direct transfer scores far higher than a fifth-hop link. A strict exchange can still review a distant link, though.

Will Gnosis covering losses remove the flag on stolen coins?

No. Reimbursing victims does not change the on-chain history of the stolen coins. Those coins keep their tainted record even after the project makes its users whole.

How fast should I check after a big exploit?

Within a day or two. Laundered funds spread quickly, and checking early lets you avoid accepting or forwarding tainted coins before an exchange does it for you.

Disclaimer: This article is for educational and informational purposes only and is not legal, financial, tax, or compliance advice. Crypto carries risk; you act on this information at your own risk. Always do your own research and consult a qualified professional before making decisions. Views are the author's own and do not constitute financial, legal, or investment advice.

About Plastron

Plastron is a free, non-custodial wallet screening tool. It checks Ethereum and six EVM chains for AML and KYT risk — sanctions exposure, mixer contact, and stolen-funds proximity — and returns a risk report in seconds. It reads public on-chain data only: it never takes custody of funds and never asks for private keys.

How Plastron works and who runs it →

Keep reading

Can Your Wallet Be Frozen If You Receive USDT From a Scammer?Can a Wallet Be Flagged for Receiving Funds From a Mixer?Is DeFi Safe? What Wallet Screening Can and Can't CatchHow to Safely Buy Crypto Peer-to-Peer: A Buyer's Checklist