Your seed phrase was stolen from cloud storage
When you store your seed phrase in Google Drive, iCloud, Dropbox, or similar services, anyone who compromises your cloud account has full access to your wallet. Hackers specifically target cloud accounts knowing that people store sensitive information there.
How this attack works
Cloud accounts are a single, high-value target. If your seed phrase lives in iCloud, Google Drive, Dropbox, OneDrive, or a notes app that syncs to the cloud, then anyone who gets into that account gets your wallet — no malware on your devices required.
Attackers get in through reused or leaked passwords, SIM-swap-driven password resets, or phishing of the cloud login itself. Once inside, automated tools scan files and photos for 12- or 24-word phrases, private keys, and keystore files.
Because the theft happens on the attacker's machine, your own phone and computer look completely normal — which is why this often goes unnoticed until the funds move.
Warning signs
- •Your seed phrase, or a photo of it, was ever saved to a cloud-synced location.
- •You reuse the password on that cloud account, or it has appeared in a breach.
- •The cloud account doesn't have strong, app-based two-factor authentication.
- •Funds left with no suspicious activity on your own devices.
What to do right now
- •Create a brand new wallet with a fresh seed phrase
- •Write it down on paper or metal - never store it digitally
- •Keep it somewhere physically secure that only you can access
Not sure this is what happened to you?
Run the 2-minute diagnostic