The compromised wallet still holds the name's NFT. Only that wallet can sign a transfer — ENS can't sign for you and can't reverse a transaction. Recovery comes down to getting one transfer out before a sweeper bot eats the gas.
Important: Don't send ETH to the compromised wallet until you're ready to transfer the name in the same session. Sweeper bots can steal any ETH that arrives, often within seconds.
Do this first
Stop using the compromised wallet. Don't sign anything from it. Don't send ETH to it.
Make a fresh wallet. New seed phrase, ideally a different device. This is where the name is going.
Check ownership. Open the ENS App with no wallet connected. Search your name and open the Ownership tab. The next step depends on what you see.
Find your path
What you're seeing | What it means | Path |
Owner is still the compromised wallet, no sign of a sweeper bot | You could possibly sign one transaction out before a bot is set up | Standard transfer |
Owner is still the compromised wallet, ETH disappears within seconds of arriving | Sweeper bot is active; standard transfer won't work | If a sweeper bot is active on the wallet |
Owner is still the compromised wallet, name is in Grace Period (expired, within 90 days) | Transfers are blocked until the registration is active | See the Grace Period note below |
Owner has changed | Attacker already moved the name | Not recoverable through ENS |
Name shows a recent registration date and looks different | Probably expired and re-registered, not stolen | Read Was it really stolen? |
How to check for a bot: send a small amount of ETH to the compromised wallet. If it stays for more than a few seconds, no active bot. If it disappears within seconds, a bot is on it.
Grace Period note: transfers don't work during Grace Period. Extending tips off anyone watching the wallet, so coordinate with the bot check before doing anything. See What is a Grace Period? for the mechanics.
Standard transfer
With ETH in the compromised wallet for gas and no bot active, change Owner first — that's the critical move. Once Owner is on your new wallet, the attacker can't take the name, even if Manager and ETH Address are still pointing at the compromised wallet.
Open the ENS App and connect the compromised wallet.
Search your name, open the Ownership tab, and click Edit Roles.
Change Owner to the new wallet's address. Leave Manager and ETH Address as they are for now. Approve in your wallet.
Wait for the Owner transaction to confirm — 1–2 blocks (12–24 seconds); busy networks can take longer.
Once the Owner change is confirmed, the name is safe. From your new wallet, open Edit Roles again (or use Send) and bring Manager and ETH Address across.
Why not use Send for all three at once? Send moves all three roles in one go, but in this order: ETH Address, then Manager, then Owner. The Owner change is the one that protects the name — leave it for last and a sweeper bot or attacker has a window to step in before you get there. Doing Owner on its own first means the name's safe before anything else moves. See How do I edit the roles on my ENS name? for the full Edit Roles flow.
If the ETH disappears before you can sign the Owner change, a bot is active — stop and try one of the paths below.
If a sweeper bot is active on the wallet
Wait it out
Bots sometimes go quiet after weeks or months. Watch the wallet without sending anything. Now and then, test with a tiny amount of ETH, ready to transfer the name the moment it stays. The attacker can transfer the name in the meantime, and the name may expire while you wait.
Pay gas in tokens the bot hasn't touched
Some wallets let you pay gas in tokens that aren't ETH. Ambire is the best-known one; other smart-contract wallets do this too. If the compromised wallet still holds tokens the bot hasn't taken — often on L2 chains the bot isn't watching — you may be able to sign the Owner transfer using those tokens. No ETH needs to arrive at the wallet, so there's nothing for the bot to grab.
For this to work:
The compromised wallet has to be a smart-contract wallet that supports paying gas in non-ETH tokens.
The wallet has to still hold eligible tokens the bot hasn't drained.
You have to still control the wallet's signer (seed phrase or key — exposed, but yours).
If all three are true, this is the simplest bot-active path. If not, move on.
Flashbots Rescue (technical)
Bundle the funding ETH and the transfer transaction into a single Ethereum block, so the bot has no gap to grab the gas. Two tools:
FlashbotsBundlerUI — React app for building Flashbots bundles.
flashbots-ens-rescue — Tool specifically for ENS recovery.
Important: Flashbots tools aren't built or maintained by ENS. They're community and third-party tools. Use at your own risk.
Let it expire and re-register
Last resort. If other paths fail and the name isn't urgent, let the registration lapse. Anyone can extend any .eth name (the attacker can too). After the 90-day Grace Period the name enters Temporary Premium and has to be registered as new — not extended. Someone else may register it the moment it's available. See What happens to a .eth name when it expires?
Was it really stolen?
A few situations look like a hack but aren't.
"My NFT was burned"
If your name expired and someone else picked it up after the 90-day Grace Period, the original NFT gets burned and a fresh one is minted to the new owner. That's the normal way .eth expiry works, even though it looks like a hack from the outside. Check the registration date in the Ownership tab; if it's recent, the name was re-registered, not stolen.
"The Owner changed without my signing"
If the Owner in the ENS App is a different wallet than yours, a transaction was signed from your wallet — either by you, or by someone with access to your seed phrase. ENS can't reverse it. Treat the original wallet as fully compromised: rotate everything that uses the same seed phrase, and revoke any open token approvals using How do I revoke token approvals?
"What's a sweeper bot?"
Software an attacker runs against a compromised wallet. The moment any ETH arrives, the bot tries to broadcast a transaction sending it back out — so quickly that there's no time to sign a legitimate transfer first.
What ENS can't do
A few requests the support team gets a lot:
Reverse a transaction. Blockchain transactions are permanent.
Sign a transfer on your behalf. Only the wallet holding the NFT can sign.
Transfer a name in Grace Period. The registration has to be active.
After you've recovered the name
Set up the cold/hot wallet pattern so the same thing can't happen again. Keep the Owner role on a cold wallet that never connects to apps, and keep the Manager and ETH Address on your daily hot wallet. The name keeps working — records edit, funds arrive, your Primary Name shows up — but a drained hot wallet can't take the name away.
If you lose access to the cold wallet, the name can't be recovered. Back up the seed phrase the way you would for any high-value asset.
Full setup in What's the safest way to hold an ENS name?
Good to know
Don't send ETH to a compromised wallet — sweeper bots can steal funds within seconds.
ENS can't reverse transactions, restore access, or transfer names for you. Only the wallet holding the NFT can sign a transfer.
A name can't be transferred during Grace Period — the registration has to be active.
If the Owner has changed in the ENS App, the attacker already moved it. ENS can't reverse that.
When an expired name is re-registered by someone else, the old NFT is destroyed — this looks like a hack but isn't.
What's next?