24/7 Web3 Incident Response: Minimize Damage, Recover Assets, Restore Trust
When a smart contract is exploited or a wallet is drained, every second counts. Our team of on-chain investigators and security engineers is your rapid-response unit, containing the threat and managing the crisis.
Why Errna?
Your On-Chain First Responders
Immediate Activation
Our 24/7/365 Security Operations Center (SOC) ensures a response within minutes of your call. We establish a dedicated war room to begin containment and investigation immediately, because every second matters.
Elite Expertise
Our team consists of battle-hardened smart contract auditors, on-chain forensic analysts, and cybersecurity veterans who specialize exclusively in Web3 technologies. We've dissected every major type of Web3 attack.
Advanced Forensics
We utilize proprietary tools and leading platforms like Chainalysis and Elliptic to trace stolen assets across multiple chains and through complex mixing services, maximizing the potential for recovery.
Full Lifecycle Management
We manage the entire incident from initial containment and eradication to recovery and post-incident hardening. Our goal is not just to fix the immediate problem, but to make you more resilient for the future.
Asset Recovery Focus
Our primary objective is the recovery of your digital assets. We coordinate with exchanges, law enforcement, and legal partners globally to freeze and reclaim stolen funds wherever possible.
Crisis Communication
We provide clear, strategic guidance on communicating with your community, investors, and regulatory bodies. Maintaining trust during a crisis is paramount, and we help you navigate the narrative.
Actionable Reporting
You receive a comprehensive post-incident report detailing the attack vector, funds flow, and actionable recommendations to prevent recurrence. This document is crucial for insurance claims and stakeholder updates.
Absolute Discretion
We operate with the utmost confidentiality. All communications and findings are handled securely, ensuring your privacy and protecting your reputation throughout the engagement.
AI-Augmented Intelligence
We leverage AI-powered threat intelligence platforms to rapidly identify attacker infrastructure, analyze malware, and predict their next moves, giving us a critical edge in the response effort.
Our Capabilities
Comprehensive Web3 Incident Response Services
Our services cover every phase of a security incident, from proactive preparation to post-breach recovery. We provide a structured, end-to-end solution to navigate the complexities of a Web3 crisis.
Incident Response Plan Development
We help you build a robust, actionable IR plan tailored to your specific protocol, assets, and team structure before an incident occurs.
- Defines roles, responsibilities, and communication channels.
- Establishes clear escalation paths and decision-making authority.
- Includes playbooks for common Web3 attack scenarios (e.g., flash loan, oracle manipulation).
AI-Powered Threat Monitoring & Anomaly Detection
We deploy and configure advanced monitoring tools that use AI to detect suspicious on-chain and off-chain activity in real-time, providing early warnings of potential attacks.
- Monitors smart contract interactions, transaction volumes, and governance proposals.
- Alerts on unusual admin activities or wallet movements.
- Integrates with platforms like Forta, OpenZeppelin Defender, and custom scripts.
War Room Simulation & Tabletop Exercises
We conduct realistic attack simulations to test your team's readiness and refine your incident response plan in a controlled environment.
- Improves team coordination and decision-making under pressure.
- Identifies gaps in your current security posture and response capabilities.
- Builds muscle memory for effective crisis management.
Emergency Response Retainer
Secure priority access to our elite team with a dedicated retainer. This guarantees immediate response times and proactive threat intelligence tailored to your project.
- Guaranteed Service Level Agreements (SLAs) for response time.
- Reduced rates for emergency engagement hours.
- Continuous, proactive monitoring and threat briefs relevant to your ecosystem.
Initial Triage and Breach Verification
Our first step upon engagement is to rapidly verify if a security incident has occurred, assess its initial scope, and determine the immediate threat level.
- Quickly differentiate between a genuine attack, a bug, or a false alarm.
- Provide an immediate high-level assessment of the situation.
- Activate the appropriate response playbook based on verified information.
Smart Contract Exploit Containment
When a vulnerability is being actively exploited, we take immediate action to mitigate further losses, such as pausing contracts or executing white-hat hacks.
- Leverage admin keys or governance mechanisms to pause vulnerable functions.
- Strategically drain funds from vulnerable contracts to a secure multi-sig wallet.
- Front-run malicious transactions to disrupt the attacker's efforts.
On-Chain Forensic Analysis
Our core investigative service. We meticulously trace the flow of funds and analyze transaction data to understand the attack vector and identify the attacker's wallets.
- Map out the entire attack sequence from the initial exploit transaction.
- Identify all wallets controlled by the attacker.
- Track stolen funds through mixers, bridges, and decentralized exchanges.
Attack Vector Identification & Root Cause Analysis
We reverse-engineer the attack to pinpoint the exact vulnerability, whether it's a smart contract flaw, a compromised private key, or a frontend exploit.
- Deconstruct malicious transactions to understand the exploit logic.
- Analyze off-chain infrastructure (servers, domains) for compromise.
- Determine the root cause to prevent similar attacks in the future.
Malware and Phishing Analysis
If the incident involves off-chain components, we analyze any malware, phishing kits, or malicious code used by the attackers to gain access.
- Reverse-engineer malware to understand its capabilities and extract indicators of compromise.
- Identify attacker command-and-control (C2) infrastructure.
- Provide signatures and IOCs to block further malicious activity.
Threat Actor Profiling
We gather intelligence on the threat actor or group behind the attack, using both on-chain and off-chain data to understand their motives, tactics, and potential identity.
- Link on-chain addresses to known hacking groups.
- Analyze transaction patterns to profile the attacker's sophistication.
- Provide intelligence to support law enforcement investigations.
Asset Recovery & Law Enforcement Coordination
We work tirelessly with global exchanges and law enforcement agencies to freeze and recover stolen assets identified during our forensic investigation.
- Prepare detailed forensic reports for submission to authorities and exchanges.
- Leverage our network of contacts at major centralized exchanges.
- Provide expert witness testimony if required for legal proceedings.
Crisis & Community Communications Support
We help you craft a clear, transparent, and strategic communication plan to manage your community, investors, and the media during a crisis.
- Draft incident reports, post-mortems, and public statements.
- Advise on the timing and content of disclosures to maintain trust.
- Prepare your team for AMAs and community Q&A sessions.
Secure Redeployment & Hardening
After containment, we assist your development team in patching vulnerabilities and securely redeploying your smart contracts or infrastructure.
- Provide specific code-level recommendations to fix the vulnerability.
- Conduct a targeted security audit of the patched code before redeployment.
- Recommend architectural changes to improve overall security posture.
Post-Incident Report & Remediation Plan
You receive a comprehensive report that serves as the definitive record of the incident, with actionable steps to prevent it from happening again.
- Detailed timeline of the attack and response efforts.
- In-depth analysis of the root cause and contributing factors.
- A prioritized list of security improvements for your roadmap.
Insurance Claim & Legal Support
Our detailed forensic reports provide the technical evidence required to support cyber insurance claims and any potential legal action against the attackers.
- Quantify financial losses with verifiable on-chain data.
- Provide clear, jargon-free explanations of complex technical exploits.
- Collaborate with your legal counsel to build a strong case.
Our Methodology
A Structured Approach to Chaos
Building Resilience Before the Attack
The most effective response starts before an incident. We work with you to develop IR plans, conduct tabletop exercises, and establish monitoring to ensure you're ready.
Identifying the Threat, Fast
Upon activation, we immediately analyze alerts and on-chain data to confirm the breach, identify the attack vector, and understand the scope of the compromise.
Stopping the Bleeding
Our first priority is to stop further damage. This may involve pausing contracts, moving funds to safety, or isolating compromised systems to limit the attacker's access.
Removing the Attacker
Once contained, we ensure the threat is completely removed from your environment. This includes patching vulnerabilities and ensuring no backdoors remain.
Restoring Operations & Trust
We guide you through the process of safely restoring services, redeploying secure contracts, and communicating with your community to rebuild confidence.
Learning and Hardening
We deliver a detailed post-mortem report and work with your team to implement long-term security improvements, turning a crisis into a catalyst for greater resilience.
Proven Track Record
Real-World Crisis Management
Case Study: Containing a $25M Flash Loan Attack on a DeFi Lending Protocol
Industry: Decentralized Finance (DeFi)
Client Overview: A mid-sized DeFi lending protocol with over $100M in Total Value Locked (TVL), providing borrowing and lending services on the Ethereum mainnet. They were known for their innovative interest rate models but had a complex codebase that integrated multiple external oracles.
"When our TVL started draining, it was the worst moment of my life. Errna's team was in our Discord war room in under 15 minutes. They were the calm, expert voice in the storm. Their speed in containing the exploit and tracing the funds was incredible. They didn't just save our protocol; they saved our company."
- Alex Royce, Founder, DeFi Protocol
The Problem
The protocol suffered a sophisticated flash loan attack combined with oracle price manipulation. The attacker exploited a logic flaw in how the protocol calculated collateral value during periods of high network congestion, allowing them to borrow assets far exceeding their collateral's actual worth, resulting in a rapid $25M loss from the main lending pools.
Key Challenges
- The attack was ongoing, with the attacker attempting to drain more funds.
- Stolen funds were immediately being funneled through Tornado Cash.
- The client's team was overwhelmed and unsure of the correct containment steps.
- Community panic was spreading rapidly on social media, causing a bank run on the remaining assets.
Our Solution
Our team was activated and immediately took control of the response:
- Immediate Containment: We guided the client's multi-sig holders to execute a pre-planned contract pause function, halting all borrowing and withdrawal activities within 30 minutes of engagement.
- On-Chain Forensics: We deconstructed the complex series of transactions, pinpointing the exact oracle and logic flaw. We traced the stolen funds to specific Tornado Cash deposit addresses.
- White-Hat Counter-Exploit: We identified an additional $5M in funds that were vulnerable but not yet taken. We developed and executed a white-hat exploit to rescue these funds and move them to a secure company-controlled multi-sig wallet.
- Crisis Communication: We drafted a clear, concise initial statement for the community, acknowledging the issue, confirming containment, and outlining the next steps, which immediately helped to calm the panic.
Case Study: Unraveling a Widespread Phishing Campaign Targeting NFT Holders
Industry: NFTs & Digital Collectibles
Client Overview: A popular NFT marketplace on the Solana blockchain, hosting several blue-chip collections and processing thousands of transactions daily. Their brand was built on user trust and a seamless trading experience.
"We saw a flood of support tickets about drained wallets and had no idea where to start. Errna's team not only identified the source of the phishing attack within hours but also provided us with the data to help law enforcement and proactively warn our users. Their expertise in both on-chain and off-chain forensics was a game-changer."
- Amelia Norton, Head of Security, NFT Marketplace
The Problem
A sophisticated phishing campaign was targeting the marketplace's high-value users. Attackers created a convincing replica of the client's website and used compromised social media accounts to promote a fake "special mint" event. Users who connected their wallets to the phishing site were prompted to sign malicious `setApprovalForAll` transactions, granting the attacker's contract blanket transfer rights over their collections, which were then used to drain their most valuable NFTs and tokens.
Key Challenges
- The attack was distributed, affecting individual users rather than the protocol itself.
- The phishing sites were numerous and being taken down and re-hosted rapidly.
- Identifying the full scope of affected users and stolen assets was difficult.
- The marketplace's reputation was at severe risk due to the perception of insecurity.
Our Solution
Our response focused on both technical analysis and community protection:
- Off-Chain Infrastructure Takedown: We analyzed the phishing sites, identified the hosting providers and domain registrars, and initiated abuse reports to get them taken down. We also identified the attacker's C2 server.
- On-Chain Analysis: We wrote scripts to scan the blockchain for all malicious `setApprovalForAll` transactions originating from the phishing contract, creating a comprehensive list of all affected user wallets and stolen assets.
- Victim & Asset Database: We compiled a database of over 200 affected wallets and cataloged more than 500 stolen blue-chip NFTs, providing a clear picture of the financial impact.
- Proactive Community Warning: We provided the client with the attacker's wallet addresses and malicious contract details, allowing them to issue a specific, detailed warning to their community and help users revoke the malicious permissions.
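As an added example (not Errna's tooling or the scripts mentioned in the case study), this is the kind of scan the On-Chain Analysis and Proactive Community Warning steps describe: replaying `ApprovalForAll` event logs to list the owners still exposed to a malicious operator, plus the calldata a victim sends to revoke that approval. It assumes EVM-style logs, since `setApprovalForAll` is an ERC-721/1155 function; the addresses and log entries are constructed.

```python
# Added example, not Errna's tooling. Replays ERC-721/1155 ApprovalForAll logs, keeps the
# latest approval per (collection, owner, operator), and reports owners still exposed to a
# known malicious operator. Assumes EVM-style logs; all addresses/logs are constructed.

# keccak256("ApprovalForAll(address,address,bool)"), the standard event topic
APPROVAL_FOR_ALL_TOPIC = "0x17307eab39ab6107e8899845ad3d59bd9653f200f220920489ca2b5937696c31"
SET_APPROVAL_FOR_ALL_SELECTOR = "a22cb465"  # 4-byte selector of setApprovalForAll(address,bool)

def topic_to_address(topic: str) -> str:
    """Indexed address topics are left-padded to 32 bytes; keep the low 20 bytes."""
    return "0x" + topic[-40:].lower()

def exposed_owners(logs, malicious_operators):
    """Map collection -> set of owners whose most recent ApprovalForAll for a malicious
    operator is still true. Logs are replayed in chain order, so a later revocation
    (approved=false) clears an earlier approval."""
    bad = {o.lower() for o in malicious_operators}
    latest = {}  # (collection, owner, operator) -> approved flag
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        topics = log["topics"]
        if len(topics) != 3 or topics[0].lower() != APPROVAL_FOR_ALL_TOPIC:
            continue  # some other event type
        operator = topic_to_address(topics[2])
        if operator not in bad:
            continue  # approval to a legitimate operator, e.g. the real marketplace
        key = (log["address"].lower(), topic_to_address(topics[1]), operator)
        latest[key] = int(log["data"], 16) != 0
    exposed = {}
    for (collection, owner, _operator), approved in latest.items():
        if approved:
            exposed.setdefault(collection, set()).add(owner)
    return exposed

def revoke_calldata(operator: str) -> str:
    """ABI-encode setApprovalForAll(operator, false): selector, padded address, bool 0."""
    return "0x" + SET_APPROVAL_FOR_ALL_SELECTOR + operator[2:].lower().rjust(64, "0") + "0" * 64

# --- constructed sample data (placeholder addresses, not real ones) ---
def _addr(tag): return "0x" + tag.ljust(40, "0")
def _topic(address): return "0x" + address[2:].rjust(64, "0")
def _log(block, index, collection, owner, operator, approved):
    return {"blockNumber": block, "logIndex": index, "address": collection,
            "topics": [APPROVAL_FOR_ALL_TOPIC, _topic(owner), _topic(operator)],
            "data": "0x" + "0" * 63 + ("1" if approved else "0")}

ATTACKER, MARKET, COLL_A, COLL_B = _addr("bad"), _addr("fee"), _addr("c01a"), _addr("c01b")
ALICE, BOB, CAROL = _addr("a11ce"), _addr("b0b"), _addr("ca201")
SAMPLE_LOGS = [
    _log(100, 0, COLL_A, ALICE, ATTACKER, True),  # Alice approves the attacker
    _log(100, 3, COLL_A, BOB, ATTACKER, True),    # Bob approves the attacker
    _log(101, 1, COLL_A, ALICE, MARKET, True),    # legitimate marketplace approval, ignored
    _log(102, 0, COLL_A, BOB, ATTACKER, False),   # Bob revokes, so he is no longer exposed
    _log(103, 2, COLL_B, CAROL, ATTACKER, True),  # Carol exposed on a second collection
]

if __name__ == "__main__":
    for collection, owners in sorted(exposed_owners(SAMPLE_LOGS, [ATTACKER]).items()):
        print(collection, sorted(owners), "revoke with:", revoke_calldata(ATTACKER))
```

In a real engagement the log entries would come from an archive node or indexer filtered on the attacker's operator address, and the revoke calldata would be shared with victims to submit against each affected collection.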
Case Study: Responding to a Private Key Compromise of a Web3 Gaming Treasury
Industry: Blockchain Gaming (GameFi)
Client Overview: A well-funded Web3 gaming studio with a live play-to-earn title. They managed a large treasury of their native game token and stablecoins in a Gnosis Safe multi-sig wallet, intended for ecosystem development and player rewards.
"Seeing our treasury wallet being drained was terrifying. We suspected a compromised key but couldn't prove it. Errna methodically secured our remaining assets, identified the compromised individual through forensic analysis, and guided us in setting up a far more secure custody solution. Their professionalism turned a potential company-ending event into a crucial security upgrade."
- Carter Fleming, CTO, Web3 Gaming Studio
The Problem
The company's 3-of-5 multi-sig treasury wallet was compromised. An attacker, having gained control of one of the key-holder's private keys, initiated a transaction to change the wallet's ownership structure, successfully tricking two other signatories into approving it. This gave the attacker full control, and they began systematically draining the $8M treasury.
Key Challenges
- The compromise was internal, involving a trusted key-holder's credentials.
- The immediate priority was to rescue any funds the attacker hadn't yet moved.
- Identifying which of the five key-holders was compromised was critical but sensitive.
- The company needed to rebuild its entire custody and governance process from the ground up.
Our Solution
Our approach blended rapid on-chain action with careful digital forensics:
- Asset Rescue Operation: We monitored the attacker's wallet. When they moved a large portion of funds to a centralized exchange, we immediately contacted our network at the exchange, providing the transaction hash and evidence, leading to a freeze of $3.2M.
- Digital Forensics: We conducted a forensic analysis of the devices and cloud accounts of all five key-holders. We discovered sophisticated spear-phishing malware on one employee's laptop, which had been used to exfiltrate their wallet's private key.
- Secure Custody Redesign: We architected a new, more robust treasury management system for the client, incorporating hardware security modules (HSMs), institutional-grade custody solutions, and stricter operational security (OpSec) protocols for transaction approvals.
- Evidence Package for Law Enforcement: We compiled a complete evidence package, including the malware analysis and on-chain data, for the client to provide to federal law enforcement for criminal investigation.
Questions?
Frequently Asked Questions
Do not announce it publicly. First, gather your core team in a secure, out-of-band communication channel (like Signal), not your company Slack or Discord. Second, contact us immediately. Third, do not attempt to move funds or alter contracts unless you are 100% certain of what you are doing, as this can alert the attacker and complicate the investigation. Preserve all logs and relevant data.
Our SOC is staffed 24/7/365. For clients on our Emergency Retainer, we guarantee a response and war room setup within 15 minutes. For new clients, we can typically engage and begin initial triage within one hour of the first contact and contract execution.
No one can guarantee 100% recovery, and you should be wary of anyone who does. However, our rapid response, advanced forensic capabilities, and strong relationships with exchanges and law enforcement significantly increase the probability of freezing and recovering a portion, or in some cases all, of the stolen assets. The faster you engage us, the higher the chance of success.
Costs vary depending on the complexity and duration of the incident. We offer two main models: a proactive Emergency Retainer for a fixed monthly fee that provides priority access and reduced hourly rates, and a per-incident emergency engagement which consists of an initial activation fee and subsequent work billed hourly. We provide a clear statement of work and cost estimate after the initial triage.
Yes. We are not a law enforcement agency, but we collaborate closely with them. We prepare detailed, evidence-based forensic reports that are admissible in legal proceedings and provide the technical expertise that law enforcement agencies need to pursue criminal charges and asset seizure warrants against threat actors.
Absolutely. Many Web3 incidents stem from off-chain security failures like compromised keys, phishing, or malware. Our team includes digital forensics experts who can analyze devices, logs, and cloud services to determine the root cause of the key compromise, alongside our on-chain team who will trace the resulting fund movements.
Under Attack? Every Second Counts.
Don't wait for the damage to escalate. Our expert Web3 Incident Response team is on standby 24/7 to help you contain the threat, trace the funds, and begin the recovery process. Contact us now for immediate, confidential assistance.