What to Do If You Suspect a Security Incident
If you believe your BitGo account, wallet, or API access token may have been compromised — or if you notice unauthorized activity — take immediate action. Speed is critical. The steps below will help you contain the situation, preserve evidence, and work with BitGo to secure your account.
IMPORTANT: bitgo.com is our only home page. No one from BitGo will contact you outside of the @bitgo.com alias. When in doubt, you can always reach out directly to the support@bitgo.com team to ask whether a message is from someone associated with BitGo.
Signs of a Potential Security Incident
You should follow this guide if you observe any of the following:
- Transactions you did not authorize
- Login alerts or session activity from unfamiliar locations or devices
- Suspicious emails, phishing attempts, or social engineering targeting your BitGo credentials
- A team member's account or device may have been compromised
- API access tokens that may have been exposed or leaked
- Unexpected changes to wallet policies, user permissions, or whitelisted addresses
Step 1: Freeze Your Wallet(s)
If you suspect a wallet has been compromised, freeze it immediately. Freezing prevents BitGo from co-signing any outgoing transactions on that wallet.
- Navigate to the affected wallet in the BitGo UI.
- Go to Settings (accessed via the three dots in the top-right corner of the wallet page).
- Click Freeze Wallet.
- Select a freeze duration and confirm.
Note: Freezing a wallet prevents BitGo from co-signing transactions. However, if an attacker has obtained both your user key and your backup key, they could sign transactions without BitGo's involvement. This is why securing your keys and using strong access controls is essential.
Step 2: Freeze Your Enterprise (if needed)
If the compromise may affect multiple wallets or users across your organization, freeze the entire enterprise. This stops BitGo from co-signing any transactions for all wallets under that enterprise.
If the enterprise freeze option is available in your Enterprise Settings in the BitGo UI, use it to freeze your enterprise and select a duration. If you freeze indefinitely, the enterprise will remain frozen until you complete video ID verification with BitGo to lift the freeze.
Step 3: Revoke Compromised API Access Tokens
If you suspect an API access token has been exposed or is being used by an unauthorized party, delete it immediately.
- Log in to the BitGo UI.
- Go to Personal Settings > Access Tokens.
- Identify the compromised token and delete it.
Note: You will need an active login session to delete an access token — an API token cannot delete another API token. After deleting the compromised token, create a new token with appropriate scopes and IP restrictions.
Best practice: When creating replacement tokens, always apply IP address whitelisting, use the minimum scopes necessary, and set a reasonable expiration.
Step 4: Secure Your Account Credentials
Take these steps to prevent further unauthorized access:
- Reset your BitGo login password. Go to Personal Settings > Authentication > Update Password to change it.
- Secure your email account. Change the password on the email address associated with your BitGo account. Enable 2FA on your email if you haven't already.
- Review the 2FA for your BitGo Account. If you suspect it has been compromised, go to Personal Settings > Authentication > 2-Factor Authentication to remove the compromised device and set up a new one.
- Review user access. Check the list of users on your enterprise and wallets. Remove any users who should no longer have access or whose accounts may be compromised.
Step 5: Contact BitGo Support
Report the incident to BitGo Support as soon as possible — ideally in parallel with the containment steps above. Our contact and 24x7 emergency escalation process can be found here
Step 6: Preserve Evidence
Before making further changes to your account, document what you can:
- Generate a User Access Review (UAR) Report. This is a clean snapshot of who has access to an org: every member, their roles, email, and date added. It was built for compliance and audit reviews, and you can filter by date range and export. To access UAR Reports, go to "Reports" → "+New Report" → "+User Access".
- Note any unauthorized transaction IDs and the wallet addresses involved (both sending and receiving).
- Record the approximate time you first noticed suspicious activity.
- Save any suspicious emails, login alerts, or communications you received.
- Take screenshots of unexpected account changes (policy modifications, new users added, etc.).
This information will help BitGo's team investigate the incident and will be important if you need to involve law enforcement.
Step 7: Conduct an Internal Investigation
After containment, review your organization's security posture:
- Determine how the compromise occurred (phishing, credential leak, insider threat, compromised device, etc.).
- Identify which wallets, users, and systems were affected.
- Assess whether any funds were lost or are at risk.
- Depending on the severity and your jurisdiction, consider involving local law enforcement.
Account Recovery
Once the incident has been contained and investigated, BitGo Support will work with you to restore access to your account. This process typically involves:
- Verification of your identity through video ID verification with an organization owner or authorized signer.
- Confirmation that remediation steps (password resets, 2FA changes, user access review) have been completed.
- Lifting of any wallet or enterprise freezes.