HELP! Victim of sweeper bot help please!

I have 2 (two) nodes on Allnodes:
#ETH001 of 32 ETH created on 07.02.2022
#RPL001 of 16 ETH created on 07.02.2022

My wallet address is:

A couple of hours ago today I just received this notification from Allnodes on Telegram:
:arrows_counterclockwise: Withdrawal changed for #RPL001
Old: 0x47730…c5f8550 ( (Node Address)
New: 0x60d8E…8bc194f (

Without really understanding the situation, I went to the computer and urgently opened my wallet (I had some ETH there), to my surprise the balance in ETH had disappeared.
In my Metamask wallet. there is only my RPL. I think my ETH was stolen and whoever did it also changed the withdrawal address of node #RPL001, but they didn’t touch my RPL.
So I made a transfer of some ETH to that wallet to be able to pay the commission to protect my RPL but oh surprise, I barely transferred about 0.005 ETH, in less than 3 seconds they flew to another wallet. It was instant!

Well, I remember that when I made the first #ETH001 node of 32 ETH, I did it from my Metamask wallet
0x47730Ef452712168a1d05f4E5c4c123dcc5f8550 and that on that occasion I did it with the help of a Youtube tutorial but I also remember that some “validation keys” were created in the process and that Windows PowerShell also threw a mnemonic (seed phrase) that I wrote on a piece of paper that I have with me . Likewise, a “JSON file” encrypted with a password that it owns (on another computer) was also generated.

When I made the second node #RPL001 of 16 ETH I also did it from my Metamask wallet 0x47730Ef452712168a1d05f4E5c4c123dcc5f8550 and a password-encrypted “JSON file” was generated (which I also have on another computer).

  1. What could have happened here…?
  2. My 2 (two) nodes are compromised, since I created them with the same Metamask wallet address 0x47730Ef452712168a1d05f4E5c4c123dcc5f8550?
  3. Should I assume that I just lost the ethereum from my wallet, the 16 ETH node or also the 32 ETH node…?
  4. Why is the ETH remote automatically transferred to that wallet?
  5. What can I do about it?
  6. I have a “Ledeger Nano S” in which I store some BTC. can i use that same ledger to import my metamask wallet? Will doing so not affect the security of my Ledger? I don’t want my BTC to be stolen.
  7. Of course, I have the seed of that Metamask wallet, if I import it with it, would Ledger have full control of the wallet again?
  8. When I looked at the 16 eth minipool, I realized that the thief changed the withdrawal address to his own. How do I change it again, considering that the thief had access to my wallet?

I think I’ve been a victim of sweeper bot :sob: :sob: :sob:

I’m really sad, I hope you can help me.


I’m very sorry you’re going through this, but I think you’re out of luck.

Only the current withdrawal address can change the withdrawal address. This is an important security feature with the withdrawal address being the ultimate line of defense.

The only thing I can think of is negotiating with the hacker to get back something. For example, if they send you X, then you’ll exit and if not you’ll let the validator leak forever.

I think your 32 eth validator is safe, as it does not appear to be a rocket pool validator.

You should, as soon as you can, look into CLWP and updating from 0x00 to 0x01 withdrawal credentials. Make sure to use a secure wallet (ideally a hardware wallet).

Unfortunately, the 16 eth validator is likely lost, as @Valdorff mentioned.