Wallet Drainers: One Approval Click and Everything Is Gone
Wallet drainers turn routine approvals into asset theft through phishing kits, permits, delegation, and weak wallet UX.
There is a very human comedy about wallet drainers, and it is not a comedy of excesses because no one laughs. Years of industry sermons have taught users to tolerate browser warnings, wallet warnings, dApp warnings, token approval confirmations, blind signatures – the price to be paid for playing in Web3. Ethereum’s much-acclaimed delegate primitive was supposed to make everyone’s life easier until it became apparent that most of the mainnet delegation contracts were not account abstraction contracts after all but wallet sweepers. The security theater trainers taught their audience that no free crypto airdrop would be claimed without a permissionless signature on chain while turnkey wallet theft kits vendors marketed their round-the-clock support as a superior checkout experience for crypto evildoers.
There is always one metric that kills delusional optimism in the long run, and Scam Sniffer’s report this year demonstrated that with wallet drainer losses amounting to almost 500 million. The number of addresses initiated such attacks in 2024 is 2024 – 332 thousand. Next year’s numbers demonstrate a clear pattern as reported drainer phishing damage decreased by over eighty percent YoY to 83.85 million with an almost identical ratio in the reduced number of affected accounts.
Losses skyrocketed once again when memecoins and associated ETH transactions volume growth ramped up but the same moderation happened when the next wave of scams came. The smaller average loss per victim, still relatively substantial over 790 USD, shows how much the industry is willing to profit from the small-time actors at the bottom of the pyramid.
This is the reality that no security-marketing shill wants to admit: the ecosystem’s safety theater and the black-market infrastructure industry are two sides of the same coin. Some LinkedIn CVs list years of experience in safe custody, transaction simulations, and phishing detection while others mention drainer kit development, phisher bootcamp attendance, and Discord moderator gigs. An industry insider can quite reasonably update their résumé every six months to feature EIP-7702 permissionless phishing permit expertise and chainalysis-evading airdrop scam skills alongside their former auditing and smart contract security expertise if they switched from a crypto safety promoter to a dark web entrepreneur. This is the talent pool where everyone knows everyone, and every phishing farmer has a Tier-1 exchange employee to whom they can hand over a few hundred thousand USD in Ethereum to get them started in the business.
Users seldom become victims of scams because they are stupid but rather because the required confirmation window appeared too friendly. Wallets do not bother you with transaction details; instead, they remind you to subscribe to their newsletter while, in the background, detaching proxies, transferring NFTs, delegating execution rights, or approving the infinite spender. Crypto culture preached digital freedom and self-custody as the ultimate sovereignty unless the user is a fraudster themselves, but permissionless protocols now punish their native tokens’ holders with a deluge of permissionless approvals and permissionless smart contract executions every time one of their favorite projects launches a governance token or NFT collection.
Your amateur friend will tell you, in their nascent Web3 enthusiast conviction, that their “bank,” the mobile app with a red logo, has never been hacked, while your EIP-4844 experience is permanently shadowed by the five hundred and fifty thousand DAI loss in the flash loan attack. They are correct to assume that the permissionless self-custody dogma is not an adequate security measure for the ordinary Web3 user interacting with ordinary permissionless smart contracts, the kinds that regularly leak tokens or have zero-day exploits in their front-end code. The same EIP-7702 permit delegate that is the reason for half of the 2024 scams could, if executed correctly, allow the user to batch several transactions with approvals for the same chain for a fraction of the gas cost per account. The same TRON Energy mechanism that makes you think twice before sending ten USDT can, if executed correctly, allow a business to process hundreds of such transactions for the price of one.
Kits, Permits, and Delegation
The drainer market is best understood as a software industry, with potential customers being limited to known criminals. Inferno, Pink Drainer, Angel, Venom, Monkey, MS Drainer, Ace, and several other families are the providers, and their services consist of phishing websites, wallet detection scripts, asset scanning, smart contracts, panels, analytics, affiliate systems, and payouts to operators. In the most developed products, the customer receives an option to claim a portion of the proceeds directly from the victim’s address, usually between 15% and 30%. Researchers analyzing the Drainer-as-a-Service space on Ethereum found thousands of accounts profiting from the theft economy via known contracts, with Angel, Inferno, and Pink being the most prominent.
This creates a particular incentive structure for the drainer industry; one that rarely puts entire livelihoods at risk. One person may be responsible for creating and maintaining the phishing website, while another may handle the backend operations or be tasked with finding new victims. If an attacker manages to embed a fraudulent link in a project’s social media post or gain access to the company’s advertising budget, the rest is relatively straightforward: the wallet drainer kits handle most of the operations, including the display of the phishing page, the scanning of the user’s assets, and the collection of the proceeds. The victim count and conversion rate can be monitored, and a skilled attacker can analyze the performance of the campaign in detail, trying to identify the most effective messenger, channel, content, and timing. The support desk for the criminals is not an option or a ticket but a real person who assists other actors in the ecosystem in maximizing their profits from the drainer.
Permit-type approvals are one of the most impressive showcases of the infrastructure layer’s capacity to empower crooks while also providing value to honest participants. A regular token approval is a permissionless allowance of a spender to withdraw a certain amount of funds from the owner’s address, while a permit signature is a signed message that serves the same function but is submitted directly to the contract upon claiming the reward. In practice, the latter removes the need for an additional on-chain transaction and is therefore useful in gas-sensitive scenarios. The same design can be abused to circumvent security checks in a phishing domain by substituting a regular transaction with a signed message that appears to be harmless.
Permit2 is an interesting development because it empowers users to conduct more complex operations with greater flexibility, including spending tokens as the owner would, delegating execution, and routing transactions through trusted but not verified accounts. Users who have permitted such actions for a reliable contract can be victimized when a drainer impersonates it via a permit signature.
The EIP-7702 account delegation is a powerful feature that has already demonstrated its capacity to inflict damage in the hands of miscreants. The proposed standard is beneficial in many ways, allowing EOA accounts to enjoy some of the advantages of smart wallets without adopting their risk profile, but the attacks it enables are no less compelling. When a user delegates account execution to a contract, they begin routing all transactions through it, executing arbitrary code in the process. Similar to permit-based drainers, attackers can use EIP-7702 to redirect victim funds with minimal friction, exfiltrating the proceeds through the account delegate.
A drainer’s 7702 account compromise is effectively a 7702 account burn, with few options for salvage beyond the immediate transfer of assets to a new address. The user should treat the affected account as compromised, with all permissions revoked and balances transferred to the extent possible, and move on to a new seed, a new device, and a new set of allowed chains. These are inconvenient truths, but the alternative, the endless cycle of chain hopping in the hopes of recovering funds, is even worse. The average user should not have to navigate the technical debt of post-exploit account migration. They should not have to ponder the security implications of their wallet upgrades. In essence, people should not have to be crypto experts, which is the reason why they entrust their assets to multisignature contracts, hardware devices, and other specialized solutions. When it comes to account delegation and EIP-7702, the same principles should apply: the approval to delegate execution to another contract should be considered a transaction that permanently increases your attack surface.
Ethereum’s Preeminence and TRON Infrastructure
Ethereum retains its dominance in the high-value wallet drainer space because of the concentration of assets, DeFi positions, NFTs, and permissions in its ecosystem. Scam Sniffer’s on-chain tracking is just one example of the security space’s focus on Ethereum, as most industry reports note a higher number of affected addresses or larger losses for the chain during peak seasons. At the same time, TRON’s stablecoin infrastructure is better positioned to facilitate daily payments, exchange deposits, OTC purchases, and everyday remittances. Users seeking to minimize costs, including gas costs on Ethereum or Energy and Bandwidth on TRON, can use on-chain stablecoins as a medium, taking advantage of large programmatic deposits. This makes all parties – honest users, criminals, and legitimate businesses – dependent on the TRON Energy system, with its predictable consumption rates for every transaction.
Inferno Drainer is the most prominent example of the drainer-as-a-service business model, with many users falling victim to its phishing services over multiple chains. Group-IB attributed the operation to a known multichain scam group that deployed thousands of fraudulent domains in the process. Scam Sniffer’s report documents over $80 million in losses across the first wave of Inferno-related scams, with the company announcing its shutdown in late-2023. Check Point Research subsequently uncovered several ongoing campaigns utilizing the same infrastructure, which rebranded as Inferno Reloaded in early-2024, with improved evasion techniques.
According to Check Point’s research, there were over 30,000 wallets that suffered losses in one of the six-month campaigns, with at least $9 million in combined damages.
As expected, the infrastructure used in the scam was hardened against detection and analysis. The researchers noted that the C2 infrastructure was obfuscated or hidden behind proxy services operated by customers, while cashout addresses were regularly rotated to stay ahead of blocklist updates. Single-scam smart contracts were also used to distribute funds and evade monitoring, with one campaign observed impersonating a legitimate Collab.Land project during the verification process.
The Ledger Connect Kit campaign is the perfect showcase for the ways in which drainer phishing can affect honest users. In one of the incidents, an employee of Ledger was tricked into authorizing Ledger Connect Kit contracts, which subsequently distributed the drainer code to the affected apps. The Ledger incident report confirmed the presence of Angel Drainer malware in the affected kits, which used an 85/15 split between the exploiter and the drainer service. With over $600,000 in funds affected, the company announced its move away from blind signing toward more transparent practices.
This is one of the most pertinent showcases of the ways in which users can be affected by phishing: in this case, the drainer operators did not need to rely on fake domains or display deceptive messages. The victim was interacting with a legitimate Web3 interface but signed an unauthorized transaction during a period when their wallet was busy with other operations. Users are unlikely to review each signature as they would a contract interaction, and the fraudster only needs one moment of carelessness to remove a considerable sum from a victim’s address.
The largest on-chain loss attributable to a drainer in 2024 provides additional context for the challenges faced by users interacting with DeFi applications. In one of the incidents, a DeFi Saver and Maker vault owner signed a fraudulent transaction that transferred control of their DSProxy contract to a phishing address, which then attempted to steal the position and mint DAI. Scam Sniffer and SlowMist researchers linked the attack to the Inferno drainer ecosystem. Again, the victim of this attack is unlikely to have been deceived by a fake website, but the impersonated address managed to convince the user that the transaction was legitimate, ultimately stealing their assets with a single signature.
There is no need to imagine a dramatic narrative around this user, since the blockchain records tell a similar story. The attacker simply changed the proxy address for a DeFi position and redirected the victim’s funds to their own address. The chain itself will be the judge of whether this is fraud or not, but the user will not have an easy opportunity to reverse this transaction. This is the price paid by anyone who wants to engage in DeFi without accepting the risks of the space.
On-chain loss data plays a critical role in understanding the scale of the issue and prioritizing response measures, but it is also instructive to consider the infrastructure that makes these attacks possible. Academic and industry-led research into the Drainer-as-a-Service space has revealed numerous shared characteristics among the known wallet sweepers, including those utilizing permit-type approvals. In particular, researchers identified thousands of phishing domains that used similar kits to collect user funds before distributing them to known wallets. Similar patterns were observed at the smart contract level, with many drainer services utilizing shared code or infrastructure. When Tether and TRON teams collaborated with Chainalysis to conduct Operation Spincaster, they were able to uncover over 7,000 leads that ultimately helped freeze illicit assets, with several exchanges and users being able to recover significant funds. One of the reported successes was a timely intervention that prevented a six-figure loss by prompting the user to revoke the fraudulent approval. Example of an ad for such service on some shady website as usual (almost surely a scam on its own):
This is an appropriate conclusion for a discussion about wallet drainers, an industry that exemplifies the decentralized ethos of Web3 in all its beauty and ugliness. When you operate on a blockchain, you are responsible for securing your assets, and the moment you lose control of your wallet, you are expected to know exactly what to do next. It is not the fault of the ecosystem, which only facilitates interactions between users, that phishing has become so prevalent or that signatures are often weaponized by fraudsters. However, it is also true that the permissioned transactions rarely come with context, and the user is expected to have the technical proficiency to understand the implications of every on-chain movement. Even the most basic aspects of account security, such as regular wallet upgrades or hardware seed storage, are optional for everyone but realistic for few. The same ethos applies to account delegation or permit approvals: no matter the use case, the signature should be regarded as a financial transaction, with its consequences carefully weighed by the sender. There is no single action that prevents all scams and exploits, but the better-designed interfaces do make it harder for the victim to be surprised by the outcome.
Incentives, Regulation, and Last Click
The drainer industry is not driven by technical innovation but by demand: developers seek to maximize recurring revenue from fraudulent activity and affiliates, while platforms attempt to drive traffic and liquidity to their ecosystem. In particular, phishing campaigns are motivated to acquire new victims and encourage them to deposit funds on the targeted platform. Projects promote their services while limiting the visibility of their fake moderators and phishing domains, while users are lured with promises of tokens, whitelist spots, early access to products, and other rewards. FOMO is the most dangerous concept in crypto, and it greatly informs the behavior of scammers, who know that the best way to profit from an asset’s rise is to convince people that they have missed out on the opportunity. Pickpockets, ATM skimmers, and other traditional fraudsters operate on the same principle: they target the most prominent locations with the highest concentrations of potential victims.
Approval-based phishing strikes at the heart of self-custody by separating the persuasion from the execution. In a traditional bank heist, the victim may be convinced to send money to a fraudulent account, but they are still aware that the funds are leaving their account. Meanwhile, in a drainer scam, the victim is persuaded to give permission to move funds, which is a far more difficult concept to grasp in a philosophical sense. In practice, the victim may be completely unaware of the circumstances of the transaction, especially if it was initiated as part of an airdrop or a phishing domain that masqueraded as a legitimate service. The user may lose tokens, NFTs, proxy ownership, or account access with a single click of the wallet confirmation button, while the drainer receives their cut of the proceeds with equal ease.
Regulation can help in several ways but rarely eliminates the opportunity for exploitation. Know Your Customer procedures can hinder the ability to drain funds from a victim, especially if they hold substantial assets on an exchange, while domain seizures and hosting shutdowns can limit the options for would-be criminals.
Similarly, on-chain monitoring can identify suspicious transactions, enabling exchanges to freeze assets or inform victims of phishing attempts. In the stablecoin space, the issuance of new tokens can be curtailed when the recipient account has been identified as fraudulent or compromised, reducing the ability to move value across platforms. The involvement of regulators and private investigators, such as in the DOJ’s recent $225M USDT civil forfeiture complaint, can generate additional pressure on the perpetrators, preventing them from spending the ill-gotten gains or threatening further legal action. In practice, stablecoin blacklisting, chain analysis, exchange takedown, and asset freezing measures can greatly reduce the appeal of a drainer campaign, but they rarely eliminate the opportunity for fraud.
Regulatory crackdowns will encourage drainers and their affiliates to adopt new methods, tools, and jurisdictions to continue their activities. In particular, domains associated with phishing services are often rotated, with the operators employing multiple frontends to avoid detection. The same applies to the technical infrastructure used by drainers, with command servers hosted in jurisdictions with lax digital privacy laws and few oversight mechanisms. Even when a drainer’s website is taken offline or incorporated into a larger scam ecosystem, the operators are likely to find alternative ways to collect user funds and distribute them to their wallets. In many ways, law enforcement efforts only serve to increase the overall costs of a scam, without fundamentally disrupting the core economics of the operation. As long as there are users willing to invest time and money into crypto projects, there will be individuals who seek to benefit from their enthusiasm, whether by exploiting their wallets directly or manipulating them via phishing domains and fake social media accounts.
Wallet UX reform may be the most meaningful form of regulation, as it encourages users to operate securely while still enjoying the benefits of self-custody. In particular, a responsible wallet should clearly communicate to the user that a signature grants the recipient full permission to spend the specified amount of USDT, all of the tokens in a particular NFT collection, or modify a proxy address. It should make them aware that an account delegate may give unlimited authority to another contract, possibly on a different blockchain, and that a permit-type approval may last indefinitely or use EIP-7702 to extend these permissions in the future. Ideally, the wallet should highlight the value, token standard, quantity, destination address, expiration date, and chain for every signature, allowing the user to review the implications of the transaction.
Furthermore, the wallet should help the user contextualize the transaction and recognize when something is amiss. If the contract address is not familiar to the user, they should ask themselves whether they intended to interact with it. If the amount being signed is inconsistent with previous transactions, the user should double-check the details. If the request appeared out of context or the wallet interface looks different from usual, the user should be especially careful. People who engage in more complex financial activities using their crypto wallets, including staking, NFT trading, and DeFi interactions, are the ones who should pay particular attention to these nuances. As a general rule, their wallets should be secured with hardware, multisignature features, and other institutional-grade tools, and they should have an alternative signing method ready for use when necessary.
Users should not be heroes in the war against fraudsters. The best thing they can do is to operate safely, assuming that every interaction that requires a signature may be fraudulent. They should treat “verify wallet” prompts and airdrop claims with suspicion and carefully consider every wallet permission. In particular, requests for seed phrases should always be rejected, as they represent an immediate attempt to steal the user’s assets. The same caution should be exercised with EIP-7702 account upgrade prompts, as they can be used to compromise the wallet in a matter of seconds.
Crypto security resembles a bank heist movie in many ways, with users being portrayed as the vulnerable protagonists easily deceived by fraudsters. This is not an accurate reflection of reality, as self-custody wallets are essentially the digital equivalent of cash – they are as secure as the owner is responsible in holding them. Traditional banks and financial institutions are frequently the victims of fraud, but it is rarely because the average user is financially illiterate or unprepared to protect their assets. On the contrary, banks are attractive targets precisely because they hold large sums of money, and even a seemingly insignificant error on the part of an employee can lead to a heist. In the same way, every signature in a crypto wallet should be reviewed carefully, as it can be the difference between a routine transaction and the irreversible loss of funds.
There is also a mundane user-facing side to security, found in the details of actual operations, not headline events. Smart users considering a TRON transaction using Tether will care about how much it costs as much as about some attack surfaces; if you are not in the business of claiming some mythical "claim button", but rather have real money transfers on your mind, Netts Pricing is one of those mundane services that serve this exact purpose. It allows you to estimate the costs of renting Energy on TRON, with rates aggregated across providers, see the time-dependent offers, including 1-hour, 5-minute Energy windows, associated fees, and have an alternative in case one provider declined your order. As of the snapshot moment, 65 thousand Energy for a single USDT transfer on the ramp spot cost approximately 1.690 TRX, with cheaper off-peak hours options available; this is the type of detail an honest user would research before actually trying to make some "claim now" scam.