What is a wallet drainer?
If you've not heard of it then that's likely a good thing, as it means you haven't (yet) been hit by one!
Simply put, it's the tech used when a bad actor drains everything from your wallet: your ETH, those NFTs you'd forgotten were in there from 2022, and all those random tokens which are now worth $0.01.
The process behind wallet draining typically follows a few steps:
1. They lure you in
- Using fake airdrops advertised on Twitter
- Putting phishing links behind paid adverts on Google
- Emailing you suspicious links in any of the myriad campaigns I see and write about weekly!
Their whole aim is to get you to click a link, and then they can start step 2.
2. They get you to connect your wallet and sign a dodgy transaction
Once you're on their expertly crafted phishing website, everything will be optimised to get you to hit that "Connect wallet" button and sign into your Metamask/Rabby/Rainbow wallet, because once you do, a seemingly innocent "signature request" will pop up and, if you click it, will put the wallet draining into action.
That's because what is built to look like a simple signature request revealing your cryptocurrency address to the website is actually hiding much more nefarious actions.
It's likely instead to be one of the following functions:
- approve(spender, amount) where the amount is set to uint256.max, which grants the malicious actor unlimited spending access to all your ERC20 tokens.
- setApprovalForAll(spender, true), which allows the scammer to transfer all your NFTs
- transferFrom(), which simply sends assets from your account to theirs
You should definitely keep a wary eye out for any of these functions when signing a transaction, or in your wallet extension if you're connecting to a crypto website. However, bad actors try to make this glance check harder by using misleading UI labels to fool the browser extensions, inflating the calldata with lots of metadata to make it harder to see the wood for the trees, and even using sneaky tactics like self-destructing smart contracts to hide their activity.
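To show what that "glance check" looks like when done properly, here is an added example (it is not code from the original post or from any wallet vendor) that decodes the raw calldata of a pending transaction and flags the three approval/transfer functions listed above. It works from the 4-byte function selector and the fixed 32-byte argument words, so junk appended after the real arguments (the "inflated calldata" trick) is detected and reported rather than hiding the approval. The selectors are the standard ERC-20/ERC-721 ones; the victim and attacker addresses and the calldata strings are constructed for this example.

```python
# Standard ERC-20/ERC-721 function selectors: the first 4 bytes of
# keccak256(signature). Hard-coded so the script needs no keccak library.
SELECTORS = {
    "095ea7b3": "approve(address,uint256)",
    "a22cb465": "setApprovalForAll(address,bool)",
    "23b872dd": "transferFrom(address,address,uint256)",
}
UINT256_MAX = 2**256 - 1
WORD = 32  # every static ABI argument occupies one 32-byte word


def arg_count(signature: str) -> int:
    """Number of arguments declared in 'name(type,type,...)'."""
    inner = signature[signature.index("(") + 1:-1]
    return len(inner.split(",")) if inner else 0


def to_address(word: bytes) -> str:
    """An address is right-aligned in its 32-byte word: keep the last 20 bytes."""
    return "0x" + word[-20:].hex()


def inspect_calldata(calldata: str, my_address: str) -> dict:
    """Classify calldata from the signer's point of view.

    Returns the decoded function (or None), a risk of 'high', 'review' or
    'unknown', whether bytes were appended after the declared arguments,
    and human-readable reasons."""
    data = bytes.fromhex(calldata.lower().removeprefix("0x"))
    me = my_address.lower()
    result = {"function": None, "risk": "unknown", "padded": False, "reasons": []}
    if len(data) < 4:
        result["reasons"].append("calldata shorter than a 4-byte selector")
        return result
    selector = data[:4].hex()
    name = SELECTORS.get(selector)
    if name is None:
        result["reasons"].append(f"selector 0x{selector} is not a known approval/transfer function")
        return result
    result["function"] = name
    n = arg_count(name)
    args = data[4:]
    if len(args) < n * WORD:
        result["reasons"].append("calldata too short for the declared arguments")
        return result
    words = [args[i * WORD:(i + 1) * WORD] for i in range(n)]
    # Bytes after the declared arguments are ignored by the contract, so an
    # attacker can append junk to bury the real arguments in a wallet's UI.
    result["padded"] = len(args) > n * WORD
    if result["padded"]:
        result["reasons"].append(f"{len(args) - n * WORD} extra bytes after the arguments (padded calldata)")
    if name.startswith("approve"):
        spender, amount = to_address(words[0]), int.from_bytes(words[1], "big")
        result["risk"] = "high" if amount == UINT256_MAX else "review"
        what = "unlimited allowance" if amount == UINT256_MAX else f"allowance of {amount}"
        result["reasons"].append(f"{what} granted to {spender}")
    elif name.startswith("setApprovalForAll"):
        operator = to_address(words[0])
        approved = int.from_bytes(words[1], "big") != 0
        result["risk"] = "high" if approved else "review"
        result["reasons"].append(f"operator {operator} may transfer every NFT in the collection"
                                 if approved else f"revokes operator {operator}")
    elif name.startswith("transferFrom"):
        src, dst = to_address(words[0]), to_address(words[1])
        value = int.from_bytes(words[2], "big")
        result["risk"] = "high" if (src == me and dst != me) else "review"
        result["reasons"].append(f"moves asset/amount {value} from {src} to {dst}")
    return result


# Constructed sample data (not real addresses or transactions).
MY_ADDRESS = "0x" + "11" * 20   # the victim's own account
ATTACKER = "0x" + "ab" * 20     # the drainer's address


def _word_addr(addr: str) -> str:
    """Left-pad an address to a 32-byte hex word."""
    return "00" * 12 + addr[2:]


APPROVE_UNLIMITED = "0x095ea7b3" + _word_addr(ATTACKER) + "ff" * 32
APPROVE_PADDED = APPROVE_UNLIMITED + "00" * 96  # same call with 96 junk bytes appended
SET_APPROVAL_ALL = "0xa22cb465" + _word_addr(ATTACKER) + "00" * 31 + "01"
TRANSFER_FROM = "0x23b872dd" + _word_addr(MY_ADDRESS) + _word_addr(ATTACKER) + "00" * 31 + "2a"

if __name__ == "__main__":
    for label, cd in [("approve", APPROVE_UNLIMITED), ("approve+padding", APPROVE_PADDED),
                      ("setApprovalForAll", SET_APPROVAL_ALL), ("transferFrom", TRANSFER_FROM)]:
        r = inspect_calldata(cd, MY_ADDRESS)
        print(f"{label:18} risk={r['risk']:7} {r['function']} :: " + "; ".join(r["reasons"]))
```

The point of the `padded` flag is that the decoder anchors on the selector and the first N words, exactly as the contract does; everything after them is noise, so the approval is just as dangerous whether or not an attacker pads the calldata.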
The new account abstraction-related functionality in EIP-7702 (included in the recent Pectra upgrade on Ethereum) also brings a new attack vector to watch for. This EIP (Ethereum Improvement Proposal) gives normal Ethereum accounts (referred to as EOAs, Externally Owned Accounts) smart-contract-like abilities without being smart contracts themselves. One aspect of this is the ability to delegate certain controls for your account to other services or accounts. This is useful when wanting to set up subscriptions, do batch transactions, allow services to do repeat activity etc.; however, attackers could look to exploit this delegation behaviour by creating malicious services or products and prompting you to sign what looks like a specific delegation but is actually using the SetCode function to delegate full control to the bad actor.
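As an added example of the defender-side check that paragraph calls for (this is not code from the original post or from any wallet), the block below does two things with EIP-7702 delegations: it decodes the delegation designator the EIP writes into an account's code (the 3-byte prefix 0xef0100 followed by the 20-byte delegate address), so you can see who an account is currently delegated to, and it screens an authorization tuple (chain_id, address, nonce) before it is signed, blocking delegates that are not on an allowlist and authorizations whose chain_id is 0 (which the EIP treats as valid on every chain). The allowlist, the sample addresses and the sample code bytes are constructed for this example.

```python
DELEGATION_PREFIX = bytes.fromhex("ef0100")   # EIP-7702 delegation designator prefix
ZERO_ADDRESS = "0x" + "00" * 20                # delegating to this clears the delegation


def parse_delegation(code: bytes):
    """Return the delegate address if `code` is an EIP-7702 designator, else None.

    A delegated EOA's code is exactly 23 bytes: 0xef0100 || address. Anything
    else (empty code, ordinary contract bytecode) is not a delegation."""
    if len(code) == 23 and code[:3] == DELEGATION_PREFIX:
        return "0x" + code[3:].hex()
    return None


def screen_authorization(auth: dict, allowlist: set, expected_chain_id: int) -> dict:
    """Screen an authorization tuple before signing it.

    auth = {"chain_id": int, "address": str, "nonce": int}. The allowlist is a
    hypothetical set of audited delegate contracts the user has opted into."""
    delegate = auth["address"].lower()
    if delegate == ZERO_ADDRESS:
        # Setting the delegate to the zero address removes the delegation,
        # which is the safe direction and never needs to be blocked.
        return {"verdict": "allow", "delegate": delegate, "reasons": ["clears existing delegation"]}
    reasons = []
    if auth["chain_id"] == 0:
        reasons.append("chain_id 0 makes the authorization valid on every chain")
    elif auth["chain_id"] != expected_chain_id:
        reasons.append(f"authorization is for chain {auth['chain_id']}, not {expected_chain_id}")
    if delegate not in {a.lower() for a in allowlist}:
        reasons.append(f"delegate {delegate} is not an allowlisted contract")
    return {"verdict": "block" if reasons else "allow", "delegate": delegate, "reasons": reasons}


# Constructed sample data (not real contracts or addresses).
AUDITED_DELEGATE = "0x" + "aa" * 20
ATTACKER_DELEGATE = "0x" + "ab" * 20
ALLOWLIST = {AUDITED_DELEGATE}
MAINNET = 1

SAFE_AUTH = {"chain_id": MAINNET, "address": AUDITED_DELEGATE, "nonce": 7}
# What a drainer's "specific delegation" prompt could actually carry: full
# control to the attacker's contract, valid on every chain.
MALICIOUS_AUTH = {"chain_id": 0, "address": ATTACKER_DELEGATE, "nonce": 7}
REVOKE_AUTH = {"chain_id": MAINNET, "address": ZERO_ADDRESS, "nonce": 8}

DELEGATED_CODE = bytes.fromhex("ef0100" + "ab" * 20)  # an account already delegated to the attacker
PLAIN_CODE = bytes.fromhex("6080604052")              # ordinary contract bytecode, not a delegation

if __name__ == "__main__":
    for label, auth in [("safe", SAFE_AUTH), ("malicious", MALICIOUS_AUTH), ("revoke", REVOKE_AUTH)]:
        r = screen_authorization(auth, ALLOWLIST, MAINNET)
        print(f"{label:9} {r['verdict']:5} " + "; ".join(r["reasons"]))
    print("current delegate:", parse_delegation(DELEGATED_CODE))
```

Reading the current delegation out of the account code is also how you would audit your own accounts after the fact: if `parse_delegation` returns an address you do not recognise, the EOA has already been handed to someone else's contract.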
3. They take everything
If you do sign the dodgy transaction then you might watch as your entire wallet contents disappear to a new location:
The result of an entire NFT collection being drained after signing a malicious transaction, with padded calldata to try to hide the true nature of the function
However, not all wallet drainers will act right away. Some will deliberately wait and hide there undetected, either to remove assets when you're not monitoring your wallet or when higher value assets are later placed in there!
Who's Behind Wallet Drainers?
Some of the scammers behind this activity could be basement scammers who "got lucky" with their DIY approach and found their way into your account. However, it's now possible to buy Drainer-as-a-Service technology on the dark web: professional products that come with:
- Phishing site templates
- Telegram bots
- Victim/profit tracking dashboards
- Automated fund-handling tools
- Laundering scripts
The software has reviews from other scammers who have used it and the sellers even provide customer support to help the scammers successfully use it!
Scammers buy the "kit" from the developer and are then invited to the developer's private Telegram/Discord, where they are given the build artefacts. The scammers then need to create the lure and market it to try to attract potential victims. One notable element of this is the revenue-sharing approach, whereby the affiliate (the scammer) shares a portion of their scammed funds with the developer. This can be 10-30% of the stolen funds, so a big pay day for drainer-as-a-service developers!
This makes scamming accessible to affiliates with little technical knowledge, and it is sadly very financially successful for the drainer creator.
There are different "strains" of drainer technology, with big names such as Inferno Drainer, Angel Drainer and Pink Drainer.
Inferno was one of the first major drainers; it appeared in early 2023 and offered a full dashboard, phishing templates and wallet connection spoofing. It's thought to have been used by over 700 affiliate scammers and to have drained over $300m! However, in October 2023 the operator posted on their Telegram channel saying:
"We're officially shutting down. No more updates. Thanks for the ride."
However, it looked like the code had been sold or handed off to a new drainer in the market: Angel. It came back with new features and improvements! Multichain capabilities, access for affiliates and improved obfuscation for the dangerous functions being called. Angel exited the market in July 2024 when a security firm claimed to have de-anonymised the core developers; however, they returned just a few weeks later with an advanced version they called AngelX, now targeting TON and Tron with improved obfuscation tools. There's a new Inferno version popping up in 2025 which has so far drained over $9m and includes self-destructing contracts, pays a huge affiliate fee of 30% and has a one-line deployment.
In parallel to Inferno and Angel was another notorious drainer-as-a-service, Pink. This was thought to be created by a former security researcher turned attacker and was known for a more targeted social engineering approach on platforms like Discord and Twitter. An estimated 21,000 wallets were compromised to the tune of $85m! Pink exited the market in May 2025 after they hit their target revenue and posted on Telegram:
"After this message's publication, we will begin winding down all of our infrastructure. All stored information will be wiped and securely deleted."
However, in an ironic twist of fate, just the next month they fell prey to an address-poisoning scam and lost 10 ETH to an attacker.
How Successful are Wallet Drainers?
In the Scam Sniffer 2024 Report a huge $494 million in losses were attributed to wallet drainers, compromising more than 332,000 wallets in a single year.
As noted above, Pink was able to drain $85m before they exited the market in 2024, and there are headline stories such as the below which show that very large amounts can be stolen using drainers-as-a-service:
Most of these operations are believed to be based in Russia, Eastern Europe, and Southeast Asia, where they benefit from loose cybercrime enforcement, bulletproof hosting, and the widespread use of encrypted Telegram channels.
Two recent wallet drainer attacks were:
- The June 20th Cointelegraph website compromise, where a fake airdrop was shown to users promising them over $5000 of a fake token; however, any users who connected their wallet were hit!
- The same-day CoinMarketCap website compromise, with a fake prompt for users to "verify their wallet". This led to 110 victims losing a combined $43,000.
So how can you stay safe from wallet drainers?
Originally published at https://www.linkedin.com.
