Wallet Drainer Scams Explained
Wallet drainers are malicious scripts that trick users into signing transactions or messages that transfer their assets to attackers. These scams have grown increasingly sophisticated, costing victims hundreds of millions of dollars annually. Understanding how drainers work is the most effective defense against becoming a victim.
How Wallet Drainers Work
Wallet drainers operate through malicious websites that present deceptive transaction requests to connected wallets. The attack typically begins when a victim visits a phishing site — often disguised as a legitimate NFT mint, airdrop claim, or DeFi protocol. When the user connects their wallet, the drainer script analyzes the wallet's contents to identify valuable assets. It then prompts the user to sign one or more transactions that appear innocuous but actually grant the attacker permission to transfer assets. Modern drainers use techniques like setApprovalForAll to approve all NFTs in a collection with a single signature, Permit2 signatures that authorize token transfers without on-chain approval transactions, and multicall contracts that batch multiple draining operations into a single transaction. The sophistication of these attacks means even experienced users can be caught if they sign without carefully reviewing the transaction details.
Common Drainer Attack Types
Approval-based drainers trick you into granting unlimited token spending approval to an attacker-controlled contract. Once approved, the contract can transfer your tokens at any time without further interaction. Signature-based drainers use off-chain message signing like EIP-712 typed data or Permit2 to authorize transfers without visible on-chain approval transactions, making them harder to detect. NFT drainers specifically target setApprovalForAll, which grants blanket permission to transfer all tokens in an NFT collection. Airdrop bait drainers send worthless tokens to your wallet, and when you visit the associated website to claim or sell them, the site requests draining signatures. Ice phishing drainers impersonate legitimate protocols with nearly identical interfaces, redirecting transactions to attacker contracts. Some advanced drainers combine multiple techniques, first requesting a seemingly harmless signature that actually authorizes a complex series of transfers across multiple tokens and NFT collections simultaneously.
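The two on-chain calls described above, approve and setApprovalForAll, have fixed ABI layouts, so a wallet or browser extension can decode them before the user ever sees a confirmation prompt. The following is an added example, not code from the original article or from any wallet vendor: a dependency-free classifier that decodes raw calldata for those two functions and rates the request. The trusted-spender list, the attacker address and the sample calldata are constructed placeholders; the two function selectors are the standard ERC-20 and ERC-721/ERC-1155 constants.

```javascript
// Added example, not code from the original article: a dependency-free
// classifier for the two approval calls drainers most often ask a wallet
// to send. It decodes raw EVM calldata by hand so it runs offline.

// 4-byte function selectors (first 4 bytes of keccak256 of the signature);
// both are well-known constants from the ERC-20 and ERC-721/ERC-1155 ABIs.
const SELECTORS = {
  "095ea7b3": "approve",           // approve(address spender, uint256 amount)
  "a22cb465": "setApprovalForAll", // setApprovalForAll(address operator, bool approved)
};

const MAX_UINT256 = (1n << 256n) - 1n;

// Hypothetical allowlist of spenders the user has deliberately chosen to
// trust. The address is a constructed placeholder, not a real contract.
const TRUSTED_SPENDERS = new Set(["0x1111111111111111111111111111111111111111"]);

// Read the i-th 32-byte ABI word (as hex) from the argument area.
const word = (args, i) => args.slice(i * 64, (i + 1) * 64);
// An address occupies the low 20 bytes of its 32-byte word.
const toAddress = (w) => "0x" + w.slice(24);
// Left-pad a hex value to one 32-byte word (used to build sample calldata).
const pad = (hex) => hex.replace(/^0x/, "").padStart(64, "0");

// Classify one transaction's calldata. Returns the decoded call plus a risk
// level: "high" for unlimited or blanket approvals to untrusted operators,
// "medium" for bounded approvals to untrusted operators, "low" for calls
// that grant nothing or target a trusted spender, "unknown" otherwise.
function classifyCalldata(calldata) {
  const hex = calldata.toLowerCase().replace(/^0x/, "");
  const name = SELECTORS[hex.slice(0, 8)];
  const args = hex.slice(8);
  if (!name) return { kind: "unknown", risk: "unknown" };
  if (args.length < 128) return { kind: name, risk: "unknown", malformed: true };

  const operator = toAddress(word(args, 0));
  const trusted = TRUSTED_SPENDERS.has(operator);

  if (name === "approve") {
    const amount = BigInt("0x" + word(args, 1));
    const unlimited = amount === MAX_UINT256;
    const risk = amount === 0n || trusted ? "low" : unlimited ? "high" : "medium";
    return { kind: name, operator, amount, unlimited, risk };
  }

  // setApprovalForAll: any non-zero bool word means "grant blanket access".
  const approved = BigInt("0x" + word(args, 1)) !== 0n;
  const risk = !approved || trusted ? "low" : "high";
  return { kind: name, operator, approved, risk };
}

// Constructed sample requests, as a phishing page might present them.
const ATTACKER = "0x2222222222222222222222222222222222222222"; // placeholder
const SAMPLES = {
  // ERC-20 approve(attacker, 2**256-1): the classic unlimited approval
  unlimitedApprove: "0x095ea7b3" + pad(ATTACKER) + pad(MAX_UINT256.toString(16)),
  // ERC-20 approve(attacker, 100 * 10**18): bounded, but still to an unknown spender
  boundedApprove: "0x095ea7b3" + pad(ATTACKER) + pad((100n * 10n ** 18n).toString(16)),
  // ERC-721 setApprovalForAll(attacker, true): every NFT in the collection
  blanketNft: "0xa22cb465" + pad(ATTACKER) + pad("1"),
  // ERC-721 setApprovalForAll(attacker, false): a revocation, harmless
  revokeNft: "0xa22cb465" + pad(ATTACKER) + pad("0"),
};

// Run every sample through the classifier and report only the risk levels.
function runSamples() {
  const out = {};
  for (const [label, data] of Object.entries(SAMPLES)) out[label] = classifyCalldata(data).risk;
  return out;
}

console.log(runSamples());
// { unlimitedApprove: 'high', boundedApprove: 'medium', blanketNft: 'high', revokeNft: 'low' }
```

The classifier is deliberately conservative: a bounded approval to an unknown spender is still flagged, because the page's point is that the spender, not only the amount, decides whether an approval is safe. A real wallet would populate the trusted list from verified protocol contracts rather than a hard-coded placeholder.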
How to Identify Drainer Attempts
Red flags include any unexpected transaction requests, especially setApprovalForAll requests from unfamiliar contracts. Be suspicious of websites asking you to sign messages or transactions immediately after connecting — legitimate dApps typically require specific user-initiated actions before requesting signatures. Watch for URLs that closely mimic popular protocols with subtle differences like character substitutions or additional subdomains. Free mint claims, surprise airdrops, and urgent limited-time offers are common lures. If a transaction simulation shows token transfers or approvals you did not expect, reject it immediately. Wallets with built-in transaction simulation like Rabby are invaluable — they show you exactly what a transaction will do before you confirm. Check the contract address in the transaction request against the official protocol's verified contracts. Any discrepancy between what the website says the transaction does and what your wallet displays should be treated as a confirmed scam attempt.
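Signature-based requests are the case where a wallet's transaction display helps least, because nothing is broadcast on-chain at signing time. The following is an added example, not code from the original article or from Permit2's authors: an inspector for an EIP-712 signTypedData request that recognises the Permit2 PermitSingle and PermitBatch message layout and applies the red flags listed above (unfamiliar spender, unlimited amount, far-future expiration, many tokens under one signature). The field names follow the real Permit2 AllowanceTransfer structs; the trusted-spender list, the timestamps and every address are constructed placeholders, and the domain check here looks only at the domain name, so a production check would also verify the verifyingContract and chainId.

```javascript
// Added example, not code from the original article: inspects an EIP-712
// signTypedData request for the Permit2 layout that signature-based drainers
// use. Field names follow the real Permit2 AllowanceTransfer structs:
// PermitSingle { details, spender, sigDeadline }, PermitDetails
// { token, amount, expiration, nonce }, and PermitBatch { details[] }.
// The trusted-spender list and all addresses are constructed placeholders.

const MAX_UINT160 = (1n << 160n) - 1n; // Permit2 amounts are uint160; this value means "unlimited"
const ONE_YEAR = 365n * 24n * 3600n;   // seconds

const TRUSTED_SPENDERS = new Set(["0x1111111111111111111111111111111111111111"]);

// `now` is Unix time in seconds, passed in so the result is deterministic.
function inspectPermit2(typedData, now) {
  const { domain = {}, primaryType, message = {} } = typedData;
  if (domain.name !== "Permit2" || !["PermitSingle", "PermitBatch"].includes(primaryType)) {
    return { permit2: false, risk: "not-permit2", findings: [] };
  }
  const findings = [];
  const spender = String(message.spender).toLowerCase();
  const untrusted = !TRUSTED_SPENDERS.has(spender);
  if (untrusted) findings.push(`spender ${spender} is not a trusted contract`);

  const details = primaryType === "PermitSingle" ? [message.details] : message.details;
  for (const d of details) {
    if (BigInt(d.amount) === MAX_UINT160) findings.push(`unlimited allowance on ${d.token}`);
    if (BigInt(d.expiration) - BigInt(now) > ONE_YEAR) findings.push(`allowance on ${d.token} lasts more than a year`);
  }
  if (details.length > 1) findings.push(`one signature covers ${details.length} tokens`);

  // An untrusted spender combined with any other finding is the drainer pattern.
  const risk = untrusted && findings.length > 1 ? "high" : findings.length ? "medium" : "low";
  return { permit2: true, spender, tokens: details.length, findings, risk };
}

// Constructed sample: a batch permit as a phishing page might request it.
const NOW = 1700000000; // constructed "current time"
const ZERO_CONTRACT = "0x0000000000000000000000000000000000000000"; // placeholder verifyingContract
const DRAINER_REQUEST = {
  domain: { name: "Permit2", chainId: 1, verifyingContract: ZERO_CONTRACT },
  primaryType: "PermitBatch",
  message: {
    details: [
      { token: "0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", amount: MAX_UINT160.toString(),
        expiration: String(NOW + 10 * 365 * 86400), nonce: "0" },
      { token: "0xbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb", amount: "1000000000000000000000",
        expiration: String(NOW + 30 * 86400), nonce: "0" },
    ],
    spender: "0x2222222222222222222222222222222222222222",
    sigDeadline: String(NOW + 3600),
  },
};

// Constructed sample: a bounded, short-lived single permit to a trusted spender.
const BENIGN_REQUEST = {
  domain: { name: "Permit2", chainId: 1, verifyingContract: ZERO_CONTRACT },
  primaryType: "PermitSingle",
  message: {
    details: { token: "0xbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb", amount: "1000000000000000000000",
               expiration: String(NOW + 86400), nonce: "1" },
    spender: "0x1111111111111111111111111111111111111111",
    sigDeadline: String(NOW + 600),
  },
};

console.log(inspectPermit2(DRAINER_REQUEST, NOW));
console.log(inspectPermit2(BENIGN_REQUEST, NOW).risk); // low
```

The findings list is what a wallet would surface in the signing dialog; the point of returning individual findings rather than a single boolean is that a user who sees "one signature covers 2 tokens" and "unlimited allowance" can connect the prompt back to the attack types described in this article.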
Protection and Recovery
Prevention starts with using wallets that simulate transactions and display clear warnings about risky operations. Rabby, MetaMask with Blockaid protection, and hardware wallets with on-device verification all help you understand what you are signing. Never grant unlimited approvals — use exact amounts when protocols require approval. Regularly audit and revoke approvals using Revoke.cash, Etherscan's approval checker, or your wallet's built-in approval manager. Use separate wallets for different risk levels: a burner wallet for exploring new dApps, a main wallet for trusted protocols, and a cold storage vault for long-term holdings. Enable browser extensions like Wallet Guard or Pocket Universe that warn about known phishing domains. If you are drained, act immediately — transfer remaining assets to a new address, revoke all approvals on the compromised address, and report the phishing site. Track stolen assets using blockchain explorers and report to relevant authorities, though recovery chances are unfortunately low for most victims.
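Auditing and revoking approvals, as recommended above, comes down to replaying the Approval and ApprovalForAll events a wallet has emitted and sending a zero-value approval for each allowance that is still live. The following is an added example, not code from the original article or from Revoke.cash or any explorer: an offline audit over event logs in the JSON-RPC eth_getLogs shape that reports live allowances and builds the revoke calldata for each. The event topic hashes and function selectors are the standard ERC-20 and ERC-721/ERC-1155 constants; every address, block number and log is a constructed sample.

```javascript
// Added example, not code from the original article: an offline approval
// audit of the kind Revoke.cash or a block explorer performs. It replays the
// standard Approval / ApprovalForAll events for one owner in chain order
// (a later event for the same token+spender pair overrides an earlier one),
// reports allowances that are still live, and builds the calldata a revoke
// transaction would carry. All addresses and logs are constructed samples.

// keccak256 topic hashes of the two standard events (well-known constants).
const TOPIC_APPROVAL = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925";         // Approval(address,address,uint256)
const TOPIC_APPROVAL_FOR_ALL = "0x17307eab39ab6107e8899845ad3d59bd9653f200f220920489ca2b5937696c31"; // ApprovalForAll(address,address,bool)

const MAX_UINT256 = (1n << 256n) - 1n;
const pad = (hex) => hex.replace(/^0x/, "").padStart(64, "0");
const addrTopic = (addr) => "0x" + pad(addr);         // indexed address -> 32-byte topic
const topicAddr = (topic) => "0x" + topic.slice(-40); // 32-byte topic -> address

// Replay logs (eth_getLogs shape) and return the allowances still in force.
function auditApprovals(owner, logs) {
  const state = new Map();
  const ordered = [...logs].sort((a, b) => a.blockNumber - b.blockNumber || a.logIndex - b.logIndex);
  for (const log of ordered) {
    if (topicAddr(log.topics[1]) !== owner.toLowerCase()) continue; // someone else's approval
    const token = log.address.toLowerCase();
    const spender = topicAddr(log.topics[2]);
    const kind = log.topics[0] === TOPIC_APPROVAL ? "erc20"
               : log.topics[0] === TOPIC_APPROVAL_FOR_ALL ? "nft" : null;
    if (!kind) continue;
    const value = BigInt(log.data); // allowance amount, or 1/0 for ApprovalForAll
    state.set(`${token}:${spender}`, { token, spender, kind, value, unlimited: value === MAX_UINT256 });
  }
  return [...state.values()].filter((e) => e.value !== 0n);
}

// Calldata for the revoke transaction: approve(spender, 0) for ERC-20,
// setApprovalForAll(operator, false) for ERC-721/1155. It is sent to the token contract.
function buildRevoke(entry) {
  const selector = entry.kind === "erc20" ? "0x095ea7b3" : "0xa22cb465";
  return { to: entry.token, data: selector + pad(entry.spender) + pad("0") };
}

// Constructed addresses (placeholders, not real contracts).
const OWNER = "0xabababababababababababababababababababab";
const DEX = "0x1111111111111111111111111111111111111111";
const MARKET = "0x3333333333333333333333333333333333333333";
const ATTACKER = "0x2222222222222222222222222222222222222222";
const TOKEN_A = "0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
const TOKEN_B = "0xbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb";
const NFT_C = "0xcccccccccccccccccccccccccccccccccccccccc";

// Builders for constructed log records in the eth_getLogs shape.
const approvalLog = (token, owner, spender, value, blockNumber, logIndex = 0) => ({
  address: token, topics: [TOPIC_APPROVAL, addrTopic(owner), addrTopic(spender)],
  data: "0x" + pad(value.toString(16)), blockNumber, logIndex,
});
const approvalForAllLog = (token, owner, operator, approved, blockNumber, logIndex = 0) => ({
  address: token, topics: [TOPIC_APPROVAL_FOR_ALL, addrTopic(owner), addrTopic(operator)],
  data: "0x" + pad(approved ? "1" : "0"), blockNumber, logIndex,
});

// Deliberately out of order, as a paginated eth_getLogs response might be.
const SAMPLE_LOGS = [
  approvalLog(TOKEN_A, OWNER, ATTACKER, 0n, 120),                  // revoked at block 120...
  approvalLog(TOKEN_A, OWNER, ATTACKER, MAX_UINT256, 100),         // ...the unlimited approval granted at block 100
  approvalLog(TOKEN_B, OWNER, DEX, 5000n * 10n ** 18n, 110),       // bounded approval still live
  approvalForAllLog(NFT_C, OWNER, MARKET, true, 90),
  approvalForAllLog(NFT_C, OWNER, MARKET, false, 95),              // cleaned up
  approvalForAllLog(NFT_C, OWNER, ATTACKER, true, 130),            // blanket NFT approval still live
  approvalLog(TOKEN_B, "0x9999999999999999999999999999999999999999", ATTACKER, MAX_UINT256, 140), // another owner
];

const live = auditApprovals(OWNER, SAMPLE_LOGS);
console.log(live.map((e) => `${e.kind} ${e.token} -> ${e.spender}`));
console.log(live.map(buildRevoke));
```

Note that the audit only sees approvals that were emitted as events; Permit2-style allowances live inside the Permit2 contract and must be queried or revoked there separately, which is one reason the article recommends an approval manager rather than manual inspection.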
Frequently Asked Questions
Can a wallet drainer steal my crypto without me doing anything?
No. Wallet drainers require you to actively sign a transaction or message. Simply visiting a malicious website cannot drain your wallet unless you interact with a signature request. However, if you have previously granted unlimited token approvals to a compromised contract, that contract could drain those approved tokens without further interaction.
What should I do if I get drained?
Immediately transfer any remaining assets to a new, clean wallet address. Revoke all token approvals on the compromised address using Revoke.cash. Do not reuse the compromised address. Report the incident to the platform where you encountered the scam. While recovering stolen crypto is extremely difficult, reporting helps warn others and may aid law enforcement investigations.
Are hardware wallets immune to drainers?
Hardware wallets protect against malware-based attacks but not against social engineering. If you connect your hardware wallet to a malicious dApp and sign a drainer transaction on the device, your assets can still be stolen. The hardware wallet shows you what you are signing — the protection comes from carefully reviewing transaction details on the device screen before confirming.