Wallet Drainer

Definition:

A wallet drainer is a malicious smart contract or script that, once a user signs a transaction or off-chain permit signature, immediately sweeps all tokens and NFTs from the victim’s wallet to an attacker-controlled address. Unlike traditional hacks that exploit protocol code, wallet drainers target users directly — they rely on social engineering, phishing sites, and malicious NFT airdrops to trick users into signing what appears to be a harmless interaction. The drain happens in seconds; funds are typically irretrievable.


How It Works

Wallet drainers exploit legitimate Ethereum signing mechanisms rather than code vulnerabilities:

Method 1: Seaport / Blur Signature Abuse

The attacker creates a phishing site mimicking a legitimate NFT mint or marketplace. The user is prompted to “claim” something by signing an off-chain Seaport order. This signature — though it costs no gas — authorizes the transfer of the user’s NFTs to the attacker. The attacker fulfills the order on-chain, draining the NFTs.

Method 2: Permit Signature (EIP-2612)

ERC-20 tokens with permit support allow token approvals via off-chain signatures (no on-chain approve() transaction needed). A drainer presents a fake site that asks the user to sign a permit granting unlimited allowance to the attacker’s contract. The attacker then calls transferFrom() to take all tokens.

Method 3: Unlimited approve() + transferFrom()

The user is tricked into calling approve() on a malicious contract, granting it unlimited token allowance. The drainer contract immediately calls transferFrom() to pull all tokens.

Method 4: Malicious NFT Airdrop

An NFT is airdropped to the user. When they try to view or interact with it, the NFT’s metadata triggers a phishing site or wallet interaction request. Trying to sell or burn the unwanted NFT initiates the drain.


Drainer-as-a-Service

Wallet drainers have evolved into industrialized tools. Since 2022, underground markets offer “Drainer-as-a-Service” (DaaS): ready-made drainer kits that anyone can deploy for a percentage of stolen funds (typically 20–30%). Notable kits include Inferno Drainer (drained ~$80M before shutting down in 2023), Pink Drainer, Venom Drainer, and Angel Drainer.

Typical attack lifecycle:

  1. Attacker rents a drainer kit (or purchases access)
  2. Attacker runs a phishing campaign: fake social media, compromised Discord/Twitter accounts, Google Ads
  3. User lands on phishing site and connects wallet
  4. User signs a “harmless” signature request
  5. Drainer script monitors mempool and submits drain transaction
  6. Funds bridge through mixers (Tornado Cash) and OTC desks

Notable Incidents

  • Premint (July 2022): ~$400K in NFTs stolen after the Premint verification website was compromised to serve a malicious signing request.
  • Ledger Connect Kit (December 2023): Supply chain attack injected drainer code into the Ledger Connect Kit library, briefly affecting multiple DeFi frontends simultaneously.
  • Inferno Drainer (2023): Responsible for draining ~$80M across thousands of victims before the authors announced retirement.
  • Pink Drainer (2023–2024): Drained ~$85M in total; responsible for a high-profile incident involving EigenLayer airdrop phishing.

Prevention

  • Revoke approvals: Use tools like Revoke.cash or Etherscan’s token approval manager to revoke unnecessary ERC-20 allowances.
  • Read what you sign: Check the exact contract address and function being called before confirming any transaction or signature.
  • Use permit-aware wallets: Wallets like Rabby decode permit signatures and display exactly what allowance you’re granting.
  • Bookmark official sites: Never navigate to a project’s mint page via social media links. Always use bookmarked URLs.
  • Limit approvals: Set approvals to exact amounts rather than unlimited.

Related Terms


Sources

Last updated: 2026-04