Wallet Drainers: How to Detect and Avoid Them

A wallet drainer is malicious code embedded in a website, browser extension, or app that aims to drain a connected crypto wallet. You connect your wallet and approve what looks like a routine action. Instead, the drainer asks for a signature or transaction that transfers your assets to the attacker.

Here is the part that catches people out. Drainers exploit legitimate blockchain features rather than breaking cryptography. Token approvals, permit signatures, and transaction batching all exist for good reasons. A drainer simply weaponizes them, dressing up a malicious request inside an interface built to look safe and familiar.

Once your wallet is connected to a malicious site, the drainer builds a request that moves value out of your control if you sign it. The exact technique varies, but a few patterns show up again and again.

• Malicious approvals. The site asks you to approve a token spend, often for an unlimited amount. That single approval lets the attacker transfer those tokens whenever they choose, even days later.
• Permit and signature phishing. Off-chain signatures such as Permit and Permit2 grant spending rights without an on-chain transaction. They look like a harmless message rather than a payment, so victims sign them readily.
• Blind signing. Hardware wallets sometimes display unreadable data. Drainers exploit this by hiding harmful instructions in a payload the device cannot translate into plain language.
• Drainer-as-a-service kits. Prebuilt toolkits let low-skill operators deploy a polished phishing site, detect the most valuable assets in a connected wallet, and drain those first. The kit author typically takes a percentage of every theft.

Many drainers also fake a successful first interaction or show bogus error messages to keep you clicking until a malicious signature finally goes through.

A drainer is only dangerous once it reaches you, so attackers put serious effort into distribution. The site itself may be technically simple while the social engineering around it is anything but.

• Fake airdrops. Messages promising free tokens push you to a claim page that requests a malicious signature instead of delivering anything.
• Phishing sites and typosquats. Lookalike domains mimic real exchanges, bridges, or DeFi protocols, often with a single changed character or a different top-level domain.
• Fake mint pages. During a hyped NFT launch, attackers spin up counterfeit mint sites and race to rank in search results and social feeds.
• Poisoned ads. Paid search and social ads can point to drainer sites that sit above the real project in results, exploiting the trust people place in the top link.
• Compromised Discord and X links. Hacked official accounts and servers post drainer links that appear to come from a project you already trust.

Urgency is the common thread. Limited supply, expiring claims, and exclusive access all exist to rush you past the moment when you would normally check.

Most drainer attacks give themselves away if you slow down and read what your wallet is asking you to approve. Train yourself to pause whenever a request feels even slightly off.

• A signature request you do not understand, especially one labeled Permit, Permit2, or showing raw hexadecimal data.
• An approval for an unlimited or unusually large token amount when you intended a small, specific action.
• A site reached through a DM, ad, or unsolicited message rather than a bookmark or the official site.
• A connect prompt that appears before you have done anything, or a page that demands a signature the moment it loads.
• Pressure to act fast: countdown timers, claims that the offer is ending, or warnings that you will miss out.

When the words in the request do not match what you expect to be doing, treat that mismatch as a stop sign, not a technicality.

Good wallet hygiene removes most of the risk that drainers depend on. The goal is to limit what any single mistake can cost you and to make every signature legible before you approve it.

• Use a hardware wallet for assets of meaningful value, and read the device screen rather than trusting the website.
• Keep a burner wallet with minimal funds for minting, claiming airdrops, and interacting with unfamiliar dApps. Never connect your main wallet to a site you have not vetted.
• Review and revoke approvals periodically using a tool such as revoke.cash, clearing any spending permissions you no longer need.
• Verify URLs manually by typing them or using saved bookmarks, and confirm the contract address on a block explorer such as Etherscan before interacting.
• Never sign blind. If a request is unreadable or its purpose is unclear, reject it and investigate.
• Ignore unsolicited offers. Treat surprise airdrops, giveaways, and DMs as hostile until proven otherwise.

Stack these habits and even a convincing fake site has little to work with, because your main holdings are never one careless click away.

If you suspect a drain, act quickly and methodically. Your first priority is to stop any further losses from approvals the attacker may still be able to use.

• Move any remaining assets to a fresh wallet generated on a clean device, ideally a hardware wallet.
• Revoke every outstanding token approval for the compromised address using a tool such as revoke.cash, since one drain often leaves lingering permissions.
• Stop using the compromised wallet entirely and assume its keys or session can no longer be trusted.
• Document everything: transaction hashes, the site or message that led you there, and timestamps, all of which you can confirm on a block explorer such as Etherscan.
• Report the incident to the affected platforms and, where relevant, to law enforcement and the project whose name was abused.

Be skeptical of anyone who contacts you offering to recover stolen funds. Recovery services that ask for upfront payment or your seed phrase are almost always a second scam aimed at the same victims.