Bad actors chasing cryptocurrency keep evolving their playbook—private key grabs, smart contract exploits, price manipulation, and more. In this environment, drainer crypto schemes have surged. These wallet drainer operations have harmed newcomers and veterans alike, including public figures Mark Cuban and Seth Green. Some crews have extracted several million dollars from victims, as outlined below.
Continue below to learn about:
- What Crypto Drainers Are
- The Impact of These Scams
- Bitcoin’s First Known Drainer
- How to Avoid Drainers
What Is a Crypto Drainer?
A crypto drainer is a phishing kit built for Web3. Rather than capturing usernames and passwords, operators impersonate dapps or NFT mints, prompt users to connect a crypto wallet, and trick them into signing token approvals or smart contract permissions that hand over control of funds. In practice, an “approval” (or signature-based permission, such as a permit) can authorize a contract address to spend a user’s tokens up to a specified limit; drainers rely on victims granting that permission to a malicious contract or a contract the attacker controls. The typical flow is: a victim is lured to a convincing landing page, connects a wallet, is presented with a routine-looking request to sign, and then the attacker uses the newly granted permission to transfer tokens out, often within seconds of the approval. Many campaigns also rely on lookalike domains and cloned front ends that make the signing prompt feel like a normal step in a legitimate process.
Drainers commonly fall into a few buckets: smart contract drainers that focus on token approvals and permissions, phishing drainers that impersonate legitimate dapps, malicious browser extensions or wallet plugins that alter what users see or sign, and blockchain-specific variants that target particular ecosystems (for example, Ethereum tokens or Bitcoin Ordinals users).
Common signs of a drainer attempt include unusual wallet-connection requests from unfamiliar sites, unexpected prompts to approve token transfers or broad permissions, “limited-time” airdrop or NFT mint offers that require a wallet connection, the sudden disappearance of assets after interacting with a dapp, and warnings surfaced by wallet security checks or other security tooling during the signing flow.
Drainers are becoming more common as Web3 and DeFi adoption grows, more value sits in hot wallets for day-to-day activity, social engineering lures get more polished, and drainer kits are increasingly packaged and sold by anonymous groups or individuals, lowering the barrier to launch new campaigns.
Shown below is a drainer that posed as the SEC, which we identified in January 2024 shortly after the agency’s legitimate Twitter/X account was compromised. The fake site urged visitors to link a wallet to claim bogus airdrop tokens.

The Impact of Wallet Drainers
Tallying total losses is challenging because many incidents go unreported. Still, we analyze clusters first flagged by Chainalysis customers as phishing or wallet drainer activity, along with related addresses tracked in our dataset.
Drainer campaigns evolve faster than most teams can publish warnings: attackers constantly re-skin the same signing flows to match whatever users are currently excited about.
Quarter over quarter, the value siphoned by these operations has at times outpaced ransomware, a crypto crime category that has grown quickly in recent years.

| Destination Type | Description | Trend Since 2021 |
|---|---|---|
| Mixing services | Used to obfuscate the origin and trail of stolen assets before cash-out. | Risen |
| Centralized exchanges | Used as liquidation and conversion points to reach cash-out routes. | Declined |
| Gambling services | Occasionally used as an additional laundering step, typically at smaller volumes. | Smaller volumes |

In 2022 and 2023, most stolen value moved through DeFi rails—decentralized exchanges, bridges, and swap platforms—because the tokens typically targeted by drainers are easy to move on-chain. Bitcoin, by contrast, is less practical for these workflows.
Recovering funds stolen by drainers is rare and difficult, particularly once assets have been swapped or routed through multiple services. In some cases, however, blockchain analytics can help trace flows, and there are occasional interventions when funds reach cash-out chokepoints, such as actions by exchanges or law enforcement. Acting quickly after an incident can materially affect whether any interruption, freezing, or attribution is possible.
No specific companies are named as being “involved” with drainers. Instead, these schemes are typically run and monetized by anonymous groups or individuals, including sellers of drainer kits. At the same time, security firms and analytics providers track drainer infrastructure and publicize indicators that help users and platforms reduce exposure.
Bitcoin’s First Known Crypto Drainer
Although most operations target the Ethereum ecosystem, we recently observed a rare drainer on the Bitcoin blockchain. The actors built a counterfeit page mimicking Magic Eden, the primary NFT venue for Bitcoin Ordinals. As of April 2024, the scheme had taken roughly $500,000 across more than 1,000 malicious transactions.

Even though Bitcoin is less commonly used for Web3 interactions, additional Bitcoin-focused drainers have already preyed on Ordinals traders.
How to Avoid Wallet Drainers
As these scams mature, Web3 teams and users should adopt layered defenses to reduce risk:
- Use Web3 security extensions such as Wallet Guard to flag phishing pages and evaluate risks tied to a cryptocurrency wallet.
- Store high-value assets in an offline wallet, moving funds to a hot wallet only when needed.
- Treat links in chat rooms or on social media with caution, especially if they are not from an official project account.
- If you must connect to an unfamiliar site, create a temporary wallet with no assets and use that instead.
- If a drainer steals assets, act quickly to cancel any pending transactions or revoke token approvals. Open a trusted token-approval management tool for the relevant network (for example, your wallet’s built-in approval manager, a reputable approval-checker service, or a block explorer’s token-approval page). Review allowances and permissions. Revoke anything you do not recognize, as well as any approvals granted around the time of the incident. Then contact your wallet provider for support, report the incident to the relevant platforms or authorities, warn others in the community about the scam’s domain and behavior, and monitor the wallet for any further suspicious activity.
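The approval mechanics described under "What Is a Crypto Drainer?" and the revocation step in the last item above can be made concrete with a small decoder. This is an added example, not code from the original article or from any wallet: it decodes the standard ERC-20 approve and ERC-721/1155 setApprovalForAll calldata, reports the spender and limit a signing prompt should surface, and builds the matching revocation calldata. The trusted-spender set, the verdict labels, and the sample address are assumptions made for illustration.

```javascript
// Added example. Selectors are the first 4 bytes of keccak256 of each signature.
const APPROVE = "095ea7b3";              // approve(address,uint256), ERC-20
const SET_APPROVAL_FOR_ALL = "a22cb465"; // setApprovalForAll(address,bool), ERC-721/1155
const MAX_UINT256 = (1n << 256n) - 1n;

// Decode calldata a wallet is asked to sign; null if it is not a well-formed approval.
function decodeApproval(calldata) {
  const hex = String(calldata).toLowerCase().replace(/^0x/, "");
  if (!/^[0-9a-f]{136}$/.test(hex)) return null; // 4-byte selector + two 32-byte words
  const selector = hex.slice(0, 8);
  if (selector !== APPROVE && selector !== SET_APPROVAL_FOR_ALL) return null;
  if (!/^0{24}$/.test(hex.slice(8, 32))) return null; // address word must be left-padded
  return {
    kind: selector === APPROVE ? "approve" : "setApprovalForAll",
    spender: "0x" + hex.slice(32, 72),
    value: BigInt("0x" + hex.slice(72)), // allowance, or 0/1 for the bool
  };
}

// Classify the request. trustedSpenders is a hypothetical Set of lowercase addresses.
function assessApproval(calldata, trustedSpenders) {
  const d = decodeApproval(calldata);
  if (d === null) return { verdict: "not-an-approval", reasons: [] };
  if (d.value === 0n) return { verdict: "revocation", reasons: [], ...d };
  const reasons = [];
  if (!trustedSpenders.has(d.spender)) reasons.push("unrecognized spender");
  if (d.kind === "approve" && d.value === MAX_UINT256) reasons.push("unlimited allowance");
  if (d.kind === "setApprovalForAll") reasons.push("operator over whole collection");
  const verdict = reasons.length === 0 ? "ok" : reasons.length === 1 ? "review" : "block";
  return { verdict, reasons, ...d };
}

// Calldata that undoes a grant: approve(spender, 0) or setApprovalForAll(operator, false).
function buildRevoke(kind, spender) {
  const addr = spender.toLowerCase().replace(/^0x/, "");
  if (!/^[0-9a-f]{40}$/.test(addr)) throw new Error("bad address");
  const selector = kind === "setApprovalForAll" ? SET_APPROVAL_FOR_ALL : APPROVE;
  return "0x" + selector + addr.padStart(64, "0") + "0".repeat(64);
}

// Constructed sample: unlimited approve() to a placeholder spender address.
const SAMPLE_SPENDER = "0x" + "11".repeat(20);
const SAMPLE_CALLDATA = "0x" + APPROVE + "0".repeat(24) + "11".repeat(20) + "f".repeat(64);
console.log(assessApproval(SAMPLE_CALLDATA, new Set()));
console.log(buildRevoke("approve", SAMPLE_SPENDER));
```

Signature-based permissions such as permit are signed as typed data rather than sent as transaction calldata, so a calldata check like this one does not see them and they need separate inspection.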




