Crypto Wallet Drainer Scams on Discord
How wallet drainer malware and phishing links are distributed through Discord servers, compromised bots, and fake NFT or token mint announcements — and how to protect your crypto wallet from on-chain theft.
Last reviewed: 1 June 2026
Discord is the primary social infrastructure for NFT communities, cryptocurrency projects, and DeFi protocol users — which makes it the primary distribution channel for wallet drainer attacks targeting those communities. Unlike traditional phishing that steals a password, wallet drainer attacks trick the victim into signing a malicious transaction that authorises the attacker to transfer assets directly from their connected wallet. The theft is on-chain, irreversible, and does not require the attacker to know a password.
This guide covers how wallet drainer attacks are deployed on Discord — the fake mint announcements, compromised bot accounts, DM phishing, and malicious signature requests — and the specific wallet hygiene practices that prevent on-chain theft.
How this scam works on Discord
The most common Discord drainer pattern exploits a server's announcement channel. An attacker compromises a server administrator's account, bribes a moderator, or takes over a bot used by the community, and then posts a 'surprise mint' or 'exclusive airdrop' announcement. The post includes a link to a site that visually replicates the project's real website.
When a user visits the site and connects their wallet, they are prompted to sign a transaction. The signature request appears in the wallet extension as a standard approval, but the underlying contract call grants the attacker permission to transfer all NFTs or tokens of a specific type. More aggressive variants request a permit signature that drains ERC-20 token balances without any further interaction.
Direct message phishing is a secondary vector: a user in a server receives a DM claiming they won an airdrop, need to verify their wallet for a whitelist, or must claim a refund. The link leads to the same drainer infrastructure. Discord's DM settings can be configured to prevent unsolicited messages from non-friends.
Compromised bots — including widely used moderation and ticketing bots whose OAuth tokens were stolen — have been used to post malicious links to thousands of servers simultaneously before the compromise is detected.
Common red flags
- Surprise mint or exclusive airdrop announced in a Discord server — especially one you did not expect
- Announcement posted by a bot or account that has not posted before, or posted outside the server's usual communication style
- A wallet connection request that asks you to sign an 'approval' or 'permit' transaction you did not initiate
- A direct message in Discord promoting an airdrop, whitelist claim, or refund link
- A site that looks identical to a project's real website but has a slightly different domain
- An announcement with urgency — 'first 100 wallets only' — designed to prevent careful review
How to protect yourself
- Never click links in Discord announcement channels without verifying independently on the project's official website or verified social accounts
- Before signing any wallet transaction, read the contract call data — if you cannot understand what you are approving, do not sign
- Use a hardware wallet or a dedicated 'hot wallet' with minimal assets for Discord-connected activity — keep main holdings in a cold wallet
- Disable Discord DMs from non-friends: User Settings → Privacy and Safety → 'Allow direct messages from server members' → Off
- Use a wallet with a transaction simulation feature (Rabby, MetaMask with Blockaid) that previews what a transaction will actually do
- Regularly audit and revoke unused token approvals at revoke.cash or your wallet's built-in revoke tool
How to report it
- Report the compromised channel or account inside Discord: right-click the message → Report
- Report to the FBI IC3 at ic3.gov (US) if assets were drained — include transaction hashes and wallet addresses
- Report the malicious domain to Google Safe Browsing at safebrowsing.google.com/safebrowsing/report_phish
- Alert the project's official verified Twitter/X or website team so they can warn the community
Frequently asked questions
Can I recover crypto stolen by a wallet drainer?
Blockchain transactions are irreversible. Once assets have been transferred by a drainer contract, they cannot be recalled through any platform or bank process. In some large cases, law enforcement and blockchain analytics firms have traced and seized stolen assets, but individual recovery is rare. File a report with the FBI IC3 to contribute to any investigation.
What is a token approval and why is it dangerous?
A token approval (ERC-20 approve or permit) grants a smart contract permission to move tokens from your wallet up to a specified amount — sometimes unlimited. Malicious drainer sites request unlimited approvals and immediately use them to drain your balance. Revoking unused approvals regularly at revoke.cash removes these standing permissions before they can be exploited.
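Reading the contract call data before signing, as recommended under "How to protect yourself", comes down to recognising the approval calls described above. The following is an added example, not code from this guide or from any wallet: it decodes the hex data shown in a signing prompt and flags unlimited allowances and collection-wide operator grants. The function name describeCalldata, the risk labels and the sample inputs are assumptions made for illustration, and approve is interpreted as the ERC-20 form.

```javascript
// Added example: classify the raw calldata shown in a wallet signing prompt.
// A selector is the first 4 bytes of keccak256(function signature).
const SELECTORS = {
  "095ea7b3": "approve(address,uint256)",           // ERC-20 (ERC-721 reuses it with a token id)
  "39509351": "increaseAllowance(address,uint256)", // common ERC-20 extension
  "a22cb465": "setApprovalForAll(address,bool)",    // ERC-721 / ERC-1155
};
const MAX_UINT256 = (1n << 256n) - 1n;

function describeCalldata(calldata) {
  const hex = String(calldata).toLowerCase().replace(/^0x/, "");
  if (hex.length < 8 || !/^[0-9a-f]+$/.test(hex)) {
    return { call: null, risk: "review", note: "not valid calldata" };
  }
  const selector = hex.slice(0, 8);
  const call = SELECTORS[selector];
  if (!call) {
    return { call: null, risk: "review", note: "unrecognised function 0x" + selector };
  }
  const args = hex.slice(8);
  if (args.length < 128) {
    return { call, risk: "review", note: "arguments truncated" };
  }
  // ABI encoding: each argument is one 32-byte word; an address is its low 20 bytes.
  const spender = "0x" + args.slice(24, 64);
  const value = BigInt("0x" + args.slice(64, 128));

  if (selector === "a22cb465") {
    return value === 0n
      ? { call, spender, risk: "low", note: "revokes operator access" }
      : { call, spender, risk: "high", note: "operator may move every token in this collection" };
  }
  if (selector === "095ea7b3" && value === 0n) {
    return { call, spender, risk: "low", note: "revokes the allowance" };
  }
  if (value === MAX_UINT256) {
    return { call, spender, risk: "high", note: "unlimited allowance" };
  }
  return { call, spender, risk: "review", note: "allowance of " + value.toString() + " base units" };
}

// Constructed samples (placeholder spender, not a real address).
const SPENDER_WORD = "0".repeat(24) + "11".repeat(20);
const UNLIMITED_APPROVE = "0x095ea7b3" + SPENDER_WORD + "f".repeat(64);
const OPERATOR_GRANT = "0xa22cb465" + SPENDER_WORD + "0".repeat(63) + "1";
const REVOKE = "0x095ea7b3" + SPENDER_WORD + "0".repeat(64);

for (const sample of [UNLIMITED_APPROVE, OPERATOR_GRANT, REVOKE]) {
  console.log(describeCalldata(sample));
}
```

A "review" result means the data should be checked by hand or with a wallet's transaction simulation; it is not a verdict that the call is safe.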