Wallet-Drainer Scams via Ethereum & Stablecoins
How malicious smart-contract approvals drain Ethereum wallets of all stablecoin and token holdings in seconds.
Last reviewed: 1 June 2026
Wallet-drainer attacks exploit the ERC-20 token approval mechanism built into Ethereum. When a user signs an 'approve' transaction, they authorise a contract address to move tokens on their behalf. Legitimate DeFi protocols use this for trading; scammers deploy malicious contracts that immediately call 'transferFrom' to empty the wallet once approval is granted.
Because stablecoins such as USDT and USDC are high-value, liquid, and held in vast quantities across retail wallets, they are the primary target. Victims often do not realise they have approved a malicious contract until their balance reads zero.
How this scam works on Ethereum & stablecoins
Victims typically arrive at a drainer contract through a phishing link posted in a Discord server, a fake NFT mint announcement, a sponsored social media post for a fictional airdrop, or a cloned version of a popular DeFi protocol URL. The site looks identical to the legitimate service and prompts the user to connect their MetaMask or WalletConnect wallet.
The approval transaction is presented with vague language such as 'confirm ownership' or 'claim airdrop'. Once it is signed, the malicious contract holds an unlimited approval and drains all stablecoins and tokens within the same block. Some drainers use Permit2 or EIP-712 signatures that bypass the standard approval UI entirely: the victim sees only an off-chain signature request with no gas cost, which makes it feel harmless.
Common red flags
- An airdrop or NFT mint promoted through Discord DMs or unofficial channels
- A DeFi site URL that differs from the canonical address by one character or uses a different TLD
- Wallet prompts asking you to 'approve' a contract you cannot identify on Etherscan
- Signature requests that reference 'Permit', 'DAI_DOMAIN_SEPARATOR', or 'allowance' without clear context
- Urgent countdown timers pressuring you to claim before the airdrop 'runs out'
- Sites that request wallet connection before showing any substantive content
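The 'approve' and 'Permit' red flags above can be checked mechanically before a request reaches the signing prompt. The following is an added example, not code from this page or from any wallet project: it decodes the calldata of an `eth_sendTransaction` request and the primary type of an `eth_signTypedData_v4` request and labels approval-granting requests. The function names, the risk labels, the "unlimited" threshold and all addresses are assumptions constructed for illustration.

```javascript
// Added example (not from the original page): triage a wallet RPC request before signing.
const MAX_UINT256 = (1n << 256n) - 1n;
const SELECTORS = {                       // first 4 bytes of the calldata
  "095ea7b3": "approve",                  // approve(address,uint256)
  "39509351": "increaseAllowance",        // increaseAllowance(address,uint256)
  "a22cb465": "setApprovalForAll",        // setApprovalForAll(address,bool)
};
// "Permit" is EIP-2612/DAI; the rest are Permit2 primary types.
const PERMIT_TYPES = new Set(["Permit", "PermitSingle", "PermitBatch",
  "PermitTransferFrom", "PermitBatchTransferFrom"]);

function inspectTransaction(tx) {
  const data = (tx.data || "").replace(/^0x/, "").toLowerCase();
  const call = SELECTORS[data.slice(0, 8)];
  if (!call || data.length < 136) return { risk: "none" };
  const spender = "0x" + data.slice(32, 72);         // low 20 bytes of word 1
  const value = BigInt("0x" + data.slice(72, 136));  // word 2: amount or bool
  if (value === 0n) return { risk: "none", call, spender }; // zero = revoke
  // Assumption: half the uint256 range or more is treated as "unlimited".
  const unlimited = call === "setApprovalForAll" || value >= MAX_UINT256 / 2n;
  return { risk: unlimited ? "high" : "review", call, token: tx.to, spender, unlimited };
}

function inspectTypedData(typedData) {
  const td = typeof typedData === "string" ? JSON.parse(typedData) : typedData;
  if (!PERMIT_TYPES.has(td.primaryType)) return { risk: "none" };
  // Off-chain and gasless, but once submitted it grants the spender an allowance.
  return { risk: "high", kind: td.primaryType, gasless: true,
    verifyingContract: (td.domain || {}).verifyingContract || null,
    spender: (td.message || {}).spender || null };
}

function inspectRequest(req) {
  if (req.method === "eth_sendTransaction") return inspectTransaction(req.params[0]);
  if (req.method === "eth_signTypedData_v4") return inspectTypedData(req.params[1]);
  return { risk: "none" };
}

// Constructed samples: an unlimited approve and an EIP-2612 Permit request.
const OWNER = "0x" + "33".repeat(20), SPENDER = "0x" + "11".repeat(20), TOKEN = "0x" + "22".repeat(20);
const approveData = (amountHex) =>
  "0x095ea7b3" + "11".repeat(20).padStart(64, "0") + amountHex.padStart(64, "0");
const sampleApprove = { method: "eth_sendTransaction",
  params: [{ to: TOKEN, data: approveData("f".repeat(64)) }] };
const samplePermit = { method: "eth_signTypedData_v4", params: [OWNER, JSON.stringify({
  primaryType: "Permit", domain: { verifyingContract: TOKEN },
  message: { owner: OWNER, spender: SPENDER, value: MAX_UINT256.toString() } })] };

console.log(inspectRequest(sampleApprove), inspectRequest(samplePermit));
```

The decoded `spender` is the address to look up on Etherscan before signing; for Permit2 requests the `verifyingContract` is the Permit2 contract rather than the token itself.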
How to protect yourself
- Bookmark official DeFi and exchange URLs; never follow links from social posts or DMs
- Before signing any approval, check the contract address on Etherscan — newly deployed contracts with no history are dangerous
- Use a hardware wallet for large holdings; sign every transaction on the device screen
- Regularly audit and revoke token approvals using tools such as Revoke.cash or Etherscan's token approval checker
- Keep a separate 'burner' wallet with minimal funds for interacting with new or unverified protocols
- Never sign off-chain 'Permit' or EIP-712 messages from sites you did not navigate to yourself
How to report it
- Report the malicious contract address to MetaMask's phishing list at github.com/MetaMask/eth-phishing-detect
- Submit the scam URL to Google Safe Browsing and Cloudflare's phishing reporting tool
- File a report with the FBI IC3 or your national cybercrime unit including the transaction hash
Frequently asked questions
Can I recover tokens drained by a malicious approval?
Once a drainer contract has transferred your tokens, the transaction is irreversible on-chain. Freezing is possible only for centralised stablecoins: Tether (USDT) and Circle (USDC) have blacklisted addresses in documented high-profile cases, but this requires them to act voluntarily and is not guaranteed. Decentralised tokens are unrecoverable. Revoking the approval after the drain prevents future transfers but does not reverse completed ones.