Wallet Drainer Scams
Malicious smart contracts trick you into signing a transaction that transfers all your tokens and NFTs to a scammer.
Last reviewed: 1 June 2026
What this scam is
A wallet drainer is a type of malicious smart contract designed to steal the entire contents of a cryptocurrency wallet in a single transaction — or a small sequence of transactions — once the victim has been tricked into signing a malicious approval.
Unlike conventional theft that requires stealing a password or private key, wallet drainers work by exploiting the legitimate permission system built into blockchain protocols. When you interact with a decentralised application (dApp) or NFT marketplace, your wallet asks you to sign approval transactions that grant a contract permission to move your tokens on your behalf. This is normal behaviour — it is how DeFi and NFT trading works. Wallet drainers abuse this system by constructing approvals that grant unlimited or sweeping permission to a malicious contract.
The moment you sign, the drainer contract executes. It can transfer all approved tokens, NFTs, and sometimes native currency out of your wallet in one block. Because this is a signed, legitimate blockchain transaction, it is irreversible.
Wallet drainer attacks have become increasingly automated. Kits sold in underground markets allow technically unskilled operators to deploy drainer contracts and build phishing sites with minimal effort. This has contributed to a significant increase in drainer-based attacks across all major blockchains.
Victims typically have no warning until they check their wallet and find it empty. The transaction that caused the drain may appear in their wallet history as something they signed — but they were deceived about what they were signing.
How it works
The attack begins with luring you to a phishing site or getting you to interact with a malicious smart contract. Common lures include fake NFT mint pages, fake DEX or bridge interfaces, fake airdrop claim pages, compromised project websites, and malicious links shared in Discord servers or via direct message.
Once on the malicious page, you are prompted to connect your wallet and then to sign a transaction or approval. The prompt may say 'Mint', 'Claim', 'Connect', or 'Verify wallet'. What you are actually signing is an `approve` or `setApprovalForAll` transaction that grants the malicious contract unlimited permission to move your ERC-20 tokens or all your NFTs.
In more sophisticated attacks, a `Permit` or `Permit2` signature is requested — these do not require a blockchain transaction to authorise (no gas fee), making them harder to identify as dangerous. The signed message is relayed off-chain and used by the attacker to drain the wallet.
Some drainers also request a `signTypedData` call that encodes complex permissions in a format that wallet interfaces display poorly — the user sees a summary that does not clearly describe what is being authorised.
After signing, the drainer contract executes immediately, sweeping tokens and NFTs to an attacker-controlled wallet. Stolen assets are typically sold or swapped within minutes.
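The gasless `Permit`, `Permit2` and `signTypedData` requests described above can be triaged before anything is signed. The sketch below is an added example, not code from this page or from any wallet: it classifies an EIP-712 payload, and `assessTypedData`, `knownSpenders` and the sample addresses are hypothetical names and constructed values.

```javascript
// Added example: triage an EIP-712 signing request before it is signed.
const MAX_UINT256 = (1n << 256n) - 1n;
const MAX_UINT160 = (1n << 160n) - 1n; // Permit2 allowance amounts are uint160
const PERMIT_TYPES = new Set([
  "Permit",                                        // EIP-2612 token permit
  "PermitSingle", "PermitBatch",                   // Permit2 allowance
  "PermitTransferFrom", "PermitBatchTransferFrom", // Permit2 signature transfer
]);

// Collect every scalar field called `name`, at any depth of the message.
function collect(node, name, out = []) {
  if (Array.isArray(node)) node.forEach((n) => collect(n, name, out));
  else if (node && typeof node === "object") {
    for (const [key, value] of Object.entries(node)) {
      if (key === name && typeof value !== "object") out.push(value);
      collect(value, name, out);
    }
  }
  return out;
}

// knownSpenders: lowercase addresses the user already trusts (assumed input).
function assessTypedData(request, knownSpenders = new Set()) {
  const reasons = [];
  if (!PERMIT_TYPES.has(request.primaryType)) return { risky: false, reasons };
  reasons.push(`gasless token permission (${request.primaryType})`);
  const amounts = ["value", "amount"].flatMap((f) => collect(request.message, f));
  if (amounts.some((a) => [MAX_UINT256, MAX_UINT160].includes(BigInt(a))))
    reasons.push("unlimited amount");
  for (const spender of collect(request.message, "spender"))
    if (!knownSpenders.has(String(spender).toLowerCase()))
      reasons.push(`unrecognised spender ${spender}`);
  // A permit alone is routine on trusted dApps; an extra finding makes it risky.
  return { risky: reasons.length > 1, reasons };
}

// Constructed sample: Permit2 PermitSingle payload with placeholder addresses.
const sampleRequest = {
  primaryType: "PermitSingle",
  domain: { name: "Permit2", chainId: 1 },
  message: {
    details: { token: "0x" + "11".repeat(20), amount: MAX_UINT160.toString(),
               expiration: "1893456000", nonce: "0" },
    spender: "0x" + "22".repeat(20),
    sigDeadline: "1893456000",
  },
};
console.log(assessTypedData(sampleRequest));
```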
Why this scam works
Wallet drainers succeed because approval transactions are a normal, necessary part of using DeFi and NFT platforms. Users are accustomed to signing approval requests without reading every detail — the process has been normalised.
Wallet interfaces (MetaMask, Phantom, and others) have improved their warnings for unusual approvals, but attacker prompts are designed to minimise visible warning signals. A user excited about claiming an airdrop or minting a sought-after NFT is focused on completing the action quickly, not scrutinising the underlying call data.
The speed of execution means there is no window between signing and loss. Once the transaction is confirmed, recovery is not possible through any technical means.
A typical pattern
A person receives a message in a Discord server for an NFT project they follow, announcing a surprise free mint for existing holders. The message includes a link. The site looks identical to the project's real website. They connect their wallet and click 'Claim'. Their wallet shows a signing request described as 'Verify ownership'. They sign. Within seconds, all NFTs and tokens in their wallet are transferred to an unfamiliar address. The Discord message was posted by a compromised moderator account, and the site was a drainer deployed hours earlier.
Common red flags
- Link to a 'mint' or 'claim' page shared via Discord or social media message
- Website URL that differs slightly from the real project domain
- Wallet prompt requesting `setApprovalForAll` on a new or unknown site
- Approval request for an unlimited token amount on a site you have not used before
- Request to sign a message with no gas fee on an unexpected site
- Urgency — 'claim window closes in 10 minutes'
- Surprise announcement of a free mint or airdrop through a DM
- Site prompts wallet connection immediately upon loading, before any action
- No verifiable audit or on-chain contract source code available
Sanitized example messages
Illustrative, sanitized examples. Personal details are replaced with placeholders such as [phone number] and [fake link].
Surprise mint live for holders — claim your free [token] before midnight: [fake link]
Airdrop snapshot taken. Claim your [amount] [token] allocation now: [fake link]
Verify your wallet to receive your whitelist allocation: [fake link]. Connect and sign to confirm.
Exclusive holder benefit — free NFT claim for wallets with [token]. Claim at [fake link].
We are migrating to v2. Connect your wallet at [fake link] and approve the migration to secure your funds.
Gas-free signature required to verify eligibility. No ETH needed — just sign the message: [fake link].
Common variations
- NFT drainer — targets `setApprovalForAll` to steal entire NFT collections
- ERC-20 token drainer — uses unlimited token approvals to drain fungible tokens
- Permit/Permit2 drainer — off-chain signature request drains without an on-chain approval step
- Multi-chain drainer — phishing site attempts drains across several networks simultaneously
- Compromised project site — real website is hacked and a drainer is injected
- Fake bridge or migration — 'upgrade your tokens' lure requiring a draining approval
How to verify before you act
Before signing any wallet transaction, read the full approval details in your wallet interface. Look for approvals that specify 'unlimited' or very large amounts, or `setApprovalForAll` calls. These grant sweeping permissions and should only be signed on verified, trusted platforms.
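One way to run that check on the raw call data of a pending transaction, as an added example that is not part of the original page or of any wallet's code. The function name `decodeApproval`, the 2^255 cut-off for "unlimited" and the sample spender address are assumptions made for illustration.

```javascript
// Added example: decode pending-transaction calldata and flag broad approvals.
const UINT256_MAX = (1n << 256n) - 1n;
const APPROVAL_SELECTORS = {
  "095ea7b3": "approve(address,uint256)",           // ERC-20 allowance (ERC-721: one token id)
  "39509351": "increaseAllowance(address,uint256)", // common ERC-20 extension
  "a22cb465": "setApprovalForAll(address,bool)",    // ERC-721 / ERC-1155 operator approval
};

function decodeApproval(data) {
  const hex = data.toLowerCase().replace(/^0x/, "");
  const signature = APPROVAL_SELECTORS[hex.slice(0, 8)];
  // Selector (4 bytes) plus two 32-byte ABI words = 8 + 128 hex characters.
  if (!signature || hex.length < 136) return null;
  const spender = "0x" + hex.slice(8, 72).slice(24); // address = low 20 bytes
  const arg = BigInt("0x" + hex.slice(72, 136));
  const findings = [];
  if (signature.startsWith("setApprovalForAll")) {
    if (arg !== 0n) findings.push("operator rights over every NFT in this collection");
  } else if (arg >= UINT256_MAX / 2n) {
    // Threshold is an assumption: anything at or above ~2^255 is treated as unlimited.
    findings.push("effectively unlimited token allowance");
  }
  return { signature, spender, arg, findings };
}

// Constructed samples with a placeholder spender address.
const pad = (h) => h.padStart(64, "0");
const SPENDER = "22".repeat(20);
const sampleUnlimited = "0x095ea7b3" + pad(SPENDER) + "f".repeat(64);
const sampleOperator = "0xa22cb465" + pad(SPENDER) + pad("1");
const sampleRevoke = "0x095ea7b3" + pad(SPENDER) + pad("0");

for (const tx of [sampleUnlimited, sampleOperator, sampleRevoke])
  console.log(decodeApproval(tx));
```

A zero amount or a `false` flag is a revocation, so the third sample produces no findings.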
Verify the website address carefully before connecting your wallet. One-character differences in domains are common drainer lures. Bookmark the real URLs of platforms you use regularly and always navigate via bookmarks, not search results or links from messages.
Be especially cautious of any site reached via a link in Discord, Telegram, or Twitter/X — even if posted in official-looking channels, as these are frequently compromised.
Regularly use a service that lets you audit and revoke token approvals (several exist for major blockchains), and revoke approvals you no longer need.
Payment methods used
- Signed wallet approvals (no payment — the theft is via smart contract)
- Cryptocurrency and NFTs stolen via malicious approval
Who is usually targeted
- NFT collectors
- DeFi users with significant token holdings
- Crypto users following active communities on Discord
- Anyone expecting an airdrop or token claim
What to do immediately
- Do not sign any additional transactions on the suspicious site — disconnect your wallet immediately
- Go to a reputable token approval checker for your blockchain and revoke all approvals granted to the suspicious contract
- If assets have already been drained, document all transaction hashes immediately — they cannot be recovered but are needed for reporting
- Transfer any remaining assets to a new wallet address not associated with the compromised one
- Do not respond to anyone offering to recover your drained wallet — this is a second scam
- Report the phishing site to the real project team so they can warn their community
- Report to your national fraud reporting authority with all on-chain evidence
How to prevent it
- Bookmark official project URLs and only access them via your own bookmarks
- Never follow links from Discord or social media to a site where you will connect your wallet
- Read every wallet approval carefully — reject unlimited approvals on unknown sites
- Revoke unused token approvals regularly using an on-chain approval manager
- Use a hardware wallet, which requires physical confirmation for approvals
- Consider maintaining a separate 'hot' wallet for interacting with new projects, holding only what you need
- Enable wallet security warnings and keep wallet software up to date
Evidence to preserve
- Transaction hashes for the approval and any drain transactions
- The malicious contract address
- The URL of the phishing site
- Screenshots of the wallet prompt you signed
- The source of the link (Discord message, DM, tweet) with timestamps
- Wallet address that was drained and destination wallet address
Where to report it
- Action Fraud (UK) — UK national fraud & cybercrime reporting centre
- FTC ReportFraud (US) — US Federal Trade Commission fraud reports
- FBI IC3 (US) — US Internet Crime Complaint Center
- Scamwatch (Australia) — Australian competition & consumer reporting
- Your bank's fraud line — Use the number on the back of your card or in your banking app — never a number the caller gives you
Always verify reporting routes and emergency contacts on the official government or agency website for your country.
Frequently asked questions
Can my wallet be drained without me doing anything?
No — a drainer requires you to sign a transaction or approval message. Simply visiting a website cannot drain your wallet. The attack requires your signature, which is why drainers rely on deception rather than technical exploits.
Can I get my NFTs or tokens back after a drain?
Blockchain transactions are irreversible. Once assets have been transferred via a signed approval, they cannot be recovered through any technical means. Do not pay any service claiming otherwise.
What is a token approval and why is it dangerous?
Token approvals grant a smart contract permission to move your tokens on your behalf. They are legitimate and necessary for DeFi and NFT trading. Drainers exploit this by tricking you into signing an approval to a malicious contract, which then immediately sweeps your wallet.
How do I check and revoke my existing approvals?
Several tools allow you to view and revoke token approvals on major blockchains — search for 'token approval checker' for your specific blockchain. Connect your wallet, review the list, and revoke any approvals you do not recognise or no longer need.
Is a hardware wallet safe against drainers?
A hardware wallet requires physical button confirmation for every transaction, making it harder to be tricked into signing. However, hardware wallets do not protect you if you intentionally sign a malicious approval — the protection is procedural, not absolute.
Someone in a Discord DM is offering to help me recover my drained wallet — should I trust them?
No. Recovery offers targeting people who have been drained are a well-known second scam. They will either charge fees and deliver nothing, or ask you to connect a new wallet to a drainer site, stealing whatever you have left.
Why do Discord servers get compromised so often?
Discord moderator and admin accounts are targeted by phishing because they have posting permissions that make scam messages appear credible. A message from a 'mod' account in an official server carries trust that attackers exploit. Always verify announcements via a project's official website.
Is crypto irreversible by design?
Yes. Blockchain finality means confirmed transactions cannot be reversed by any central authority. This is a core feature, not a bug, but it also means there is no equivalent of a bank chargeback. Prevention is the only reliable protection.