What Are Wallet Drainers? How They Work and How to Protect Yourself
Scam Sniffer's 2025 annual report logged $83.85 million in losses from wallet-draining phishing targeting 106,000 victims. In the first half of 2025 alone, crypto users lost $410.75 million to phishing attacks, with a common pattern: users click legitimate-looking links, connect wallets, and approve transactions that drain funds. The targets: NFT collectors, DeFi users, and ordinary crypto holders who clicked the wrong link in a Discord server or on X.
Wallet drainers don't hack the blockchain. They don't need to. They trick you into handing over permission to spend your entire wallet balance in a single click. This guide explains exactly how they work and how to defend against them.
How Wallet Drainers Work
A wallet drainer is a malicious dApp or phishing flow that gets users to connect a wallet and approve a transaction, or to grant unlimited wallet approval, which drains funds.
Here's the core mechanic. The site looks legitimate, you connect your wallet, and the prompt asks for private keys, seed phrases, or wallet approvals. If you approve a draining transaction or unlimited token access, the attacker can move assets. One approval can be enough. The attack doesn't require your seed phrase. It doesn't require your private key. It only requires your approval.
The key point is simple: not every dangerous approval looks obvious. Permit-based signature attacks accounted for 38% of losses among incidents exceeding $1 million in Scam Sniffer's 2025 wallet-drainer data.
Signature-based drainers are the harder-to-spot variant of the same attack. Instead of showing you a standard on-chain approval transaction, the phishing site may ask for an off-chain signature under a label such as "Verify Wallet" or "Claim Airdrop." The prompt can feel lower risk because it doesn't look like a token transfer and may not leave the same obvious approval trail you expect from a standard ERC-20 approval.
That is the trap. A signature can still authorize token spending through permit-style approval flows. In a Permit2-style attack, the danger lies in the scope of the permission: the signature can grant a contract broad access to tokens covered by an existing allowance path. You won't always see a clean "Send 100 USDC" prompt. You may see a message request that looks administrative, while the result gives the attacker a route to move funds quickly.
The same pattern shows up in simpler approval attacks. A malicious dApp does not need to break cryptography if it can persuade you to approve the wrong spender. The blockchain will treat the permission as valid because the wallet signed it. That is why the safest question is not "Does this site look professional?" It is "What permission am I granting, to whom, and for how long?"
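To make "what permission am I granting, to whom, and for how long?" concrete, here is an added example (not code from the original article or from any wallet vendor) that decodes the two kinds of prompt described above: an on-chain ERC-20 `approve` / NFT `setApprovalForAll` transaction, and an off-chain EIP-712 signature request in the ERC-2612 `Permit` or Permit2 `PermitSingle`/`PermitBatch` shape. The function selectors and Permit2 field names are the standard ones; the token, spender and Permit2 contract addresses, the calldata, and the "effectively unlimited" threshold of 2^128 are constructed assumptions for the example.

```javascript
// Added example: classify what a wallet prompt actually authorizes.
// Handles on-chain approval calldata and off-chain permit-style typed data.

const UNLIMITED = (1n << 256n) - 1n;     // type(uint256).max, the usual "unlimited" amount
const UNLIMITED_THRESHOLD = 1n << 128n;  // assumption: anything this large is effectively unlimited

// Standard function selectors: first 4 bytes of keccak256(signature).
const SELECTORS = {
  "0x095ea7b3": "approve(address,uint256)",         // ERC-20 allowance
  "0xa22cb465": "setApprovalForAll(address,bool)",  // ERC-721 / ERC-1155 operator approval
};

const word = (data, i) => data.slice(10 + i * 64, 10 + (i + 1) * 64); // i-th 32-byte ABI word
const toAddress = (w) => "0x" + w.slice(24);                           // last 20 bytes of the word
const toUint = (w) => BigInt("0x" + w);

// Classify a transaction request {to, data} the way a wallet would show it.
function classifyCalldata(tx) {
  const data = tx.data.toLowerCase();
  const fn = SELECTORS[data.slice(0, 10)];
  if (fn === "approve(address,uint256)") {
    const spender = toAddress(word(data, 0));
    const amount = toUint(word(data, 1));
    const risk = amount === 0n ? "revoke" : amount >= UNLIMITED_THRESHOLD ? "unlimited" : "bounded";
    return { kind: "erc20-approve", token: tx.to, spender, amount, risk };
  }
  if (fn === "setApprovalForAll(address,bool)") {
    const operator = toAddress(word(data, 0));
    const approved = toUint(word(data, 1)) !== 0n;
    // true hands the operator every token of this collection, present and future
    return { kind: "nft-approval-for-all", token: tx.to, spender: operator, risk: approved ? "blanket" : "revoke" };
  }
  return { kind: "other", selector: data.slice(0, 10), risk: "unknown" };
}

// Classify an EIP-712 typed-data request {domain, primaryType, message}.
function classifyTypedData(req) {
  const m = req.message || {};
  const domain = req.domain || {};
  if (req.primaryType === "Permit" && m.spender !== undefined && m.value !== undefined) {
    const amount = BigInt(m.value); // ERC-2612: one token, one spender, one amount, one deadline
    return { kind: "erc2612-permit", token: domain.verifyingContract, spender: m.spender, amount,
             deadline: Number(m.deadline), risk: amount >= UNLIMITED_THRESHOLD ? "unlimited" : "bounded" };
  }
  if (req.primaryType === "PermitSingle" || req.primaryType === "PermitBatch") {
    // Permit2: the signature lets `spender` draw on tokens you already approved to the Permit2 contract
    const details = req.primaryType === "PermitSingle" ? [m.details] : m.details;
    const unlimited = details.some((d) => BigInt(d.amount) >= UNLIMITED_THRESHOLD);
    return { kind: "permit2-" + req.primaryType.toLowerCase(), spender: m.spender,
             tokens: details.map((d) => d.token),
             expiration: Math.max(...details.map((d) => Number(d.expiration))),
             risk: unlimited ? "unlimited" : "bounded" };
  }
  if (m.spender !== undefined) {
    // Any other message naming a spender deserves a manual look before signing
    return { kind: "unrecognised-spender-message", spender: m.spender, risk: "review" };
  }
  return { kind: "other", risk: "unknown" };
}

// Constructed samples: placeholder addresses, not real contracts.
const TOKEN = "0x" + "10".repeat(20);
const SPENDER = "0x" + "11".repeat(20);
const SAMPLE_UNLIMITED_APPROVE = {
  to: TOKEN,
  data: "0x095ea7b3" + "0".repeat(24) + "11".repeat(20) + "f".repeat(64),
};
const SAMPLE_BOUNDED_APPROVE = {
  to: TOKEN, // 100 units of a 6-decimal token
  data: "0x095ea7b3" + "0".repeat(24) + "11".repeat(20) + (100n * 10n ** 6n).toString(16).padStart(64, "0"),
};
const SAMPLE_PERMIT2_REQUEST = {
  domain: { name: "Permit2", chainId: 1, verifyingContract: "0x" + "22".repeat(20) },
  primaryType: "PermitSingle",
  message: {
    details: { token: TOKEN, amount: ((1n << 160n) - 1n).toString(), expiration: "281474976710655", nonce: "0" },
    spender: SPENDER,
    sigDeadline: "1893456000",
  },
};
```

Run `classifyCalldata(SAMPLE_UNLIMITED_APPROVE)` and the result names the spender and reports `risk: "unlimited"`; the Permit2 sample is flagged the same way even though the wallet would present it as a mere message to sign, which is the point the section makes about signature-based drainers.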
How Drainers Are Delivered: Attack Vectors
The mechanics above only work if you interact with the malicious site. Getting you there is the other half of the attack.
Fake token or NFT airdrops can be sent directly to wallets, mimic known collections with subtle naming errors, and redirect users to phishing sites when they interact with the asset. This is why random assets in your wallet deserve suspicion, not curiosity.
Impersonation messages and fake profiles are particularly dangerous because they exploit trust. Scammers promote fake airdrops using fake profiles, bots, or impersonations of known crypto personalities. During the Celestia TIA launch, a fake profile named calestiatoken impersonated CelestiaOrg and asked users to submit Ethereum addresses, even though Celestia is not an Ethereum-based project.
The same launch showed how fast a copycat wave can form. The vault records dozens of Celestia lookalike sites appearing during the Celestia airdrop. That matters because users often search for claim pages under time pressure, then click the first official-looking result. A drainer only needs one rushed visit.
Fake airdrop claim pages can replicate official claim sites with nearly identical names, layouts, and logos. Users should verify official websites, blogs, and social channels before acting on airdrop information.
Spoofed websites and phishing messages commonly arrive through sponsored search results and social media ads, impersonation messages over email, Telegram, Discord, and X, fraudulent airdrop tokens, and WalletConnect phishing.
The warning signs are consistent: small account-name differences, spelling errors, low follower counts, and announcements that never appear on the project's verified channels.
Checking and Revoking Dangerous Approvals
You've probably accumulated more active approvals than you realize. Every DeFi interaction you've ever made may have left an open approval on-chain, and some of those approvals are unlimited.
Step 1: Audit your approvals.
Use an approval-review tool you trust and verify the URL before connecting a wallet. Use a bookmark if you frequently check approvals. A fake approval-audit site is just another phishing page with better timing.
Review the active approvals shown for each chain you use. The goal is simple: see which contracts can spend which tokens, how much they can spend, and whether the approvals still match what you actually use.
Start with unlimited approvals. These are the approvals that grant a contract broad spending authority rather than a fixed amount. Then check old approvals from protocols you no longer use, unknown contracts, and large fixed approvals that no longer make sense.
If the tool shows Permit2 or signature-based allowances separately, review those too. Treat unknown spenders, broad token access, and allowances from old dApp sessions as higher priority than a fresh approval you still use every week. For a practical monthly review, split approvals into three buckets: keep the permissions for protocols you actively use, reduce or revoke large permissions that no longer match your current activity, and remove anything tied to unknown contracts or old campaigns. The aim is not to make DeFi impossible to use. It is to prevent old permissions from becoming a liability.
Step 2: Revoke suspicious approvals.
Revoke access to untrusted apps and unused approvals. Revoking usually requires an on-chain transaction, which incurs gas costs. Prioritize unlimited approvals first, then large approvals, then stale approvals from old DeFi sessions.
That cost is the trade-off. Paying a small gas fee to close a stale approval is usually better than leaving an old contract with spending rights forever. If gas is high, queue the revocations and handle the riskiest allowances first: unlimited amounts, unknown contracts, then protocols you haven't used in months.
When interacting with new protocols going forward, avoid unlimited approvals when a smaller approval is enough for the transaction. Make this a monthly habit. The practical rule is direct: if a random token tells you to visit a site to "claim" or "unlock" it, treat it as a scam. No legitimate protocol needs your seed phrase or private key to process an approval.
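The two steps above amount to a small triage procedure, so here is an added example (not code from the original article or from any approval-review tool) that carries it out over a constructed allowance list: each record goes into the keep, reduce, or revoke bucket, revocations are ordered unlimited first, then unknown contracts, then stale approvals, and each revoke or reduce entry carries the `approve(spender, amount)` calldata you would submit. The trusted-spender list stands in for your own bookmarks, the 90-day staleness window and the 2^128 "effectively unlimited" threshold are assumptions, and all addresses, amounts and dates are constructed.

```javascript
// Added example: bucket ERC-20 allowances into keep / reduce / revoke and
// order the revocations by risk. Input records are constructed samples.

const DAY_MS = 24 * 60 * 60 * 1000;
const STALE_AFTER_DAYS = 90;             // assumption: untouched for a quarter counts as stale
const UNLIMITED_THRESHOLD = 1n << 128n;  // assumption: anything this large is effectively unlimited

// approve(address,uint256) calldata; approve(spender, 0) is the usual revoke.
const APPROVE_SELECTOR = "0x095ea7b3";
function encodeApprove(spender, amount) {
  const addrWord = spender.toLowerCase().replace(/^0x/, "").padStart(64, "0");
  const amountWord = amount.toString(16).padStart(64, "0");
  return APPROVE_SELECTOR + addrWord + amountWord;
}

// allowances: [{token, spender, amount (BigInt), lastUsed (ISO date)}]
// trustedSpenders: contracts you actively use (your bookmarked protocols)
// caps: per-token bounded amount to re-approve instead of unlimited
function triageApprovals(allowances, trustedSpenders, now, caps = {}) {
  const trusted = new Set(trustedSpenders.map((a) => a.toLowerCase()));
  const plan = { keep: [], reduce: [], revoke: [] };
  for (const a of allowances) {
    const unlimited = a.amount >= UNLIMITED_THRESHOLD;
    const unknown = !trusted.has(a.spender.toLowerCase());
    const ageDays = (now - Date.parse(a.lastUsed)) / DAY_MS;
    const stale = ageDays > STALE_AFTER_DAYS;
    if (unknown || stale) {
      // Revoke outright; priority follows the article: unlimited, then unknown, then stale
      const priority = unlimited ? 0 : unknown ? 1 : 2;
      const reason = unlimited ? "unlimited" : unknown ? "unknown spender" : "stale";
      plan.revoke.push({ ...a, reason, priority, calldata: encodeApprove(a.spender, 0n) });
    } else if (unlimited) {
      // Trusted and active, but unlimited: shrink it to a bounded cap if one is configured,
      // otherwise zero it now and re-approve a bounded amount at next use
      const cap = caps[a.token.toLowerCase()];
      plan.reduce.push({ ...a, calldata: encodeApprove(a.spender, cap !== undefined ? cap : 0n) });
    } else {
      plan.keep.push(a);
    }
  }
  plan.revoke.sort((x, y) => x.priority - y.priority);
  return plan;
}

// Constructed sample data: placeholder token and spender addresses.
const USDC = "0x" + "01".repeat(20);
const WETH = "0x" + "02".repeat(20);
const SPENDER_A = "0x" + "aa".repeat(20); // bookmarked protocol, used last month
const SPENDER_B = "0x" + "bb".repeat(20); // bookmarked protocol, used this week
const SPENDER_C = "0x" + "cc".repeat(20); // unknown contract from an old "claim" page
const SPENDER_D = "0x" + "dd".repeat(20); // unknown contract, small fixed approval
const TRUSTED = [SPENDER_A, SPENDER_B];
const NOW = Date.parse("2025-07-01T00:00:00Z");
const UNLIMITED = (1n << 256n) - 1n;
const SAMPLE_ALLOWANCES = [
  { token: USDC, spender: SPENDER_A, amount: UNLIMITED, lastUsed: "2025-06-20" },        // active, unlimited -> reduce
  { token: USDC, spender: SPENDER_B, amount: 500n * 10n ** 6n, lastUsed: "2025-06-28" }, // active, bounded -> keep
  { token: USDC, spender: SPENDER_C, amount: UNLIMITED, lastUsed: "2025-06-29" },        // unknown, unlimited -> revoke first
  { token: WETH, spender: SPENDER_A, amount: 10n ** 18n, lastUsed: "2025-01-05" },       // trusted but stale -> revoke last
  { token: WETH, spender: SPENDER_D, amount: 10n ** 18n, lastUsed: "2025-06-01" },       // unknown, bounded -> revoke second
];
const CAPS = { [USDC]: 1000n * 10n ** 6n }; // re-approve at most 1,000 units of the 6-decimal token
```

Calling `triageApprovals(SAMPLE_ALLOWANCES, TRUSTED, NOW, CAPS)` yields one keep, one reduce, and a revoke list ordered C, D, A; each revoke entry's `calldata` is `approve(spender, 0)`, which is the on-chain transaction (and gas cost) Step 2 refers to.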
Drainer Defense Checklist
These aren't abstract best practices. Each one maps to a specific attack vector described above.
- Bookmark all DeFi dApps you use. Never find them via search or links from Discord, X, or Telegram.
- Verify URLs character by character before connecting your wallet. Check the exact domain, not just the visual appearance.
- Review wallet approvals regularly. Revoke access to untrusted apps and unused unlimited approvals.
- Never sign a "Verify Wallet" or "Claim Airdrop" message from a site you didn't navigate to directly via your bookmark.
- Confirm announcements on a project's verified channels before acting on any airdrop or mint information, not just influencer posts.
- Use a hardware wallet for significant assets. The physical tap or button press is a last-line checkpoint.
- Keep a dedicated "burner wallet" for new or unverified protocols. Never connect your main wallet to unknown dApps.
- Keep wallet apps, operating systems, and browsers up to date. Updates frequently patch security vulnerabilities.
- Separate your funds: smaller, active-use amounts in a hot wallet; larger, long-term holdings in cold storage.
FAQ
- A drainer that receives approval from a hardware wallet can spend the approved amount, the same as with any wallet. The defense is that hardware wallets keep private keys off internet-connected devices and require an extra signing step. If you decline the approval request, the drainer gets nothing.
- Don't panic. Review your active approvals immediately. Find the suspicious approval and revoke it. Check your balance. If tokens are already gone, the drain may have already executed. Move remaining assets from the compromised wallet to a new wallet address. Users who think an airdrop is fake should not interact with it, connect a wallet, or sign anything, and should report it to the official project.
- Monthly is a sensible baseline for active DeFi users. Review sooner after using a new protocol, connecting to an unfamiliar dApp, interacting with a token claim, or signing anything that felt vague. The important part is consistency: old approvals are easy to forget because they do not require ongoing permission requests. They just remain available until you revoke or replace them.
- No. A signature request can be harmless, but it can also authorize spending through permit-style approval flows. Treat unexpected "Verify Wallet," "Claim Airdrop," or Permit2-style prompts as high risk. If you didn't open the site from a trusted bookmark, close the page and review your allowances before signing anything else.
- A seed phrase attack gives the attacker complete, permanent control of your wallet. They can drain it immediately, along with any future deposits. A drainer attack gets you to approve a transaction or wallet approval that can drain funds. Both are serious: attackers prioritize recovery phrases or approval signatures because they can function as the master access path to assets.