What Is a Crypto Wallet Drainer and How Do They Work
Wallet drainers don't need your seed phrase or your password. They need one signature โ and they're engineered to get it.
You click a link in a Discord server. The site looks like the NFT mint you've been waiting for. You connect your wallet, click the mint button, and MetaMask pops up asking you to approve a transaction. It looks normal โ an approval, like the ones you've seen before. You click Confirm.
Within seconds, every token in your wallet is gone. You just used a wallet drainer โ a smart contract built specifically to empty wallets the moment it gets approval.
The mechanics: how a drainer actually drains
Token approvals are a legitimate part of DeFi โ you approve Uniswap to move your tokens during a swap, for example. Drainers exploit this same system.
The attack flow looks like this:
- 1.You visit a phishing site โ a fake mint, a fake airdrop claim, a compromised project link
- 2.The site asks you to connect your wallet โ standard behavior, not suspicious yet
- 3.A transaction pops up requesting approval for a contract address you don't recognize
- 4.The approval amount is set to the maximum possible โ all of your tokens, not just what the site needs
- 5.Once you confirm, the drainer contract immediately calls transferFrom() to sweep your balance
- 6.The transaction completes in the same block โ by the time you see it on Etherscan, it's done
The variants you need to know about
Basic ERC-20 drainers are the most common, but the ecosystem has expanded:
- โขNFT drainers โ use setApprovalForAll to take your entire NFT collection in one transaction, then sell or move it
- โขPermit signature drainers โ exploit EIP-2612's off-chain signing to get approval without an on-chain transaction first. You sign what looks like a harmless message, not a transaction
- โขSeaport order drainers โ craft a valid OpenSea-compatible order that trades your valuable NFTs for nothing
- โขMulti-token drainers โ scan your wallet first, then construct a single transaction that drains all approved tokens at once
What the transaction looks like before you sign
The warning signs are in the approval details โ but only if you look:
- โขThe spender address is a contract you've never interacted with before
- โขThe approved amount is set to the maximum uint256 value (looks like a huge number)
- โขThe transaction has no apparent purpose โ you're "approving" without a corresponding action
- โขPaste the spender address into Etherscan โ drainer contracts often have no verified source code and show multiple victim wallets in their transaction history
What actually prevents drainer attacks
- โRead every approval before signing โ the spender address, the amount, and whether you know what this contract does
- โNever click links in Discord, Twitter DMs, or Telegram to reach a site you want to transact on โ type the URL directly
- โCheck that the site URL matches exactly what you expect โ one character off is a phishing site
- โApprove limited amounts instead of unlimited when protocols allow it
- โMaintain a separate "hot" wallet for DeFi with only what you're actively using โ not your main holdings
Frequently asked questions
How does a wallet drainer work?
It gets you to sign an approval for a malicious contract, then immediately uses that approval to sweep your tokens. The entire drain happens in one block โ no second chance to stop it.
Can a wallet drainer steal ETH directly?
Not through approvals โ those only work on tokens. To steal ETH, drainers need you to sign a transaction that sends it, or they use Permit2 signatures with ETH sweeping. Native ETH requires a different attack path.
What should I do if my wallet was drained?
Immediately revoke all approvals from a clean device, move any remaining funds to a new wallet, and don't reuse the compromised address. The drainer contract still has approval until you revoke it.
Read approvals before you sign them
GuardianAI intercepts every MetaMask approval and explains in plain English who's asking, what they're getting access to, and whether the amount looks suspicious. Free Chrome extension.
Get GuardianAI โ It's Free