
Wallet Drainer Explained: How They Steal $200M+ Per Year (2026)

Eidode Team · May 24, 2026 · 5 min read · Updated: May 24, 2026

TL;DR — Quick Answer

A wallet drainer is a smart contract designed to drain a victim's wallet after a single malicious signature. The most active drainer family of 2024 (Inferno Drainer, before law-enforcement disruption) stole $200M+. The attack exploits how Ethereum's token-approval system was designed to work — permissionless and gasless. Once you sign an approval, the attacker can transfer that token any time, even years later. Drainers exploit behavior, not bugs. Defense is therefore behavioral.

Not financial advice. This article is for educational purposes only. Crypto is volatile and carries risk. Never invest more than you can afford to lose. Always do your own research.

What a wallet drainer actually is

A drainer is a smart contract deployed by attackers that:

  1. Tricks the victim into signing a specific transaction or signature.
  2. Uses that signature to transfer the victim's tokens to the attacker.

The drainer doesn't break encryption or steal seed phrases. It exploits standard ERC-20 approval mechanisms.

Modern drainers (Inferno, Pink, Angel) are sold as drainer-as-a-service: anyone can rent a drainer contract, deploy a fake DApp, and start hunting. The drainer operator takes 20–30% of stolen funds; the affiliate keeps the rest.

How an approval drainer works — step by step

  1. Attacker deploys the drainer smart contract on Ethereum mainnet. The contract has standard token-transfer functions that look harmless to casual inspection.
  2. Attacker creates a fake DApp — maybe cloned from Uniswap, OpenSea, or a project announcing an "airdrop."
  3. Victim visits the fake DApp via a search ad, compromised Twitter post, or Telegram link.
  4. Victim clicks "connect wallet" — read-only access. Safe so far.
  5. Victim clicks "mint NFT" or "claim airdrop." MetaMask shows a signature request.
  6. The signature, decoded, is an approve() call granting the drainer contract unlimited spending permission on a specific token (often USDC, USDT, or WETH).
  7. Victim signs. The approval is now stored on-chain forever.
  8. Hours, days, or weeks later, the drainer contract calls transferFrom() to move the approved tokens to the attacker's wallet. No further victim interaction needed.
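To make steps 6 to 8 concrete, here is an added example (not code from the article, and not any wallet's or drainer's code) that models the ERC-20 allowance mechanism in plain Python and decodes raw approve() calldata the way a simulating wallet would before the prompt is shown. The function selectors are the standard ERC-20 ones; the addresses, balances and calldata are constructed for the demo. It also shows the revocation from the defense sections: approve(spender, 0) is what stops the next transferFrom().

```python
# Added example (not from the article): a minimal in-memory model of ERC-20
# allowances plus a decoder for raw approve() calldata, showing why a single
# signed approval keeps working for the spender until it is explicitly revoked.

MAX_UINT256 = 2**256 - 1
APPROVE_SELECTOR = "095ea7b3"        # keccak256("approve(address,uint256)")[:4]
TRANSFER_FROM_SELECTOR = "23b872dd"  # keccak256("transferFrom(address,address,uint256)")[:4]


class ToyERC20:
    """Only the parts of ERC-20 that the approval flow touches."""

    def __init__(self, balances):
        self.balances = dict(balances)
        self.allowances = {}  # (owner, spender) -> remaining allowance

    def approve(self, owner, spender, amount):
        # Standard ERC-20: the allowance is overwritten, has no expiry, and
        # persists on-chain until the owner changes it again.
        self.allowances[(owner, spender)] = amount
        return True

    def transfer_from(self, caller, owner, to, amount):
        # The caller only needs an allowance; the owner is never asked again.
        allowed = self.allowances.get((owner, caller), 0)
        if allowed < amount or self.balances.get(owner, 0) < amount:
            return False
        if allowed != MAX_UINT256:  # common implementations never decrement an unlimited allowance
            self.allowances[(owner, caller)] = allowed - amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount
        return True


def decode_approve(calldata_hex):
    """Decode approve(address,uint256) calldata; returns None for anything else."""
    data = calldata_hex.lower()
    data = data[2:] if data.startswith("0x") else data
    if len(data) != 8 + 64 + 64 or data[:8] != APPROVE_SELECTOR:
        return None
    spender = "0x" + data[8 + 24 : 8 + 64]  # address sits right-aligned in a 32-byte word
    amount = int(data[8 + 64 :], 16)
    return {"spender": spender, "amount": amount, "unlimited": amount == MAX_UINT256}


def explain_approve(calldata_hex, token_symbol, decimals=6):
    """The one-sentence summary a user should be able to give before signing."""
    d = decode_approve(calldata_hex)
    if d is None:
        return "not an approve() call"
    if d["unlimited"]:
        return f"Grants {d['spender']} UNLIMITED {token_symbol} spending, with no expiry."
    return f"Grants {d['spender']} permission to spend up to {d['amount'] / 10**decimals:g} {token_symbol}."


def demo():
    # Constructed addresses and balance: 1,000,000 USDC (6 decimals).
    victim = "0x" + "11" * 20
    drainer = "0x" + "de" * 20
    attacker_wallet = "0x" + "aa" * 20
    usdc = ToyERC20({victim: 1_000_000 * 10**6})

    # Constructed calldata for step 6: approve(drainer, MAX_UINT256).
    calldata = "0x" + APPROVE_SELECTOR + "00" * 12 + "de" * 20 + "ff" * 32
    decoded = decode_approve(calldata)

    # Step 7: victim signs; the allowance now lives on-chain.
    usdc.approve(victim, decoded["spender"], decoded["amount"])
    # Step 8: any time later, the drainer pulls funds with no victim interaction.
    first = usdc.transfer_from(drainer, victim, attacker_wallet, 600_000 * 10**6)
    # Revocation (approve with amount 0) is what stops the next pull.
    usdc.approve(victim, drainer, 0)
    second = usdc.transfer_from(drainer, victim, attacker_wallet, 1)
    return {
        "summary": explain_approve(calldata, "USDC"),
        "first_pull_succeeded": first,
        "after_revoke_succeeded": second,
        "victim_balance_usdc": usdc.balances[victim] // 10**6,
        "attacker_balance_usdc": usdc.balances[attacker_wallet] // 10**6,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of `explain_approve` is the "one sentence" test from the defense rules: a wallet that can render "UNLIMITED ... with no expiry" gives the user the warning a raw hex blob never will.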

Why approval drainers are so hard to spot

Standard MetaMask signature requests show raw hex data plus a token name and amount. To a non-technical user, an approval signature for $1,000,000 of USDC looks similar to a routine approval for swapping $50 of USDC. There is no big red warning.

The fake DApp also obscures intent: "click to claim free NFT" has no surface connection to "sign a token approval." The attack flow is socially engineered to maximize signing without comprehension.

Permit2 drainers — the gasless variant

Permit2 is Uniswap's gasless approval system, designed to make trading cheaper. A single off-chain signature can authorize spending across many tokens. Drainers abuse this: a fake Uniswap interface gets you to sign a Permit2 signature that looks like a routine swap, but actually authorizes unlimited spending of every major token in your wallet.

Permit2 signatures are particularly dangerous because they don't show up in standard approval-list tools — they're off-chain until the attacker submits them. Defense requires extra vigilance: don't sign Permit2 messages on sites you haven't deeply verified.
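Because a Permit2 permit is an EIP-712 typed-data message rather than a transaction, the thing to inspect is the `eth_signTypedData_v4` payload itself. The following is an added example (not from the article, and not Uniswap's or any wallet's code) of a pre-sign audit for the patterns described above: unlimited amount, never-expiring allowance, many tokens in one batch, and a spender you never vetted. The field names follow Permit2's PermitSingle / PermitBatch / PermitDetails types; the two sample requests, the "current time", the spender allowlist and the token addresses are constructed placeholders.

```python
# Added example (not from the article): pre-sign audit of an EIP-712
# eth_signTypedData_v4 request for the Permit2 patterns drainers rely on.
# Field names follow Permit2's PermitSingle / PermitBatch / PermitDetails types;
# sample requests, timestamps, the allowlist and token addresses are constructed.
from datetime import datetime, timezone

MAX_UINT160 = 2**160 - 1   # Permit2 amounts are uint160
MAX_UINT48 = 2**48 - 1     # Permit2 expirations and nonces are uint48
PERMIT2_PRIMARY_TYPES = {"PermitSingle", "PermitBatch"}
DAY = 86400

# Placeholder allowlist: spenders the user has deliberately vetted beforehand.
KNOWN_SPENDERS = {"0x" + "ab" * 20: "example router (placeholder)"}


def describe_ts(ts):
    """Render a unix timestamp the way a wallet prompt should: as a date."""
    if ts >= MAX_UINT48:
        return "never (max uint48)"
    try:
        return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d")
    except (OverflowError, ValueError, OSError):
        return f"unix time {ts}"


def audit_permit2_request(typed_data, now_ts, known_spenders=KNOWN_SPENDERS, max_days=30):
    """Return human-readable findings for a Permit2 signature request.

    An empty list means none of the drainer patterns matched; it is not proof
    the site is honest, which is why the spender allowlist still matters.
    A real wallet would also compare domain.verifyingContract against the
    canonical Permit2 deployment (placeholder address here)."""
    findings = []
    primary = typed_data.get("primaryType")
    if primary not in PERMIT2_PRIMARY_TYPES:
        return findings  # not a Permit2 permit; other checks would apply
    msg = typed_data["message"]
    domain = typed_data.get("domain", {})
    if domain.get("name") != "Permit2":
        findings.append(f"domain name {domain.get('name')!r} is not 'Permit2'")
    spender = msg["spender"].lower()
    if spender not in {k.lower() for k in known_spenders}:
        findings.append(f"spender {spender} is not a vetted contract")
    details = msg["details"] if primary == "PermitBatch" else [msg["details"]]
    if len(details) > 1:
        findings.append(f"batch permit covers {len(details)} tokens in one signature")
    for d in details:
        token, amount, expiration = d["token"], int(d["amount"]), int(d["expiration"])
        if amount == MAX_UINT160:
            findings.append(f"{token}: UNLIMITED amount")
        if expiration - now_ts > max_days * DAY:
            findings.append(f"{token}: allowance valid until {describe_ts(expiration)}")
    if int(msg["sigDeadline"]) - now_ts > DAY:  # heuristic: a swap needs minutes, not days
        findings.append("sigDeadline is more than a day away")
    return findings


NOW = 1_800_000_000  # constructed "current time"
USDC, USDT, WETH = "0x" + "c1" * 20, "0x" + "c2" * 20, "0x" + "c3" * 20  # placeholder tokens

# Constructed request of the kind a fake swap UI would present: every major
# token, unlimited, never expiring, to an unknown spender.
DRAINER_REQUEST = {
    "domain": {"name": "Permit2", "chainId": 1, "verifyingContract": "0x" + "00" * 20},
    "primaryType": "PermitBatch",
    "message": {
        "details": [
            {"token": t, "amount": str(MAX_UINT160), "expiration": str(MAX_UINT48), "nonce": "0"}
            for t in (USDC, USDT, WETH)
        ],
        "spender": "0x" + "de" * 20,
        "sigDeadline": str(MAX_UINT48),
    },
}

# Constructed request shaped like a routine 50 USDC swap: one token, bounded
# amount, ten-minute expiry, vetted spender, half-hour signature deadline.
ROUTINE_REQUEST = {
    "domain": {"name": "Permit2", "chainId": 1, "verifyingContract": "0x" + "00" * 20},
    "primaryType": "PermitSingle",
    "message": {
        "details": {"token": USDC, "amount": str(50 * 10**6),
                    "expiration": str(NOW + 10 * 60), "nonce": "0"},
        "spender": "0x" + "ab" * 20,
        "sigDeadline": str(NOW + 30 * 60),
    },
}

if __name__ == "__main__":
    for name, req in (("drainer-style", DRAINER_REQUEST), ("routine", ROUTINE_REQUEST)):
        print(name, audit_permit2_request(req, NOW) or ["no findings"])
```

The thresholds (30 days for an allowance, one day for the signature deadline) are the example's own heuristics; the structural signals (max uint160 amount, max uint48 expiration, batch of many tokens, unknown spender) are the ones worth refusing on sight.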

EIP-7702 drainers — the 2025 frontier

EIP-7702 (live on Ethereum mainnet since 2025) lets externally-owned accounts (EOAs) temporarily behave like smart-contract accounts. Used legitimately: better UX, batched transactions, gas sponsorship. Abused: attackers craft 7702 delegations that hand a malicious contract control over your account for the duration of a single transaction — long enough to drain everything.

Defense: don't sign 7702 delegations on unfamiliar sites. Modern wallets (Rabby, MetaMask 12+) show explicit warnings for 7702 signatures. Treat them as high-risk by default.

The 5 rules that prevent drainer attacks

  1. Bookmark every DApp. Always navigate to Uniswap, OpenSea, Aave via your bookmark — never search ads or social links.
  2. Use Rabby or any wallet with transaction simulation. Rabby shows "You will lose 1,000 USDC" before you sign. MetaMask still shows hex in many cases. Switch.
  3. Revoke approvals quarterly. Visit revoke.cash or Etherscan's token approval checker. Remove any approval you don't actively need.
  4. Read every signature before approving. If you can't explain what the signature does in one sentence, don't sign.
  5. Hardware wallet for holdings over ~$5,000. Even drainer signatures get filtered through the device screen — one more chance to read what you're approving.

What to do if you've been drained

  1. Immediately move remaining funds to a fresh wallet with a new seed phrase. The drained wallet is permanently compromised — any tokens with outstanding approvals to the drainer are still at risk.
  2. Revoke all outstanding approvals on the compromised wallet via revoke.cash. This costs gas but prevents further draining.
  3. Document transaction hashes — needed for tax-loss claims and law-enforcement reports.
  4. Report to IC3.gov (US), Action Fraud (UK), or your jurisdiction's equivalent. Slim chance of recovery but creates evidence.
  5. Report the drainer contract address to Etherscan, the MetaMask phishing list, and security firms (ScamSniffer, GoPlus).
  6. Do NOT pay "recovery services." They're second-stage scams targeting drainer victims. Real recovery is via law enforcement, not paid services.

Why centralized exchanges don't have this problem

When you trade on Binance or Coinbase, you don't sign approval transactions — the exchange holds the keys to your custodied account. The trade-off: you trust the exchange not to lose or freeze your funds (counterparty risk), but you don't expose yourself to approval drainer attacks.

Self-custody is the answer to exchange counterparty risk. Drainer-awareness is the cost of self-custody. Both models have risks; understanding them lets you balance.

Bottom line

Drainers are now industrialized. The countermeasure isn't more software — it's a small set of boring habits: navigate via bookmark, simulate before signing, split funds across a hot and cold wallet, revoke old approvals on a calendar. Do those four and the drainer industry mostly works on other people, not you.

Next reads: Crypto phishing patterns · Anti-scam playbook · How to set up a Ledger.
