Wallet Drainer Kits — Detection & Prevention in 2026
Wallet drainer kits — the productised, Drainer-as-a-Service toolsets used to exfiltrate funds from victim wallets through malicious signatures — accounted for over USD 400 million in documented crypto theft during 2024 and remain the single largest attack category against active EVM and Solana wallets in 2026. The kits do not exploit private keys, smart-contract bugs, or chain consensus. They exploit one thing: users approving signatures they do not understand. This guide explains how drainer kits operate, which signature flows are vulnerable, the named drainer operations active in 2026, and the prevention workflow that combines hardware-wallet hygiene with pre-sign AML screening.
What a wallet drainer kit actually is
A drainer kit is a packaged software product sold or rented on darknet markets and private Telegram channels. The package typically includes:
- A phishing front-end — HTML/JS that impersonates a legitimate dApp, NFT mint, airdrop claim, or governance vote.
- A wallet-connect injection — standard WalletConnect or window.ethereum integration to interact with MetaMask, Rabby, Phantom, Coinbase Wallet, Trust Wallet.
- A drainer smart contract — deployed on each target chain, designed to extract tokens, NFTs, and native balance once approved.
- A signature-template engine — generates EIP-712 typed data messages that, when signed by the victim, authorise the drain.
- An automated swap-and-launder back-end — moves drained assets through DEXs, bridges, and mixers to obfuscate destination.
- Revenue sharing — the affiliate (the person running the phishing campaign) keeps 60 to 80 percent; the kit operator keeps 20 to 40 percent.
This is a fully commercial criminal supply chain. Affiliates do not need technical skill to deploy a drainer; they need traffic. They drive traffic through compromised X (Twitter) accounts, Discord raids, Google Ads on phishing-lookalike domains, and SEO on counterfeit dApp pages.
The signature traps that drain wallets
1. ERC-20 approve / permit / permit2
The classical drainer flow. The victim sends an ERC-20 approve transaction, or signs an ERC-2612 permit message, granting an unlimited allowance on a specific token to an address the drainer controls. The drainer then calls transferFrom and empties the balance. permit is particularly dangerous because it is an EIP-712 signed message rather than an on-chain transaction: it costs the victim no gas, leaves no on-chain trace until it is redeemed, and whoever holds the signature can submit it at any point before its deadline. Permit2 works the same way once the token has been approved to the Permit2 contract, which many active traders have already done for legitimate reasons; a single PermitSingle or PermitBatch signature then hands that allowance to the drainer's spender address.
2. SetApprovalForAll (NFT drainer)
For NFTs, the drainer obtains setApprovalForAll for an entire NFT collection. The victim sees a generic "approve to interact with this NFT" prompt and signs. The drainer then transfers all NFTs in that collection.
3. eth_signTypedData_v4 with custom struct
The most insidious flow in 2024 and 2025. The drainer presents a custom EIP-712 typed-data structure styled to look like a benign sign-in or governance vote, while the fields actually authorise a specific token transfer or contract call. Wallets render the typed-data fields, but most users do not read or understand them. The tells are the domain's verifyingContract and any address-typed field in the message that is not your own account, especially one named spender, operator or recipient.
4. Direct transfer (legacy)
Older drainer kits would prompt a direct transfer of native ETH or a specific token. This is the most obvious flow and the easiest for users to catch. Modern drainer kits have largely moved past this because user awareness has improved.
5. Multicall and bundled approvals
The drainer presents a bundled call that combines multiple approvals or transfers in a single signature. The wallet UI may not fully decode the bundle, so the user sees only a summary that hides the malicious payload.
6. Solana versioned-transaction drainer
On Solana, drainers use versioned transactions with address-lookup tables to obfuscate the actual transfer destinations. Phantom and Solflare may display only the summary. The instruction breakdown reveals the drain. Read Phantom wallet Solana AML.
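The EVM traps above all reduce to a handful of fields in the sign request: a spender or operator address, an amount, and a deadline. The following is an added example, not code from this page or from any wallet or product, that decodes a request in the shape a dApp sends through window.ethereum.request() and reports what the signature would grant and which addresses to screen before signing. It covers approve and setApprovalForAll calldata, ERC-2612 permit and Permit2 PermitSingle typed data, and flags unrecognised selectors whose bundled contents a wallet summary may hide. The Permit2 and WETH9 addresses are the canonical mainnet deployments; every other address, the tag set, and the three sample requests are constructed for the demonstration.

```javascript
// Added example, not the page's or any wallet's code: triage a dApp sign request before
// approving it. Request shapes mirror window.ethereum.request() for eth_signTypedData_v4
// and eth_sendTransaction. All non-canonical addresses below are constructed.
const MAX_UINT256 = (1n << 256n) - 1n;
const MAX_UINT160 = (1n << 160n) - 1n;              // Permit2 amounts are uint160
const THIRTY_DAYS = 30n * 24n * 3600n;

// 4-byte selectors (first 4 bytes of keccak256 of the signature) of the approval calls.
const SELECTORS = { '0x095ea7b3': 'approve(address,uint256)', '0xa22cb465': 'setApprovalForAll(address,bool)' };

const word = (args, i) => args[i] || '0'.repeat(64);
const addrOf = (w) => '0x' + w.slice(24);          // address = low 20 bytes of a 32-byte word
const uintOf = (w) => BigInt('0x' + w);

// eth_sendTransaction: decode the selector and its ABI-encoded arguments.
function triageTransaction(tx) {
  const data = (tx.data || '0x').toLowerCase();
  const selector = data.slice(0, 10);
  const args = data.slice(10).match(/.{64}/g) || [];
  const to = tx.to.toLowerCase();
  const f = { kind: 'transaction', fn: SELECTORS[selector] || 'unknown', to, risks: [], screen: [to] };
  if (selector === '0x095ea7b3') {
    const spender = addrOf(word(args, 0));
    f.screen.push(spender);
    f.risks.push(`approve: ${spender} may spend token ${to}`);
    if (uintOf(word(args, 1)) === MAX_UINT256) f.risks.push('UNLIMITED allowance');
  } else if (selector === '0xa22cb465') {
    const operator = addrOf(word(args, 0));
    f.screen.push(operator);
    if (uintOf(word(args, 1)) !== 0n) f.risks.push(`setApprovalForAll: ${operator} may move EVERY token in ${to}`);
  } else if (data.length > 10) {
    f.risks.push(`unrecognised selector ${selector}: the wallet summary may hide bundled approvals`);
  }
  return f;
}

// eth_signTypedData_v4: walk the struct, recursing into nested structs such as Permit2's
// PermitSingle.details, and collect counterparty addresses, unlimited amounts and long deadlines.
function triageTypedData(signer, typedData, nowSec) {
  const td = typeof typedData === 'string' ? JSON.parse(typedData) : typedData;
  const vc = (td.domain.verifyingContract || '').toLowerCase();
  const f = { kind: 'typedData', primaryType: td.primaryType, verifyingContract: vc, risks: [], screen: vc ? [vc] : [] };
  const walk = (typeName, obj) => {
    for (const { name, type } of td.types[typeName] || []) {
      const v = obj[name];
      if (v === undefined) continue;
      if (type === 'address') {
        const a = String(v).toLowerCase();
        if (a !== signer.toLowerCase() && !f.screen.includes(a)) f.screen.push(a);
        if (/spender|operator|recipient/i.test(name)) f.risks.push(`${name}=${a} gains rights over the signer's assets`);
      } else if (/^uint/.test(type) && /amount|value/i.test(name)) {
        if ([MAX_UINT256, MAX_UINT160].includes(BigInt(v))) f.risks.push(`UNLIMITED ${name}`);
      } else if (/^uint/.test(type) && /deadline|expir/i.test(name)) {
        if (BigInt(v) > BigInt(nowSec) + THIRTY_DAYS) f.risks.push(`${name} is more than 30 days out; the signature stays redeemable`);
      } else if (td.types[type]) {
        walk(type, v);                                // nested struct
      }
    }
  };
  walk(td.primaryType, td.message);
  if (/permit/i.test(td.primaryType)) f.risks.unshift('off-chain permit: gasless, and whoever holds the signature can submit it later');
  return f;
}

function triageSignRequest(req, nowSec) {
  if (req.method === 'eth_sendTransaction') return triageTransaction(req.params[0]);
  if (req.method === 'eth_signTypedData_v4') return triageTypedData(req.params[0], req.params[1], nowSec);
  return { kind: req.method, risks: [`unhandled method ${req.method}`], screen: [] };
}

// Decision rule: a tagged address in `screen` is a hard stop; any approval needs review.
function verdict(f, tags) {
  const hit = f.screen.find((a) => tags[a]);
  if (hit) return `DO_NOT_SIGN: ${hit} is tagged "${tags[hit]}"`;
  return f.risks.length ? 'REVIEW: ' + f.risks.join('; ') : 'OK';
}

// Constructed sample inputs.
const SIGNER = '0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa';   // constructed victim account
const DRAINER = '0x1111111111111111111111111111111111111111';  // constructed drainer spender
const PERMIT2 = '0x000000000022d473030f116ddee9f6b43ac78ba3';  // canonical Permit2 deployment
const WETH = '0xc02aaa39b223fe8d0a0e5c4f27ead9083c756cc2';     // mainnet WETH9
const TAGS = { [DRAINER]: 'drainer-cluster (constructed sample tag)' };
const permit2Request = { method: 'eth_signTypedData_v4', params: [SIGNER, JSON.stringify({
  domain: { name: 'Permit2', chainId: 1, verifyingContract: PERMIT2 },
  primaryType: 'PermitSingle',
  types: { PermitSingle: [{ name: 'details', type: 'PermitDetails' }, { name: 'spender', type: 'address' }, { name: 'sigDeadline', type: 'uint256' }],
           PermitDetails: [{ name: 'token', type: 'address' }, { name: 'amount', type: 'uint160' }, { name: 'expiration', type: 'uint48' }, { name: 'nonce', type: 'uint48' }] },
  message: { details: { token: WETH, amount: MAX_UINT160.toString(), expiration: '281474976710655', nonce: '0' }, spender: DRAINER, sigDeadline: '281474976710655' },
})] };
const setApprovalRequest = { method: 'eth_sendTransaction', params: [{ from: SIGNER, to: '0x4444444444444444444444444444444444444444', value: '0x0',
  data: '0xa22cb465' + DRAINER.slice(2).padStart(64, '0') + '1'.padStart(64, '0') }] };   // constructed NFT collection
const loginRequest = { method: 'eth_signTypedData_v4', params: [SIGNER, JSON.stringify({
  domain: { name: 'Example Login', chainId: 1 }, primaryType: 'Login',
  types: { Login: [{ name: 'account', type: 'address' }, { name: 'nonce', type: 'string' }, { name: 'issuedAt', type: 'uint256' }] },
  message: { account: SIGNER, nonce: 'constructed-nonce', issuedAt: '1700000000' },
})] };

for (const req of [permit2Request, setApprovalRequest, loginRequest]) {
  console.log(verdict(triageSignRequest(req, 1700000000), TAGS));
}
```

Note what the Permit2 case shows: the verifyingContract is the genuine Permit2 contract, so screening only "the contract address" would come back clean; the drainer sits in the spender field, which is why the screen list carries every counterparty address rather than just the contract. The login request, with no verifyingContract and no address other than the signer's, produces no findings, which is what a benign sign-in looks like.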
The named drainer operations active in 2026
Several drainer kits operate as identifiable brands. Cluster databases tag their infrastructure:
- Inferno Drainer — Among the highest-volume kits of 2023 to 2024. Officially disbanded by its operators in late 2023 but successor operations continued under new branding.
- Pink Drainer — Active from 2023, documented victims include high-profile crypto Twitter accounts. Disbanded publicly in 2024; infrastructure remains tagged.
- Angel Drainer — Successor or competitor to Pink, active through 2024 and 2025.
- Monkey Drainer / Venom Drainer — Earlier-generation operations whose tagged infrastructure remains in OSINT databases.
- Solana-specific drainers — Multiple smaller operations targeting Phantom and Solflare users via fake airdrops and meme-coin claims.
- Telegram-based drainer bots — Targeting Telegram crypto wallets directly through fake mini-apps.
When a drainer "disbands," the contracts and addresses remain on-chain and remain tagged. The operators usually rebrand and redeploy. The cluster tags propagate forward.
Real losses — documented cases
Drainer losses are publicly traceable. Examples:
- Late 2023 — A single victim lost USD 4.4 million in WBTC and ETH after signing a malicious permit2 approval on a counterfeit airdrop page.
- Q1 2024 — A Pink Drainer campaign extracted USD 8 million over several weeks from victims across compromised X accounts of crypto influencers.
- Mid-2024 — A Solana drainer campaign tied to a fake meme-coin launch extracted USD 2.1 million from Phantom users.
- Ongoing 2025-2026 — Aggregate drainer losses continued at roughly USD 25 to 50 million per month across all chains, dominated by EVM with significant Solana share.
Infection vectors — how victims encounter drainers
Compromised influencer accounts
The largest single category. A crypto-Twitter influencer's account is compromised (SIM swap, credential stuffing, session hijack). The attacker posts an "airdrop" or "claim" link to the influencer's followers. Followers trust the source and click. The drainer captures whatever they sign.
Fake dApp clones
Counterfeit versions of legitimate dApps (Uniswap, OpenSea, Blur, Magic Eden). Typo-squatted domains, Google Ads on competitor keywords, or compromised legitimate domains that redirect through the drainer.
Phishing emails impersonating airdrops
"You qualified for the X airdrop, claim before deadline." Particularly effective during legitimate airdrop windows when users are primed to expect claims.
Discord and Telegram raids
Compromised admin accounts post links in legitimate project channels. Project members trust the source and click.
QR codes on counterfeit hardware-wallet packaging
A growing physical vector: counterfeit Ledger or Trezor packaging includes QR codes that link to drainer pages. Particularly dangerous because the victim believes they are setting up genuine hardware.
Pre-sign AML screening for drainer detection
Drainer contracts and the addresses they direct funds to are aggressively tagged by OSINT databases. When a drainer campaign runs, the infrastructure typically gets tagged within 24 to 72 hours of the first victim. By the time you encounter the drainer, its contract address may already be in databases.
The pre-sign workflow:
- A signature request appears in MetaMask, Rabby, Phantom or your hardware wallet UI.
- Before signing, copy the address that is being granted rights. For a transaction that is the to address plus any spender or operator argument the wallet decodes; for typed data it is the domain's verifyingContract plus any spender, operator or recipient field in the message. For Permit2 in particular, the verifyingContract is the legitimate Permit2 contract and the drainer is the spender field, so screen the spender.
- Paste it into AegisAML running on Windows.
- Review the AML report. Look for drainer-cluster tags, scam-deployer flags, or mixer adjacency.
- If clean, proceed to sign. If flagged, do not sign. Disconnect the wallet.
This catches drainer infrastructure that has been previously identified. It does not catch first-victim attacks from brand-new drainer deployments. For that, the wallet-hygiene practices below are the primary defence.
Wallet hygiene for drainer prevention
1. Read every signature request
Read the contract address. Read the function being called. Read the typed-data fields. Most drainer prevention reduces to attention. If you do not understand what you are signing, do not sign.
2. Use a dedicated "hot" wallet for unknown dApps
Compartmentalise. Hold material funds in a hardware-wallet account that you only use for known counterparties. Use a separate burner wallet for unknown dApps, airdrop claims, and experimental interactions. A drained burner is annoying; a drained primary is catastrophic.
3. Hardware-wallet verification on the device screen
If you sign on a Ledger or Trezor, the payload still has to be shown on the device screen. Read it. Verify that the contract address and the function or typed-data fields match what the host application claims. If the device cannot decode the payload and offers only a hash or a blind-signing prompt, you are verifying nothing; decline. Host compromise becomes much harder to weaponise if you trust only the hardware screen. Read Ledger and Trezor AML scan.
4. Revoke unused approvals periodically
Tools like Revoke.cash, Etherscan's token approvals page, or Rabby's built-in revoker let you see which contracts have active allowances and revoke them. Two caveats: Permit2 allowances are held by the Permit2 contract rather than by the token, so confirm your tool covers them; and a permit signature that has not yet been redeemed leaves no on-chain trace, so no revocation tool can see it until it is used. Quarterly revocation still reduces the blast radius if you ever sign a malicious approval.
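What the revocation tools do under the hood is fold the wallet's Approval and ApprovalForAll event logs into a current-allowance table and then issue approve(spender, 0) or setApprovalForAll(operator, false). The following is an added example, not the page's code and not the implementation of any of the tools named above, that performs that reduction over a constructed eth_getLogs result and builds the revoke transactions for every spender not on a personal allowlist, plus any unlimited ERC-20 allowance regardless of who holds it. The event topic hashes are the standard ERC-20/ERC-721 ones; every address and the sample log set are constructed, and blockNumber and logIndex are assumed to be already parsed to numbers.

```javascript
// Added example, not the page's or any tool's code: rebuild outstanding approvals from raw
// Approval / ApprovalForAll logs and emit the revoke calls. Addresses and logs are constructed.
const TOPIC_APPROVAL = '0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925';         // Approval(address,address,uint256)
const TOPIC_APPROVAL_FOR_ALL = '0x17307eab39ab6107e8899845ad3d59bd9653f200f220920489ca2b5937696c31'; // ApprovalForAll(address,address,bool)
const MAX_UINT256 = (1n << 256n) - 1n;

const topicAddr = (t) => '0x' + t.slice(26);                          // indexed address = low 20 bytes of the topic
const padAddr = (a) => a.slice(2).toLowerCase().padStart(64, '0');

// Fold logs oldest-first; the last Approval per (contract, spender) is the current grant.
// Caveat: many tokens spend allowance in transferFrom without emitting Approval, so a value
// seen here is an upper bound. Confirm with allowance()/isApprovedForAll() before trusting a 0.
function outstandingApprovals(logs, owner) {
  const me = owner.toLowerCase();
  const sorted = [...logs].sort((a, b) => a.blockNumber - b.blockNumber || a.logIndex - b.logIndex);
  const erc20 = new Map(), nft = new Map();
  for (const log of sorted) {
    if (log.topics.length !== 3 || topicAddr(log.topics[1]) !== me) continue;   // not this owner's grant
    const key = log.address.toLowerCase() + '|' + topicAddr(log.topics[2]);
    const value = BigInt(log.data);
    if (log.topics[0] === TOPIC_APPROVAL) erc20.set(key, value);
    else if (log.topics[0] === TOPIC_APPROVAL_FOR_ALL) nft.set(key, value !== 0n);
  }
  const out = [];
  for (const [k, v] of erc20) if (v > 0n) {
    const [contract, spender] = k.split('|');
    out.push({ type: 'erc20', contract, spender, allowance: v, unlimited: v === MAX_UINT256 });
  }
  for (const [k, v] of nft) if (v) {
    const [contract, spender] = k.split('|');
    out.push({ type: 'nft', contract, spender, allowance: null, unlimited: true });   // operator can move every token
  }
  return out;
}

// Revoke = approve(spender, 0) or setApprovalForAll(operator, false), sent to the asset contract.
function buildRevokeTx(from, grant) {
  const selector = grant.type === 'erc20' ? '0x095ea7b3' : '0xa22cb465';
  return { from, to: grant.contract, data: selector + padAddr(grant.spender) + '0'.repeat(64), value: '0x0' };
}

// Revoke anything not on the allowlist, and any unlimited ERC-20 allowance even to a trusted
// spender: an exact per-trade allowance is cheap, an unlimited one is permanent blast radius.
function revokePlan(logs, owner, allowlist) {
  const keep = new Set(allowlist.map((a) => a.toLowerCase()));
  return outstandingApprovals(logs, owner)
    .filter((g) => !keep.has(g.spender) || (g.type === 'erc20' && g.unlimited))
    .map((g) => buildRevokeTx(owner, g));
}

// Constructed sample data.
const OWNER = '0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa';        // constructed wallet
const ROUTER = '0x2222222222222222222222222222222222222222';       // constructed trusted router
const DRAINER = '0x1111111111111111111111111111111111111111';      // constructed drainer contract
const TOKEN = '0x3333333333333333333333333333333333333333';        // constructed ERC-20
const COLLECTION = '0x4444444444444444444444444444444444444444';   // constructed ERC-721
const topic = (a) => '0x' + padAddr(a);
const uint = (n) => '0x' + n.toString(16).padStart(64, '0');
const SAMPLE_LOGS = [   // constructed eth_getLogs output, deliberately out of order
  { address: TOKEN, topics: [TOPIC_APPROVAL, topic(OWNER), topic(ROUTER)], data: uint(0n), blockNumber: 300, logIndex: 0 },                 // later revoke
  { address: TOKEN, topics: [TOPIC_APPROVAL, topic(OWNER), topic(ROUTER)], data: uint(1000n * 10n ** 6n), blockNumber: 100, logIndex: 0 },
  { address: TOKEN, topics: [TOPIC_APPROVAL, topic(OWNER), topic(DRAINER)], data: uint(MAX_UINT256), blockNumber: 200, logIndex: 3 },       // the drainer permit
  { address: COLLECTION, topics: [TOPIC_APPROVAL_FOR_ALL, topic(OWNER), topic(ROUTER)], data: uint(1n), blockNumber: 250, logIndex: 1 },
  { address: TOKEN, topics: [TOPIC_APPROVAL, topic('0xbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb'), topic(DRAINER)], data: uint(MAX_UINT256), blockNumber: 260, logIndex: 0 }, // someone else's
];

console.log(outstandingApprovals(SAMPLE_LOGS, OWNER));
console.log(revokePlan(SAMPLE_LOGS, OWNER, [ROUTER]));
```

The sample reproduces the situation the hygiene advice is about: the router allowance was already zeroed by a later log and drops out, the other owner's grant is ignored, the NFT operator is allowlisted and kept, and the only transaction the plan emits is approve(DRAINER, 0) on the token. Ordering by (blockNumber, logIndex) before folding is what makes the later revoke win; folding in the order the node returned the logs would resurrect the stale allowance.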
5. Be sceptical of urgency
"Limited time," "claim before deadline," "exclusive whitelist" are red flags. Drainer campaigns engineer urgency to short-circuit verification. Legitimate dApps rarely require split-second decisions.
6. Verify URLs character-by-character
Drainer phishing uses Punycode look-alike domains and typo-squatted variants. The URL bar is the first line of defence. Bookmark legitimate dApps; do not navigate from links in posts or DMs.
7. Disconnect after use
Disconnect WalletConnect sessions when you finish. Persistent sessions are a passive attack surface.
What to do if you have been drained
If a drainer has signed funds out of your wallet:
- Stop all interactions with the affected wallet immediately — disconnect from all dApps. Do not sign anything else from this wallet.
- Move remaining funds to a fresh wallet — if any balance remains, transfer to a new wallet you create from a fresh seed. The compromised wallet may have outstanding approvals you have not yet seen exploited.
- Document the drain — transaction hashes, drainer contract address, signature data.
- Report to relevant authorities — FBI IC3, Action Fraud (UK), national cybercrime hotlines. For amounts over USD 50,000, engage a crypto-savvy attorney.
- Tag the drainer publicly — submit to Etherscan labels, ScamSniffer, MetaMask's phishing list.
- Keep the drain documentation in your compliance file. Exchanges may place deposit holds on inflows that trace back to a wallet with a known drain history, and the record of what happened is what clears them.
Pre-sign AML screening that catches known drainer infrastructure — free, on Windows
AegisAML indexes drainer cluster tags, scam-deployer addresses, and mixer infrastructure across Ethereum, EVM L2s, Solana and other chains. Run the check in 10 seconds before you sign. Locally. No account.
Install AegisAML for Windows
Related security and pre-sign guides
For the broader pre-sign workflow read MetaMask pre-sign AML screening. For the related but distinct address-poisoning attack read address poisoning attack prevention. For categorical scam-deployer screening read scam and phishing address checker. For Solana-specific drainer patterns read Phantom wallet Solana AML.
Frequently asked questions
Can a drainer drain my hardware wallet without me approving anything?
No. Drainers require a signature. A hardware wallet that is plugged in but idle, with no signature in progress, is safe. The risk emerges when you connect to a malicious dApp and approve a signature. The hardware wallet protects the private key; it does not protect you from approving a malicious payload.
Does Revoke.cash protect me from drainers?
Revoke.cash removes existing token approvals. It does not prevent you from signing a new malicious approval. Use it for hygiene after the fact and quarterly maintenance, not as a real-time defence.
Are drainer kits illegal everywhere?
Yes. Operating a drainer kit, affiliating to drain victims, or buying access to drainer infrastructure are criminal activities in every major jurisdiction. Multiple drainer operators have been arrested or are under active investigation in 2024 and 2025.
Will MetaMask warn me about drainers?
MetaMask integrates with multiple phishing-protection services and displays warnings for known malicious domains and contracts. The warnings are not comprehensive — brand-new drainer deployments may not yet be in MetaMask's databases. Rabby has similar but distinct protections. Treat wallet warnings as one signal, not the only signal.
Can I be drained without an internet connection?
No. The drainer needs to receive your signature, which requires that the signed payload reach it over the network, whether sent directly by your wallet or relayed by a companion app. Air-gapped signing (Keystone and similar QR-based signers) adds friction because the signing device never talks to the dApp, but it still signs whatever payload is carried to it, so the device-screen check still applies. ColdCard is Bitcoin-only and does not sign EVM or Solana payloads at all.