You connect your wallet to a website that looks exactly like a popular NFT marketplace. You click “Claim Airdrop.” Your wallet prompts you to approve a transaction. You click confirm. Seconds later, your tokens and NFTs are gone — all of them, swept to an address you’ve never seen.
This is a wallet drainer attack, and it’s one of the most effective scams in Web3. Unlike seed phrase phishing, drainers never need your private key. They abuse legitimate wallet features with a single signature.
This field guide teaches you how to identify drainer sites before they drain you.
BLUF: Wallet drainers trick you into signing an approval transaction that grants unlimited access to your tokens. The four warning signs: (1) unsolicited airdrop or NFT claims, (2) domain that doesn’t match the real project, (3) approval prompt instead of a normal transaction, (4) urgency pressure. Never connect your main wallet to unfamiliar sites — use a burner wallet.
The Drainer Playbook
Bait: How They Get You to Connect
Drainer operators distribute malicious links through compromised accounts:
| Distribution Channel | Typical Message |
|---|---|
| Hacked Twitter accounts | “We’re airdropping to early supporters! Claim at [fake-domain]” |
| Compromised Discord servers | “Limited mint live! 0.01 ETH — [fake-domain]” |
| Telegram groups | “Exclusive whitelist spot — connect at [fake-domain]” |
| Google Ads | Ad for “Uniswap” pointing to uniswap-app.io |
| Direct DMs | “You won! Claim your prize at [fake-domain]” |
The links lead to sites that are pixel-perfect copies of real dApps. The domain is slightly different — maybe an extra hyphen, a .io instead of .com, or a homoglyph character.
Hook: How They Get Your Signature
Once you connect your wallet, the drainer triggers a transaction prompt. The most common techniques:
1. Unlimited Token Approval
setApprovalForAll(0xDRAINER_CONTRACT, true)
This grants the drainer contract permission to transfer every token you hold in that contract (usually an ERC-721 NFT collection). The wallet shows a generic approval prompt. Many users click “Approve” without reading.
2. Permit Signature
Using EIP-2612 permit, the drainer asks you to sign an off-chain message. This looks like a login or verification step but actually grants token spending approval. No gas, no visible transaction — until the drainer uses it.
3. TransferFrom with Disguised Data
The drainer constructs a transferFrom() call with your address in the from argument. If you previously approved the drainer’s contract (even months ago), the transfer executes instantly.
Sink: How They Cash Out
Once the drainer has your assets:
- Tokens are swapped for ETH on a DEX
- ETH is bridged to multiple chains
- Funds pass through mixers or cross-chain bridges
- Final cash-out via OTC desks or prepaid cards
Total time from your signature to untraceable funds: 15-30 minutes.
How to Identify a Drainer Site
Check 1: The Domain
The single most important check. Compare character by character:
| Real | Drainer | Difference |
|---|---|---|
| opensea.io | opensea-pro.io | Hyphenated suffix added |
| blur.io | blurr.io | Doubled consonant |
| uniswap.org | uniswap-app.org | Hyphenated suffix added |
| aave.com | aave-claim.com | Hyphenated suffix added |
Bookmark legitimate sites and navigate from bookmarks only. Never click links from Discord, Telegram, or Twitter without verifying the domain.
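The character-by-character comparison above can be automated against your own bookmark list. This is an added example, not code from the page or from any wallet: the bookmark set and the small homoglyph table are assumptions, and it treats the last two labels (`name.tld`) as the registrable domain, so multi-part TLDs are out of scope.

```python
import unicodedata
from difflib import SequenceMatcher

# Constructed bookmark list: the only registrable domains this check treats as legitimate.
BOOKMARKED = {"opensea.io", "blur.io", "uniswap.org", "aave.com"}

# Assumed (not exhaustive) map of non-Latin letters that render like ASCII ones.
HOMOGLYPHS = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
              "\u0441": "c", "\u0445": "x", "\u0456": "i", "\u0261": "g"}

def canonical(url_or_host: str) -> str:
    """Lowercase host only: scheme, path, userinfo, port and leading www. removed, punycode decoded."""
    host = url_or_host.lower().split("://")[-1].split("/")[0]
    host = host.split("@")[-1].split(":")[0].rstrip(".")   # user@host tricks and :port
    if host.startswith("www."):
        host = host[4:]
    try:
        host = host.encode("ascii").decode("idna")   # xn--... labels back to Unicode
    except UnicodeError:
        pass                                          # already Unicode, nothing to decode
    return unicodedata.normalize("NFKC", host)

def deglyph(host: str) -> str:
    """Map look-alike letters to the ASCII letters a human reads them as."""
    return "".join(HOMOGLYPHS.get(ch, ch) for ch in host)

def classify(url_or_host: str) -> str:
    """'bookmarked', 'homoglyph', 'lookalike' or 'unknown' for the site a link points at."""
    canon = canonical(url_or_host)
    ascii_host = deglyph(canon)
    registrable = ".".join(ascii_host.split(".")[-2:])   # name.tld (assumes no multi-part TLD)
    if registrable in BOOKMARKED:
        # Same spelling as a bookmark but different raw characters means a homoglyph was used.
        return "bookmarked" if canon == ascii_host else "homoglyph"
    if "." not in registrable:
        return "unknown"
    label = registrable.split(".", 1)[0]
    for real in BOOKMARKED:
        real_label = real.split(".", 1)[0]
        if label == real_label:                      # same name, different TLD
            return "lookalike"
        if real_label in label.split("-"):           # opensea-pro, uniswap-app, aave-claim
            return "lookalike"
        if SequenceMatcher(None, label, real_label).ratio() >= 0.8:   # blurr vs blur
            return "lookalike"
    return "unknown"
```

Anything other than "bookmarked" is a reason to stop and navigate from your own bookmark instead of the link.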
Check 2: The Wallet Prompt
When your wallet shows a transaction prompt, look for:
| Signal | Safe | Drainer |
|---|---|---|
| Function name | swap, deposit, mint | approve, setApprovalForAll, permit |
| Gas estimate | Normal for the action | Unusually high or complex data |
| Contract address | Matches the official project | Unknown address |
| Token amount | Specific amount | unlimited or type(uint256).max |
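The three hook techniques and the prompt checks in this table come down to decoding what a request actually does before you sign it. This is an added example, not code from any wallet or from this page: it decodes the ABI calldata of approve, setApprovalForAll, transferFrom and an on-chain EIP-2612 permit, plus the typed-data Permit a site can present through eth_signTypedData_v4, and reports the drainer signals; TRUSTED and the sample calldata are constructed placeholders.

```python
# Constructed allowlist: contracts the user has verified and trusts (placeholder address).
TRUSTED = {"0x" + "ab" * 20}
UNLIMITED = 2**256 - 1          # what wallets show as "unlimited" or type(uint256).max
SELECTORS = {                   # 4-byte selectors of the functions drainers rely on
    "095ea7b3": "approve",            # approve(address,uint256)
    "a22cb465": "setApprovalForAll",  # setApprovalForAll(address,bool)
    "d505accf": "permit",             # permit(address,address,uint256,uint256,uint8,bytes32,bytes32)
    "23b872dd": "transferFrom",       # transferFrom(address,address,uint256)
}

def _word(data: bytes, i: int) -> int:
    """i-th 32-byte ABI word after the selector, as an integer."""
    return int.from_bytes(data[4 + 32 * i:36 + 32 * i], "big")

def _addr(data: bytes, i: int) -> str:
    """i-th ABI word as a lowercase 0x address (the last 20 of its 32 bytes)."""
    return "0x" + data[16 + 32 * i:36 + 32 * i].hex()

def review_calldata(me: str, to: str, data_hex: str) -> list[str]:
    """Warnings a wallet prompt should surface for one eth_sendTransaction request."""
    data, warnings = bytes.fromhex(data_hex[2:]), []
    fn = SELECTORS.get(data[:4].hex())
    if fn in ("approve", "permit"):            # permit(owner, spender, value, ...) shifts by one word
        spender = _addr(data, 0 if fn == "approve" else 1)
        amount = _word(data, 1 if fn == "approve" else 2)
        if spender not in TRUSTED:
            warnings.append(f"{fn}: spender {spender} is not a trusted contract")
        if amount == UNLIMITED:
            warnings.append(f"{fn}: unlimited allowance (type(uint256).max)")
    elif fn == "setApprovalForAll":
        if _word(data, 1) == 1 and _addr(data, 0) not in TRUSTED:
            warnings.append(f"setApprovalForAll: {_addr(data, 0)} gets every token you hold in {to}")
    elif fn == "transferFrom" and _addr(data, 0) == me.lower():
        warnings.append("transferFrom: moves your tokens using an approval you granted earlier")
    return warnings

def review_permit(typed_data: dict) -> list[str]:
    """Same checks for an EIP-2612 Permit offered via eth_signTypedData_v4 (no gas, no visible tx)."""
    if typed_data.get("primaryType") != "Permit":
        return []
    msg, warnings = typed_data["message"], []
    if msg["spender"].lower() not in TRUSTED:
        warnings.append(f"permit: spender {msg['spender']} is not a trusted contract")
    if int(msg["value"]) == UNLIMITED:
        warnings.append("permit: unlimited allowance (type(uint256).max)")
    return warnings

# Constructed sample: the setApprovalForAll(<unknown operator>, true) a "Claim Airdrop" page requests.
DRAINER_APPROVAL = "0xa22cb465" + "00" * 12 + "de" * 20 + "00" * 31 + "01"
```

A non-empty warning list on a page that promised a free claim is exactly the “You will lose everything” case in Check 3.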
Check 3: Use Transaction Simulation
Modern wallets simulate transactions before you sign:
- Rabby Wallet — Shows exact asset changes: “You will lose 3 ETH + 12 NFTs”
- MetaMask — Shows estimated changes with Snap extensions
- Frame — Full simulation with warning labels
If a “free claim” shows “You will lose everything,” it’s a drainer. Abort.
Check 4: Community Vetting
Before connecting to any unfamiliar dApp:
- Does the project have a verified Twitter with real followers?
- Is the contract audited?
- Are there independent reviews (not just the project’s own Discord)?
- Does the domain appear on wallet guard blocklists?
The Burner Wallet Strategy
The most effective defense: never connect your main wallet to unfamiliar sites.
How to Set Up a Burner Wallet
- Create a new wallet in your browser extension (separate account)
- Send only the funds you need for the specific transaction
- Connect this wallet to unfamiliar dApps
- If the wallet gets drained, you only lose the small amount you funded it with
- Never reuse a burner wallet across multiple unfamiliar sites
This costs nothing (creating a wallet is free) and limits your exposure to the amount you explicitly transfer.
Post-Incident Response
If you suspect you’ve signed a malicious transaction:
- Immediately move all assets from the connected wallet to a fresh wallet
- Revoke all approvals on revoke.cash or Etherscan Token Approval Checker
- Document everything — screenshots, URLs, transaction hashes, wallet addresses
- Report to Chainabuse, Wallet Guard, and the FBI’s IC3
- Check your other wallets — if you approved a drainer contract on multiple wallets, all are at risk
Frequently Asked Questions
Q: I connected my wallet to a suspicious site but didn’t sign anything. Am I safe?
A: Likely yes. Simply connecting (sharing your public address) doesn’t grant any permissions. But disconnect anyway and revoke the site’s permissions in your wallet settings.
Q: Can antivirus or browser extensions stop drainers?
A: Browser extensions like Wallet Guard, Pocket Universe, and Blockaid provide warnings. They’re helpful but not foolproof — new drainer domains are created daily. Treat them as a layer, not a guarantee.
Q: What about hardware wallets?
A: A hardware wallet adds a physical confirmation step, which gives you time to think. But if you approve a malicious transaction on the device, the drainer succeeds. Always read the contract address and function on the device screen.
Q: Are big protocols like Uniswap and OpenSea safe?
A: When accessed through their official domains (bookmarked), yes. The danger is in copycat domains. The protocol itself is safe — the attack is on the domain, not the protocol.