
Crypto wallet drainers are a serious threat to your digital assets, and it's essential to understand how they work. They can drain your wallet by sending your funds to a malicious address.
You can't afford to be complacent, as even the most secure wallets can be vulnerable to these attacks. According to a study, 71% of cryptocurrency users have fallen victim to phishing scams.
To protect your assets, it's crucial to keep your wallet software up to date. This will ensure you have the latest security patches and features to prevent attacks.
What Is a Drainer?
A drainer is a type of malware specifically designed to target digital cryptocurrency wallets.
It tricks users into granting access to their wallets and then siphons off their funds, often by abusing weaknesses in the wallet's approval and signing flow or in the decentralized applications (dApps) the user interacts with.
A well-known incident occurred on December 17, 2022, when scammers used a fake website to trick an NFT collector into licensing their Bored Ape NFT.
Crypto wallet drainers are prevalent across the Web3 ecosystem, often targeting wallets through fake websites, phishing links, or counterfeit decentralized applications.
They lure victims into approving transactions that hand over control of their assets.
New examples emerge every day, and some target individuals by hacking social media accounts.
Other wallet drainers are covertly injected into well-known dApps.
Most wallet drainers try to emulate or impersonate a known brand in order to lure a user into entering and interacting with an application.
To inventory the victim's assets and decide how to extract the maximum value from an address without drawing attention, most wallet drainers rely on web3 APIs.
These APIs encompass a range of sources, including OpenSea's API for obtaining information on NFTs held by the victim and the Moralis API for retrieving data on token positions and dollar prices.
The ultimate goal of every wallet drainer is to obtain transactions and signatures from the user.
Attackers adapt quickly and adjust their techniques as new technologies are deployed in the web3 ecosystem.
For instance, attackers have been observed transitioning from attempting direct asset theft through transfers or approvals to using more covert methods involving interactions with OpenSea Seaport contracts, token permits, Blur, and decentralized platforms like Uniswap and PancakeSwap.
Attackers aim to make the user experience of signing malicious transactions appear as normal as possible.
Users are often deceived into signing malicious transactions without hesitation, thinking they are legitimate activities.
Types of Drainers
Crypto wallet drainers use several tactics to steal digital assets. The most common types are:
- Phishing Scams: attackers pose as legitimate entities and trick users into providing sensitive information, such as private keys or wallet details.
- Ice Phishing: a particularly sneaky technique in which attackers convince users to sign fraudulent transactions that, without the user realising it, grant the attacker control over their tokens. This tactic accounted for a significant percentage of crypto thefts in 2023.
- Malicious Smart Contracts: attackers disguise these contracts as part of legitimate transactions, and when a user interacts with one they unknowingly grant access to their wallet.
- Fake Airdrops and NFT Drops: scammers offer free NFTs or cryptocurrency airdrops to lure victims into connecting their wallets, which are then siphoned off.
One tactic wallet drainer perpetrators use once they have access is the native drain.
Native Drain
A native drain is an attack in which the drainer shifts its focus to the chain's native token (ETH on Ethereum). It takes place after the permit attack has been executed and the victim's token assets have already been approved for transfer.
In its simplest form the drainer initiates a plain transaction that moves ETH from one externally owned account (EOA) to another, with no calldata involved. Transfers of this kind are a common occurrence, so on its own the transaction looks unremarkable.

To avoid detection, the drainer can mask this activity with a more sophisticated technique: routing the transaction through an intermediary contract, such as the legitimate SushiSwap Router.
In that case the target contract is the SushiSwap Router, and decoding the calldata shows that the transaction calls the swapETHForExactTokens function, which swaps ETH for a specified amount of another token.
The path parameter reveals that the drainer is swapping from WETH to USDC. By routing the transaction through a legitimate contract like SushiSwap, the drainer obfuscates the true intent of the transaction.
This makes the attack harder to detect, as it appears to be a typical trade rather than a drain.
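The calldata decoding described above can be reproduced without any library. The following is an added example written for this page, not code from the original article or from any of the projects it mentions: it decodes the ABI-encoded arguments of a swapETHForExactTokens call, labels the path, and applies the two checks a transaction monitor would run on such a trade (does ETH leave the wallet, and does the output go back to the signer). The function selector and the WETH/USDC mainnet addresses are the real values; the signer, recipient and router addresses in the sample are constructed placeholders.

```javascript
// Added example, not code from the original article: a dependency-free decoder
// for swapETHForExactTokens calldata plus the checks a monitor would run on it.
// The selector and token addresses are real mainnet values; all EOAs and the
// router address are constructed placeholders.

const SELECTORS = {
  "0xfb3bdb41": "swapETHForExactTokens(uint256,address[],address,uint256)",
};

// Mainnet token addresses, used only to label the swap path.
const WETH = "0xc02aaa39b223fe8d0a0e5c4f27ead9083c756cc2";
const USDC = "0xa0b86991c6218b36c1d19d4a2e9eb0ce3606eb48";
const KNOWN_TOKENS = { [WETH]: "WETH", [USDC]: "USDC" };

// Left-pad a hex value to one 32-byte ABI word (no 0x prefix).
const pad = (h) => h.replace(/^0x/, "").toLowerCase().padStart(64, "0");

// Decode the arguments: amountOut, path (dynamic array reached via its byte
// offset), to, deadline. Returns null for any function we do not recognise.
function decodeSwapETHForExactTokens(calldata) {
  const hex = calldata.toLowerCase().replace(/^0x/, "");
  const signature = SELECTORS["0x" + hex.slice(0, 8)];
  if (!signature) return null;
  const args = hex.slice(8);
  const word = (i) => args.slice(i * 64, (i + 1) * 64);
  const amountOut = BigInt("0x" + word(0));
  const pathWord = Number(BigInt("0x" + word(1))) / 32; // byte offset -> word index
  const to = "0x" + word(2).slice(24);
  const deadline = BigInt("0x" + word(3));
  const pathLen = Number(BigInt("0x" + word(pathWord)));
  const path = [];
  for (let i = 0; i < pathLen; i++) path.push("0x" + word(pathWord + 1 + i).slice(24));
  return { signature, amountOut, path, to, deadline };
}

// Checks a monitor would apply to a pending transaction: is ETH leaving the
// wallet, what is being swapped, and who receives the output tokens.
function assessSwap(tx) {
  const decoded = decodeSwapETHForExactTokens(tx.data);
  if (!decoded) return { decoded: null, pathLabel: null, findings: ["unrecognised-function"] };
  const findings = [];
  const pathLabel = decoded.path.map((a) => KNOWN_TOKENS[a] || a).join(" -> ");
  if (tx.value > 0n) findings.push("native-eth-leaves-wallet");
  // A genuine trade normally returns the output tokens to the signer; output
  // routed to a third party is the tell-tale of a drain dressed up as a swap.
  if (decoded.to.toLowerCase() !== tx.from.toLowerCase()) findings.push("recipient-differs-from-sender");
  return { decoded, pathLabel, findings };
}

// Constructed sample: 0.5 ETH sent to the router, asking for exactly 1000 USDC
// (6 decimals) to be delivered to an address that is not the signer.
const SAMPLE_TX = {
  from: "0x1111111111111111111111111111111111111111", // signer EOA (constructed)
  to: "0x2222222222222222222222222222222222222222",   // router address (placeholder)
  value: 500000000000000000n,
  data:
    "0xfb3bdb41" +
    pad("0x3b9aca00") +                                  // amountOut = 1_000_000_000
    pad("0x80") +                                        // path offset: 4 static words * 32 bytes
    pad("0x5555555555555555555555555555555555555555") + // to: recipient (constructed)
    pad("0x65f00000") +                                  // deadline (unix seconds)
    pad("0x2") +                                         // path length
    pad(WETH) +
    pad(USDC),
};

console.log(assessSwap(SAMPLE_TX));
```

Running the block prints the decoded call with the path labelled "WETH -> USDC" and both findings raised. The recipient check is the one that separates this transaction from an ordinary trade: the swap itself is legitimate, the destination of its output is not.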
Crafting and Distributing Drainers
Crafting and distributing drainers is a complex process, but at its core it means building a malicious dApp that looks like a legitimate service. These dApps mimic trusted platforms or exciting new projects, which makes them hard to spot at first glance. In one attack, for example, the malicious dApp was disguised as a BNB Chain airdrop.
Communication between the frontend and its C2 (Command and Control) server is often encrypted, making it harder for security researchers to track the process. The malicious dApp alone isn't enough, though: the real trick lies in how it is distributed.
Attackers use several methods to get users onto these dApps:
- Spam ads on social media: platforms like Twitter and Reddit are flooded with fake airdrop promotions.
- Phishing emails and DMs: users receive enticing messages claiming to offer huge rewards in exchange for connecting their wallets.
- Frontend hijacking: in more sophisticated attacks, hackers compromise legitimate websites and replace their front end with a malicious version, seamlessly diverting users to the drainer.
Getting the User to Connect
In the BNB Chain airdrop example, the site claims to let users check their eligibility for an upcoming airdrop, playing directly into users' FOMO. This is a clever way to get users to connect their wallets without raising suspicion.
Everything about the site is designed to rush users into connecting their wallets, with a relentless prompt to do so as soon as they click any button. This is a classic hallmark of an impersonating dApp.
The "Connect Wallet" dialog pops up immediately no matter which button you click, whether it's "Check Eligibility", "Learn More", or even a fake blog post. This is a deliberate design choice to get users to connect their wallets without thinking twice.
Just connecting your wallet usually won't drain your funds, but some sites might ask you to "sign a message" – that's a red flag! Our team has seen cases where people connected their wallet to a malicious website and got immediately drained after signing a contract.
Onchain Preparations and Attacks
After receiving instructions from the C2 servers, the drainer begins its onchain interactions by sending JSON-RPC calls to the wallet.
It uses the wallet_switchEthereumChain method to force the user's wallet onto a different chain, in this case Arbitrum One; a chain switch the user did not ask for is a red flag.
To gather data, the drainer issues eth_call JSON-RPC requests that read data from onchain contracts. Decoding the calldata of these requests reveals which function is being called.
The drainer queries the contract for the wallet's nonce and the contract's name, both of which are required for EIP-2612, an ERC-20 extension that allows token approvals via off-chain signatures.
By leveraging EIP-2612, the drainer obtains a signature that authorizes asset transfers without the user explicitly approving the transaction onchain.
It requests that signature with the eth_signTypedData_v4 JSON-RPC method, which signs a structured piece of data according to the EIP-712 standard.
The permit authorizes the spender to transfer a massive amount of tokens from the user's wallet, giving the attacker full control to drain the victim's ARB tokens.
Drainers use multiple methods to empty wallets, including native asset transfers with the NetworkController Drainer, malicious use of token methods, EIP-712 signatures, and the use of DEXs to steal assets.
The drainer has been involved in several notorious campaigns, including Venom Crypto Drainer, Inferno Drainer, and Pink Drainer, which have resulted in substantial losses for victims.
Onchain Preparations
Onchain preparations are a crucial step in a drainer's attack plan: the drainer interacts with the victim's wallet and with onchain contracts to collect the data its later signature request depends on.
It begins by forcing the user's wallet to switch to a different chain using the wallet_switchEthereumChain method. This is a red flag, as it is a common trick for targeting assets on another network.
The drainer then issues eth_call JSON-RPC requests to read data from onchain contracts. Each request specifies the contract the data will be read from and the parameters of the call.
Decoding the calldata of these requests with a tool like Arbiscan's Input Data Decoder reveals the specific function and parameters being invoked.
The drainer may call the nonces(address) function to obtain the wallet's current permit nonce. This value is required by EIP-2612, an ERC-20 extension that allows token approvals via off-chain signatures.
It may also issue another eth_call to fetch the contract's name; decoding that calldata shows that it retrieves the contract's name, in this case "Arbitrum".
Permit Farming Attack

Permit farming attacks are a sneaky way for attackers to drain your wallet. They abuse EIP-2612 permits to obtain a signature that authorizes asset transfers without your explicit onchain approval.
With EIP-2612 in play, attackers first collect the data needed to craft the malicious permit, namely the nonce and the contract name, and then request the signature through the eth_signTypedData_v4 JSON-RPC method.
The resulting permit authorizes the spender to transfer a massive amount of tokens from your wallet. This permit is the final objective of all the preceding requests, giving the attacker full control to drain your wallet.
Each permit you sign means another token drained. This is why it's essential to be vigilant and to inspect every signature request closely.
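The sequence laid out in the Onchain Preparations section and the permit described in this section are what a wallet or browser extension can watch for. The following is an added example written for this page, not code from the original article or from any wallet or security product it mentions: it replays the JSON-RPC requests a dApp sends to the provider, raises an alert when the wallet is switched to a chain it did not ask for, remembers which contracts had nonces(address) and name() read, and, when an eth_signTypedData_v4 request for a Permit on one of those contracts arrives, inspects the permit itself (unlimited value, deadline far in the future, untrusted spender, domain chain mismatch) before a wallet would show the prompt. The two function selectors and the Arbitrum One chain id are real values; every address is a constructed placeholder, and the request log is constructed to mirror the sequence the article describes.

```javascript
// Added example, not code from the original article: a wallet-side monitor over
// the JSON-RPC requests a dApp sends. Selectors and the Arbitrum One chain id
// are real; all addresses are constructed placeholders.

const USER = "0x1111111111111111111111111111111111111111";    // victim EOA (constructed)
const TOKEN = "0x3333333333333333333333333333333333333333";   // ERC-20 permit token (constructed)
const SPENDER = "0x4444444444444444444444444444444444444444"; // would-be allowance holder (constructed)
const UINT256_MAX = (1n << 256n) - 1n;
const ONE_YEAR = 365n * 86400n;

// First 4 bytes of keccak256 of each signature: the reads a drainer performs
// before it can build a permit request.
const SELECTORS = { "0x7ecebe00": "nonces(address)", "0x06fdde03": "name()" };

// Left-pad a hex value to one 32-byte ABI word (no 0x prefix).
const pad = (h) => h.replace(/^0x/, "").toLowerCase().padStart(64, "0");

// EIP-712 typed data in the shape eth_signTypedData_v4 receives (constructed).
// A value of uint256 max and a deadline centuries away are the marks of a
// farming permit.
const PERMIT_TYPED_DATA = {
  types: {
    EIP712Domain: [
      { name: "name", type: "string" }, { name: "version", type: "string" },
      { name: "chainId", type: "uint256" }, { name: "verifyingContract", type: "address" },
    ],
    Permit: [
      { name: "owner", type: "address" }, { name: "spender", type: "address" },
      { name: "value", type: "uint256" }, { name: "nonce", type: "uint256" },
      { name: "deadline", type: "uint256" },
    ],
  },
  primaryType: "Permit",
  domain: { name: "Arbitrum", version: "1", chainId: 42161, verifyingContract: TOKEN },
  message: { owner: USER, spender: SPENDER, value: UINT256_MAX.toString(), nonce: 0, deadline: "9999999999" },
};

// The request sequence as the provider would see it (constructed).
const REQUESTS = [
  { method: "wallet_switchEthereumChain", params: [{ chainId: "0xa4b1" }] }, // Arbitrum One
  { method: "eth_call", params: [{ to: TOKEN, data: "0x7ecebe00" + pad(USER) }, "latest"] },
  { method: "eth_call", params: [{ to: TOKEN, data: "0x06fdde03" }, "latest"] },
  { method: "eth_signTypedData_v4", params: [USER, JSON.stringify(PERMIT_TYPED_DATA)] },
];

// Checks on the permit contents themselves. Returns a list of finding tags.
function assessPermit(typedData, { currentChainId, trustedSpenders = new Set(), nowSec = Math.floor(Date.now() / 1000) } = {}) {
  const findings = [];
  if (typedData.primaryType !== "Permit") return findings;
  const m = typedData.message;
  if (BigInt(m.value) === UINT256_MAX) findings.push("unlimited-allowance");
  if (BigInt(m.deadline) - BigInt(nowSec) > ONE_YEAR) findings.push("deadline-over-one-year");
  if (!trustedSpenders.has(String(m.spender).toLowerCase())) findings.push("spender-not-trusted");
  if (currentChainId !== undefined && Number(typedData.domain.chainId) !== currentChainId) {
    findings.push("domain-chain-mismatch");
  }
  return findings;
}

// Replay a session and collect alerts: chain switches, and a Permit request for
// a contract whose nonces()/name() the same dApp has just read.
function monitorSession(requests, opts = {}) {
  let chainId = opts.startChainId;
  const readsByContract = new Map();
  const alerts = [];
  for (const req of requests) {
    if (req.method === "wallet_switchEthereumChain") {
      const requested = Number(req.params[0].chainId);
      if (requested !== chainId) alerts.push(`chain-switch:${chainId}->${requested}`);
      chainId = requested;
    } else if (req.method === "eth_call") {
      const { to, data } = req.params[0];
      const label = SELECTORS[data.slice(0, 10).toLowerCase()];
      if (label) {
        const reads = readsByContract.get(to.toLowerCase()) || new Set();
        reads.add(label);
        readsByContract.set(to.toLowerCase(), reads);
      }
    } else if (req.method === "eth_signTypedData_v4") {
      const typed = JSON.parse(req.params[1]);
      const contract = String(typed.domain.verifyingContract || "").toLowerCase();
      const reads = readsByContract.get(contract);
      if (typed.primaryType === "Permit" && reads && reads.has("nonces(address)") && reads.has("name()")) {
        alerts.push(`permit-farming-pattern:${contract}`);
      }
      const permitOpts = { currentChainId: chainId, trustedSpenders: opts.trustedSpenders, nowSec: opts.nowSec };
      for (const f of assessPermit(typed, permitOpts)) alerts.push(`permit:${f}`);
    }
  }
  return alerts;
}

console.log(monitorSession(REQUESTS, { startChainId: 1 }));
```

Replaying the constructed session from Ethereum mainnet (chain id 1) yields the chain switch to 42161, the permit-farming pattern on the token contract, and three findings on the permit itself. The pattern check on its own is only a heuristic, since a legitimate dApp that integrates permit signatures performs the same nonce and name reads; it is the combination with an unlimited value, a deadline years out, and a spender the wallet has never seen that justifies blocking or at least rewriting the prompt to say plainly what is being authorized.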