What Is a Crypto Drainer? How Wallet Drains Work

Learn what a crypto drainer is, how wallet drains exploit malicious approvals, and which steps reduce the risk of losing tokens.

A crypto drainer is a type of malicious smart contract or script designed to empty a victim’s wallet by exploiting the token approval mechanism on EVM-compatible blockchains. Unlike hacks that target exchange infrastructure, drainers target individual users. A single signature on a malicious transaction is often all it takes. The attacker does not need your recovery phrase. They need only your approval.

A simple way to think about a drainer is that it turns one misleading permission prompt into an open tab on your wallet. You believe you are approving a harmless step for a swap, mint, or claim, but what you actually leave behind is ongoing permission that the attacker can use later to pull assets out.

This content is for educational purposes only and should not be considered financial or investment advice.

How Token Approvals Work

On Ethereum and EVM chains, ERC-20 tokens use a permission system called token approvals. When a DeFi protocol needs to move tokens on your behalf (for example, to execute a swap or provide liquidity), you sign an approval transaction that grants it permission. This approval is stored on-chain and persists until it is explicitly revoked.

Normal protocols request approval for a specific amount needed for the transaction. Drainers request unlimited approval (technically the maximum uint256 value). Once granted, the malicious contract can transfer every token in your wallet at any time, not just for the transaction you thought you were authorizing.
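The difference between a normal approval and a drainer's approval is visible in the raw calldata of the transaction the wallet asks you to sign. The following is an added example, not code from the original article: it decodes the `approve(address,uint256)` calldata behind an approval prompt, extracts the spender and amount, and flags the maximum uint256 value (2^256 - 1) that drainers request. It goes one step beyond the text by also recognising `setApprovalForAll(address,bool)`, the NFT-side equivalent. Assumptions not in the article: the wallet exposes the transaction's hex "data" field, and the spender allowlist is a list you maintain yourself; the spender address in the sample prompts is a constructed placeholder.

```javascript
// Added example, not code from the original article: decode the raw calldata
// behind a wallet's approval prompt and flag unlimited approvals before signing.
// Assumptions (not from the article): the wallet exposes the transaction's hex
// "data" field, and the spender allowlist is something you maintain yourself.

const MAX_UINT256 = (1n << 256n) - 1n;          // the "unlimited" amount drainers ask for
const SELECTORS = {
  "095ea7b3": "approve(address,uint256)",        // ERC-20 allowance
  "a22cb465": "setApprovalForAll(address,bool)", // ERC-721 / ERC-1155 operator approval
};

// Parse selector + two 32-byte ABI words. kind is "erc20", "nft", "other" or "malformed".
function decodeApproval(calldata) {
  const hex = String(calldata).toLowerCase().replace(/^0x/, "");
  const selector = hex.slice(0, 8);
  const fn = SELECTORS[selector];
  if (!fn) return { kind: "other", selector };
  if (hex.length < 8 + 2 * 64 || !/^[0-9a-f]*$/.test(hex)) return { kind: "malformed", selector };
  const word = (i) => hex.slice(8 + 64 * i, 8 + 64 * (i + 1));
  const spender = "0x" + word(0).slice(24);      // address sits in the low 20 bytes of the word
  const raw = BigInt("0x" + word(1));
  if (selector === "095ea7b3") {
    return { kind: "erc20", fn, spender, amount: raw, unlimited: raw === MAX_UINT256 };
  }
  const approved = raw !== 0n;                   // setApprovalForAll(true) covers every token id
  return { kind: "nft", fn, spender, approved, unlimited: approved };
}

// Combine the decoded prompt with your own allowlist into a verdict.
function assessApproval(calldata, knownSpenders = []) {
  const d = decodeApproval(calldata);
  if (d.kind !== "erc20" && d.kind !== "nft") return { verdict: "not an approval", ...d };
  const known = knownSpenders.map((a) => a.toLowerCase()).includes(d.spender);
  const reasons = [];
  if (d.unlimited) reasons.push("unlimited approval: spender may move every token in the wallet");
  if (!known) reasons.push("spender is not a contract you have verified");
  let verdict = "ok";
  if (reasons.length) verdict = d.unlimited && !known ? "reject" : "review";
  return { verdict, reasons, ...d };
}

// Constructed sample prompts (placeholder spender 0x1111...): one unlimited,
// one for exactly 1e18 base units (one whole token at 18 decimals).
const SPENDER = "0x" + "11".repeat(20);
const UNLIMITED_APPROVE = "0x095ea7b3" + SPENDER.slice(2).padStart(64, "0") + "f".repeat(64);
const LIMITED_APPROVE = "0x095ea7b3" + SPENDER.slice(2).padStart(64, "0") + "de0b6b3a7640000".padStart(64, "0");

console.log(assessApproval(UNLIMITED_APPROVE));            // verdict: "reject"
console.log(assessApproval(LIMITED_APPROVE, [SPENDER]));   // verdict: "ok"
```

The verdict logic encodes the article's rule: an unlimited amount to a spender you cannot name is a rejection, while a limited amount to an unknown spender, or an unlimited amount to a known one, still deserves a second look rather than a reflexive click.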

The intuitive distinction is important: phishing steals something secret from you, while a drainer abuses a permission you willingly signed. That is why people sometimes miss the danger. Nothing “breaks into” the wallet. The wallet follows the permission you gave it.

Diagram: A drainer contract requests unlimited token approval. Once the user signs, the contract can drain all tokens in that approval category at any time.

How Crypto Drainer Attacks Are Delivered

Drainers are embedded in a variety of deceptive delivery mechanisms. The most common include:

  • Fake airdrop claim pages. Ads on Twitter/X or targeted messages promoting a “token airdrop” link to a site that prompts you to connect your wallet and sign an approval to “claim” tokens that do not exist.
  • Compromised Discord servers. Many NFT and DeFi projects have had their Discord servers hacked. Attackers post fake “mint” or “whitelist” links that resolve to drainer sites.
  • Fake NFT minting sites. Lookalike sites for legitimate NFT drops (often using domain typosquatting) prompt approvals under the pretense of minting.
  • Malicious browser extensions. Some crypto-targeted extensions have injected drainer approval requests into legitimate DeFi interfaces.

In most cases, the delivery mechanism is simple social engineering: creating urgency or excitement (limited airdrop, exclusive mint) that makes users rush through the wallet approval screen without reading it carefully.

What Drainer Kits Are

The rise of drainer kits has industrialized wallet drain attacks. A drainer kit is a ready-made software package sold or rented on underground forums that includes everything needed to run a drain campaign: the smart contract, the frontend delivery site, analytics to track victims, and wallet-targeted filtering to prioritize high-value wallets for execution.

Operators pay a percentage of drained funds (often 20 to 30 percent) to the kit developer. This means someone with minimal technical knowledge can deploy a drainer campaign by simply paying for access to a kit and setting up a fake airdrop promotion. The barrier to entry is low, which is why drain attacks have become widespread since 2022.

Practical Usage: Check Approvals Before You Sign

  • Read every approval prompt carefully. Check which contract is requesting approval and what amount is being approved. Reject unlimited approvals from unknown or newly launched contracts.
  • Use a hardware wallet. Hardware wallets display the approval contract address and amount on the device screen. This makes it harder to mindlessly confirm malicious approvals, though you must still read and verify the screen output.
  • Use a separate DeFi wallet. Keep only the funds you intend to use for active DeFi in a hot wallet. Store long-term holdings in a separate, rarely connected wallet.
  • Revoke old approvals regularly. Use Revoke.cash or Etherscan’s token approval checker to audit and revoke approvals you no longer need. Old unlimited approvals are persistent attack surface.
  • Verify before clicking. Never interact with airdrop or mint links from Discord, Twitter DMs, or emails. Go directly to the project’s official site from a saved bookmark or a verified link in the project’s official announcement channel.
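The fourth step above, auditing and revoking old approvals, is mechanically simple: a revocation is just another approval with the amount (or the operator flag) set to zero. The following is an added example, not code from the original article or from Revoke.cash or Etherscan: it takes a list of existing allowances in the shape those tools present them, decides which to keep, review or revoke against a spender allowlist, and builds the `approve(spender, 0)` and `setApprovalForAll(operator, false)` calldata for the revocations. Assumptions not in the article: the allowance list, the token and spender addresses, and the allowlist are constructed placeholders, and the resulting `{ to, data }` objects are handed to your wallet's normal send-transaction flow.

```javascript
// Added example, not code from the original article: audit existing allowances
// and build the revocation transactions. All addresses are constructed placeholders.

const MAX_UINT256 = (1n << 256n) - 1n;
const APPROVE = "095ea7b3";              // approve(address,uint256)
const SET_APPROVAL_FOR_ALL = "a22cb465"; // setApprovalForAll(address,bool)

const word = (hexNoPrefix) => hexNoPrefix.toLowerCase().padStart(64, "0"); // one 32-byte ABI word
const addr = (a) => word(a.replace(/^0x/, ""));

// Revocation is an approval whose amount / flag is zero.
function revokeErc20Calldata(spender) { return "0x" + APPROVE + addr(spender) + word("0"); }
function revokeNftCalldata(operator)  { return "0x" + SET_APPROVAL_FOR_ALL + addr(operator) + word("0"); }

// Each allowance: { token, spender, standard: "erc20" | "nft", allowance }
//   erc20 allowance is a decimal or hex string; nft allowance is the setApprovalForAll flag.
function auditAllowances(allowances, knownSpenders) {
  const known = new Set(knownSpenders.map((a) => a.toLowerCase()));
  return allowances.map((a) => {
    const spender = a.spender.toLowerCase();
    const isErc20 = a.standard === "erc20";
    const zero = isErc20 ? BigInt(a.allowance) === 0n : a.allowance === false;
    const unlimited = isErc20 ? BigInt(a.allowance) === MAX_UINT256 : a.allowance === true;
    const reasons = [];
    if (!known.has(spender)) reasons.push("unknown spender");
    if (unlimited) reasons.push("unlimited");
    let action = "keep";
    if (zero) action = "keep";                    // already revoked, nothing to send
    else if (!known.has(spender)) action = "revoke"; // anything you cannot name is attack surface
    else if (unlimited) action = "review";        // known, but broader than any single use needs
    const tx = action === "revoke"
      ? { to: a.token, data: isErc20 ? revokeErc20Calldata(spender) : revokeNftCalldata(spender) }
      : null;
    return { ...a, unlimited, reasons, action, tx };
  });
}

// Constructed sample export: one spender you recognise (0x1111...) and one you cannot place (0x2222...).
const KNOWN = "0x" + "11".repeat(20);
const UNKNOWN = "0x" + "22".repeat(20);
const TOKEN = "0x" + "aa".repeat(20);
const NFT = "0x" + "bb".repeat(20);
const SAMPLE_ALLOWANCES = [
  { token: TOKEN, spender: UNKNOWN, standard: "erc20", allowance: "0x" + "f".repeat(64) },
  { token: TOKEN, spender: KNOWN,   standard: "erc20", allowance: "1000000000000000000" },
  { token: TOKEN, spender: KNOWN,   standard: "erc20", allowance: "0x" + "f".repeat(64) },
  { token: NFT,   spender: UNKNOWN, standard: "nft",   allowance: true },
  { token: TOKEN, spender: UNKNOWN, standard: "erc20", allowance: "0" },
];

for (const r of auditAllowances(SAMPLE_ALLOWANCES, [KNOWN])) {
  console.log(r.action.padEnd(6), r.spender, r.reasons.join(", "), r.tx ? r.tx.data.slice(0, 10) : "");
}
```

Each revocation is itself a transaction that costs gas and must be signed, so the audit deliberately skips allowances that are already zero and only proposes sends for spenders you cannot identify; an unlimited allowance to a protocol you do use is surfaced for review rather than silently revoked.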

If you want the wallet-side definition behind that second defense, What Is a Hardware Wallet? explains why the trusted screen matters. A hardware wallet does not block a drainer automatically, but it gives you a better place to notice that the approval request is not what you intended.

For a closely related follow-up, see Crypto Wallet Phishing Attacks: How Attackers Target Your Wallet.

For more on how drainers compare to phishing, which targets seed phrases rather than approvals, see Phishing vs Smart Contract Drains.

Can You Recover Drained Funds?

In almost all cases, no. Blockchain transactions are irreversible. Once a drainer contract executes the transfer, the tokens are gone. Attackers typically move drained funds through mixers or bridge to different chains within minutes of execution.

Some centralized exchanges may assist law enforcement in freezing accounts that receive stolen funds, but this rarely results in full recovery and requires identifying the attacker’s exchange account, which most sophisticated attackers avoid creating. The practical reality is that prevention is the only effective strategy.

Risks and Common Mistakes

The most common mistake is treating an approval prompt like a harmless login click. On EVM chains, an approval is persistent permission stored on-chain. If you approve an unknown spender for an unlimited amount, the attacker can wait and drain the wallet later, after the fake mint page or airdrop site has already disappeared.

Another mistake is assuming a hardware wallet or a well-known chain makes the transaction safe automatically. A hardware wallet still signs whatever approval you confirm, and Ethereum, Base, Arbitrum, or any other EVM chain all use the same approval pattern. The protection comes from reading the spender, amount, and contract purpose before signing, then revoking approvals you no longer need.

Frequently Asked Questions

Can a drainer steal ETH directly?

Standard ERC-20 approvals do not cover native ETH. However, some advanced drainer attacks use “Permit” or “Permit2” signatures to obtain approvals without an on-chain transaction, or use other on-chain mechanisms that can transfer native ETH in combination with token approvals. Advanced drainers can sometimes drain both ETH and tokens in a single interaction.
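Because a Permit or Permit2 request arrives as a "sign message" prompt rather than a transaction, the amount, spender and deadline are only visible if you look at the typed data itself. The following is an added example, not code from the original article, Uniswap or any wallet vendor: it inspects the EIP-712 typed data a wallet is asked to sign, recognises an EIP-2612 `Permit` and a Permit2 `PermitSingle`, and flags an unlimited value, a deadline far beyond what one transaction needs, and an unknown spender. Assumptions not in the article: the typed-data object has the `domain` / `primaryType` / `message` shape wallets pass to `eth_signTypedData_v4`, the current time and allowlist are supplied by the caller, and every address and timestamp in the samples is a constructed placeholder.

```javascript
// Added example, not code from the original article: inspect an EIP-712 typed-data
// request before signing it. A Permit (EIP-2612) or Permit2 PermitSingle signature
// creates an allowance without you sending a transaction. Assumptions: `nowSeconds`
// and the allowlist come from the caller; addresses below are constructed placeholders.

const MAX_UINT256 = (1n << 256n) - 1n;
const MAX_UINT160 = (1n << 160n) - 1n;   // Permit2 amounts are uint160
const ONE_DAY = 86400n;

function inspectPermitRequest(typedData, nowSeconds, knownSpenders = []) {
  const known = new Set(knownSpenders.map((a) => a.toLowerCase()));
  const now = BigInt(nowSeconds);
  const msg = typedData.message || {};
  let token, spender, amount, unlimited, expires;
  switch (typedData.primaryType) {
    case "Permit":        // EIP-2612: Permit(owner,spender,value,nonce,deadline), signed against the token
      token = typedData.domain.verifyingContract;
      spender = msg.spender; amount = BigInt(msg.value);
      unlimited = amount === MAX_UINT256; expires = BigInt(msg.deadline);
      break;
    case "PermitSingle":  // Permit2: PermitSingle(details{token,amount,expiration,nonce},spender,sigDeadline)
      token = msg.details.token;
      spender = msg.spender; amount = BigInt(msg.details.amount);
      unlimited = amount === MAX_UINT160; expires = BigInt(msg.details.expiration);
      break;
    default:
      return { verdict: "not a permit", primaryType: typedData.primaryType };
  }
  const spenderKnown = known.has(String(spender).toLowerCase());
  const reasons = [];
  if (unlimited) reasons.push("unlimited allowance");
  if (expires > now + ONE_DAY) reasons.push(`deadline is ${(expires - now) / ONE_DAY} days away; one swap needs minutes`);
  if (!spenderKnown) reasons.push("spender not in your allowlist");
  let verdict = "ok";
  if (reasons.length) verdict = unlimited && !spenderKnown ? "reject" : "review";
  return { verdict, reasons, token, spender, amount, unlimited, expiresAt: expires, onChainTx: false };
}

// Constructed samples. NOW is a fixed "current" unix time so the output is reproducible.
const NOW = 1700000000;
const KNOWN_SPENDER = "0x" + "11".repeat(20);
const PERMIT_TYPES = { Permit: [
  { name: "owner", type: "address" }, { name: "spender", type: "address" },
  { name: "value", type: "uint256" }, { name: "nonce", type: "uint256" }, { name: "deadline", type: "uint256" },
] };
const DRAINER_STYLE_PERMIT = {
  domain: { name: "Token", version: "1", chainId: 1, verifyingContract: "0x" + "aa".repeat(20) },
  primaryType: "Permit", types: PERMIT_TYPES,
  message: { owner: "0x" + "cc".repeat(20), spender: "0x" + "22".repeat(20),
             value: "0x" + "f".repeat(64), nonce: 0, deadline: NOW + 10 * 365 * 86400 },
};
const ORDINARY_SWAP_PERMIT = {
  domain: { name: "Token", version: "1", chainId: 1, verifyingContract: "0x" + "aa".repeat(20) },
  primaryType: "Permit", types: PERMIT_TYPES,
  message: { owner: "0x" + "cc".repeat(20), spender: KNOWN_SPENDER,
             value: "1000000000000000000", nonce: 0, deadline: NOW + 1800 },
};
const PERMIT2_REQUEST = {
  domain: { name: "Permit2", chainId: 1, verifyingContract: "0x" + "dd".repeat(20) },
  primaryType: "PermitSingle",
  message: { details: { token: "0x" + "aa".repeat(20), amount: "0x" + "f".repeat(40),
                        expiration: NOW + 30 * 86400, nonce: 0 },
             spender: KNOWN_SPENDER, sigDeadline: NOW + 1800 },
};

console.log(inspectPermitRequest(DRAINER_STYLE_PERMIT, NOW));                   // verdict: "reject"
console.log(inspectPermitRequest(ORDINARY_SWAP_PERMIT, NOW, [KNOWN_SPENDER]));  // verdict: "ok"
console.log(inspectPermitRequest(PERMIT2_REQUEST, NOW, [KNOWN_SPENDER]));       // verdict: "review"
```

For an EIP-2612 Permit the deadline bounds how long the signature can be redeemed, and the allowance it creates is then an ordinary on-chain allowance that persists until revoked; for Permit2 the `expiration` field is the allowance's own expiry. Either way, a ten-year deadline on a prompt that claims to be a single swap is the signal to stop.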

What is the difference between a drainer and a rug pull?

A rug pull is when a project team abandons the project and takes investor funds, typically by removing liquidity or executing a backdoor in the contract. A drainer targets individual user wallets through malicious approvals. They are different attack models targeting different victims.

Does using Ethereum mainnet vs Layer 2 affect drain risk?

Drainers operate on any EVM-compatible chain, including Arbitrum, Optimism, Base, and Polygon. The approval mechanism exists on all of them. Layer 2 networks have lower gas costs, which can make it easier for attackers to execute drains quickly. No EVM chain is inherently safe from this attack category.

Will MetaMask or my wallet warn me about drainers?

Some wallets have integrated security warnings for known malicious contracts. MetaMask has built-in scam detection that flags known drainer sites. However, these systems cannot catch every new drainer deployment, especially freshly launched ones. Wallet warnings are a helpful layer but should not replace your own judgment about what you are signing.

Are hardware wallets immune to drainer attacks?

No. A hardware wallet requires you to sign every transaction, which is protective, but if you sign a malicious approval on a hardware wallet without reading the approval details, the drainer works exactly the same. Hardware wallets help by displaying the contract address and approval amount on the secure screen, giving you the information you need to refuse. The user must use that information.

Snout0x Editor