What it is: A wallet drainer is a malicious smart contract that empties a victim's tokens, stablecoins, and NFTs in seconds after the victim signs one phishing-site approval. The drainer is sold as a service: infrastructure operators (Inferno, Pink, Angel, Pussy) build the contracts, phishing crews run the fake sites, and a 20-30% rev share splits at the moment funds land.
How big: Researchers attributed roughly $500M+ drained across the ecosystem in 2024 alone. Group-IB linked $80M+ across roughly 137,000 victims to Inferno Drainer through late 2023. Pink Drainer has been linked to roughly $85M. Both reportedly remain operational into 2026.
What is recoverable: Direct on-chain reversal is impossible. What is achievable is forensic attribution — tracing the drained funds through the operator's collection address and the auto-split to operator and phisher payout wallets, all the way to the off-ramp exchange where account-holder identity can be subpoenaed. Because the same operator wallet appears across hundreds of victim cases, drainer matters consolidate cleanly into federal investigations.
In This Article
- Why drainer attacks are not a typical wallet hack
- By the numbers: $500M+ drained in a year
- The drainer-as-a-service model: how the industry actually works
- How victims get drained: the malicious signature
- Inferno Drainer: $80M+, two lives, and the comeback
- Pink Drainer: $85M and counting
- Other active drainers: Angel, Pussy, Venom, and the rest
- The forensic attribution path
- What victims should do in the first 24 hours
- Why your single loss connects to a federal case
- Frequently asked questions
Why Drainer Attacks Are Not a Typical Wallet Hack
I get a lot of intake calls that start with "my wallet got hacked." When I dig into the details — the timing, the contract that received the funds, the chain of approvals before the drain — about three quarters of those cases turn out to not be hacks at all. They are drainer attacks, which is a different category and a different kind of investigation.
A wallet hack means the seed phrase or private key was compromised. The attacker controls the wallet. The victim's signing power is gone. A drainer attack is the opposite: the seed phrase is fine, the private key is uncompromised, the victim still controls the wallet. What the victim did was sign a malicious approval that gave the drainer's contract authority to move tokens out. The victim is the one who triggered the loss. The drainer just collected.
That distinction matters for two reasons. First, the forensic profile is dramatically richer. A key compromise leaves almost no breadcrumbs — you have a destination address and that is it. A drainer attack leaves a contract address on-chain that has interacted with hundreds or thousands of other victims, a collection wallet that aggregates proceeds, and a payout split that links the operator to the phishing crew. Every other victim of the same drainer is documented in the same contract's call graph. Your case is not isolated; it is one node in a network.
Second, the legal and law enforcement posture is different. A key-theft case is opportunistic; the attacker is hard to attribute beyond the destination wallet. A drainer case is industrial. The infrastructure operator has a brand, a Telegram channel, a customer base, and a years-long on-chain presence. Federal task forces aggregate drainer cases across jurisdictions because the same operator address is the target of many parallel investigations. For the victim-focused side of this same problem, see my piece on my MetaMask was drained — can it be traced; this article is the ecosystem teardown that explains who built the contract that drained you and who collected the cut.
By the Numbers: $500M+ Drained in a Year
A few framing notes on these numbers. First, every published total is a floor, not a ceiling. The figures attributed to Inferno, Pink, and the others count what researchers and victims have publicly disclosed. Drainer crews routinely operate across multiple chains (Ethereum mainnet, Base, Arbitrum, Polygon, BNB Chain, Optimism, and increasingly Solana) and across thousands of phishing campaigns; the long tail of unreported drains is structurally invisible until it surfaces in litigation or law enforcement aggregation.
Second, the dollar growth has dramatically outpaced crypto adoption. Drainer activity scaled sharply in 2023 and 2024 because the DaaS model lowered the technical barrier for the phishing crews. A crew that previously had to write its own malicious contract, host its own infrastructure, and figure out cross-chain mechanics can now buy the back end as a service and focus exclusively on the social engineering side — fake mints, fake airdrops, impersonated DeFi front-ends, hijacked Discord servers, sponsored search ads. Crews specialize in traffic, operators specialize in code. The industry split is what made the volume possible.
Third, the academic and threat-intelligence community has caught up. The 2025 ACM Internet Measurement Conference paper on the drainer ecosystem characterized the on-chain economics of DaaS in detail, and threat intelligence reports from SlowMist, ScamSniffer, Group-IB, Chainalysis, and others publish quarterly drainer activity summaries. The infrastructure is now well-documented; what remains scarce is the willingness or capacity to act on that documentation in jurisdictions where the operators live.
The Drainer-as-a-Service Model: How the Industry Actually Works
This is the section that explains why the same handful of names — Inferno, Pink, Angel, Pussy — show up across thousands of unrelated victim cases. The drainer ecosystem is not a loose collection of independent thieves; it is a small number of software companies with paying customers.
Two roles, one contract, automatic settlement
Every DaaS operation has the same two-role structure:
- The infrastructure operator writes and maintains the malicious smart contracts on every supported chain, runs the off-chain automation that scans victim wallets for high-value approved tokens, handles obfuscation and contract redeployment when addresses get flagged, builds dashboards that crews use to deploy their own phishing kits, supports new chains and new wallet standards (Permit2, EIP-712, Solana token standards), and monitors the payout pipeline. They are functionally a SaaS company. They have customer support channels, version releases, and competitive pricing against rival drainers.
- The phishing crew handles everything visible. They acquire the victim traffic (Google Ads on misspelled brand keywords, Twitter / X ad takeovers, hijacked Discord servers, compromised influencer accounts, malicious browser extensions), build the phishing site that impersonates the target brand, register the domain, manage the Cloudflare front-end that hides the actual server, and select the victim profile they want to drain.
The split is settled by the contract itself. When the victim signs the malicious approval and the drainer's automation calls transferFrom on each approved token, the contract routes the proceeds in a single atomic operation: the operator's commission portion (20-30%) goes to a long-lived operator-controlled address; the phisher's portion (70-80%) goes to the address the crew configured when they deployed their campaign. Neither side has to trust the other. The split is enforced by the same contract that does the draining.
Pricing, onboarding, and competitive dynamics
Drainer infrastructures are sold on Telegram-hosted marketplaces and through invite-only channels. Pricing structures vary but typically include some combination of:
- Setup or membership fee — sometimes a flat-rate access fee (a few thousand dollars in stablecoins) for access to the deployment dashboard, the kit templates, and the contract address generator.
- Revenue share — the 20-30% cut on every successful drain, settled automatically by the contract.
- Tier-based features — premium tiers offer additional chain support, custom branding for the phishing front-end, faster contract redeployment when addresses get flagged, and access to higher-value victim targeting tools.
Drainers compete with each other on technical capability (which chains they support, how quickly they roll out support for new wallet standards), on revenue split (some crews migrate when a competing drainer offers a lower commission), on contract longevity (a drainer whose addresses get flagged quickly by Etherscan and wallet-warning extensions is less valuable to the crew), and on operator reliability. The marketplace dynamic is real. When a major drainer "shuts down" publicly (Monkey Drainer in 2023, Inferno's announced shutdown in late 2023), competing operators run recruitment campaigns to absorb the displaced crew base.
Why the operator collects more than you think
A 20-30% commission sounds modest, but the operator's economics are extraordinary because they are aggregating across the entire customer base. A single drainer infrastructure serving fifty active phishing crews can sit on top of hundreds of independent campaigns simultaneously, accumulating commission from every drained wallet in real time. The operator does not have to pick a target, build a phishing site, run an ad campaign, or take any operational risk. They wrote the contracts, they collect the cut, they cash out.
This is the structural reason the operator's collection wallet is forensically priceless. It receives small percentage cuts from every drain across every customer crew. A single address, often long-lived, accumulating drained funds from hundreds of unrelated victim wallets — that pattern is unmistakable on-chain and is what makes drainer attribution feasible at scale.
How Victims Get Drained: The Malicious Signature
The mechanics of the actual drain are simple, which is exactly why they work. The victim does not need to be careless or gullible; they need to be in a hurry, distracted, or unfamiliar with what an EIP-2612 permit signature actually authorizes. Modern wallets have improved their signature warnings significantly in 2024 and 2025, but a meaningful share of victims still see only a generic "sign message" prompt with technical hex strings that do not visibly indicate "this grants unlimited spend authority over your USDC."
The four signature types drainers exploit
Four mechanisms account for nearly every drainer-driven loss. Knowing them is the difference between recognizing a malicious signature and signing it:
- ERC-20 approve. The classic on-chain approval. The victim signs a transaction (paying gas) that authorizes a spender contract to move up to a specified amount of one ERC-20 token. The drainer requests the maximum value (type(uint256).max, which is 2^256 - 1, roughly 1.16 × 10^77), which functionally means unlimited. Once approved, the drainer's contract calls transferFrom at any later time and the tokens leave.
- EIP-2612 permit. The dangerous one. Permit allows an off-chain signature to grant the same approval authority as approve, with no gas paid by the victim and no transaction sent from the victim's wallet at all. Because the user is signing a typed-data message rather than a transaction, wallet UX historically rendered it as a generic "sign message" prompt that felt about as consequential as signing in to a site. The drainer then submits the signed permit on-chain itself, calling permit and transferFrom inside the same transaction, so the approval and the drain land in one atomic step.
- Permit2. Uniswap's universal permit mechanism, which extends EIP-2612-style off-chain approvals to nearly every ERC-20 even if the token contract itself does not natively support permit. It works on any token the victim has previously approved to the Permit2 contract, which for anyone who has used Uniswap is most of them, and its amount field is a uint160, so "unlimited" here is 2^160 - 1 rather than 2^256 - 1. Permit2 is excellent infrastructure for legitimate UX; it is also a drainer's preferred attack surface because of its breadth.
- ERC-721 / ERC-1155 setApprovalForAll. The NFT equivalent. A single signature grants the drainer the right to transfer every NFT the victim owns from a given collection. This is the mechanism that emptied most of the high-profile NFT thefts on OpenSea, Blur, and similar marketplaces from 2022 onward.
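The check a wallet (or a reviewer looking at a victim's signing history) actually needs is "what does this request authorize, and to whom". The following is an added example, not code from the article or from any wallet: it decodes the four mechanisms above, approve and setApprovalForAll as raw transaction calldata and EIP-2612 Permit and Permit2 PermitSingle as eth_signTypedData_v4 payloads, and flags unlimited allowances, far-future deadlines, and spenders outside a trusted list. The function names, the trusted-spender list, and the sample payloads and placeholder addresses are all constructed for the example; the four selectors are the real ones for those ABI signatures.

```python
"""Decode what an EVM signature request actually authorises (added example).

Calldata is decoded by hand: 4-byte selector, then 32-byte ABI words.
Typed data is the JSON object a wallet receives for eth_signTypedData_v4.
"""
import json
from dataclasses import dataclass, field

UINT256_MAX = 2**256 - 1
UINT160_MAX = 2**160 - 1           # Permit2 stores amounts as uint160
ONE_YEAR = 365 * 24 * 3600

# First 4 bytes of keccak256(canonical signature); well-known, not computed here.
SELECTORS = {
    "095ea7b3": "approve",             # approve(address,uint256)
    "a22cb465": "setApprovalForAll",   # setApprovalForAll(address,bool)
    "d505accf": "permit",              # permit(address,address,uint256,uint256,uint8,bytes32,bytes32)
}


@dataclass
class Finding:
    kind: str
    spender: str
    unlimited: bool
    flags: list = field(default_factory=list)


def _int(v):                      # typed-data values arrive as ints, decimal or hex strings
    return v if isinstance(v, int) else int(str(v), 0)


def _words(calldata):
    raw = bytes.fromhex(calldata[2:] if calldata.startswith("0x") else calldata)
    return raw[:4].hex(), [raw[i:i + 32] for i in range(4, len(raw), 32)]


def _addr(word):                  # an address is the low 20 bytes of its 32-byte word
    return "0x" + word[-20:].hex()


def inspect_calldata(calldata, trusted_spenders=()):
    """Classify a transaction the wallet is asked to sign and send."""
    sel, w = _words(calldata)
    name = SELECTORS.get(sel)
    if name == "approve":
        f = Finding("erc20-approve", _addr(w[0]), int.from_bytes(w[1], "big") == UINT256_MAX)
    elif name == "setApprovalForAll":
        # a true flag is "unlimited" by construction: every token of the collection
        f = Finding("nft-setApprovalForAll", _addr(w[0]), int.from_bytes(w[1], "big") != 0)
    elif name == "permit":
        # args: owner, spender, value, deadline, v, r, s (a permit someone relays on-chain)
        f = Finding("eip2612-permit-call", _addr(w[1]), int.from_bytes(w[2], "big") == UINT256_MAX)
    else:
        return Finding("unknown", "", False, ["unrecognised selector " + sel])
    return _policy(f, trusted_spenders)


def inspect_typed_data(payload, now, trusted_spenders=()):
    """Classify an eth_signTypedData_v4 request (the gasless 'sign message' path)."""
    td = json.loads(payload) if isinstance(payload, str) else payload
    ptype, msg = td.get("primaryType"), td.get("message", {})
    if ptype == "Permit" and "value" in msg:              # EIP-2612 Permit
        f = Finding("eip2612-permit", msg["spender"], _int(msg["value"]) == UINT256_MAX)
        deadline = _int(msg["deadline"])
    elif ptype == "PermitSingle":                           # Uniswap Permit2
        d = msg["details"]
        f = Finding("permit2-single", msg["spender"], _int(d["amount"]) == UINT160_MAX)
        deadline = _int(d["expiration"])
    else:
        return Finding("other-typed-data", "", False, [f"primaryType {ptype!r} is not an allowance"])
    if deadline - now > ONE_YEAR:
        f.flags.append("deadline more than a year out")
    return _policy(f, trusted_spenders)


def _policy(f, trusted):
    f.spender = f.spender.lower()
    if f.unlimited:
        f.flags.append("unlimited allowance")
    if f.spender not in {t.lower() for t in trusted}:
        f.flags.append("spender not on the trusted list")
    return f


# Constructed samples; the addresses are placeholders, not real contracts.
ROUTER = "0x" + "11" * 20       # stands in for a legitimate DEX router
DRAINER = "0x" + "d0" * 20      # stands in for a drainer contract
SAMPLE_APPROVE_UNLIMITED = "0x095ea7b3" + DRAINER[2:].rjust(64, "0") + "f" * 64
SAMPLE_APPROVE_BOUNDED = "0x095ea7b3" + ROUTER[2:].rjust(64, "0") + format(1000 * 10**6, "064x")
SAMPLE_SET_APPROVAL_FOR_ALL = "0xa22cb465" + DRAINER[2:].rjust(64, "0") + "1".rjust(64, "0")
SAMPLE_PERMIT2 = {
    "primaryType": "PermitSingle",
    "message": {
        "details": {"token": "0x" + "22" * 20, "amount": str(UINT160_MAX),
                    "expiration": 1_900_000_000, "nonce": 0},
        "spender": DRAINER, "sigDeadline": 1_900_000_000,
    },
}

if __name__ == "__main__":
    for sample in (SAMPLE_APPROVE_UNLIMITED, SAMPLE_APPROVE_BOUNDED, SAMPLE_SET_APPROVAL_FOR_ALL):
        print(inspect_calldata(sample, trusted_spenders=[ROUTER]))
    print(inspect_typed_data(SAMPLE_PERMIT2, now=1_800_000_000, trusted_spenders=[ROUTER]))
```

The bounded approve to a trusted router comes back with no flags; the unlimited approve and the Permit2 request to the placeholder drainer come back with both the unlimited and the untrusted-spender flags. A real deployment would populate the trusted list from a label database rather than a constant, and would also treat PermitBatch and the EIP-2612 variants some tokens use (DAI's permit has an `allowed` bool instead of a value) the same way.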
The deceptive UI patterns crews use
The phishing front-end is engineered to make signing feel routine. The patterns I see most often in case intake:
- Fake airdrop "claim" — the site claims the victim is eligible for a token allocation worth thousands of dollars, with a countdown timer creating urgency. The "claim" button triggers a permit signature on a stablecoin or an LST the victim already holds.
- Fake mint pages — impersonated NFT collections, often timed against a real upcoming launch when the official site is not yet live and victims are searching for the URL.
- Hijacked Discord verification — a "verify your wallet to access the server" prompt that triggers a setApprovalForAll on a high-value collection.
- Fake DEX or DeFi front-ends — clones of Uniswap, 1inch, Aave, or Lido at lookalike domains, often promoted via Google Ads on the brand-name keyword, that ask for an "approval to swap" which is in reality an unlimited approval to the drainer.
- Address poisoning combined with drainer — the victim is conditioned to believe a lookalike address is theirs, then prompted to sign a "test transaction" to verify, which is actually the malicious approval. See the address poisoning attack pattern for the standalone version.
- Compromised influencer accounts — a hijacked X / Twitter account with hundreds of thousands of followers posts a "limited drop" link that resolves to a drainer site.
The common thread: the victim never sees a transaction prompt that says "send $40,000 of USDC to this stranger." They see a button that says "Claim" or "Connect Wallet," and they click it. The wallet's signature pop-up is the last line of defense, and for non-technical users that line is permeable.
From the moment the victim signs the malicious permit, the drainer's automation typically calls transferFrom on every approved token within seconds. By the time the victim closes the browser tab and realizes something is wrong, the wallet is already empty and the funds are en route to the drainer's collection address.
Inferno Drainer: $80M+, Two Lives, and the Comeback
Inferno is the case study that defines the modern drainer era. The infrastructure went live around late 2022 and quickly became the dominant DaaS provider through 2023.
Group-IB's late-2023 research attributed approximately $80 million in stolen funds across roughly 137,000 victims to Inferno during its first active period. The infrastructure supported Ethereum, Polygon, Optimism, Arbitrum, BNB Chain, and several other EVM networks; it offered phishing crews a turnkey deployment dashboard and a real-time payout interface. The 20-30% commission split was standard, with some accounts indicating Inferno experimented with tiered membership pricing to absorb crews from competing drainers.
In November 2023 the Inferno operators publicly announced that the project was shutting down. The announcement was reported widely and was treated by some commentators as the end of the infrastructure. It was not. Through 2024, 2025, and into 2026, threat researchers documented continued activity from Inferno-linked contracts and operator wallets — some on the original infrastructure, some on what appeared to be a relaunched version under continued operator control. Reporting from SlowMist and other firms identified tens of thousands of additional drained wallets in the post-"shutdown" period and characterized the announcement as primarily public-relations theatre.
Inferno's significance to investigators is structural. Because the infrastructure has been operational for years across multiple chains, and because the operator-commission addresses have remained relatively stable across the operator's history, Inferno-linked cases consolidate cleanly. A new victim hitting an Inferno-deployed contract today still routes a percentage cut to operator-cluster addresses that are documented in research dating back two-plus years. The on-chain attribution does not have to be rebuilt for each case; the cluster is already mapped.
Pink Drainer: $85M and Counting
Pink Drainer emerged as a major DaaS provider in early 2023 and ran in parallel to Inferno through the period of maximum drainer activity. Cumulative attribution to Pink across published research and threat-intelligence summaries lands around $85 million in stolen funds across tens of thousands of victims, making it the second-most-prolific drainer infrastructure on the public record.
Pink's notable operational characteristics include consistent multi-chain support, an active marketing presence on the dark forums where drainer crews recruit, and a reputation among the crew base for reliable payout settlement. Pink has been linked to several high-profile single-victim losses where the malicious signature was a permit on a stablecoin position; in March 2026, public on-chain analysis flagged a roughly $117K movement out of victim wallets attributed to Pink-linked contracts in a single short window.
From a forensic perspective, Pink and Inferno present similar attribution surface area: a documented operator-cluster, a long-lived payout architecture, and a consistent commission-split fingerprint. The difference is largely brand and customer base — the underlying mechanic is the same.
Other Active Drainers: Angel, Pussy, Venom, and the Rest
Beyond Inferno and Pink, the active drainer market in 2026 includes a rotating cast of mid-tier infrastructures and several short-lived entrants. The names below are the ones most frequently attributed in casework and threat-intelligence summaries; the ecosystem evolves continuously.
| Drainer | Status | Notable characteristics |
|---|---|---|
| Inferno Drainer | Active (relaunched) | Largest documented infrastructure historically. Multi-chain EVM support. Group-IB attributed $80M+ across 137K victims through Nov 2023; reportedly returned 2024-2026 with tens of thousands of additional drains. |
| Pink Drainer | Active | $85M+ attributed total. Strong reputation in the crew marketplace. Consistent multi-chain coverage and reliable payout settlement. |
| Angel Drainer | Active | Notable for a high share of NFT-focused drains via setApprovalForAll. Linked to several mid-2024 high-profile losses on Ethereum mainnet collections. |
| Pussy Drainer | Active | Mid-tier infrastructure with active recruiting on Telegram crew channels. Sometimes branded as a budget alternative to Inferno or Pink. |
| Venom Drainer | Active | Multi-chain with notable Solana support. Solana has no ERC-20-style allowance, so Solana-targeting drainers instead get the victim to sign a transaction whose instructions transfer the assets directly (or hand over token-account authority); the DaaS economics are the same. |
| Wallet Drainer | Active | Confusingly generic brand name. Operates the same DaaS model with standard 20-30% commission. |
| Monkey Drainer | Retired (2023) | An early prominent drainer infrastructure, attributed by ZachXBT and others to roughly $5M in losses before the operators announced retirement in early 2023. Customer base largely migrated to Inferno and Pink. |
The market is fluid. Drainer infrastructures emerge, get publicly named, get sanctioned or otherwise pressured, "shut down," and either rebrand or are absorbed by competitors. What stays constant is the structural pattern: a small number of operator infrastructures providing back-end capacity to a larger and more dispersed population of phishing crews, all settled through smart contracts with enforced commission splits.
The Forensic Attribution Path: Mapping the Operator Behind Hundreds of Victims
This is the section I always return to in scoping calls because it is where the value of forensic work actually lives. The investigator's job is not to "recover" funds — that is a recovery-promise framing I do not use. The job is to produce an attribution package that connects the victim's individual loss to the infrastructure operator behind hundreds of parallel cases, in a form that supports civil action, exchange subpoenas, and federal aggregation.
Step 1: Identify the drainer contract
The trace starts with the victim's drain transaction hash. The transaction call data identifies the contract that executed the transferFrom calls. That contract is the drainer's deployment for the campaign that hit the victim. In some cases the contract is a freshly-deployed proxy or a campaign-specific wrapper; in others it is a long-running shared contract used by multiple crews simultaneously.
From the contract address, the investigator pulls the full call history. That history reveals every other victim the same contract has touched, the timestamps of each interaction, the chains it has been deployed on, and the addresses it has paid out to. The contract is, in effect, a public ledger of the campaign.
Step 2: Map the payout split
Every drainer contract executes the operator-and-phisher split atomically. The investigator follows the proceeds from each victim drain through the split and tags the two receiving addresses: one as the operator commission wallet (small percentage, consistent across many victims, long-lived address), the other as the phisher payout wallet (larger percentage, consistent for a single campaign or crew but often distinct across campaigns).
This tagging is what unlocks the network view. The operator commission wallet is the chokepoint — it receives small cuts from every victim of every crew using the same drainer infrastructure. Once you have the operator address, you can look at the inverse: who else in the contract's history paid commission to this same address? Each one is another phisher campaign; each one is another set of victims.
Step 3: Cluster expansion across the operator's history
From the operator commission address, cluster expansion builds out the operator's broader address network. The UTXO heuristics (common-input ownership, change-output detection) do not apply on an account-based chain like Ethereum; what does apply is shared gas-funding sources, reuse of the same exchange deposit addresses, counterparty overlap, and time-correlated movements. Operator wallets typically move proceeds through internal consolidation chains over days or weeks, ultimately depositing at one or more centralized exchanges where the operator cashes out. The deposit-side address at the exchange is the high-value forensic terminus: that is the address tied to a real account-holder who can be subpoenaed.
The phisher payout wallets follow a parallel track. Each crew typically routes its share through a smaller hop chain — sometimes a single intermediary, sometimes a peeling chain, sometimes through a CoinJoin or cross-chain swap. Tron-USDT remains the dominant off-ramp rail for the phisher side because of low fees and minimal KYC friction at the swap layer. Methodology for the Tron leg is covered in our stolen USDT recovery piece.
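The atomic split described in the DaaS section and the tagging in Steps 1 to 3 above can be mechanised from nothing more than the contract's Transfer events. The following is an added example, not the article's or any vendor's code: it takes ERC-20 Transfer events as (tx, token, from, to, value), groups them per drain, computes each payee's share, picks the operator as the payee that recurs across the most distinct victims (the phisher wallets only recur within their own campaign), and then produces the inverse view, every victim whose drain paid that operator. The events, addresses and function names are constructed; real input comes from an explorer export or an eth_getLogs query on the contract. It handles both the routing pattern the text describes (victim to contract, contract to payees) and the variant where transferFrom moves value from the victim straight to the payees in the same transaction.

```python
"""Map a drainer contract's payout split from its transfer history (added example)."""
from collections import defaultdict
from statistics import median

CONTRACT = "0x" + "c0" * 20       # the drainer deployment that hit the victim
OPERATOR = "0x" + "01" * 20       # long-lived commission wallet (what the analysis should recover)
PHISHER_A = "0x" + "a1" * 20      # campaign A payout wallet
PHISHER_B = "0x" + "b2" * 20      # campaign B payout wallet
V = ["0x" + f"{i:02x}" * 20 for i in range(0xE1, 0xE6)]   # five constructed victims
USDC, WETH = "0x" + "55" * 20, "0x" + "57" * 20

# Constructed Transfer events: (tx, token, from, to, value). Not real chain data.
EVENTS = [
    ("0x01", USDC, V[0], CONTRACT, 40_000), ("0x01", USDC, CONTRACT, OPERATOR, 10_000), ("0x01", USDC, CONTRACT, PHISHER_A, 30_000),
    ("0x01", WETH, V[0], CONTRACT, 8),      ("0x01", WETH, CONTRACT, OPERATOR, 2),      ("0x01", WETH, CONTRACT, PHISHER_A, 6),
    ("0x02", USDC, V[1], CONTRACT, 12_000), ("0x02", USDC, CONTRACT, OPERATOR, 3_000),  ("0x02", USDC, CONTRACT, PHISHER_A, 9_000),
    ("0x03", USDC, V[2], CONTRACT, 5_000),  ("0x03", USDC, CONTRACT, OPERATOR, 1_250),  ("0x03", USDC, CONTRACT, PHISHER_A, 3_750),
    ("0x04", USDC, V[3], CONTRACT, 100_000),("0x04", USDC, CONTRACT, OPERATOR, 25_000), ("0x04", USDC, CONTRACT, PHISHER_B, 75_000),
    # direct variant: transferFrom sends victim -> payees without passing through the contract
    ("0x05", USDC, V[4], OPERATOR, 500),    ("0x05", USDC, V[4], PHISHER_B, 1_500),
]


def drains_by_tx(events, contract):
    """Group transfers per (tx, token): who was drained, how much, and who received it."""
    drains = {}
    for tx, token, frm, to, value in events:
        d = drains.setdefault((tx, token), {"victim": None, "total": 0, "recipients": defaultdict(int)})
        if frm != contract:          # value leaving the victim (to the contract or straight to a payee)
            d["victim"], d["total"] = frm, d["total"] + value
        if to != contract:           # value landing with a payee
            d["recipients"][to] += value
    return drains


def attribute_split(drains):
    """Operator = payee present across the most distinct victims; the rest are campaign wallets."""
    victims, shares = defaultdict(set), defaultdict(list)
    for d in drains.values():
        for addr, value in d["recipients"].items():
            victims[addr].add(d["victim"])
            shares[addr].append(value / d["total"])
    # most victims wins; on a tie prefer the smaller share, which is the commission side
    operator = max(victims, key=lambda a: (len(victims[a]), -median(shares[a])))
    campaigns = {a: sorted(victims[a]) for a in victims if a != operator}
    return {"operator": operator, "commission": median(shares[operator]), "campaigns": campaigns}


def victims_of(drains, operator):
    """Step 3 seed list: every victim whose drain paid commission to the operator address."""
    return sorted({d["victim"] for d in drains.values() if operator in d["recipients"]})


if __name__ == "__main__":
    drains = drains_by_tx(EVENTS, CONTRACT)
    result = attribute_split(drains)
    print("operator", result["operator"], "commission", result["commission"])
    for wallet, vs in result["campaigns"].items():
        print("campaign payout", wallet, "victims", len(vs))
    print("all victims paying this operator:", len(victims_of(drains, result["operator"])))
```

On the constructed data the operator is recovered with a 25% median share across all five victims, and the two payout wallets separate cleanly into their campaigns. On real data the same shape holds, but the share is a fingerprint, not a constant: confirm the candidate operator address against prior research before labelling it, and expect dust-sized transfers and gas-only transactions to need filtering.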
Step 4: The deliverable
The investigator's output is a written evidence package: the on-chain trace from the victim's wallet through the drainer contract through the split through every hop to the off-ramp exchange, with the methodology and confidence levels documented; the attribution of operator and phisher addresses to specific drainer infrastructure (Inferno, Pink, Angel, etc.) where supported by clustering and prior research; the cluster expansion showing other victim addresses linked to the same operator within a defined timeframe; and the procedural recommendations for next steps (exchange freeze requests, IC3 / FBI Virtual Assets Unit notification, civil pleading framework, John Doe complaint structure).
That package is what an attorney attaches to a Section 1782 application, what a federal investigator uses when aggregating across complaints, and what a victim's counsel produces when negotiating with an exchange compliance team. None of those steps are guarantees of restitution. All of them are downstream of the attribution work and impossible without it. Investigators offer this through engagements like digital asset tracing and crypto scam investigation.
Compared to a key-compromise wallet hack, a drainer attack leaves a dramatically wider evidence surface: a contract address that has interacted with hundreds of victims, a documented operator-commission cluster spanning years of activity, a phishing front-end with traceable hosting and traffic-acquisition footprints, and prior research from Group-IB, SlowMist, ScamSniffer, Chainalysis, and academic authors that pre-attributes the operator infrastructure. Most of the hard work is already partially mapped before the investigator opens the case.
What Victims Should Do in the First 24 Hours
If you are reading this in the immediate aftermath of a drain, this is the action checklist. Do these in order.
Hour 0 to 2: Move what is left, revoke approvals
- Move every remaining asset to a brand new wallet generated on an uncompromised device. Any tokens or NFTs the drainer did not sweep, plus any residual ETH or native gas token, should leave the compromised wallet immediately. The drainer often retains approvals on tokens you did not realize were approved and will return to drain residual balances over the following hours, days, and weeks.
- Revoke approvals on every chain the compromised wallet was used on. Use revoke.cash, the wallet's built-in approval manager, or the Etherscan / Basescan / similar block explorer's token-approval checker. Revoking does not reverse the drain; it prevents the drainer from sweeping additional approvals it still holds.
- Disconnect any browser extension wallets from active dApps. Clear cached connections.
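The revoke step above is easiest to get right when it is driven by the wallet's own Approval history rather than memory. The following is an added example, not the article's code or revoke.cash's: it replays Approval and ApprovalForAll events in block order so that the newest entry per (token, spender) wins, drops anything already revoked to zero, and orders the remainder so that approvals to a known drainer address come first, unlimited approvals second, and bounded ones last. The events, addresses, and the known-drainer list are constructed; real input is the explorer's token-approvals view or an eth_getLogs query filtered on the wallet as owner.

```python
"""Build a prioritised revoke list from a wallet's Approval events (added example)."""
UINT256_MAX = 2**256 - 1

ROUTER = "0x" + "11" * 20    # placeholder for a legitimate router the wallet once approved
DRAINER = "0x" + "d0" * 20   # placeholder for the drainer contract from the drain transaction
USDC, WETH, DAI, NFT = ("0x" + b * 20 for b in ("55", "57", "6b", "9f"))

# Constructed events. kind "erc20" carries an amount; kind "nft" carries the bool from ApprovalForAll.
EVENTS = [
    {"block": 50,  "log_index": 3, "kind": "erc20", "token": DAI,  "spender": ROUTER,  "value": 1_000 * 10**18},
    {"block": 100, "log_index": 0, "kind": "erc20", "token": USDC, "spender": ROUTER,  "value": UINT256_MAX},
    {"block": 200, "log_index": 7, "kind": "erc20", "token": USDC, "spender": DRAINER, "value": UINT256_MAX},
    {"block": 201, "log_index": 1, "kind": "erc20", "token": WETH, "spender": DRAINER, "value": 5 * 10**18},
    {"block": 202, "log_index": 4, "kind": "nft",   "token": NFT,  "spender": DRAINER, "value": True},
    {"block": 300, "log_index": 2, "kind": "erc20", "token": WETH, "spender": DRAINER, "value": 0},  # already revoked
]


def outstanding_approvals(events):
    """Replay in (block, log_index) order; the newest event per (token, spender) is the standing allowance."""
    latest = {}
    for ev in sorted(events, key=lambda e: (e["block"], e["log_index"])):
        latest[(ev["token"], ev["spender"].lower())] = ev
    return {k: v for k, v in latest.items() if v["value"] != 0}


def revoke_plan(events, known_drainers=()):
    """Everything still approved, most dangerous first: known drainer, then unlimited, then bounded."""
    bad = {a.lower() for a in known_drainers}
    plan = []
    for (token, spender), ev in outstanding_approvals(events).items():
        unlimited = ev["kind"] == "nft" or ev["value"] == UINT256_MAX
        priority = 0 if spender in bad else (1 if unlimited else 2)
        plan.append({"token": token, "spender": spender, "kind": ev["kind"],
                     "unlimited": unlimited, "known_drainer": spender in bad, "priority": priority})
    return sorted(plan, key=lambda p: (p["priority"], p["token"]))


if __name__ == "__main__":
    for entry in revoke_plan(EVENTS, known_drainers=[DRAINER]):
        print(entry["priority"], entry["kind"], entry["token"], "->", entry["spender"],
              "UNLIMITED" if entry["unlimited"] else "bounded")
```

Two caveats when running this against real logs. The latest Approval value is an upper bound, not the exact remaining allowance: transferFrom consumes a bounded allowance in most token implementations without emitting a new Approval, so a bounded entry may already be partly spent, which does not change whether it should be revoked. And this has to be run on every chain the wallet has touched; approvals on Base or Arbitrum are invisible from an Ethereum mainnet log query.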
Hour 2 to 6: Preserve evidence
- Save the drain transaction hash. This is the highest-value artifact. Note all chains affected.
- Save the drainer contract address. For an on-chain approve or setApprovalForAll it is the spender in the transaction you signed. For a permit-based drain you never sent a transaction at all: find the drain transaction from the outgoing Transfer event on your wallet's token page in the explorer, and note the contract that transaction called.
- Save the destination address(es) where your funds went.
- Save the phishing URL and any screenshots of the site. The URL itself, the social media post that linked to it, the Discord message, the search ad — preserve all of it.
- Save communications. Any DMs, emails, or chats that led you to the phishing site. Original artifacts, not retyped.
Hour 6 to 24: Report and engage
- File an IC3 report at IC3.gov regardless of the dollar amount. Cumulative reports against the same contract or destination address feed the FBI Virtual Assets Unit's aggregation. See our piece on how to report a crypto scam to the FBI for the full procedure.
- File a local police report — you will need it for any insurance claim or civil pleading.
- Notify your exchange. If the destination address has any prior or pending interaction with a known exchange, the exchange's compliance team can sometimes flag it.
- Engage independent forensic counsel if the loss is material (typically $5K+). Do not engage anyone who promises guaranteed recovery — that is the secondary scam. See avoiding wallet drainers in our knowledge base for the prevention side and can you sue a crypto scammer for the civil action question.
For the broader post-incident framework that applies regardless of attack vector, see Coinbase account hacked for the centralized-exchange parallel and honeypot scam for the related malicious-token category. For the standalone signature-fraud case file, my MetaMask drained trace guide walks through the single-victim version of this playbook.
Case Aggregation: Why Your Single Loss Connects to a Federal Case
A point I make in almost every drainer scoping call: your individual loss, however large or small, is not a standalone case. It is one of hundreds or thousands of parallel cases tied to the same operator infrastructure. Understanding that changes both the realistic expectations and the right strategy.
Why aggregation matters
A single drained wallet of $5,000 or even $50,000 rarely justifies a standalone federal investigation on dollar-value grounds. Federal task forces are resource-constrained and prioritize cases by total impact, organizational complexity, and the existence of clear attribution. A single victim case often does not clear that threshold. The same case viewed as one of 800 parallel victims of the same Inferno-deployed contract is a different proposition entirely. The aggregate loss across the contract's victims may run into the tens of millions; the operator address consolidates a documented portion of every drain; the phishing crew has a traceable footprint across multiple campaigns. That is a federal case.
The mechanism for aggregation is largely IC3. Every IC3 report filed against the same destination address or contract gets cross-referenced internally; the FBI Virtual Assets Unit and partner task forces use that aggregation to build the priority list. A victim who files IC3, who provides the drainer contract address and the operator-side wallet, and who shares the forensic attribution package if one exists, is contributing to a case file that may already include dozens of other complaints against the same infrastructure. The marginal value of any single complaint is small; the aggregate is what unlocks action.
Civil aggregation
The civil track has the same property. John Doe pleadings naming the operator-controlled addresses, asset-tracing actions through Section 1782 against the off-ramp exchange's home jurisdiction, and class or quasi-class formations across multiple victims of the same drainer infrastructure all benefit from the structural shape of the case. The on-chain attribution is identical for each victim; the cost of the underlying analysis amortizes; the legal pleadings can incorporate the same forensic record. For the civil-action question more broadly, see can you sue a crypto scammer.
What the victim contributes
The victim's role in aggregation is to file, preserve, and connect:
- File the IC3 report and any state attorney general or consumer protection complaint that applies, with the drainer contract address and the destination wallet explicit.
- Preserve every artifact — the transaction hash, the contract, the destination, the phishing URL, the social referral.
- Connect with other victims of the same contract where possible. Discord servers, Reddit threads, X / Twitter posts referencing the same phishing campaign are all aggregation surface area. The drainer's contract address is a public ID that ties parallel victims to each other.
For a closely related case category that follows the same aggregation logic, see our analysis of token bundling scams — another category where a single deployer wallet is the chokepoint that links many victims.
Frequently Asked Questions
Drained by an approval signature? Start with a free scoping call.
If a wallet was drained after signing a phishing-site approval, we will scope the trace from the drain transaction through the drainer contract to the operator commission cluster and the off-ramp exchange. Initial assessments are free and we respond within 24 hours.