Crypto wallet drainer attacks UK 2026
Signature-based attacks that drain MetaMask, Phantom, Rabby and other Web3 wallets. The victim signs what looks like a routine "connect" or "claim" transaction; the signature actually grants unlimited spend authority on key tokens. This page covers how drainers work, how to spot them before signing, what to do if drained, and how to prevent future attacks.
Last reviewed: 14 May 2026 · ScamSupport research
How wallet drainers work
A wallet drainer is a smart-contract attack pattern. The attacker creates a malicious dApp interface, typically posing as a token mint page, an airdrop claim, a staking pool, a DEX swap or an NFT marketplace listing. The victim arrives via a phishing link (Twitter, Discord, fake search ad, fake email), connects their wallet, and is prompted to sign a transaction.
The transaction looks innocuous but actually grants the attacker permanent spend authority on one or more of the victim's tokens. Once signed, the attacker uses a separate transaction (sometimes seconds later, sometimes hours) to drain the authorised tokens. The victim has no further role — they just signed away access.
Three common signature variants:
- Token approval with "unlimited" allowance — most common. Signing grants the attacker permanent ability to move any amount of that token.
- Permit / Permit2 signature — off-chain signature that authorises future on-chain transactions. Newer, harder to spot, increasingly common.
- SetApprovalForAll for NFTs — grants spend authority on all NFTs from a specific collection.
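The three signature shapes above can be told apart mechanically from what the wallet is being asked to sign. The following is an added example, not code from this page or from any wallet or security plugin: it decodes the raw calldata of a pending transaction (the wallet's "Data" view) and the message of an EIP-712 typed-data request, and labels unlimited approvals, SetApprovalForAll grants and Permit / Permit2 signatures as high risk. The 4-byte selectors are the standard keccak256 prefixes of the ERC-20 / ERC-721 / EIP-2612 function signatures; the function names, the placeholder spender address and the sample payloads are constructed for the demo, and the "deadline more than a year away" threshold is a heuristic chosen here, not a standard.

```javascript
// Added example (not code from the page or from any wallet): classify what a
// signature request would grant before the user signs it. Covers the three
// drainer shapes: unlimited ERC-20 approvals, Permit / Permit2 typed-data
// signatures, and ERC-721/1155 setApprovalForAll.
// Selectors are keccak256 of the standard function signatures; the spender
// address and payloads at the bottom are constructed for the demo.

const MAX_UINT256 = (1n << 256n) - 1n;
const MAX_UINT160 = (1n << 160n) - 1n;        // Permit2 amounts are uint160
const ONE_YEAR = 365n * 24n * 3600n;          // heuristic "far deadline" threshold (assumption)

const SELECTORS = {
  "0x095ea7b3": "approve",            // approve(address,uint256)
  "0x39509351": "increaseAllowance",  // increaseAllowance(address,uint256)
  "0xa22cb465": "setApprovalForAll",  // setApprovalForAll(address,bool)
  "0xd505accf": "permit",             // permit(owner,spender,value,deadline,v,r,s)
  "0xa9059cbb": "transfer",           // transfer(address,uint256)
  "0x23b872dd": "transferFrom",       // transferFrom(address,address,uint256)
};

// i-th 32-byte ABI word after the 4-byte selector ("0x" + 8 hex chars).
const word = (data, i) => data.slice(10 + i * 64, 10 + (i + 1) * 64);
const asAddress = (w) => "0x" + w.slice(24);
const asUint = (w) => BigInt("0x" + w);

// Classify raw transaction calldata as shown in the wallet's "Data" view.
function classifyCalldata(data) {
  const hex = data.toLowerCase();
  const fn = SELECTORS[hex.slice(0, 10)];
  if (!fn) return { fn: "unknown", risk: "review", note: "unrecognised selector; decode before signing" };
  if (fn === "approve" || fn === "increaseAllowance") {
    const unlimited = asUint(word(hex, 1)) === MAX_UINT256;
    return { fn, spender: asAddress(word(hex, 0)), unlimited, risk: unlimited ? "high" : "medium" };
  }
  if (fn === "setApprovalForAll") {
    const approved = asUint(word(hex, 1)) !== 0n;  // false = revocation, which is safe
    return { fn, spender: asAddress(word(hex, 0)), unlimited: approved, risk: approved ? "high" : "low" };
  }
  if (fn === "permit") {
    const unlimited = asUint(word(hex, 2)) === MAX_UINT256;
    return { fn, spender: asAddress(word(hex, 1)), unlimited, risk: "high" };
  }
  // transfer / transferFrom move tokens immediately instead of granting access.
  return { fn, to: asAddress(word(hex, fn === "transfer" ? 0 : 1)), risk: "high", note: "moves tokens now" };
}

// Classify an eth_signTypedData_v4 payload: EIP-2612 Permit or Permit2 PermitSingle.
function classifyTypedData(typed, nowSeconds) {
  const t = typeof typed === "string" ? JSON.parse(typed) : typed;
  const m = t.message || {};
  const now = BigInt(nowSeconds);
  if (t.primaryType === "Permit") {
    const unlimited = BigInt(m.value) === MAX_UINT256;
    const farDeadline = BigInt(m.deadline) > now + ONE_YEAR;
    return { kind: "Permit", spender: m.spender, unlimited, farDeadline, risk: "high" };
  }
  if (t.primaryType === "PermitSingle" && m.details) {
    const unlimited = BigInt(m.details.amount) === MAX_UINT160;
    const farDeadline = BigInt(m.details.expiration) > now + ONE_YEAR;
    return { kind: "Permit2", spender: m.spender, token: m.details.token, unlimited, farDeadline, risk: "high" };
  }
  return { kind: "other", risk: "review" };
}

// --- constructed sample inputs (placeholder address, not a real contract) ---
const pad = (v) => String(v).replace(/^0x/, "").padStart(64, "0");
const encode = (selector, ...args) => selector + args.map(pad).join("");
const SPENDER = "0x" + "ab".repeat(20);
const SAMPLE_UNLIMITED_APPROVE = encode("0x095ea7b3", SPENDER, MAX_UINT256.toString(16));
const SAMPLE_SMALL_APPROVE = encode("0x095ea7b3", SPENDER, "64");  // 100 base units
const SAMPLE_SET_ALL = encode("0xa22cb465", SPENDER, "1");
const SAMPLE_PERMIT = {
  primaryType: "Permit",
  message: { owner: "0x" + "01".repeat(20), spender: SPENDER,
             value: MAX_UINT256.toString(), nonce: "0", deadline: MAX_UINT256.toString() },
};

for (const d of [SAMPLE_UNLIMITED_APPROVE, SAMPLE_SMALL_APPROVE, SAMPLE_SET_ALL]) {
  console.log(classifyCalldata(d));
}
console.log(classifyTypedData(SAMPLE_PERMIT, 1700000000));
```

The point of the typed-data branch is that a Permit or Permit2 request never appears as a transaction at all; the wallet shows a "sign message" dialog, which is why victims read it as a "connect" step. Any such message naming a spender you did not choose, with an unlimited value or a deadline years away, is the drainer shape the text describes.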
How the attack reaches you
Five common entry points:
- Phishing on social media. Twitter/X DMs from "support", Discord moderator impersonation, Telegram pump-group links. The link goes to a clone dApp.
- Fake airdrop claims. "You've been selected for [TOKEN] airdrop — claim your tokens here." The "claim" transaction is the drainer signature.
- Fake mint pages. An impersonated NFT collection's mint page. Connecting your wallet to "mint" actually signs an approval drainer.
- Fake search-engine ads. Google and Bing ads for "MetaMask login", "Uniswap", "OpenSea" can be bought by attackers; the destination is a clone interface.
- Browser-extension or wallet-extension compromise. Less common; involves the legitimate dApp interface being replaced or compromised on the user's device. A hardware wallet defends against this.
Spot a drainer before signing — 3 checks
1. Read the transaction details
MetaMask, Phantom and Rabby all display what's being signed. Look for red-flag keywords in the function name:
- Approve / SetApproval / IncreaseAllowance — granting spend authority on a token. Suspect if not an obvious DEX/marketplace interaction you initiated.
- Permit / Permit2 / SetApprovalForAll — granting broader authority via signed message. High-risk signatures; treat with extreme caution.
- Transfer — direct token movement. Less common in drainers (too obvious) but disguised UI can hide it.
If the transaction's intent isn't obvious from what's displayed, don't sign. Real dApps describe what's being signed in plain terms.
2. Verify the contract address
Click into the transaction's "Data" view. Note the contract address being called. Check it on Etherscan / BscScan / Solscan / Arbiscan:
- Was it deployed in the last 48 hours? High risk.
- Is the source code unverified? High risk (legitimate dApps verify their contracts).
- Is the contract already flagged on Revoke.cash, De.Fi, or community-maintained warning lists? Don't sign.
3. Use a security plugin
Free browser extensions that intercept signatures and flag known-malicious transactions before you sign:
- Pocket Universe — pocketuniverse.app
- Wallet Guard — walletguard.app
- ScamSniffer — scamsniffer.io (also publishes weekly drainer-pattern data)
- Web3 Antivirus — web3antivirus.io
Each works in real time as a browser extension; install one (or two for redundancy).
If your wallet has been drained
Immediate (next 15 minutes)
- Move remaining tokens to a fresh wallet. Generate a new seed phrase; never reuse the compromised wallet. Open approvals mean other tokens in the wallet may also be at risk.
- If the attacker hasn't fully drained yet: race to move tokens before they do. Front-run by paying high gas. Some victims save substantial value this way.
- Save evidence. Screenshot the transaction history, save transaction hashes, note attacker wallet addresses.
Within 24 hours
- Revoke any remaining approvals on the compromised wallet at revoke.cash. This stops further drains via existing approvals.
- If you suspect malware on the device: move via a different device. Reinstall the wallet on a clean machine.
- File a report with Report Fraud at reportfraud.police.uk.
- Notify exchanges if any of your wallet's destinations were known centralised exchanges — they may be able to freeze the attacker's account.
Within 30 days
- Blockchain forensics — Chainalysis, TRM Labs, OXT.me can trace funds. Specialist crypto solicitors (TLW, CEL) take cases on no-win-no-fee.
- PSR claim if applicable — if the funds originally came from a UK bank transfer to buy crypto, the bank leg may qualify. PSR claim wizard.
- Watch for recovery scams. Drainer victims are heavily targeted by follow-up scammers. All upfront-fee recovery offers are scams. Recovery scam warning.
- Tax loss — UK HMRC treats crypto losses as Capital Gains losses; can offset other gains in current or future tax years.
Prevention setup
- Hardware wallet for serious balances. Ledger, Trezor. £50-150. Shows transaction details on a physical screen the attacker can't fake; signature requires physical button press.
- Separate hot and cold wallets. Cold = hardware, never interacts with dApps. Hot = browser wallet with small amounts for active trading.
- Security plugin always installed. Pocket Universe / Wallet Guard / ScamSniffer / Web3 Antivirus.
- Habit: never sign blind. If the transaction's intent isn't obvious, don't sign. Real dApps don't lose patience.
- Bookmark major dApp URLs. Never reach Uniswap, OpenSea, MetaMask via search results or social media links.
- Monthly approval revocation review. Revoke.cash; cancel any unused token approvals.
- Multi-sig for treasury or shared funds. 2-of-3 multi-sig means a single compromised signature can't drain the wallet.
Frequently asked questions
What's a wallet drainer attack?
A wallet drainer is a smart-contract-based attack where the victim is tricked into signing a transaction or approval that grants the attacker spend authority over their wallet's tokens. Once signed, the attacker drains funds with no further victim interaction needed. The most common variant is the malicious dApp (decentralised application) interface — fake mint pages, fake airdrops, fake DeFi yield pools — that present a transaction to sign which looks routine but actually approves unlimited spending on key tokens. Scam Sniffer reported wallet drainers as one of the fastest-growing crypto attack categories in 2024-2026.
What does signing a malicious transaction actually do?
It depends on the transaction shape. Three common drainer signatures: (1) Token approval with 'unlimited' allowance — the most common; signing grants the attacker permanent ability to move any amount of that token from your wallet. (2) Permit / Permit2 signature — newer signature standard where signing an off-chain message authorises future on-chain transactions; victims often sign these believing they're 'connecting' to a site. (3) Direct token transfer — less common; the transaction directly moves tokens out, which most wallets clearly display, but disguised UI can confuse this with 'verify' or 'claim' actions. All three result in the same outcome — funds extracted; the difference is the technical mechanism.
How do I spot a wallet drainer before signing?
Three checks before any signature. (1) READ the transaction details in the wallet popup. MetaMask, Phantom, and Rabby all show what's being signed; look for 'Approve', 'Permit', 'SetApprovalForAll' as red-flag keywords. Real interactions (swaps, mints) usually show specific token amounts and actions, not unlimited approvals. (2) Check the contract address being interacted with. Drainer contracts are often new (deployed in last 48 hours), not on Etherscan/BscScan with verified source code, and may already be flagged on Revoke.cash or De.Fi. (3) Use a security plugin — Pocket Universe, Wallet Guard, ScamSniffer, or Web3 Antivirus — all are free browser extensions that intercept signatures and flag known-malicious transactions before you sign.
My wallet has been drained — what now?
Act in this order. (1) Move any remaining tokens to a fresh wallet immediately. Once a malicious approval exists, every other token in the wallet is at risk. Generate a new wallet seed; never reuse the compromised wallet. (2) Revoke all token approvals on the compromised wallet — use Revoke.cash or Etherscan's approval-checker; revoke any open allowances. (3) Save transaction hashes for evidence. (4) Move funds via a fresh device if you suspect malware on the original device. (5) File a report with Report Fraud at reportfraud.police.uk. (6) Try blockchain forensics — Chainalysis, TRM Labs, OXT — to follow funds. Specialist solicitors take wallet-drainer cases on no-win-no-fee. (7) If the bank-transfer leg was involved (buying crypto via a UK exchange first), start a PSR claim. (8) Recovery is technically difficult but not impossible; document everything.
How do I prevent wallet drainers in future?
A layered defence. (1) Use a hardware wallet (Ledger, Trezor) for any amount you can't afford to lose — hardware wallets show transaction details on a physical screen the attacker can't fake. (2) Maintain separate 'hot' and 'cold' wallets — keep most funds in a wallet that NEVER interacts with dApps; use a small hot wallet for active trading. (3) Install a security plugin — Pocket Universe, Wallet Guard, ScamSniffer, Web3 Antivirus. Free; intercepts known-malicious signatures before you sign. (4) Habit: never sign blind. Always read what's being signed. If you don't understand, don't sign. Real dApps don't lose patience while you verify. (5) Bookmark major dApp URLs; never click links from social media to access them. (6) Periodically (monthly) revoke unused token approvals on Revoke.cash.
Are stolen crypto funds traceable?
Yes initially, but increasingly difficult as funds move. The blockchain is transparent — you can follow funds from your wallet to the attacker's address. From there, attackers typically route funds through (1) Tornado Cash or other mixers; (2) cross-chain bridges to less-tracked chains; (3) decentralised exchanges that convert tokens. After mixing, tracing becomes statistical rather than deterministic — specialised firms (Chainalysis, TRM Labs) can sometimes follow probabilistically to identified exchange clusters where seizure orders may be possible. Total recovery rates remain low (<5% industry-wide) but individual cases with strong evidence and fast action have succeeded. The trace is valuable evidence even when recovery itself fails.