Phishing losses in crypto jumped 207% in January 2026 compared to December 2025, and the pattern behind the spike is worth understanding. Attackers stopped trying to drain everyone with cheap mass campaigns. They started picking high-balance wallets, doing reconnaissance on individual targets, and crafting bespoke approaches that get past the defenses that worked against the broader version of the attack. The industry calls it whale hunting. The mechanics are familiar; the targeting is what changed.
This piece walks through what a wallet drainer is, how the whale-hunting variant works, and what defenses still hold up against the more careful version of the attack.
What a wallet drainer is
A wallet drainer is a piece of code, usually a smart contract, that exists to move funds out of a victim's wallet once the victim signs a malicious transaction. The contract sits on a fake site, a phishing page, or a malicious DApp. When the user connects their wallet and signs what they think is an approval, a swap, or a minting transaction, the contract call underneath is something different: an unlimited approval, a transferFrom call that drains a specific token, or a signed delegation that hands the drainer spending rights over the user's holdings.
The mechanics haven't changed much in years. What changed is how attackers find and approach victims.
The shift from mass to whale
The traditional drainer playbook was a numbers game. Get tens of thousands of phishing emails out, hope a small fraction of recipients sign the bad transaction, collect the proceeds, move on. The math worked because connecting to a malicious DApp was relatively cheap and signing approvals was relatively common, so even a 0.1% conversion rate paid the operation.
The math broke for two reasons. First, defenses improved: major wallets like MetaMask shipped transaction simulators and warning UIs that catch most generic drainer patterns, and browser extensions like Pocket Universe and Wallet Guard added another defensive layer. Second, the cheap drainer approach tripped the same signals every time, which made the spam approach less profitable.
Attackers responded by going up-market. Instead of casting a wide net, they started picking specific targets with high balances and crafting individual approaches. The shift was visible by the second half of 2025 and accelerated through early 2026, with phishing losses jumping 207% in January 2026 as the new pattern compounded.
How whale hunting works in practice
A whale-hunting campaign starts with public on-chain reconnaissance. Attackers identify wallets with eight-figure balances, then look at the wallet's transaction history to figure out what the holder does. Active DeFi user? NFT collector? Cross-chain hopper? Each profile gets a tailored approach.
A few patterns showed up consistently this cycle:
- Fake airdrops with celebrity DMs: An account impersonating a project the target has interacted with messages them offering an airdrop for early users, with a sign link that looks legitimate. The signature is for an unlimited token approval.
- Compromised influencer posts: An attacker takes over a real account through SIM swap or credential stuffing, then posts a fake link to the influencer's followers. Because the source is trusted, the warnings get clicked through.
- Fake support threads: The target posts about a wallet issue in a Discord or X thread, and an attacker responds posing as project staff, linking the target to a fake support flow that ends in a malicious signature.
- DeFi protocol upgrade scams: The attacker monitors major DeFi positions, sees the target holds a significant position in a protocol, and sends a notification mimicking the protocol's communication about an "upgrade" or "migration." The migration link signs the drainer.
The common thread: the target's specific behavior is the bait. The attack doesn't look like spam because the attacker did their homework.
What still defends against this
Three layers of defense hold up reasonably well against whale hunting, with the strongest setup combining them.
1. Transaction simulators catch a chunk of the damage. MetaMask Transaction Shield and similar tools simulate the proposed transaction before signing and flag suspicious outcomes (unlimited approvals, transfers to addresses with bad reputation, signature delegation to unknown contracts). The simulators don't catch everything: signatures that look benign in isolation but trigger malicious behavior in the destination contract can still slip through. They catch most of the obvious cases.
2. On-device address verification on a hardware wallet catches a different category. The drainer's effectiveness depends on showing one address on the user's screen while signing for a different one underneath. A hardware wallet with on-device display forces the user to see the actual address being signed, on a screen the host machine can't draw to. The clipboard hijacks and address-substitution attacks that a compromised host display can hide become visible.
3. Operational discipline is the third layer, and the one whale-hunting attacks rely on bypassing. The disciplines that hold up include: never sign a transaction you didn't initiate, never click DM-delivered links to sign anything, verify any URL hosting a wallet-connect flow against the project's official channels, and treat any "upgrade" or "migration" message as suspect until verified through a known-good channel.
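To make the first layer concrete, here is an added example (not Ryder's code, nor MetaMask's or any extension's) of the kind of pre-signing check a transaction simulator applies: it decodes standard ERC-20/ERC-721 calldata and flags the drainer patterns described above, an unlimited approve(), a setApprovalForAll(true), and a transferFrom() that pulls tokens out of the signer's own wallet. The selectors are the real standard ones; the signer and spender addresses and the calldata samples are constructed placeholders.

```python
UINT256_MAX = 2**256 - 1

# Standard ERC-20 / ERC-721 selectors (first 4 bytes of keccak256 of the signature).
SELECTORS = {
    "095ea7b3": ("approve", ["address", "uint256"]),
    "23b872dd": ("transferFrom", ["address", "address", "uint256"]),
    "a22cb465": ("setApprovalForAll", ["address", "bool"]),
}

def decode_call(calldata_hex: str) -> dict:
    # Decode selector + 32-byte ABI words; unknown selectors are reported, never guessed at.
    data = bytes.fromhex(calldata_hex.removeprefix("0x"))
    selector = data[:4].hex()
    if selector not in SELECTORS:
        return {"function": "unknown", "selector": selector, "args": []}
    name, types = SELECTORS[selector]
    if len(data) < 4 + 32 * len(types):
        raise ValueError("calldata truncated")
    words = [data[4 + 32 * i:36 + 32 * i] for i in range(len(types))]
    args = []
    for t, w in zip(types, words):
        if t == "address":
            args.append("0x" + w[12:].hex())  # an address is left-padded to 32 bytes
        elif t == "bool":
            args.append(int.from_bytes(w, "big") != 0)
        else:
            args.append(int.from_bytes(w, "big"))
    return {"function": name, "selector": selector, "args": args}

def screen(calldata_hex: str, signer: str, trusted_spenders=()) -> list:
    # Return the warnings a wallet should surface before `signer` signs this call.
    call = decode_call(calldata_hex)
    fn, args, warnings = call["function"], call["args"], []
    trusted = {a.lower() for a in trusted_spenders}
    if fn == "approve":
        spender, amount = args
        if amount == UINT256_MAX:
            warnings.append(f"unlimited approval to {spender}")
        if spender.lower() not in trusted:
            warnings.append(f"approval to unrecognised spender {spender}")
    elif fn == "setApprovalForAll" and args[1]:
        warnings.append(f"operator {args[0]} gains control of every NFT in this collection")
    elif fn == "transferFrom" and args[0].lower() == signer.lower():
        warnings.append(f"moves {args[2]} of your tokens to {args[1]}")
    elif fn == "unknown":
        warnings.append(f"unrecognised selector {call['selector']}; simulate before signing")
    return warnings

# Constructed sample calldata; the addresses are placeholders, not real accounts.
def _enc_addr(a): return a.removeprefix("0x").lower().rjust(64, "0")
def _enc_uint(n): return format(n, "064x")
SIGNER, DRAINER = "0x" + "11" * 20, "0x" + "dd" * 20
SAMPLE_UNLIMITED_APPROVE = "0x095ea7b3" + _enc_addr(DRAINER) + _enc_uint(UINT256_MAX)
SAMPLE_SWEEP = "0x23b872dd" + _enc_addr(SIGNER) + _enc_addr(DRAINER) + _enc_uint(1000)
```

Running screen(SAMPLE_UNLIMITED_APPROVE, SIGNER) returns both an unlimited-approval warning and an unrecognised-spender warning; a call whose selector is not in the table is flagged rather than silently passed, which is the gap a full simulator closes by executing the transaction.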
Where Ryder One fits
Ryder One is built around the second layer. Every transaction is verified on the 1.6-inch AMOLED touchscreen with full readable detail, so what you see on the device is what you sign. The physical button is wired directly to the EAL6+ Infineon SLC38 secure element, so no software path can sign without your deliberate press. The host machine doesn't get to draw the address or the amount; the device does.
For the whale-hunting playbook, that defense matters because the attack depends on signing for one outcome while believing you're signing for another. When the address on the device matches the address on your laptop and the transaction details match what you expected, the attack runs out of room.
TapSafe Recovery handles the residual recovery question for the funds the device protects: 50% on the Recovery Tag, 50% in your phone's iCloud or Google Drive backup, optional 25% per Recovery Contact for the people you trust.
What to do today
A few practical moves close most of the exposure.
Audit your token approvals. Tools like Revoke.cash and Etherscan's token approval checker let you see every contract that has spending permission on your wallet. Revoke anything you don't recognize or haven't used recently.
Long-term positions belong in cold storage. The wallets at greatest risk for whale hunting are the ones with high balances doing active signing. If part of your position doesn't need to be active, move it to a hardware wallet that doesn't connect to DApps at all.
Treat unsolicited messages as suspect. Anyone DMing you about a sudden opportunity, an urgent migration, or a special access drop is doing the first step of a whale-hunting campaign. The friction of "verify through official channels" feels excessive in the moment and saves wallets every week.
The bottom line
Wallet drainers got smarter because the easy version got harder. Attackers shifted from broad spam to targeted approaches, and the targeting depends on public on-chain data anyone can read. The defenses that held against the broad attack still hold against the targeted one, with the strongest setup combining a transaction simulator, a hardware wallet with on-device verification, and operational discipline about what gets signed.
If you hold a balance large enough that a targeted attack would be profitable for someone, you're a worthwhile target. The question is whether your signing surface gives the attack room to operate, or whether every transaction goes through a device that shows the truth before you sign.
Sign nothing you can't read. Ryder One verifies every transaction on its own screen, with a physical button wired directly to the EAL6+ secure element. The host machine doesn't get to draw what you're signing. See how it works.