- by Ryder Team
Wallet Drainers Took $494M in 2024. Here's How.
Wallet Drainers Took $494M in 2024. Here's How.
- by Ryder Team

# Wallet Drainers Took $494M in 2024. Here's How the Scam Works.
You click an airdrop link from a Twitter reply. The site looks like the project's real page (down to the favicon). Your wallet pops up asking you to sign what looks like a routine approval, so you sign. Seconds later every token in the account is gone. That's a wallet drainer, and in 2024 Scam Sniffer counted $494 million stolen this way from around 332,000 addresses, a 67% jump in dollar losses year over year. The kits behind those thefts are sold on Telegram as a service, and their operators keep evolving faster than most wallets can warn you.
Below is what a wallet drainer is, which crews run the biggest operations, the specific signature tricks they use, and where a hardware wallet with on-device transaction display breaks the attack.
A wallet drainer is a malicious script or smart-contract toolkit hosted on a phishing site that pushes you to sign a transaction transferring your assets to an attacker. The victim thinks they are minting an NFT, claiming an airdrop, or approving a swap. The signature they produce does something else: it hands unlimited spending rights over one or more tokens to a wallet the attacker controls.
The attack has three moving parts. First, a lure: a fake airdrop page, a hijacked Discord post, a poisoned Google ad, a deepfaked Twitter reply from a founder account. Second, a website that mimics a familiar dapp interface and connects to your hot wallet. Third, a signature prompt that looks reasonable but authorizes a drain. Because most software wallets show only the raw hex or an abbreviated description, the malicious approval slips through as one more click in a normal-looking flow.
Once the signature clears, a sweeper contract executes within seconds. Every token covered by the approval leaves the wallet in one bundled transaction, usually with priority fees high enough that even a fast bot can't front-run the drainer's own bot.
Drainers are a scam-as-a-service industry. Operators sell access to kits and take a cut of the loot, usually 20% to 30%. A handful of crews have dominated the space over the last three years.
Monkey Drainer ran from August 2022 until February 2023 and made roughly $16 million from 18,000 victims before shutting down after crypto sleuth ZachXBT exposed the operator (see Bank Info Security's breakdown). Inferno Drainer picked up the market next. Between November 2022 and November 2023, Group-IB traced roughly $87 million stolen from 137,000 victims across 16,000 phishing domains, with Scam Sniffer putting the figure around $81 million; when Inferno's operators announced a shutdown in late 2023, Check Point later documented the same infrastructure reappearing in 2025 and dominating with roughly 40 to 45% market share.
Pink Drainer stole around $85 million from 21,000 victims before announcing its own retirement in May 2024. Angel Drainer emerged in parallel with Inferno and briefly absorbed Inferno's client base during a handoff period in 2024. New kits appear as old ones burn out; the underlying business model keeps working because the signature tricks it sells still fool people who trust what their wallet screen shows them.
Three signature primitives do most of the damage.
Permit (EIP-2612). Permit is an off-chain signature that authorizes another address to spend your ERC-20 tokens. It was designed to save gas by removing the need for a separate approval transaction. Scam Sniffer's 2024 breakdown found that 56.7% of drainer thefts used a Permit signature. Because the signature happens off-chain, nothing appears on the block explorer until the attacker later submits it, which is why many victims see no warning between "sign this" and "your USDC is gone."
setApprovalForAll. This is the standard ERC-721 or ERC-1155 approval call used by legitimate NFT marketplaces. When granted to a malicious contract, it lets the contract move every NFT and every future NFT of that collection out of the wallet at will. Fake mint sites often present this as the "connect to mint" step; the signature reads as boilerplate marketplace behavior, so users approve without thinking.
OpenSea Seaport orders and gasless listings. Attackers craft Seaport orders that price a valuable NFT at 0 ETH and route the payment to themselves. The victim signs a message that looks like a listing confirmation. When the order gets executed against the signature, the NFT transfers for nothing.
A fourth pattern, `setOwner` and delegate calls, is showing up more often. Scam Sniffer flagged that 31.9% of 2024 thefts involved contract-ownership changes where the drainer swaps the admin of a proxy contract or vault. On the newer EVM chains Blast and Base, phishing volume climbed through 2024 and into 2025 because both networks pulled in fresh users faster than wallet security tooling could catch up.
The playbook is boring, and it works.
Bookmark the correct URLs for the dapps you use. Never navigate to a mint or claim page from a tweet, a Discord DM, a Google ad, or a Telegram link. Attackers buy paid ads and register typo-squatted domains that render pixel-identical to the legitimate site. When a dapp asks for a signature, expand the details in your wallet: if the request is a Permit or a setApprovalForAll, look at the spender address and confirm it matches the dapp's published contract. If your wallet only shows a raw hash or a description like "signTypedData_v4," treat that as a red flag and cancel.
Revoke old approvals every few weeks. Tools like Revoke.cash or Etherscan's token approval checker show every spender your wallet has ever authorized. A signature you gave to a mint site two years ago can still be used to drain that token today unless you revoke it. Split your funds: keep long-term holdings in a cold wallet that is never connected to random dapps, and keep a smaller "browsing" hot wallet with only the balance you can afford to lose.
The one defense that scales across every trick above is refusing to sign anything you can't read in plain English. Every drainer depends on the victim clicking "confirm" on a screen that hides the underlying meaning. Take that trust away and the attack fails.
Ryder One is our hardware wallet. Its 1.6-inch AMOLED touchscreen renders every transaction and every signature request in readable detail: the function being called, the token, the spender address, the amount. Anti-blind-signing is the design principle: what you see on the device is what you sign. Software wallets can lie about what a signature does because malware on your phone or laptop controls what the browser renders; the Ryder One screen is driven by its EAL6+ secure element, which the malware can't touch.
The physical button on Ryder One wires directly to the secure element. No signature leaves the device without a press that the chip can verify came from a human, not a script. When a phishing site asks for a Permit signature, the Ryder One screen shows you the actual spender and the actual amount before you press. When a fake mint asks for setApprovalForAll, the screen names the collection and the operator. If those details don't match what the dapp claims to be doing, you decline before the sweeper contract ever gets its signature.
Backup is handled by TapSafe Recovery, our alternative to the seed phrase model that has cost users their savings in a different attack pattern. The Recovery Tag holds 50% of your wallet, and an encrypted backup in your own iCloud or Google Drive holds the other 50%. Neither piece grants access alone. The BIP-39 seed phrase is still available on-device as a last resort, so you're never locked to Ryder hardware. Paper seed phrases stored in a drawer are fragile; metal seed plates upgrade the medium but leave a single object as the point of failure; TapSafe removes that single point of failure entirely.
Ryder One costs $229 and includes the Recovery Tag, a Qi wireless charger, and a travel pouch in the box. Firmware and secure-element design have been audited by Halborn, one of the more respected blockchain security firms.
Wallet drainer crews stole around half a billion dollars in 2024 by getting people to sign approvals they couldn't fully read. The kits will keep rotating, the phishing pages will keep improving, and every new chain will bring a fresh cohort of users who haven't learned the signature-phishing playbook yet. The defense that keeps working across every version of the scam is a screen the attacker can't lie to. A hardware wallet with on-device signature display makes blind signing physically impossible, and that's where self-custody stops being theoretical.
If you hold anything worth draining, run it through cold storage with a device that shows you what you're approving. Ryder One is built for that.
SEO

The only crypto wallet you can install on a crowded subway.
Set it up in less than 60 seconds and just tap your phone to send, swap, and recover.
Share: