Wallet drained from a signature,
recovery depends on where the funds went next.
Wallet drain attacks differ from investment-platform fraud because there's no platform to recover from — the attacker stole approval to move funds directly out of the victim's wallet, often through a single malicious signature on a spoofed minting page, fake airdrop claim, or impersonation of a legitimate dApp. Recovery is possible when the drained funds land at a regulated exchange or known wallet cluster; less so when they go straight into mixer infrastructure.
The victim visits a site that appears to be a legitimate project: an airdrop claim page, an NFT minting site, a DeFi interface. The site asks the victim to connect their wallet and sign a transaction. The signature looks routine. In fact it grants the attacker's contract approval to transfer specific token balances out of the wallet at any time the attacker chooses.
Immediately or hours later, the attacker calls the contract and drains the approved tokens to a wallet they control. The victim's first warning is often the wallet balance dropping to zero in a single transaction, with no further interaction required.
The drained funds are usually moved through one or more bridging or swap protocols within minutes, both to obscure the trail and to convert to an asset (often ETH or stablecoins) easier to launder. From there the funds may go to a privacy mixer, a non-cooperative exchange, or — sometimes — to a regulated exchange where recovery becomes realistic.
Spans the spectrum from experienced DeFi users to first-time NFT minters. Wallet drains often hit people who consider themselves crypto-savvy — the attack relies on the assumption that "I would never fall for that", which lowers the verification step on the specific spoofed site that gets through. Loss sizes vary enormously, from a few hundred dollars in test tokens to seven-figure DeFi positions.
Signals victims and bystanders should know.
- 01
Wallet-connect request from a domain you didn't reach via the project's official channel
Spoofed minting and airdrop sites are typically promoted through compromised Discord channels, fake Twitter accounts, or paid Google ads. Always reach the dApp through the project's verified official link.
- 02
Urgency framing — "claim within 24 hours" or "limited supply"
Engineered to prevent you from verifying the URL. Legitimate projects have multi-day claim windows and don't pressure participants.
- 03
Signature request asks for a token approval, not a specific transaction
A token "approve" or "setApprovalForAll" signature gives the contract ongoing permission to move your tokens. This is normal for legitimate DEX use, but malicious contracts also use it. Always inspect what the signature is approving and to which contract.
- 04
Asks for your seed phrase or private key
No legitimate service ever needs your 12 or 24-word recovery phrase. Any prompt for these is an immediate drain attempt regardless of how legitimate the surrounding page looks.
The first 24 hours matter most.
- 01
Move remaining funds to a new wallet immediately
If your wallet was drained, the approval may still allow continued draining of other tokens you still hold. Generate a new wallet (with a fresh seed phrase) and move everything not yet drained.
- 02
Revoke pending approvals on the old wallet
Use Revoke.cash or similar to revoke any outstanding token approvals on the compromised wallet. Even if you're moving funds out, leaving the approval active risks future draining of any tokens that arrive back at that address.
- 03
Document the transaction hashes
The malicious approval transaction and the subsequent drain transaction are on-chain forever. Note the hashes; they are the evidence basis for any recovery action.
- 04
Notify the relevant exchanges and chains
If the drained funds landed at a known regulated exchange, contact their compliance team immediately. Some exchanges can freeze the receiving wallet within hours if action is initiated quickly.
- 05
Open a CryptoLeek case review
We trace the drain and tell you within 24 hours whether the destination is recoverable. Wallet drains have a particular pattern that benefits from fast professional escalation.
301 platforms in our public registry match this pattern.
myetnherwallet.com
myetnherwallet.com is documented on the CryptoScamDB public warning list as an phishing operating from myetnherwallet.com.
myetjherwallet.com
myetjherwallet.com is documented on the CryptoScamDB public warning list as an phishing operating from myetjherwallet.com.
myethwerwallet.com
myethwerwallet.com is documented on the CryptoScamDB public warning list as an phishing operating from myethwerwallet.com.
myethrrwallet.com
myethrrwallet.com is documented on the CryptoScamDB public warning list as an phishing operating from myethrrwallet.com.
myethuerwallet.com
myethuerwallet.com is documented on the CryptoScamDB public warning list as an phishing operating from myethuerwallet.com.
myethrerwallet.com
myethrerwallet.com is documented on the CryptoScamDB public warning list as an phishing operating from myethrerwallet.com.
myethnerwallet.com
myethnerwallet.com is documented on the CryptoScamDB public warning list as an phishing operating from myethnerwallet.com.
myethjerwallet.com
myethjerwallet.com is documented on the CryptoScamDB public warning list as an phishing operating from myethjerwallet.com.
myethgerwallet.com
myethgerwallet.com is documented on the CryptoScamDB public warning list as an phishing operating from myethgerwallet.com.
myethewrwallet.com
myethewrwallet.com is documented on the CryptoScamDB public warning list as an phishing operating from myethewrwallet.com.
myethewrallet.com
myethewrallet.com is documented on the CryptoScamDB public warning list as an phishing operating from myethewrallet.com.
myethesrwallet.com
myethesrwallet.com is documented on the CryptoScamDB public warning list as an phishing operating from myethesrwallet.com.
myetherwzallet.com
myetherwzallet.com is documented on the CryptoScamDB public warning list as an phishing operating from myetherwzallet.com.
myetherwxallet.com
myetherwxallet.com is documented on the CryptoScamDB public warning list as an phishing operating from myetherwxallet.com.
myetherwwllet.com
myetherwwllet.com is documented on the CryptoScamDB public warning list as an phishing operating from myetherwwllet.com.
myetherwwallet.com
myetherwwallet.com is documented on the CryptoScamDB public warning list as an phishing operating from myetherwwallet.com.
myetherwsallet.com
myetherwsallet.com is documented on the CryptoScamDB public warning list as an phishing operating from myetherwsallet.com.
myetherwlalet.com
myetherwlalet.com is documented on the CryptoScamDB public warning list as an phishing operating from myetherwlalet.com.
myetherweallet.com
myetherweallet.com is documented on the CryptoScamDB public warning list as an phishing operating from myetherweallet.com.
myetherwazllet.com
myetherwazllet.com is documented on the CryptoScamDB public warning list as an phishing operating from myetherwazllet.com.
myetherwawllet.com
myetherwawllet.com is documented on the CryptoScamDB public warning list as an phishing operating from myetherwawllet.com.
myetherwasllet.com
myetherwasllet.com is documented on the CryptoScamDB public warning list as an phishing operating from myetherwasllet.com.
myetherwaqllet.com
myetherwaqllet.com is documented on the CryptoScamDB public warning list as an phishing operating from myetherwaqllet.com.
myetherwapllet.com
myetherwapllet.com is documented on the CryptoScamDB public warning list as an phishing operating from myetherwapllet.com.
Questions victims of this pattern ask us most.
Can I get drained crypto back? +
I revoked the approval but my tokens are already gone. What now? +
How fast do I need to act after a wallet drain? +
Lost crypto to this pattern?
The free 24-hour case review tells you what's recoverable.
We trace the funds on-chain, identify where they ended up, and tell you within a day whether recovery is realistic.
The vocabulary this pattern uses.
Definitions of the terms that come up across this guide. Each links to the full glossary.
An attack in which an operator gains the right to move tokens out of a victim's wallet — usually via a malicious token approval or stolen private key — and transfers the wallet's balance to an address they control.
A wallet attack where the victim signs a `setApprovalForAll` or unlimited `approve` transaction on a spoofed dApp, granting the attacker contract permission to move specific tokens out of the wallet at any later time.
A subscription model in which a development team builds and maintains a wallet-drain smart contract and admin panel, then leases it to affiliates who run the front-end phishing sites and split the proceeds with the developers.
A phishing variant exploiting Uniswap's `Permit2` signature standard, in which a victim signs an off-chain message that the attacker then submits on-chain to drain approved tokens — with no gas or on-chain trail until the actual drain happens.
An automated program that monitors a compromised wallet (one whose private key the operator now knows) and instantly sends any incoming funds to an attacker-controlled address — making the wallet permanently unusable for the victim.
A wallet-targeting scam that seeds the victim's transaction history with a fake address that mimics the first and last characters of an address they recently used, hoping they will copy-paste the wrong one for a future send.
A cold wallet stores the private key offline (hardware device or paper); a hot wallet stores it in software connected to the internet — cold is materially safer against most wallet-drain and phishing attacks.
A wallet that requires signatures from multiple private keys (e.g. 2-of-3 or 3-of-5) to authorise any outgoing transaction — meaning a single compromised key cannot drain the wallet.
A service or smart contract that pools cryptocurrency from many depositors and pays out equivalent amounts to fresh addresses, breaking the on-chain link between source and destination wallets.