§ — · Scam pattern

Wallet drained from a signature,
recovery depends on where the funds went next.

Wallet drain attacks differ from investment-platform fraud because there's no platform to recover from — the attacker stole approval to move funds directly out of the victim's wallet, often through a single malicious signature on a spoofed minting page, fake airdrop claim, or impersonation of a legitimate dApp. Recovery is possible when the drained funds land at a regulated exchange or known wallet cluster; less so when they go straight into mixer infrastructure.

§ 01 · How this scam works

The victim visits a site that appears to be a legitimate project: an airdrop claim page, an NFT minting site, a DeFi interface. The site asks the victim to connect their wallet and sign a transaction. The signature looks routine. In fact it grants the attacker's contract approval to transfer specific token balances out of the wallet at any time the attacker chooses.

Immediately or hours later, the attacker calls the contract and drains the approved tokens to a wallet they control. The victim's first warning is often the wallet balance dropping to zero in a single transaction, with no further interaction required.

The drained funds are usually moved through one or more bridging or swap protocols within minutes, both to obscure the trail and to convert them to an asset (often ETH or stablecoins) that is easier to launder. From there the funds may go to a privacy mixer, a non-cooperative exchange, or, sometimes, to a regulated exchange where recovery becomes realistic.

Typical victim profile

Victims span the spectrum from experienced DeFi users to first-time NFT minters. Wallet drains often hit people who consider themselves crypto-savvy: the attack relies on the assumption that "I would never fall for that", which makes them less careful about verifying the one spoofed site that gets through. Loss sizes vary enormously, from a few hundred dollars in test tokens to seven-figure DeFi positions.

§ 02 · Red flags to recognise

Signals victims and bystanders should know.

  • 01 · Wallet-connect request from a domain you didn't reach via the project's official channel

    Spoofed minting and airdrop sites are typically promoted through compromised Discord channels, fake Twitter accounts, or paid Google ads. Always reach the dApp through the project's verified official link.

  • 02 · Urgency framing — "claim within 24 hours" or "limited supply"

    Engineered to prevent you from verifying the URL. Legitimate projects have multi-day claim windows and don't pressure participants.

  • 03 · Signature request asks for a token approval, not a specific transaction

    A token "approve" or "setApprovalForAll" signature gives the contract ongoing permission to move your tokens. This is normal for legitimate DEX use, but malicious contracts also use it. Always inspect what the signature is approving and to which contract.

  • 04 · Asks for your seed phrase or private key

    No legitimate service ever needs your 12 or 24-word recovery phrase. Any prompt for these is an immediate drain attempt regardless of how legitimate the surrounding page looks.
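One way to carry out the inspection that red flag 03 asks for, as an added example that is not part of the original page: decode the calldata of a pending request and report what it approves and to which contract. The selectors are the standard ones for `approve` and `setApprovalForAll`; the `VERIFIED_SPENDERS` allowlist, the risk labels and all addresses are assumptions constructed for illustration.

```javascript
// Added example: classify calldata a dApp asks the wallet to sign.
// Selectors are the standard ERC-20 / ERC-721 / ERC-1155 approval functions.
const APPROVAL_SELECTORS = {
  "095ea7b3": "approve",           // approve(address spender, uint256 amount)
  "a22cb465": "setApprovalForAll", // setApprovalForAll(address operator, bool approved)
};
const MAX_UINT256 = (1n << 256n) - 1n;

// Assumption: spenders the user verified through the project's official channel.
// The address is constructed for this example.
const VERIFIED_SPENDERS = new Set(["0x" + "1".repeat(40)]);

function inspectCalldata(data) {
  const hex = String(data).toLowerCase().replace(/^0x/, "");
  if (!/^[0-9a-f]+$/.test(hex) || hex.length < 8) {
    return { kind: "invalid", risk: "high", reason: "not well-formed calldata" };
  }
  const kind = APPROVAL_SELECTORS[hex.slice(0, 8)];
  if (!kind) return { kind: "other", risk: "unknown", reason: "not an approval call" };
  if (hex.length < 8 + 128) {
    return { kind, risk: "high", reason: "argument words missing" };
  }
  // ABI encoding: each argument is one 32-byte word; an address is its low 20 bytes.
  const spender = "0x" + hex.slice(8 + 24, 8 + 64);
  const value = BigInt("0x" + hex.slice(8 + 64, 8 + 128));

  if (value === 0n) {
    // amount 0 or approved=false removes a previously granted right
    return { kind, spender, risk: "low", reason: "revokes an existing approval" };
  }
  if (!VERIFIED_SPENDERS.has(spender)) {
    return { kind, spender, risk: "high",
      reason: "grants spending rights to an unverified contract" };
  }
  const blanket = kind === "setApprovalForAll" || value === MAX_UINT256;
  return blanket
    ? { kind, spender, risk: "medium", reason: "blanket approval to a verified contract" }
    : { kind, spender, risk: "low", reason: "bounded approval to a verified contract" };
}

// Constructed sample: approve(0x2222...2222, 2^256 - 1) to an unverified spender.
const SAMPLE_DRAINER_APPROVE =
  "0x095ea7b3" + "0".repeat(24) + "2".repeat(40) + "f".repeat(64);
console.log(inspectCalldata(SAMPLE_DRAINER_APPROVE));
```

Off-chain signatures such as Permit2 messages are typed data rather than calldata and are not covered by this check.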

§ 03 · What to do if you've been hit

The first 24 hours matter most.

  1. Move remaining funds to a new wallet immediately

     If your wallet was drained, the approval may still allow continued draining of other tokens you still hold. Generate a new wallet (with a fresh seed phrase) and move everything not yet drained.

  2. Revoke pending approvals on the old wallet

     Use Revoke.cash or similar to revoke any outstanding token approvals on the compromised wallet. Even if you're moving funds out, leaving the approval active risks future draining of any tokens that arrive back at that address.

  3. Document the transaction hashes

     The malicious approval transaction and the subsequent drain transaction are on-chain forever. Note the hashes; they are the evidence basis for any recovery action.

  4. Notify the relevant exchanges and chains

     If the drained funds landed at a known regulated exchange, contact their compliance team immediately. Some exchanges can freeze the receiving wallet within hours if action is initiated quickly.

  5. Open a CryptoLeek case review

     We trace the drain and tell you within 24 hours whether the destination is recoverable. Wallet drains have a particular pattern that benefits from fast professional escalation.
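For steps 2 and 3 above, an added example (not code from this page or from Revoke.cash) that replays a wallet's approval event logs to list which approvals are still open and the transaction hash that granted each. It assumes logs shaped like `eth_getLogs` results with `blockNumber` and `logIndex` already parsed to numbers; every address and hash in the sample data is constructed.

```javascript
// Added example: replay approval events for one wallet and list what is still open.
// topic0 values are the keccak-256 hashes of the standard event signatures.
const TOPIC_APPROVAL =          // Approval(address,address,uint256), ERC-20
  "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925";
const TOPIC_APPROVAL_FOR_ALL =  // ApprovalForAll(address,address,bool), ERC-721/1155
  "0x17307eab39ab6107e8899845ad3d59bd9653f200f220920489ca2b5937696c31";

const topicToAddress = (topic) => "0x" + topic.slice(-40).toLowerCase();
const word = (addr) => "0x" + "0".repeat(24) + addr.slice(2); // address as 32-byte topic

function outstandingApprovals(logs, owner) {
  const open = new Map(); // "token:spender" -> latest non-zero grant
  const ordered = [...logs].sort(
    (a, b) => a.blockNumber - b.blockNumber || a.logIndex - b.logIndex);
  for (const log of ordered) {
    const [sig, ownerTopic, spenderTopic] = log.topics;
    if (sig !== TOPIC_APPROVAL && sig !== TOPIC_APPROVAL_FOR_ALL) continue;
    // ERC-721 per-token Approval shares topic0 but has 4 topics; skip it here.
    if (log.topics.length !== 3) continue;
    if (topicToAddress(ownerTopic) !== owner.toLowerCase()) continue;
    const token = log.address.toLowerCase();
    const spender = topicToAddress(spenderTopic);
    const granted = BigInt(log.data);
    const key = token + ":" + spender;
    if (granted === 0n) open.delete(key); // allowance 0 or approved=false is a revoke
    else open.set(key, { token, spender, txHash: log.transactionHash,
      scope: sig === TOPIC_APPROVAL ? "erc20-allowance" : "all-tokens-in-collection" });
  }
  return [...open.values()];
}

// Constructed sample data: every address and hash below is made up.
const WALLET = "0x" + "a".repeat(40), DEX = "0x" + "1".repeat(40);
const DRAINER = "0x" + "2".repeat(40), TOKEN = "0x" + "c".repeat(40);
const NFT = "0x" + "d".repeat(40), MAX = "0x" + "f".repeat(64);
const mk = (blockNumber, address, sig, spender, data, tx) => ({
  blockNumber, logIndex: 0, address, data,
  topics: [sig, word(WALLET), word(spender)], transactionHash: "0x" + tx.repeat(32) });
const SAMPLE_LOGS = [
  mk(100, TOKEN, TOPIC_APPROVAL, DEX, "0x" + "0".repeat(61) + "1f4", "01"),
  mk(101, TOKEN, TOPIC_APPROVAL, DEX, "0x" + "0".repeat(64), "02"),   // user revoked
  mk(102, TOKEN, TOPIC_APPROVAL, DRAINER, MAX, "b1"),                 // malicious
  mk(103, NFT, TOPIC_APPROVAL_FOR_ALL, DRAINER, "0x" + "0".repeat(63) + "1", "b2"),
];
console.log(outstandingApprovals(SAMPLE_LOGS, WALLET));
```

The result lists grants that were never revoked; the remaining ERC-20 allowance can be lower than the granted amount if part of it has already been spent.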

§ 04 · Documented cases in this category

301 platforms in our public registry match this pattern.


§ 05 · Frequently asked

Questions victims of this pattern ask us most.

Can I get drained crypto back?

Sometimes. If the drained funds reached a regulated exchange before being laundered through mixers, recovery is realistic through compliance escalation. If they went directly to a privacy mixer like Tornado Cash, recovery is much harder. CryptoLeek's free 24-hour review traces the post-drain path and tells you which category your case is in.

I revoked the approval but my tokens are already gone. What now?

Revoking the approval stops further draining but doesn't undo the original transfer. Recovery focuses on the destination wallet and whether the funds reached an identifiable counterparty (an exchange, a known cluster). Document the transaction hashes; those are the starting point for the on-chain trace.

How fast do I need to act after a wallet drain?

Within the first 24 hours, the receiving exchange may still hold the funds in a freezable account. After that window, the operator typically moves them onward through mixers and bridges. Recovery is still possible after the window but harder. Move remaining funds to a new wallet immediately, document the hashes, and contact us within the first day.

Lost crypto to this pattern?
The free 24-hour case review tells you what's recoverable.

We trace the funds on-chain, identify where they ended up, and tell you within a day whether recovery is realistic.

§ 06 · Related glossary terms

The vocabulary this pattern uses.

Definitions of the terms that come up across this guide. Each links to the full glossary.

Wallet drain

An attack in which an operator gains the right to move tokens out of a victim's wallet — usually via a malicious token approval or stolen private key — and transfers the wallet's balance to an address they control.

Approval phishing

A wallet attack where the victim signs a `setApprovalForAll` or unlimited `approve` transaction on a spoofed dApp, granting the attacker contract permission to move specific tokens out of the wallet at any later time.

Drainer-as-a-service (DaaS)

A subscription model in which a development team builds and maintains a wallet-drain smart contract and admin panel, then leases it to affiliates who run the front-end phishing sites and split the proceeds with the developers.

Permit2 phishing

A phishing variant exploiting Uniswap's `Permit2` signature standard, in which a victim signs an off-chain message that the attacker then submits on-chain to drain approved tokens — with no gas or on-chain trail until the actual drain happens.

Sweeper bot

An automated program that monitors a compromised wallet (one whose private key the operator now knows) and instantly sends any incoming funds to an attacker-controlled address — making the wallet permanently unusable for the victim.

Address poisoning

A wallet-targeting scam that seeds the victim's transaction history with a fake address that mimics the first and last characters of an address they recently used, hoping they will copy-paste the wrong one for a future send.

Cold wallet vs hot wallet

A cold wallet stores the private key offline (hardware device or paper); a hot wallet stores it in software connected to the internet — cold is materially safer against most wallet-drain and phishing attacks.

Multi-sig wallet

A wallet that requires signatures from multiple private keys (e.g. 2-of-3 or 3-of-5) to authorise any outgoing transaction — meaning a single compromised key cannot drain the wallet.

Mixer (cryptocurrency)

A service or smart contract that pools cryptocurrency from many depositors and pays out equivalent amounts to fresh addresses, breaking the on-chain link between source and destination wallets.
