Case Intake · Open 24/7
Home / Scam Patterns / Wallet drains & phishing approvals
§ — · Scam pattern

Wallet drained from a signature,
recovery depends on where the funds went next.

Wallet drain attacks differ from investment-platform fraud because there's no platform to recover from — the attacker stole approval to move funds directly out of the victim's wallet, often through a single malicious signature on a spoofed minting page, fake airdrop claim, or impersonation of a legitimate dApp. Recovery is possible when the drained funds land at a regulated exchange or known wallet cluster; less so when they go straight into mixer infrastructure.

§ 01 · How this scam works

The victim visits a site that appears to be a legitimate project: an airdrop claim page, an NFT minting site, a DeFi interface. The site asks the victim to connect their wallet and sign a transaction. The signature looks routine. In fact it grants the attacker's contract approval to transfer specific token balances out of the wallet at any time the attacker chooses.

Immediately or hours later, the attacker calls the contract and drains the approved tokens to a wallet they control. The victim's first warning is often the wallet balance dropping to zero in a single transaction, with no further interaction required.

The drained funds are usually moved through one or more bridging or swap protocols within minutes, both to obscure the trail and to convert to an asset (often ETH or stablecoins) easier to launder. From there the funds may go to a privacy mixer, a non-cooperative exchange, or — sometimes — to a regulated exchange where recovery becomes realistic.

Typical victim profile

Spans the spectrum from experienced DeFi users to first-time NFT minters. Wallet drains often hit people who consider themselves crypto-savvy — the attack relies on the assumption that "I would never fall for that", which lowers the verification step on the specific spoofed site that gets through. Loss sizes vary enormously, from a few hundred dollars in test tokens to seven-figure DeFi positions.

§ 02 · Red flags to recognise

Signals victims and bystanders should know.

  • 01

    Wallet-connect request from a domain you didn't reach via the project's official channel

    Spoofed minting and airdrop sites are typically promoted through compromised Discord channels, fake Twitter accounts, or paid Google ads. Always reach the dApp through the project's verified official link.

  • 02

    Urgency framing — "claim within 24 hours" or "limited supply"

    Engineered to prevent you from verifying the URL. Legitimate projects have multi-day claim windows and don't pressure participants.

  • 03

    Signature request asks for a token approval, not a specific transaction

    A token "approve" or "setApprovalForAll" signature gives the contract ongoing permission to move your tokens. This is normal for legitimate DEX use, but malicious contracts also use it. Always inspect what the signature is approving and to which contract.

  • 04

    Asks for your seed phrase or private key

    No legitimate service ever needs your 12 or 24-word recovery phrase. Any prompt for these is an immediate drain attempt regardless of how legitimate the surrounding page looks.

§ 03 · What to do if you've been hit

The first 24 hours matter most.

  1. 01

    Move remaining funds to a new wallet immediately

    If your wallet was drained, the approval may still allow continued draining of other tokens you still hold. Generate a new wallet (with a fresh seed phrase) and move everything not yet drained.

  2. 02

    Revoke pending approvals on the old wallet

    Use Revoke.cash or similar to revoke any outstanding token approvals on the compromised wallet. Even if you're moving funds out, leaving the approval active risks future draining of any tokens that arrive back at that address.

  3. 03

    Document the transaction hashes

    The malicious approval transaction and the subsequent drain transaction are on-chain forever. Note the hashes; they are the evidence basis for any recovery action.

  4. 04

    Notify the relevant exchanges and chains

    If the drained funds landed at a known regulated exchange, contact their compliance team immediately. Some exchanges can freeze the receiving wallet within hours if action is initiated quickly.

  5. 05

    Open a CryptoLeek case review

    We trace the drain and tell you within 24 hours whether the destination is recoverable. Wallet drains have a particular pattern that benefits from fast professional escalation.

§ 04 · Documented cases in this category

189 platforms in our public registry match this pattern.

Confirmed Scam 2026-05-21

EtherWallet

ether-wallet.net

ether-wallet.net is a confirmed-fraudulent site listed on CryptoScamDB's blacklist, operating as a credential-harvesting or fund-draining imitation of a well-known Ethereum wallet brand.

Confirmed Scam 2026-05-21

EthereumWallet

ethereum-wallet.info

ethereum-wallet.info is a blacklisted domain flagged by CryptoScamDB that mimics legitimate Ethereum wallet infrastructure, likely to harvest private keys, seed phrases, or drain connected wallets.

Confirmed Scam 2026-05-21

account-kigo.net

account-kigo.net

account-kigo.net is a blacklisted domain listed by CryptoScamDB as a confirmed fraudulent operation, consistent with account-spoofing or credential-harvesting schemes targeting cryptocurrency holders.

Confirmed Scam 2026-05-21

aragonproject.io

aragonproject.io

aragonproject.io is blacklisted by CryptoScamDB as a confirmed fraudulent operation; its domain closely mimics the name of a recognised blockchain governance protocol, signalling a brand impersonation pattern.

Confirmed Scam 2026-05-21

bitcoin-wallet.net

bitcoin-wallet.net

bitcoin-wallet.net is a confirmed-fraudulent domain blacklisted by CryptoScamDB; it presents as a legitimate Bitcoin wallet service while operating as a credential-harvesting or deposit-theft scheme.

Confirmed Scam 2026-05-21

blocklichan.info

blocklichan.info

blocklichan.info is a confirmed fraudulent cryptocurrency platform listed on the CryptoScamDB blacklist, consistent with operations that solicit deposits and subsequently obstruct or deny withdrawal.

Confirmed Scam 2026-05-21

bloclkicihan.info

bloclkicihan.info

bloclkicihan.info is a confirmed-fraudulent domain listed on the CryptoScamDB blacklist, exhibiting a character-transposition naming pattern common to disposable crypto fraud infrastructure.

Confirmed Scam 2026-05-21

coin-wallet.info

coin-wallet.info

coin-wallet.info is a confirmed-fraudulent cryptocurrency wallet platform listed on CryptoScamDB's blacklist, consistent with credential-harvesting or fake-custody wallet operations targeting retail crypto holders.

Confirmed Scam 2026-05-21

coindash.ru

coindash.ru

coindash.ru is a confirmed-fraudulent domain listed on the CryptoScamDB blacklist, employing TLD substitution to impersonate a recognised cryptocurrency platform and harvest user credentials or funds.

Confirmed Scam 2026-05-21

contribute-status.im

contribute-status.im

contribute-status.im is a blacklisted domain impersonating the Status Network ecosystem, consistent with fake contribution or staking portals designed to harvest wallet credentials or divert funds.

Confirmed Scam 2026-05-21

district-0x.io

district-0x.io

district-0x.io is a confirmed-fraudulent site listed on CryptoScamDB's blacklist, employing a lookalike domain to impersonate an established decentralised-platform brand and deceive cryptocurrency users.

Confirmed Scam 2026-05-21

district0x.net

district0x.net

district0x.net is a confirmed-blacklisted domain that mimics the branding of a known Ethereum-based decentralised marketplace project; CryptoScamDB lists it as a fraud operation targeting crypto users seeking the legitimate service.

Confirmed Scam 2026-05-21

eos-bonus.com

eos-bonus.com

eos-bonus.com is a confirmed-fraudulent platform listed on CryptoScamDB's blacklist, operating a bonus or reward-themed scheme targeting cryptocurrency users under the EOS brand.

Confirmed Scam 2026-05-21

eos-io.info

eos-io.info

eos-io.info is a confirmed-fraudulent domain flagged by CryptoScamDB, structured to impersonate the EOS blockchain brand identity and mislead users seeking legitimate EOS-related services.

Confirmed Scam 2026-05-21

ether-api.com

ether-api.com

ether-api.com is listed on the CryptoScamDB blacklist as a confirmed fraudulent operation presenting itself as an Ethereum-linked API service, with no evidence of legitimate infrastructure or regulatory standing.

Confirmed Scam 2026-05-21

ether-wall.com

ether-wall.com

ether-wall.com is a confirmed-fraudulent site listed on the CryptoScamDB blacklist, presenting as an Ethereum wallet service while operating as a credential-harvesting or asset-theft operation targeting cryptocurrency holders.

Confirmed Scam 2026-05-21

etherclassicwallet.com

etherclassicwallet.com

etherclassicwallet.com is a confirmed-fraudulent site listed on the CryptoScamDB blacklist, operating as a fake Ethereum Classic wallet interface designed to harvest private keys or seed phrases from users.

Confirmed Scam 2026-05-21

ethereum-wallet.net

ethereum-wallet.net

ethereum-wallet.net is a blacklisted domain confirmed by CryptoScamDB that impersonates legitimate Ethereum wallet infrastructure to harvest credentials or intercept funds from cryptocurrency users.

Confirmed Scam 2026-05-21

ethereumchamber.com

ethereumchamber.com

ethereumchamber.com appears on the CryptoScamDB blacklist as a confirmed fraudulent operation leveraging Ethereum branding to solicit cryptocurrency deposits from unsuspecting users.

Confirmed Scam 2026-05-21

ethereumchamber.net

ethereumchamber.net

ethereumchamber.net is listed on the CryptoScamDB blacklist as a confirmed fraudulent operation, presenting itself as an Ethereum-affiliated platform to attract cryptocurrency depositors.

Confirmed Scam 2026-05-21

ethereumchest.com

ethereumchest.com

ethereumchest.com is listed on the CryptoScamDB blacklist as a confirmed fraudulent operation; it appears designed to exploit the Ethereum brand to attract cryptocurrency holders and extract funds.

Confirmed Scam 2026-05-21

ethereumchest.net

ethereumchest.net

ethereumchest.net is a confirmed fraudulent operation listed on the CryptoScamDB blacklist, presenting as an Ethereum-related asset service while functioning as a vehicle for user fund theft.

Confirmed Scam 2026-05-21

etherswap.org

etherswap.org

etherswap.org is a confirmed-fraudulent platform listed on CryptoScamDB's community blacklist, presenting as an Ethereum-based token swap service while operating as a theft mechanism targeting cryptocurrency holders.

Confirmed Scam 2026-05-21

etherwallet.co.za

etherwallet.co.za

etherwallet.co.za is a confirmed-fraudulent domain on the CryptoScamDB blacklist, structured to impersonate a well-known Ethereum wallet interface and harvest user credentials or private keys.

§ 05 · Frequently asked

Questions victims of this pattern ask us most.

Can I get drained crypto back? +
Sometimes. If the drained funds reached a regulated exchange before being laundered through mixers, recovery is realistic through compliance escalation. If they went directly to a privacy mixer like Tornado Cash, recovery is much harder. CryptoLeek's free 24-hour review traces the post-drain path and tells you which category your case is in.
I revoked the approval but my tokens are already gone. What now? +
Revoking the approval stops further draining but doesn't undo the original transfer. Recovery focuses on the destination wallet and whether the funds reached an identifiable counterparty (an exchange, a known cluster). Document the transaction hashes; those are the starting point for the on-chain trace.
How fast do I need to act after a wallet drain? +
Within the first 24 hours, the receiving exchange may still hold the funds in a freezable account. After that window, the operator typically moves them onward through mixers and bridges. Recovery is still possible after the window but harder. Move remaining funds to a new wallet immediately, document the hashes, and contact us within the first day.

Lost crypto to this pattern?
We can help you recover it.

We trace the funds on-chain, identify the recovery choke points, and coordinate action with exchanges, payment processors, and counsel across 40+ jurisdictions. Free assessment within 24 hours, with an honest yes/no on whether the funds are realistically recoverable.

Free 24h review · No upfront fees
Start Free Recovery Review → Or email us
§ 06 · Related glossary terms

The vocabulary this pattern uses.

Definitions of the terms that come up across this guide. Each links to the full glossary.

Wallet drain

An attack in which an operator gains the right to move tokens out of a victim's wallet — usually via a malicious token approval or stolen private key — and transfers the wallet's balance to an address they control.

Read full definition →
Approval phishing

A wallet attack where the victim signs a `setApprovalForAll` or unlimited `approve` transaction on a spoofed dApp, granting the attacker contract permission to move specific tokens out of the wallet at any later time.

Read full definition →
Drainer-as-a-service (DaaS)

A subscription model in which a development team builds and maintains a wallet-drain smart contract and admin panel, then leases it to affiliates who run the front-end phishing sites and split the proceeds with the developers.

Read full definition →
Permit2 phishing

A phishing variant exploiting Uniswap's `Permit2` signature standard, in which a victim signs an off-chain message that the attacker then submits on-chain to drain approved tokens — with no gas or on-chain trail until the actual drain happens.

Read full definition →
Sweeper bot

An automated program that monitors a compromised wallet (one whose private key the operator now knows) and instantly sends any incoming funds to an attacker-controlled address — making the wallet permanently unusable for the victim.

Read full definition →
Address poisoning

A wallet-targeting scam that seeds the victim's transaction history with a fake address that mimics the first and last characters of an address they recently used, hoping they will copy-paste the wrong one for a future send.

Read full definition →
Cold wallet vs hot wallet

A cold wallet stores the private key offline (hardware device or paper); a hot wallet stores it in software connected to the internet — cold is materially safer against most wallet-drain and phishing attacks.

Read full definition →
Multi-sig wallet

A wallet that requires signatures from multiple private keys (e.g. 2-of-3 or 3-of-5) to authorise any outgoing transaction — meaning a single compromised key cannot drain the wallet.

Read full definition →
Mixer (cryptocurrency)

A service or smart contract that pools cryptocurrency from many depositors and pays out equivalent amounts to fresh addresses, breaking the on-chain link between source and destination wallets.

Read full definition →