Wallet drainer kits are phishing toolkits sold or rented as a service: an operator runs the smart-contract code and dashboard, and "affiliates" use pre-made landing pages to trick victims into signing a malicious approval. The operator typically keeps 20-30% of whatever is stolen, and the rest flows to the affiliate, which is why a single kit has drained hundreds of millions of dollars across Ethereum, Solana, and EVM-compatible chains since 2023.
Key takeaways
- Wallet drainers are now sold as "drainer-as-a-service" products, with operators like Inferno, Pink, and Angel taking a 20-30% cut of every theft.
- Most victims reach drainers through Google search ads, lookalike domains, hijacked X/Twitter accounts, or fake airdrop claim pages, then sign a single setApprovalForAll transaction.
- On-chain investigators have followed drainer treasury wallets to exchanges, peel chains, and a small set of repeat operators, but shutdowns only slow the market, they don't end it.
- Wallet drainer kits now account for a large share of "crypto crime" by volume, meaning the headline theft numbers reflect phishing far more than exchange breaches.
What wallet drainer kits actually are
A wallet drainer kit is a bundle of three things: a smart contract (or a script that calls one), a phishing landing page, and a web dashboard. The contract is built so that when a victim signs a transaction on the phishing site, it grants the attacker permission to move specific tokens and NFTs out of the victim's wallet. The dashboard lets the "affiliate," the person running the scam, see incoming victims in real time and watch profits accrue.
On Ethereum and EVM-compatible chains, the most common trick is asking the victim to sign a setApprovalForAll call on a malicious ERC-721 or ERC-1155 contract, or to sign an increaseAllowance for an ERC-20 like USDT or USDC. From the victim's point of view, they click "Claim airdrop," their wallet pops up, they sign what looks like a normal approval, and within seconds the assets are gone. On Solana, the equivalent is a transaction that bundles token-transfer instructions into what looks like a claim or stake action.
These kits are not custom malware. They are products with pricing pages, support channels, and even customer success teams. The phrase the industry uses is drainer-as-a-service (DaaS), and it is the structural reason phishing at scale has become routine rather than exceptional.
Why this is a market, not a hobby
The shift from lone-hacker phishing to a service economy is the single most important fact about wallet drainers. Inferno Drainer, which reportedly shut down in late 2023, claimed on its now-archived site that it had helped affiliates drain roughly $80 million in assets before it went dark. Security researchers at Wallet Guard and Scam Sniffer tracked similar revenue from Pink Drainer, Angel Drainer, Monkey Drainer, and a rotating cast of successors; the cumulative tally across these kits has been estimated in the hundreds of millions of dollars.
The economics make the model self-sustaining. Building a reliable drainer is non-trivial: it requires gas optimisation, support for many tokens, methods to launder the proceeds, and constant updates as wallets and block explorers add warnings. Most individual scammers cannot or do not want to do that work, so they rent it. The operator handles the technical side, the affiliate handles the traffic, and the split, usually 20% to the operator and 80% to the affiliate, with 30/70 in some kits, aligns incentives to keep stealing.
That split is also why a single kit can serve hundreds of "customers" at once. The marginal cost of a new affiliate is near zero, so operators market aggressively in private Telegram and Discord channels, often with testimonial screenshots of past payouts. A shutdown, even a high-profile one like Inferno's, mostly redistributes affiliates to the next kit; the playbook, and most of the landing-page templates, stay the same.
The typical victim flow, step by step
Almost every drainer attack follows a similar sequence, and recognising the steps is the best defence. The chain usually starts outside of crypto: a search engine, a social network, or a Discord server.
- Search-ad or hijacked-account lure. Affiliates buy Google or Bing ads for terms like "Uniswap airdrop claim" or "LayerZero claim," with the destination URL swapped for a lookalike domain. Alternatively, they take over verified X/Twitter or Discord accounts and post fake claim links from accounts their targets already trust.
- Lookalike landing page. The site is a pixel-perfect copy of a real protocol, complete with fake follower counts, fake comments, and a "Connect Wallet" button. Domains are typically registered within days and often use privacy services or free registrars.
- The drain modal. After connecting, the site asks the user to "claim" or "verify" and produces a wallet popup. On Ethereum, that popup is usually a setApprovalForAll or a Permit2 signature; on Solana, it is a transaction the user is pressured to sign quickly.
- Automated sweeping. The moment the signature lands, the drainer's backend submits a bundle of transfer calls. High-value ERC-20s, native ETH, and valuable NFTs are moved in a single block. Within seconds, the assets are routed through mixers, bridges, or freshly funded wallets.
- Laundering. Proceeds are typically bridged to chains with weaker KYC, swapped for stablecoins like USDT or USDC, and pushed through peel chains or services like Tornado Cash successors. Some affiliates cash out directly through nested exchanges; others use OTC desks that specialise in "cleaning" tokens.
The whole sequence, from clicking a search ad to losing a wallet's contents, can be under five minutes, which is why volume is high even when the per-victim conversion rate is low.
The biggest kits and what they reveal about the market
Inferno Drainer is the case study that anchored public awareness. Before its November 2023 shutdown, Inferno publicly advertised on forums, charged a 20% cut, and exposed its own operator dashboard in a security slip that let researchers tally the take. Subsequent investigations tied Inferno activity to a core set of wallet clusters and to laundering paths through specific centralised services.
Pink Drainer emerged almost immediately after Inferno's exit and at one point advertised a 30/70 split, with a higher operator take that signalled confidence in conversion rates. Angel Drainer and Venom Drainer followed similar patterns, each iterating on evasion: rotating domains faster, using novel approval patterns to bypass wallet heuristics, and targeting chains beyond Ethereum mainnet, including Arbitrum, Base, and BNB Chain. Solana-focused kits, sometimes called "sweeper bots" rather than drainers, use a related model on SPL tokens and have produced large individual losses.
The pattern across these kits is informative. Operators iterate on three things: how to reach victims, how to make the signature look legitimate, and how to launder the proceeds. When one technique stops working, such as Tornado Cash being sanctioned in 2022, the operator's job is to find the next one. The product itself, a polished phishing front end and a draining backend, is now table stakes.
What actually goes wrong for victims
The risk profile of a drainer attack is unusually severe. Unlike an exchange hack, where a custodian may cover losses or where funds can sometimes be frozen centrally, drainer theft is self-custodial and effectively irreversible. Once a setApprovalForAll has been signed, the attacker can use that approval at any time, so even tokens in that collection that arrive in the wallet after the signature can be drained later.
Several specific failure modes deserve attention:
- Hidden approvals persist. A victim whose ETH and ERC-20s have been drained may believe they have "lost everything" and walk away, but a live NFT approval can let the attacker revisit the wallet weeks later and sweep newly acquired items.
- Permit2 and off-chain signatures. Modern drainers abuse Permit2, a Uniswap-authored standard for token allowances, by getting users to sign an off-chain message that grants spending rights. These signatures do not always trigger clear warnings in wallets, and signing one costs no gas, so the victim does not even need to hold ETH, which lowers the cost of attack.
- Repeat targeting. Once a wallet is flagged as drainer-victim on-chain, it often receives follow-up airdrop-style tokens and NFTs designed to lure the owner back to a malicious site. The same wallet can be hit multiple times in different campaigns.
- Stablecoin speed. USDT and USDC are favoured targets because they are liquid, fungible, and easy to launder. A wallet holding $50,000 in stablecoins and signing the wrong approval is usually fully drained within the same block.
- Reputation and tax fallout. Victims are not just financially exposed; the public nature of on-chain theft can attract further social engineering, including fake "recovery services" that promise to retrieve funds for an upfront fee.
For a reader evaluating exposure, the honest summary is: a single signature, on a single day, can empty a wallet that took years to build, and the legal recourse is limited in most jurisdictions.
How law enforcement and researchers track the drainer economy
Tracking drainer profits is one of the clearer success stories in on-chain investigation. Because every theft leaves a public ledger trail, firms like Chainalysis, TRM Labs, and Elliptic, alongside independent researchers, can cluster drainer addresses, follow funds across bridges, and sometimes identify cash-out points at centralised exchanges that do perform KYC.
The Inferno case is again illustrative. Researchers pulled together deposit addresses, identified the 20% operator skim, and traced the operator's own treasury wallets. Several official actions against phishing infrastructure in 2023 and 2024, including domain seizures and the takedown of major phishing-as-a-service platforms, were informed by exactly this kind of clustering. Wallet Guard and Scam Sniffer, the two most cited community dashboards, have published real-time totals of drainer theft and run victim-notification services that flag approvals directly in wallets.
There are real limits to this work. Mixers, cross-chain bridges, peel chains, and non-custodial services like decentralised exchanges all blunt traceability. Operators also launder through nested services, accounts at offshore exchanges opened with stolen or synthetic identities, and informal OTC brokers. When an operator does get identified, prosecution is harder than identification: many drainer operators are believed to sit in jurisdictions with limited crypto-crime cooperation, and the affiliates can be anywhere. Even the headline shutdowns, Inferno's voluntary exit, the disruption of several kits by security researchers in 2024, are temporary: the operators migrate, the affiliates redistribute, and a new kit typically takes the dominant position within weeks.
What this means for you, practically
The honest, non-promotional takeaway is that drainer kits change the threat model for any self-custodial user. Three habits materially reduce exposure, and none of them require buying anything new.
First, treat every signature as irreversible. Most wallets, including popular Ethereum wallets, now simulate transactions and show what will be transferred. Read those simulations. If a "claim" is asking you to sign an approval, the simulation will often reveal the underlying drain contract, and that is the moment to close the tab. On Solana, look at the transaction's instruction list rather than just clicking through.
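The "read the simulation before you sign" habit above can be turned into a small check; this is an added example, not code from the article or from any wallet, and it assumes the user keeps their own allowlist of trusted spenders (the `trusted` set), with every address in the sample a placeholder.

```python
# Added example, not from the article: a "read before you sign" helper that
# decodes the calldata a dApp hands to the wallet and states plainly what the
# signature would authorise. Addresses in the sample are placeholders.
# 4-byte selectors = first 4 bytes of keccak256(signature); standard ERC values.
SELECTORS = {
    "a22cb465": ("setApprovalForAll", ("address", "bool")),      # ERC-721/1155
    "095ea7b3": ("approve", ("address", "uint256")),            # ERC-20
    "39509351": ("increaseAllowance", ("address", "uint256")),  # ERC-20
    "a9059cbb": ("transfer", ("address", "uint256")),           # ERC-20
}
DECODE = {"address": lambda w: "0x" + w[-40:], "bool": lambda w: int(w, 16) != 0,
          "uint256": lambda w: int(w, 16)}
UNLIMITED = 2**255  # an allowance this large means "everything, forever"


def _word(data: str, i: int) -> str:
    """i-th 32-byte ABI word (64 hex chars) after the 4-byte selector."""
    word = data[8 + 64 * i:8 + 64 * (i + 1)]
    if len(word) != 64:
        raise ValueError(f"calldata too short for argument {i}")
    return word


def describe_calldata(calldata: str, trusted: frozenset[str] = frozenset()) -> dict:
    """Decode calldata; risk is 'high', 'medium' or 'info' plus a one-line reason."""
    data = calldata.lower().removeprefix("0x")
    if data[:8] not in SELECTORS:
        return {"function": f"unknown(0x{data[:8]})", "args": [], "risk": "medium",
                "why": "unrecognised function: simulate it before signing"}
    name, types = SELECTORS[data[:8]]
    args = [DECODE[t](_word(data, i)) for i, t in enumerate(types)]
    spender, amount = args[0], args[1]
    if name == "transfer":
        risk, why = "info", "one-off transfer of a fixed amount"
    elif spender in {t.lower() for t in trusted}:
        risk, why = "info", "approval to a spender on your own allowlist"
    elif name == "setApprovalForAll":
        risk = "high" if amount else "info"
        why = ("operator may move EVERY token in this collection, now or later"
               if amount else "revokes an operator approval")
    elif amount >= UNLIMITED:
        risk, why = "high", "unlimited ERC-20 allowance; the spender can sweep the balance later"
    else:
        risk, why = "medium", f"allowance of {amount} raw units to an unknown spender"
    return {"function": name, "args": args, "risk": risk, "why": why}


# Constructed sample: what a fake "Claim airdrop" button may actually submit.
DRAINER_OPERATOR = "0x" + "deadbeef" * 5  # placeholder, not a real address
CLAIM_CALLDATA = "0xa22cb465" + DRAINER_OPERATOR[2:].rjust(64, "0") + "1".rjust(64, "0")
```

A "claim" that decodes to setApprovalForAll(unknown operator, true) is the signal to close the tab; a Permit2 message is an off-chain signature, not calldata, so it needs a separate EIP-712 check.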
Second, separate your wallets. A hot wallet used for airdrops, mints, and DeFi should not hold the bulk of long-term holdings. Move valuable assets, especially large USDT and USDC balances and high-value NFTs, to a cold or hardware wallet that you only connect when you intend to sign. If a hot wallet is drained, the loss is bounded.
Third, use allowlist and revocation tools. Revoke.cash and similar services let you inspect and cancel existing ERC-20 and NFT allowances, which is a useful cleanup step after any interaction with an unfamiliar site. Some wallets also support spend caps and per-dApp approval limits, which constrain what a malicious approval can do even if you do sign one.
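The check a revocation tool performs, and the "hidden approvals persist" failure mode described earlier, can be shown together by replaying a wallet's approval events; this is an added example, not code from the article or from any revocation service, and its log entries and addresses are constructed placeholders in eth_getLogs shape.

```python
# Added example, not from the article: replay one wallet's ApprovalForAll and
# ERC-20 Approval event logs (eth_getLogs shape) and list the approvals still
# in force, the check a revocation tool performs. All addresses and log
# entries below are constructed placeholders.
APPROVAL_FOR_ALL = "0x17307eab39ab6107e8899845ad3d59bd9653f200f220920489ca2b5937696c31"
APPROVAL = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"

def _addr(topic: str) -> str:
    """Indexed addresses are left-padded to 32 bytes; keep the low 20."""
    return "0x" + topic[-40:].lower()

def live_approvals(owner: str, logs: list[dict], trusted: frozenset[str] = frozenset()) -> list[dict]:
    """Replay logs in chain order; the newest event per (contract, spender) wins."""
    owner, trusted = owner.lower(), {t.lower() for t in trusted}
    state: dict[tuple[str, str], dict] = {}
    for log in sorted(logs, key=lambda e: (e["blockNumber"], e["logIndex"])):
        topics = log["topics"]
        # ERC-721's per-token Approval indexes tokenId as a 4th topic; skipped here
        if len(topics) != 3 or _addr(topics[1]) != owner:
            continue
        key, value = (log["address"].lower(), _addr(topics[2])), int(log["data"], 16)
        if topics[0] == APPROVAL_FOR_ALL:
            state[key] = {"kind": "all-tokens", "amount": None, "live": value != 0}
        elif topics[0] == APPROVAL:
            state[key] = {"kind": "erc20", "amount": value, "live": value > 0}
    out = []
    for (contract, spender), s in state.items():
        if not s["live"]:
            continue
        unlimited = s["kind"] == "all-tokens" or s["amount"] >= 2**255
        risk = "info" if spender in trusted else ("high" if unlimited else "medium")
        out.append({"contract": contract, "spender": spender, "kind": s["kind"], "risk": risk})
    return sorted(out, key=lambda a: (a["contract"], a["spender"]))

def _log(block, idx, contract, sig, owner, spender, value):
    """Constructed eth_getLogs-style entry (sample data only)."""
    pad = lambda a: "0x" + a[2:].rjust(64, "0")
    return {"blockNumber": block, "logIndex": idx, "address": contract,
            "topics": [sig, pad(owner), pad(spender)], "data": "0x" + format(value, "064x")}

WALLET, ROUTER, DRAINER = "0x" + "11" * 20, "0x" + "22" * 20, "0x" + "ee" * 20
USDX, NFT = "0x" + "33" * 20, "0x" + "44" * 20  # placeholder token and collection
SAMPLE_LOGS = [
    _log(100, 0, USDX, APPROVAL, WALLET, ROUTER, 1000 * 10**6),  # ordinary DEX allowance
    _log(200, 3, NFT, APPROVAL_FOR_ALL, WALLET, DRAINER, 1),     # the phishing signature
    _log(200, 4, USDX, APPROVAL, WALLET, DRAINER, 2**256 - 1),   # unlimited stablecoin allowance
    _log(201, 0, USDX, APPROVAL, WALLET, DRAINER, 0),            # victim revoked the ERC-20 only
]
```

In the sample the victim revoked the stablecoin allowance but not the collection-wide NFT approval, so `live_approvals(WALLET, SAMPLE_LOGS, frozenset({ROUTER}))` still reports the drainer as a high-risk operator.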
None of these habits are a guarantee, and no reader should treat them as such. Drainer operators adapt, and novel approval patterns continue to surface. But the gap between an aware user and an unaware user, in expected loss, is large enough to be worth the friction.
How to follow the drainer economy critically
The drainer economy moves fast, and so does the news about it. Headlines often blur "crypto crime" into a single number, even though the bulk of recent losses are phishing-driven rather than exchange-driven; reading that number with context matters. Zippfeed surfaces security-tagged headlines with sentiment scoring (bullish, neutral, or bearish) and an importance rating, so you can separate genuine protocol risk from marketing-driven fear, and act on the stories that actually affect your wallet.