Common Attacks in Web3: Phishing, Drainers, Fake Airdrops
How the most successful crypto scams actually work, and exactly how to avoid them.
1) Phishing: DMs, Pop-ups, Lookalike Sites
In Web3, most “hacks” begin as social engineering. Scammers don’t need to break cryptography; they just need to trick you into signing the wrong thing or revealing your seed.
Phishing surfaces include Discord/Twitter/Telegram DMs, email blasts, search ads, and injected pop-ups on compromised sites.
- “Support” DMs / server impersonation. A fake moderator claims there’s an issue with your wallet, a refund to claim, or a KYC verification. The goal is to move you to a malicious site or make you share your seed phrase. Real support will never ask for seeds or private keys.
- URL tricks. Attackers use unicode lookalikes (metamаsk.io with a Cyrillic “a”), zero-width characters, or sponsored ads that rank above legit results. Bookmark official domains and use bookmarks exclusively.
- Fake wallet pop-ups. Malicious scripts inject modals that ask you to “reconnect”, “sync”, or “verify” with a signature that actually grants spending rights. If a pop-up appeared from a site you didn’t intentionally open, close it.
Example attack flow. You see a tweet/DM about a surprise airdrop for a major protocol. The link is a lookalike. After connecting your wallet, a modal asks you to sign “to verify eligibility.” That signature is an off-chain permit giving a drainer contract approval to spend your tokens. Hours later, while you’re asleep, the drainer calls transferFrom and empties your tokens. No seed was stolen; your approval did the damage.
2) How Wallet Drainers Work
Drainers almost never “hack” your wallet. Instead, they persuade you to authorize them. On EVM chains, ERC-20 tokens require an on-chain approval (allowance) or an off-chain “permit” signature so a contract can move tokens for you. Drainers trick users into granting unlimited allowances or signing structured messages that act like approvals.
```solidity
// ERC-20 pattern behind many drains.
// Step 1: the user is tricked into signing an unlimited approval (often disguised as "verify" or "claim").
token.approve(spender, type(uint256).max);
// Step 2: later, the spender contract moves the tokens through that allowance; no further prompt appears.
token.transferFrom(user, attacker, amount);
```
- Permit signatures (EIP-2612). These allow approvals by signing a message (no gas). They’re legitimate for good UX, but identical in power to on-chain approvals. If you sign a malicious permit, your wallet won’t show a transaction, yet your allowance is live.
- EIP-712 typed data. Human-readable summaries help, but they still require careful reading. Look specifically for spender, token, and value. If value is huge (or 2^256-1), cancel.
- Blind signing. If your wallet can’t decode the prompt, you’re effectively signing in the dark. Prefer wallets that parse calls and simulate effects.
NFT angle. With ERC-721/1155, the drainer aims for setApprovalForAll(attacker, true). That grants the attacker full control to move your NFTs later without further prompts. “Claim” sites that request this permission are a classic trap.
```solidity
// ERC-721 approval trap: a single call makes `spender` an operator for every NFT
// you hold in that collection, with no per-token prompt afterwards.
setApprovalForAll(spender, true);
```
Why this works. Web3 relies on delegated permissions. Approvals are necessary for swaps and marketplaces, but once granted, they persist until you revoke them. Drainers exploit that persistence and your attention gaps.
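A wallet-side check for the two patterns above, added here as an example rather than code from the original article: it decodes the raw calldata of an approve or setApprovalForAll prompt and flags an unknown spender, an unlimited allowance, or a blanket operator grant. The 4-byte selectors are the real function ids; the allowlist and every address are constructed placeholders.

```javascript
// Added example (not the article's code): decode the calldata a dApp asks the
// wallet to sign and flag the approval patterns described above.
// Selectors are the real 4-byte ids; all addresses below are constructed.
const MAX_UINT256 = (1n << 256n) - 1n;
const SELECTORS = {
  "095ea7b3": "approve(address,uint256)",         // ERC-20 allowance
  "a22cb465": "setApprovalForAll(address,bool)",  // ERC-721 / ERC-1155 operator
};
// Hypothetical allowlist: spenders you actually expect (your usual router or
// marketplace). Per the playbook, anything else is a hard stop.
const KNOWN_SPENDERS = new Set(["0x1111111111111111111111111111111111111111"]);

// n-th 32-byte ABI word after the 4-byte selector, as 64 hex chars.
const word = (data, n) => data.slice(8 + n * 64, 8 + (n + 1) * 64);

function inspectCalldata(hexData) {
  const data = hexData.toLowerCase().replace(/^0x/, "");
  const fn = SELECTORS[data.slice(0, 8)] || null;
  const findings = [];
  if (!fn) {
    findings.push("unrecognized selector: the wallet cannot decode this, treat it as blind signing");
    return { fn, spender: null, findings, safeToSign: false };
  }
  // Addresses are right-aligned in their word: skip the 12 zero bytes (24 hex chars).
  const spender = "0x" + word(data, 0).slice(24);
  if (!KNOWN_SPENDERS.has(spender)) {
    findings.push(`spender ${spender} is not a known router/marketplace`);
  }
  const arg1 = BigInt("0x" + word(data, 1));
  if (fn.startsWith("approve")) {
    if (arg1 === MAX_UINT256) findings.push("unlimited ERC-20 allowance (2^256-1)");
  } else if (arg1 === 1n) {
    findings.push("setApprovalForAll(true): operator can move every NFT in this collection");
  }
  return { fn, spender, findings, safeToSign: findings.length === 0 };
}

// Constructed sample prompts, built the way a site's front end would ABI-encode them.
const pad = (hex) => hex.replace(/^0x/, "").padStart(64, "0");
const ROUTER = "0x1111111111111111111111111111111111111111";   // in the allowlist
const DRAINER = "0x2222222222222222222222222222222222222222";  // not in the allowlist
const SAMPLE_APPROVE_MAX = "0x095ea7b3" + pad(DRAINER) + pad(MAX_UINT256.toString(16));
const SAMPLE_APPROVE_ALL = "0xa22cb465" + pad(DRAINER) + pad("1");
const SAMPLE_CAPPED_SWAP = "0x095ea7b3" + pad(ROUTER) + pad((100n * 10n ** 6n).toString(16)); // 100 tokens with 6 decimals

console.log(inspectCalldata(SAMPLE_APPROVE_MAX));  // two findings: unknown spender, unlimited allowance
```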
3) Fake Airdrops & Approval Traps
“Free money” is the most reliable bait. Attackers clone the look and feel of reputable projects and push users toward interactions that create approvals or signatures. Common patterns:
- “Claim airdrop” sites. The button triggers a wallet prompt that requests setApprovalForAll (NFTs) or an unlimited ERC-20 allowance. The UI may hide the spender address or mask it as a “router”. If you don’t expect to sell or transfer, you don’t need these permissions to “claim”.
- Signature bait. “Sign to verify wallet” or “Sign to check eligibility” can actually be a permit or an off-chain order authorizing token movement. If you see fields like spender, value, deadline, or a suspicious domain in the message, cancel.
- Drainer NFTs (dusting). Attackers send you random NFTs with a “View utility” link. That link leads to a phishing site that requests approvals. Ignore these assets; interacting can expose you to additional traps.
Reality check. Legit airdrops are usually announced on official sites and reputable channels with clear instructions. If your only proof is a viral tweet or DM, treat it as hostile until proven safe.
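The same kind of inspection for an EIP-712 signing request, added as an example that is not from the original article: it pulls spender, value and deadline out of a Permit (or any look-alike type carrying those fields) and flags the red flags named above. The allowlist, addresses and sample payloads are constructed placeholders.

```javascript
// Added example (not the article's code): inspect an eth_signTypedData_v4
// (EIP-712) request before signing. "Sign to verify eligibility" bait often
// carries an EIP-2612 Permit, or a look-alike type with the same fields.
// The allowlist, addresses and sample payloads are constructed placeholders.
const MAX_UINT256 = (1n << 256n) - 1n;
const ONE_DAY = 24 * 60 * 60;
const KNOWN_SPENDERS = new Set(["0x1111111111111111111111111111111111111111"]);
// Fields that make any "harmless" message behave like an approval.
const APPROVAL_FIELDS = ["spender", "operator", "value", "deadline"];

function inspectTypedData(typedData, now = Math.floor(Date.now() / 1000)) {
  const { domain = {}, primaryType, message = {} } = typedData;
  const findings = [];
  const present = APPROVAL_FIELDS.filter((f) => f in message);
  if (present.length === 0) {
    return { primaryType, approvalLike: false, findings, safeToSign: true };
  }
  if (primaryType !== "Permit") {
    findings.push(`type "${primaryType}" is not a Permit but carries ${present.join(", ")}: disguised approval`);
  }
  const spender = String(message.spender ?? message.operator ?? "").toLowerCase();
  if (!KNOWN_SPENDERS.has(spender)) {
    findings.push(`spender ${spender || "(missing)"} is not a known router/marketplace`);
  }
  if ("value" in message && BigInt(message.value) === MAX_UINT256) {
    findings.push("value is 2^256-1: unlimited allowance");
  }
  if ("deadline" in message && BigInt(message.deadline) > BigInt(now + ONE_DAY)) {
    findings.push("deadline is more than a day out: the permit stays usable long after you forget it");
  }
  return { primaryType, token: domain.verifyingContract ?? null, spender,
           approvalLike: true, findings, safeToSign: findings.length === 0 };
}

// Constructed samples (placeholder token, owner and spender addresses).
const TOKEN = "0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
const OWNER = "0x9999999999999999999999999999999999999999";
const DRAINER = "0x2222222222222222222222222222222222222222";
const DRAINER_PERMIT = {   // what a fake "claim" modal really asks you to sign
  domain: { name: "Some Token", version: "1", chainId: 1, verifyingContract: TOKEN },
  primaryType: "Permit",
  message: { owner: OWNER, spender: DRAINER, value: MAX_UINT256.toString(), nonce: 0, deadline: MAX_UINT256.toString() },
};
const DISGUISED = {        // the same fields hidden under a friendly type name
  domain: { name: "Airdrop Eligibility", version: "1", chainId: 1, verifyingContract: TOKEN },
  primaryType: "Verification",
  message: { wallet: OWNER, spender: DRAINER, value: "1000000000000000000000", deadline: "9999999999" },
};
```

A genuine sign-in message (a type like Login with only wallet, nonce and timestamp fields) carries none of the approval fields and comes back with an empty findings list.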
4) Red Flags Checklist
- Urgency, countdowns, or FOMO. “Mint closes in 5 minutes!” Urgency overrides caution; that’s the point.
- Seed phrase requests. No site, mod, or tool needs your seed. Seeds belong only on your hardware wallet during setup/recovery.
- Unlimited allowances by default. If the UI refuses to let you cap approval amounts, consider a different interface.
- Ambiguous prompts. If you can’t clearly see token, amount, spender, and destination, do not sign.
- Unsigned/unaudited contracts with admin superpowers. If owners can arbitrarily seize funds or pause transfers without safeguards, it’s not a safe place to grant approvals.
- Unverified source on explorers. Black-box contracts on mainnet deserve extra skepticism.
5) Defensive Playbook
Think of this as your everyday operating manual. Follow these habits and you’ll sidestep the vast majority of drains.
- Use a hardware wallet for meaningful funds. Sign important actions on-device and confirm addresses on the device screen. Keep a separate small-balance hot wallet for experiments.
- Separate wallets. Daily hot wallet ↔ cold vault. Fund the daily from the vault as needed; sweep profits back. Never connect the vault to random sites.
- Approval hygiene. Regularly review and revoke stale allowances using a reputable approval manager like Revoke.cash. Prioritize high-value tokens and NFTs first.
- Simulate before signing. Many wallets and dApps simulate the result. Read the simulation: Does any token leave your account? To whom? If the spender or destination looks off, cancel.
- Bookmarks only. Access dApps from your own bookmarks, not search results or DMs. This defeats lookalike domains and malicious ads.
- Cap allowances. When possible, approve only what you need (e.g., approve 100 USDC for a 100 USDC swap). Re-approve later if needed.
- Rotate daily addresses. Periodically create a fresh daily wallet to shed legacy approvals you forgot about.
- Read the spender. On EVM, the critical field is the spender. Is it the official router/marketplace? Unknown addresses are hard stops.
- Disconnect the compromised site and revoke suspicious approvals (start with high-value tokens/NFTs).
- Move remaining assets from the hot wallet to your vault or to a brand-new wallet you control.
- Factory reset your hardware wallet only if you believe the seed/passphrase was exposed. Otherwise, rotate the hot wallet and keep the vault isolated.
- Audit extensions and bookmarks; remove anything you don’t explicitly trust. Update OS/browser/wallet.
- Review recent signatures/txs; note spender addresses so you can revoke all related allowances.
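An approval-hygiene helper, added as an example that is not the article's or Revoke.cash's code: it rebuilds the allowances still open from a wallet's ERC-20 Approval logs (the review step in the list above) and emits the approve(spender, 0) call that revokes each. The event topic and selector are the real values; owner, token and spender addresses and the sample logs are constructed.

```javascript
// Added example (not the article's code): rebuild the allowances a wallet still
// has open from its ERC-20 Approval logs and emit the approve(spender, 0) call
// that revokes each. Latest Approval per (token, spender) is taken as current
// state (a first pass; a real tool would confirm with an allowance() read).
// Topic and selector are real values; logs and addresses are constructed.
const APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"; // Approval(address,address,uint256)
const APPROVE_SELECTOR = "095ea7b3";  // approve(address,uint256)
const MAX_UINT256 = (1n << 256n) - 1n;
const pad = (hex) => hex.replace(/^0x/, "").padStart(64, "0");

// One raw log -> { token, spender, value, block }. topics[1] is the owner,
// topics[2] the spender (address in the low 20 bytes), data the new allowance.
function decodeApprovalLog(log) {
  return { token: log.address.toLowerCase(), spender: "0x" + log.topics[2].slice(26).toLowerCase(),
           value: BigInt(log.data), block: log.blockNumber };
}

// Latest Approval per (token, spender) wins; allowances set back to 0 drop out.
function liveAllowances(logs) {
  const latest = new Map();
  const events = logs.filter((l) => l.topics[0] === APPROVAL_TOPIC).map(decodeApprovalLog);
  for (const ev of events.sort((a, b) => a.block - b.block)) latest.set(`${ev.token}:${ev.spender}`, ev);
  return [...latest.values()].filter((ev) => ev.value > 0n);
}

// One approve(spender, 0) transaction per live allowance, unlimited ones first.
function revokePlan(logs) {
  return liveAllowances(logs)
    .sort((a, b) => Number(b.value === MAX_UINT256) - Number(a.value === MAX_UINT256))
    .map((ev) => ({ to: ev.token, unlimited: ev.value === MAX_UINT256,
                    data: "0x" + APPROVE_SELECTOR + pad(ev.spender) + pad("0") }));
}

// Constructed sample logs for one owner (placeholder addresses).
const OWNER = "0x9999999999999999999999999999999999999999";
const TOKEN_A = "0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
const TOKEN_B = "0xbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb";
const ROUTER = "0x1111111111111111111111111111111111111111";
const DRAINER = "0x2222222222222222222222222222222222222222";
const mkLog = (token, spender, value, blockNumber) => ({
  address: token, blockNumber, data: "0x" + pad(value.toString(16)),
  topics: [APPROVAL_TOPIC, "0x" + pad(OWNER), "0x" + pad(spender)],
});
const SAMPLE_LOGS = [
  mkLog(TOKEN_A, DRAINER, MAX_UINT256, 100),      // unlimited, signed on a fake "claim" site
  mkLog(TOKEN_A, ROUTER, 100n * 10n ** 6n, 101),  // capped swap allowance
  mkLog(TOKEN_A, ROUTER, 0n, 102),                // already revoked
  mkLog(TOKEN_B, DRAINER, 5n * 10n ** 18n, 103),
];
```

Each entry of revokePlan(SAMPLE_LOGS) is a ready-to-sign transaction to the token contract; the wallet prompt for it should show the same spender and a value of 0.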
Monthly routine
- Revoke stale approvals (tokens + NFTs)
- Sweep extra funds from daily → vault
- Update OS, browser, wallet firmware
- Rotate daily address if heavily used
- Review bookmarks & remove unused dApps
Quick check
- What does a drainer usually need you to do?
- Is it ever safe to type your seed phrase into a website?
- How do you reduce risk from old token approvals?
- What field should you scrutinize in approval/permit prompts?
- Why do scammers use urgency and countdowns?
Answers
- Sign an approval/permit or a malicious message (often disguised as “verify” or “claim”).
- No. Only enter seeds on a hardware device during setup/recovery.
- Regularly revoke allowances with an approval manager and prefer finite approvals going forward.
- The spender address (and the value amount); unknown spenders or unlimited values are red flags.
- To rush you past reading prompts and to override your normal safety checks.
Go deeper
- Ethereum.org — Wallet Security
- Revoke.cash — manage ERC-20/721 approvals
- cryptosec.info — user-focused security guides
Pro tip: add a recurring calendar reminder for your “monthly routine” and tie it to a small canary transfer from daily → vault to confirm all is well.
Next up: understand protocol risks before you deposit funds.