Common Attacks: Phishing, Drainers, Fake Airdrops

Common Attacks in Web3: Phishing, Wallet Drainers, Fake Airdrops, Approval Traps, and Defense Playbook

Common attacks in Web3 rarely begin with someone breaking cryptography. Most crypto losses start with social engineering: fake DMs, lookalike domains, malicious wallet pop-ups, fake airdrops, drainer websites, approval traps, and signatures disguised as harmless verification. The attacker does not need your seed phrase if they can trick you into granting token approvals, NFT operator permissions, or permit signatures. This guide explains how Web3 phishing works, how wallet drainers abuse allowances, why fake airdrops are so effective, what red flags to watch for, and how to build a safer daily wallet routine.

TL;DR

  • Most Web3 losses begin with social engineering, not broken encryption. Scammers use DMs, email, fake support, search ads, pop-ups, lookalike sites, and urgency to rush users into signing.
  • Wallet drainers usually do not hack your wallet directly. They trick you into approving a spender, signing a permit, granting NFT operator rights, or signing a malicious message.
  • Never enter your seed phrase into a website, form, support chat, cloud note, screenshot, or wallet pop-up. Seed phrases belong only on your hardware wallet during setup or recovery.
  • ERC-20 approvals and permit signatures can let a spender move your tokens. ERC-721 and ERC-1155 setApprovalForAll can let an attacker move entire NFT collections.
  • Fake airdrops are effective because “free money” lowers suspicion. Treat surprise claims, viral links, and DM invitations as hostile until verified through official channels.
  • Use a vault wallet for meaningful funds and a daily hot wallet for normal interaction. Never connect your vault to random sites.
  • Review and revoke stale approvals regularly using reputable approval management tools.
  • Simulate transactions, read spender fields, cap allowances where possible, use bookmarks, rotate daily wallets, and act quickly if you suspect compromise.
Security warning: A clean wallet can still be drained by one bad signature

Many users believe they are safe because their seed phrase was never stolen. That is not enough. On-chain permissions can give attackers spending rights without seed theft. A malicious approval, permit, or NFT operator signature can be enough to drain assets later, even while the wallet still looks normal.

This guide is educational and not legal, financial, investment, custody, or forensic advice. Always verify official domains, wallet prompts, transaction simulations, spender addresses, and contract permissions before signing.

Why Web3 scams work

Web3 changes the security model. In traditional finance, a fraudulent transaction may be reversible, delayed, blocked by a bank, or disputed through customer support. On-chain, a valid signature can move assets quickly and permanently. That makes the user’s attention one of the most important security layers.

Attackers understand this. They do not usually need to break a wallet’s cryptography. They need to control the context around the user. They create urgency, impersonate support, clone trusted websites, buy search ads, send fake airdrop links, inject malicious pop-ups, and push the user toward a wallet prompt that looks routine.

The most dangerous part is that many malicious actions do not look like transfers at first. A user may think they are verifying eligibility, reconnecting a wallet, syncing an account, claiming an NFT, or signing into a DApp. In reality, the signature may authorize token movement, set an NFT operator, or approve a drainer contract.

Typical Web3 drainer flow: the attacker wins by getting permission, not by stealing the seed phrase first.

  1. Bait: DM, airdrop, fake support
  2. Fake site: lookalike domain or pop-up
  3. Bad signature: approval, permit, operator
  4. Drain: transferFrom or NFT move

Defense: separate wallets, read spender fields, simulate transactions, revoke approvals, and avoid DM links. The safest wallet is not the one that signs fastest. It is the one that makes dangerous permissions obvious.

1. Phishing: DMs, pop-ups, lookalike sites, and fake support

Phishing is the entry point for many Web3 attacks. The scammer creates a believable reason for the user to take action quickly. The message may say there is a refund to claim, a wallet verification problem, a compromised account, a pending airdrop, a closed beta, a mint window, or a support issue that requires immediate attention.

The attacker’s goal is to move the user into a controlled environment: a fake site, fake wallet modal, fake support chat, fake verification page, or malicious DApp. Once there, the user is pushed toward a signature or approval.

Fake support and moderator impersonation

Fake support is common in Discord, Telegram, X, and wallet communities. A scammer pretends to be a moderator, project admin, wallet support agent, exchange worker, or security team member. They may claim there is an issue with your wallet, pending KYC, stuck funds, or an urgent refund.

Real support will never ask for your seed phrase or private key. Real support also should not need you to sign random wallet prompts to “sync” your account. If support contacts you first through a DM, treat it as hostile.

URL tricks and search ad traps

Attackers use lookalike domains, unicode characters, zero-width characters, misspellings, and sponsored ads that rank above legitimate sites. A domain may look correct at a glance while using a different character set or a subtle typo.

The safest habit is bookmarks. Open DApps, wallets, bridges, staking pages, and exchanges from your own saved bookmarks, not from DMs, ads, random tweets, or search results.

Fake wallet pop-ups

Malicious sites can show modals that look like wallet prompts. They may say reconnect, verify, sync, migrate, validate, approve, claim, or continue. The text is designed to feel routine, but the underlying action may be dangerous.

If a wallet prompt appears from a site you did not intentionally open, close it. If a site asks for a signature before showing any clear purpose, stop. If the wallet cannot decode what you are signing, treat it as blind signing.

Rule: Never follow links from DMs

Manually navigate to official domains through your own bookmarks. If urgency is used, assume the scammer is trying to bypass your normal verification process.

Example attack flow: fake airdrop to token drain

A common attack begins with a viral message about a surprise airdrop from a recognizable protocol. The message may appear in a DM, reply thread, Discord announcement clone, Telegram channel, or sponsored ad. The link opens a convincing lookalike website with the correct branding, colors, and interface style.

The user connects a wallet and clicks claim. Instead of a normal claim transaction, the site asks the user to sign a message to verify eligibility. The message may be an off-chain permit, or it may grant a contract permission to move tokens later.

Nothing leaves the wallet immediately, so the user assumes the claim failed or the site was harmless. Hours later, the drainer calls transferFrom using the approval or permit and empties valuable tokens. The seed phrase was never stolen. The permission was the exploit.

    // ERC-20 approval pattern behind many drains (pseudocode):
    // the user is tricked into granting an unlimited allowance.
    token.approve(spender, type(uint256).max);
    // Later, the spender calls the token contract and moves the funds
    // without any further prompt to the user:
    token.transferFrom(user, attacker, amount); // msg.sender == spender

2. How wallet drainers really work

Wallet drainers are not magic. They are usually permission abuse systems. They trick users into authorizing the attacker to move assets, then use those permissions at the right time. The dangerous part is that Web3 permissions are normal. DEXs, marketplaces, routers, staking systems, and bridges all require approvals in legitimate workflows.

A drainer succeeds by making a malicious permission look like a normal step. It may disguise approval as claim, verification, wallet sync, login, migration, mint, or eligibility check.

ERC-20 allowances

ERC-20 tokens use allowances so a spender contract can move tokens on behalf of a user. This is necessary for swaps and many DeFi operations. But an unlimited allowance to a malicious spender lets that spender drain tokens later without asking the user again.

Permit signatures and EIP-2612

Permit signatures allow approvals through off-chain signatures. This can improve UX because users do not need a separate gas transaction to approve tokens. But a malicious permit can be just as powerful as an on-chain approval.

The risk is psychological. Users often treat “sign message” as safer than “send transaction.” That is not always true. A permit can create a live allowance without an immediate transfer.

EIP-712 typed data

EIP-712 typed data is meant to make signed messages more readable. But readable does not mean safe. Users still need to inspect the fields. Look for spender, token, value, deadline, verifying contract, chain ID, and domain.

Fields to inspect before signing approvals or permits

  • Spender: who receives permission to move assets?
  • Token: which asset is being approved?
  • Value: is it a small amount or unlimited approval?
  • Deadline: does the permission expire soon or far in the future?
  • Domain: does the signing domain match the official project?
  • Verifying contract: is the contract recognized and verified?
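The field checks above, applied to an actual EIP-712 permit request. This is an added example, not code from the original article: it reviews the eth_signTypedData_v4 payload against what the user expects to be signing. The spender allowlist, the token address and the sample payload are constructed placeholders.

```javascript
// Added example, not code from the original article: review an EIP-712 permit
// request (eth_signTypedData_v4 payload) the way a careful user or wallet UI
// should, checking spender, value, deadline, domain and chain before signing.
// All addresses and the sample payload below are constructed placeholders.

const MAX_UINT256 = (1n << 256n) - 1n;

// Assumed allowlist of spenders the user has verified (placeholder addresses).
const KNOWN_SPENDERS = new Set([
  "0x1111111111111111111111111111111111111111", // e.g. the official DEX router
]);

// Inspect a typed-data permit against what the user expects to be signing.
// `expected` = { chainId, token, maxValue (BigInt), now (unix s), maxDeadlineSeconds }.
// Returns a list of findings; an empty list means every field checked out.
function inspectPermit(typedData, expected) {
  const findings = [];
  const { domain, primaryType, message } = typedData;

  if (primaryType !== "Permit") {
    findings.push(`primaryType is "${primaryType}", not Permit; treat it as an unknown message`);
    return findings;
  }
  // Domain: the token contract and chain must be the ones the user intends.
  if (Number(domain.chainId) !== Number(expected.chainId)) {
    findings.push(`chainId ${domain.chainId} does not match expected ${expected.chainId}`);
  }
  if (String(domain.verifyingContract).toLowerCase() !== expected.token.toLowerCase()) {
    findings.push(`verifyingContract ${domain.verifyingContract} is not the expected token`);
  }
  // Spender: who receives the allowance.
  if (!KNOWN_SPENDERS.has(String(message.spender).toLowerCase())) {
    findings.push(`spender ${message.spender} is not a verified contract`);
  }
  // Value: unlimited, or larger than the action needs.
  const value = BigInt(message.value);
  if (value === MAX_UINT256) {
    findings.push("value is unlimited (type(uint256).max)");
  } else if (value > expected.maxValue) {
    findings.push(`value ${value} exceeds the amount needed (${expected.maxValue})`);
  }
  // Deadline: a permit valid far into the future can be redeemed months later.
  const deadline = BigInt(message.deadline);
  const latestAcceptable = BigInt(expected.now) + BigInt(expected.maxDeadlineSeconds);
  if (deadline > latestAcceptable) {
    findings.push(`deadline is ${deadline - BigInt(expected.now)} seconds away`);
  }
  return findings;
}

// Constructed sample: a "verify eligibility" prompt shown by a fake airdrop page.
const FAKE_AIRDROP_PERMIT = {
  domain: { name: "Placeholder Token", version: "1", chainId: 1,
            verifyingContract: "0x4444444444444444444444444444444444444444" },
  primaryType: "Permit",
  message: {
    owner: "0x2222222222222222222222222222222222222222",
    spender: "0x3333333333333333333333333333333333333333", // unknown contract
    value: MAX_UINT256.toString(),                         // unlimited
    nonce: 0,
    deadline: "9999999999",                                // far future
  },
};

// What the user believed they were doing: approve 100 tokens (6 decimals) for one hour.
const EXPECTED = {
  chainId: 1,
  token: "0x4444444444444444444444444444444444444444",
  maxValue: 100n * 10n ** 6n,
  now: 1700000000,
  maxDeadlineSeconds: 3600,
};

console.log(inspectPermit(FAKE_AIRDROP_PERMIT, EXPECTED));
```

The sample produces three findings (unknown spender, unlimited value, distant deadline); any non-empty result is a reason to cancel the prompt.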

Blind signing

Blind signing happens when the wallet cannot clearly decode what the user is approving. The interface may show raw hex data or vague signature text. This is dangerous because the user cannot confirm the real effect.

Prefer wallets, hardware devices, and transaction simulation tools that explain what will happen. If the prompt cannot tell you the token, spender, amount, destination, or contract effect, cancel.

3. NFT approval traps

NFT drainers usually target setApprovalForAll. This grants an operator permission to move every NFT in a specific collection from the user’s wallet. Marketplaces use this pattern legitimately so users can list NFTs, but malicious sites abuse the same function.

    // ERC-721 and ERC-1155 approval trap (pseudocode):
    collection.setApprovalForAll(spender, true);
    // The operator can now transfer every NFT the user holds in this
    // collection, at any later time, without another wallet prompt.

If a site claims you need to approve all NFTs to claim an airdrop, verify eligibility, receive a reward, or view utility, treat it as a major warning. A claim action should not normally require full operator rights over a valuable NFT collection.
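The on-chain counterpart to the permit check: decoding the calldata of a pending approve or setApprovalForAll transaction, flagging the unlimited-allowance and operator cases from this section and section 2, and producing the revoke call that later sections recommend. This is an added example, not code from the original article; the selectors are the standard ERC-20/ERC-721 ones, and the addresses and sample transactions are constructed placeholders.

```javascript
// Added example, not code from the original article: decode the calldata of a
// pending approve(...) or setApprovalForAll(...) transaction, flag the traps the
// article describes, and build the revoke transaction that undoes the grant.
// Selectors are the standard ERC-20 / ERC-721 ones; sample addresses are placeholders.

const SELECTORS = {
  "0x095ea7b3": "approve(address,uint256)",        // ERC-20
  "0xa22cb465": "setApprovalForAll(address,bool)", // ERC-721 / ERC-1155
};
const MAX_UINT256 = (1n << 256n) - 1n;

// Read ABI word i (32 bytes) that follows the 4-byte selector, as a BigInt.
function abiWord(data, i) {
  const start = 10 + i * 64; // skip "0x" and the 8 selector hex chars
  const hex = data.slice(start, start + 64);
  if (hex.length !== 64) throw new Error("calldata too short");
  return BigInt("0x" + hex);
}
const toAddress = (w) => "0x" + w.toString(16).padStart(40, "0");

// Returns { fn, spender, findings, revokeData } for the two permission
// functions, or null for any other call (the caller should still simulate it).
function inspectApprovalCalldata(data, knownSpenders) {
  const fn = SELECTORS[data.slice(0, 10).toLowerCase()];
  if (!fn) return null;
  const spenderWord = data.slice(10, 74);
  const spender = toAddress(BigInt("0x" + spenderWord));
  const findings = [];
  if (!knownSpenders.has(spender)) {
    findings.push(`spender ${spender} is not a verified contract`);
  }
  let revokeData;
  if (fn.startsWith("approve")) {
    const amount = abiWord(data, 1);
    if (amount === MAX_UINT256) findings.push("unlimited ERC-20 allowance");
    revokeData = "0x095ea7b3" + spenderWord + "0".repeat(64); // approve(spender, 0)
  } else {
    if (abiWord(data, 1) === 1n) findings.push("operator rights over the entire collection");
    revokeData = "0xa22cb465" + spenderWord + "0".repeat(64); // setApprovalForAll(spender, false)
  }
  return { fn, spender, findings, revokeData };
}

// Constructed samples. Spender 0x3333... is the unknown "claim" contract,
// 0x1111... stands in for a marketplace the user has verified.
const DRAINER = "33".repeat(20).padStart(64, "0");
const UNLIMITED_APPROVE = "0x095ea7b3" + DRAINER + "f".repeat(64);
const OPERATOR_GRANT = "0xa22cb465" + DRAINER + "1".padStart(64, "0");
const TRUSTED = new Set(["0x1111111111111111111111111111111111111111"]);

console.log(inspectApprovalCalldata(UNLIMITED_APPROVE, TRUSTED));
console.log(inspectApprovalCalldata(OPERATOR_GRANT, TRUSTED));
```

Sending `revokeData` to the token or collection contract from the same wallet is exactly what an approval manager does when you click revoke.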

Drainer NFTs and dusting

Attackers may send random NFTs to your wallet with metadata that points to a fake website. The NFT may say “claim reward,” “view utility,” “redeem pass,” or “unlock bonus.” The goal is to make you visit a malicious site and grant approvals.

Ignore random NFTs from unknown collections. Do not click utility links inside dusted NFTs. Do not attempt to sell or interact with suspicious assets unless you understand the risk.

4. Fake airdrops and approval traps

Fake airdrops work because free money is powerful bait. Scammers clone the branding of reputable projects, write convincing claim text, use real logos, copy announcements, and create urgency. The user feels they may lose an opportunity if they slow down.

A legitimate airdrop should be verifiable through official project channels, official domains, reputable ecosystem accounts, and transparent contract instructions. A viral tweet, DM, or random website is not enough.

Common fake airdrop patterns

  • Claim airdrop: button triggers unlimited approval or malicious permit.
  • Verify wallet: signature actually authorizes token movement.
  • Check eligibility: wallet prompt grants spender rights.
  • Connect to view allocation: fake wallet modal attempts to harvest seed phrase or signature.
  • Dust NFT utility: random NFT points users to a drainer website.
  • Fake migration: user is told tokens must be migrated through a malicious contract.
Reality check: Free money should still pass verification

If the only proof of an airdrop is a DM, sponsored ad, viral tweet, or random claim page, slow down. Verify from official domains and official communication channels before connecting a wallet.

5. Red flags checklist

Most scams show warning signs before the damage happens. The problem is not that users never see the signs. The problem is that urgency, greed, fear, and routine wallet behavior make users ignore them.

Web3 scam red flags

  • Urgency: countdowns, limited windows, “claim within 24 hours,” or “mint closes in 5 minutes.”
  • Seed phrase requests: no site, moderator, tool, airdrop, or support agent needs your seed phrase.
  • Unlimited approvals: especially when the action is only supposed to be a claim, check, or verification.
  • Unknown spender: the spender is not the official router, marketplace, or verified contract.
  • Ambiguous prompts: the wallet cannot clearly show token, amount, spender, or destination.
  • Lookalike URLs: misspellings, unicode characters, strange subdomains, or sponsored ads.
  • Unverified contracts: black-box code on explorers deserves extra caution.
  • Admin superpowers: contracts that can seize, pause, blacklist, or change permissions without safeguards.
  • Fake support DMs: real support should not privately pressure you into signing or revealing secrets.
  • Random NFT utility links: dusted NFTs often lead to malicious claim pages.

6. Defensive playbook

Most Web3 attacks can be avoided with a practical operating system. The goal is not to become paranoid. The goal is to separate risk, limit permissions, and make dangerous prompts harder to approve by accident.

Use a hardware wallet for meaningful funds

A hardware wallet helps isolate private keys from your browser and phone. But hardware wallets are not magic. You still need to read what the device is asking you to sign. If the device shows a suspicious address, unknown spender, or unclear message, reject it.

Separate vault and daily wallets

Your vault wallet should hold meaningful funds and avoid random DApps. Your daily wallet should handle experiments, airdrops, mints, and routine activity with limited funds. If your daily wallet gets compromised, the blast radius should be small.

Wallet separation model:

  Vault wallet:
  • Hardware wallet
  • Meaningful funds
  • No random DApps
  • Minimal approvals

  Daily wallet:
  • Small balance
  • Mints, airdrops, games, testing
  • Regular approval revokes
  • Can be rotated often

  Emergency wallet:
  • Fresh wallet for moving remaining assets
  • Used only during compromise response

Approval hygiene

Approvals persist until revoked, expire, or are overwritten. That means old approvals can remain dangerous months after you forgot the site. Review approvals regularly and revoke anything you no longer need, especially for high-value tokens and NFTs.

Use reputable approval managers such as Revoke.cash. Always access them through official bookmarks and verify the domain.

Simulate before signing

Many wallets and DApps can simulate transactions before execution. Read the result. Does any token leave your account? Which token? To which address? Is the destination expected? Does the approval create unlimited spending rights?

Use bookmarks only

Search ads and lookalike domains are common attack surfaces. Use bookmarks for wallets, exchanges, DEXs, bridges, approval managers, staking pages, and frequently used protocols. Avoid links from DMs and sponsored search results.

Cap allowances where possible

If you are swapping 100 USDC, approve 100 USDC or slightly more, not unlimited approval. Some interfaces push unlimited approval for convenience, but convenience increases blast radius if the spender is compromised or malicious.

Rotate daily wallets

A heavily used wallet collects old approvals, interaction history, spam NFTs, and risk. Periodically creating a fresh daily wallet can reduce exposure. Keep the vault separate and move only what you need.

Everyday wallet safety checklist

  • Use a hardware wallet for meaningful funds.
  • Keep a small-balance daily wallet for experiments.
  • Never connect the vault to random DApps.
  • Use bookmarks instead of DM links or search ads.
  • Read spender, token, amount, destination, and deadline.
  • Reject blind signing when the wallet cannot decode the prompt.
  • Use transaction simulation where available.
  • Cap approvals instead of using unlimited allowances by default.
  • Revoke stale token and NFT approvals monthly.
  • Ignore random NFTs and fake utility links.

Check token controls before granting approvals

Before approving, buying, or interacting with unknown tokens, scan for hidden taxes, blacklist logic, mint functions, ownership controls, proxy upgradeability, and sell restrictions.

7. If you suspect compromise, act immediately

If you signed something suspicious, do not wait to see what happens. Drainers can act quickly or wait for a better moment. Your response should focus on revoking permissions, moving remaining assets, and isolating the compromised wallet.

  1. Disconnect from the suspicious site: close the page and remove connected sessions where possible.
  2. Review approvals: start with high-value ERC-20 tokens and NFTs.
  3. Revoke suspicious spenders: use a reputable approval manager from a bookmarked domain.
  4. Move remaining assets: transfer funds to a fresh wallet you control if the wallet may be compromised.
  5. Prioritize NFTs: revoke setApprovalForAll permissions for valuable collections.
  6. Audit extensions: remove browser extensions you do not explicitly trust.
  7. Check bookmarks: delete fake or suspicious bookmarks.
  8. Update software: update OS, browser, wallet, and hardware wallet firmware through official channels.
  9. Document spender addresses: keep notes for later review and possible reporting.
Important: Do not reset a hardware wallet unless the seed is exposed

If you only signed a malicious approval from a hot wallet, the seed may not be compromised. Revoke approvals and rotate the hot wallet. Only factory reset or regenerate a hardware wallet if you believe the seed phrase or passphrase was exposed.

8. Monthly security routine

Security improves when it becomes a routine instead of a panic response. Set a recurring monthly reminder and perform a basic wallet hygiene review.

Monthly Web3 safety routine

  • Revoke stale ERC-20 approvals.
  • Revoke stale NFT operator approvals.
  • Sweep excess funds from daily wallet to vault.
  • Rotate daily address if it has been heavily used.
  • Review bookmarks and remove unused DApps.
  • Update OS, browser, wallet extension, and wallet app.
  • Update hardware wallet firmware only from official tools.
  • Review wallet connections and disconnect old sessions.
  • Check for dust NFTs and ignore suspicious utility links.
  • Send a small canary transfer from daily wallet to vault to confirm your routine is working.

9. Quick check

Use these questions to test whether the core lesson is clear before you sign another wallet prompt.

Question: What does a drainer usually need you to do?
Answer: Sign an approval, permit, NFT operator permission, or malicious message, often disguised as verify, claim, sync, or eligibility check.

Question: Is it ever safe to type your seed phrase into a website?
Answer: No. Seed phrases should never be typed into a website, support chat, form, cloud note, or random wallet pop-up.

Question: How do you reduce risk from old token approvals?
Answer: Regularly review and revoke allowances using a reputable approval manager, and use finite approvals going forward.

Question: What fields should you scrutinize in approval or permit prompts?
Answer: The spender address, value amount, token, deadline, domain, and verifying contract.

Question: Why do scammers use urgency and countdowns?
Answer: To rush users past normal safety checks and make them sign before reading the wallet prompt.

10. Advanced defenses for active users

Active DeFi users, NFT traders, DAO operators, and treasury managers should add stronger defenses because their wallets are higher-value targets.

Use multisigs for shared or large funds

A multisig reduces single-key risk. It is useful for DAOs, teams, treasuries, businesses, grants, and shared assets. However, multisigs still need signer hygiene. If all signers use the same infected device or approve prompts without review, the benefit weakens.

Use wallet policies and spending limits

Smart wallets and account abstraction systems can support spending limits, session keys, allowlists, and policy controls. These can reduce damage from one bad session. For example, a session key might be limited to one DApp, small amounts, and a short time window.

Use simulation and transaction preview tools

Transaction simulation is one of the best defenses against hidden drains. It can show token movements before signing. If the simulation says valuable assets will leave your wallet during a supposed claim, cancel immediately.

Separate devices for high-value actions

Consider using a cleaner browser profile or separate device for high-value wallet activity. Keep extensions minimal. Do not mix random browsing, testing, gaming, and treasury signing in the same browser environment.

Go deeper

These resources are useful for wallet security, approval hygiene, and practical user protection.

Verdict: most Web3 drains are permission failures

The most successful Web3 attacks do not usually defeat the wallet. They defeat the user’s decision process. A fake support message creates urgency. A lookalike site creates trust. A wallet pop-up creates routine behavior. A hidden approval creates spending rights. The drainer only needs one successful signature.

This is why wallet security must be practical. Use a vault wallet for meaningful funds. Use a small daily wallet for riskier interaction. Do not follow DM links. Use bookmarks. Read spender fields. Cap allowances. Simulate transactions. Revoke stale approvals. Ignore random NFT utility links. Rotate wallets when needed.

The best defense is not panic. It is a system. Every approval should answer the same questions: who is the spender, what can they move, how much can they move, when does permission expire, and why is this permission necessary?

If a site cannot answer those questions clearly, do not sign.

Make wallet hygiene part of your normal Web3 routine

Revoke stale approvals, separate vault and daily wallets, avoid DM links, and check contract permissions before approving unknown tokens or DApps.

FAQs

What is a wallet drainer?

A wallet drainer is a malicious tool or contract flow designed to trick users into granting approvals, permits, NFT operator rights, or signatures that allow assets to be moved out of the wallet.

Can a wallet be drained without the seed phrase being stolen?

Yes. A malicious approval, permit signature, or NFT operator permission can let an attacker move assets without knowing the seed phrase.

What is the biggest red flag in an approval prompt?

The spender field is critical. If the spender is unknown, unverified, unrelated to the official DApp, or paired with unlimited value, cancel the prompt.

Is it safe to sign a message to verify an airdrop?

Not automatically. Some malicious signatures act like permits or orders. Read the typed data fields carefully and verify the claim from official channels before signing.

What does setApprovalForAll mean?

setApprovalForAll gives an operator permission to move all NFTs from a specific collection. It is legitimate for marketplaces but dangerous when requested by fake claim or airdrop sites.

How often should I revoke approvals?

Review approvals at least monthly and after any suspicious interaction. Prioritize high-value tokens and NFT collections first.

Should I use one wallet for everything?

No. Use separate wallets for vault storage, daily activity, experiments, and emergency response. Never connect your main vault to random sites.

What should I do if I signed something suspicious?

Disconnect the site, revoke suspicious approvals, move remaining assets to a fresh wallet if needed, audit extensions, update software, and document spender addresses for review.


Final reminder: Web3 scams usually exploit trust, urgency, and permissions. The seed phrase is not the only risk. Read every approval, verify every spender, use separate wallets, revoke stale permissions, and never let FOMO decide what your wallet signs. Check first, then decide.

About the author: Wisdom Uche Ijika
Founder @TokenToolHub | Web3 Technical Researcher, Token Security & On-Chain Intelligence | Helping traders and investors identify smart contract risks before interacting with tokens
Reader Supported Research

Support Independent Web3 Research

TokenToolHub publishes free Web3 security guides, smart contract risk explainers, and on-chain research resources for traders, builders, and investors. If this article helped you, you can optionally support the platform and help keep these resources free.

Network: USDC on Base
0xBFCD4b0F3c307D235E540A9116A9f38cE65E666A

Support is completely optional. Please only send USDC on the Base network to this address. TokenToolHub will continue publishing free educational resources for the Web3 community.