Wallet Drainer Scams in 2026: How Approval Phishing Works and How to Stop It

Drainers do not steal your seed phrase; they trick you into signing an approval. Here is how to spot, block, and revoke malicious permissions.

By Sam Carter

A wallet drainer does not need your seed phrase or your password. It needs one thing: for you to click "approve." That single mechanism, the token approval, is behind a huge share of crypto losses, and once you understand it, most drainer attacks stop being mysterious and start being avoidable.

Quick answer

A wallet drainer is a phishing tool that tricks you into signing a transaction that grants an attacker permission to move your tokens, then drains the wallet on their schedule. It never touches your seed phrase. The defenses that actually work: reach dApps only from your own bookmarks, reject unlimited "approve all" and unknown "permit" requests, never sign a transaction you cannot read in plain language, use a low-balance burner wallet for new sites, and periodically audit and revoke old approvals.

Key takeaways

  • Drainers steal funds through approvals and signatures you authorize, not by stealing your seed phrase.
  • The most dangerous request is an unlimited token approval or a "set code" / "permit" permission; treat those as red flags.
  • "Blind signing" (approving a transaction you cannot read in plain language) is a leading cause of losses.
  • Audit and revoke old approvals regularly; forgotten permissions can be exploited months later.
  • Use a separate low-balance "hot" wallet for new or untrusted sites, and keep core holdings on hardware.

How the attack works

The trap usually starts on a convincing fake site: a counterfeit NFT mint, a token airdrop claim, or a clone of a popular exchange or dApp. You click "Connect Wallet," then the site asks you to "Approve" or "Sign." That click signs a smart-contract permission allowing the attacker's contract to transfer specific tokens, or in the worst case all of a token type, out of your wallet. No further action from you is needed; the attacker drains the wallet on their schedule, sometimes weeks later when you have forgotten you ever visited.

The signatures that drain wallets

Not every signature is dangerous, but a few specific types do almost all the damage. Learn to recognize these.

| Request type | What it actually grants | Danger |
| --- | --- | --- |
| approve (unlimited) | Spend any amount of one token, forever | Very high, the classic trap |
| permit / permit2 | Off-chain signature granting spend rights | High, often unreadable |
| setApprovalForAll (NFTs) | Move any NFT in a collection | Very high for NFT holders |
| set code / delegation | Hand control of account behavior | Critical, newer threat |
| Exact-amount approve | Spend only what you specified | Low, the safe choice |

Note

If a site asks you to "approve" access to ALL of a token or NFT collection, requests a "permit" or "set code" signature you do not understand, or shows only a string of hexadecimal instead of plain language, reject it.

The two patterns that cause most losses are the unlimited approval (granting a contract permission to spend an unbounded amount "so you do not have to approve again") and blind signing (the wallet shows raw code rather than a human-readable description). In May 2026, the Ethereum Foundation backed a Clear Signing standard, supported by Ledger and other wallet makers, to replace unreadable code with plain-language transaction descriptions. We cover that shift in our clear signing vs blind signing guide. Until it is universal, you have to be the safeguard.
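
What a wallet has to do to avoid blind signing for the on-chain requests in the table, as an added example that is not code from this article or from any wallet: it decodes raw approve and setApprovalForAll calldata into a plain-language line and a risk level. The spender address and sample requests are constructed, and treating anything from 2^128 upward as "unlimited" is an assumption of this sketch.

```javascript
// Added example (not from the article): turn raw approval calldata into plain language.
// Selectors are the first 4 bytes of keccak256 of each standard function signature.
const SELECTORS = {
  "095ea7b3": "approve",            // approve(address,uint256)
  "a22cb465": "setApprovalForAll",  // setApprovalForAll(address,bool)
};
// Assumption: anything at or above 2^128 base units is treated as "unlimited",
// since no realistic token balance gets near it (2^256 - 1 is the usual value).
const UNLIMITED_FROM = 1n << 128n;

function describeCalldata(data) {
  const hex = String(data).toLowerCase().replace(/^0x/, "");
  const unknown = (text) => ({ risk: "unknown", text });
  if (!/^[0-9a-f]+$/.test(hex) || hex.length < 8) return unknown("Not valid calldata; reject.");
  const fn = SELECTORS[hex.slice(0, 8)];
  if (!fn) return unknown("Unrecognized call; this is blind signing, reject.");
  const args = hex.slice(8);
  if (args.length !== 128) return unknown(`Malformed ${fn} arguments; reject.`);
  // Each ABI argument is a 32-byte word; an address is the low 20 bytes of its word.
  const spender = "0x" + args.slice(24, 64);
  const value = BigInt("0x" + args.slice(64));
  if (fn === "setApprovalForAll") {
    return value === 0n
      ? { risk: "low", text: `Revoke ${spender}'s access to this NFT collection.` }
      : { risk: "very high", text: `Let ${spender} move ANY NFT in this collection.` };
  }
  if (value === 0n) {
    return { risk: "low", text: `Revoke ${spender}'s allowance for this token.` };
  }
  if (value >= UNLIMITED_FROM) {
    return { risk: "very high", text: `Let ${spender} spend an UNLIMITED amount of this token.` };
  }
  return { risk: "low", text: `Let ${spender} spend ${value} base units of this token.` };
}

// Constructed sample inputs: a placeholder spender address and three requests.
const SPENDER_WORD = "0".repeat(24) + "11".repeat(20);
const SAMPLES = {
  unlimited: "0x095ea7b3" + SPENDER_WORD + "f".repeat(64),
  exact: "0x095ea7b3" + SPENDER_WORD + (1000000n).toString(16).padStart(64, "0"),
  allNfts: "0xa22cb465" + SPENDER_WORD + "1".padStart(64, "0"),
};
for (const [name, data] of Object.entries(SAMPLES)) {
  const { risk, text } = describeCalldata(data);
  console.log(`${name}: [${risk}] ${text}`);
}
```

Anything the decoder cannot name comes back as "unknown", which is the case the Note above says to reject.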

A practical defense routine

    1. Bookmark official sites. Reach dApps and wallet portals from your own bookmarks, never from social media links, DMs, or search ads.
    2. Use a burner hot wallet. Keep a low-balance wallet for minting, claiming airdrops, and testing new apps. Isolate your main holdings on hardware.
    3. Read every signature. If you cannot tell what a request does in plain words, do not sign it. Reject "approve all" and unknown "permit" requests.
    4. Limit approvals. When a site offers a choice, approve only the exact amount needed rather than unlimited.
    5. Audit and revoke. Periodically review active approvals with a reputable revoke tool (like Revoke.cash) and remove anything you no longer use.
    6. Install a security extension. Use a wallet-security browser extension that flags known phishing pages before you connect.
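
The audit in step 5, sketched as an added example (not the article's code and not how Revoke.cash or any named tool is implemented): it replays a wallet's ERC-20 Approval events and lists every spender whose most recent approval is still non-zero. The logs are constructed in `eth_getLogs` shape with placeholder addresses, and the 2^128 "unlimited" threshold is an assumption.

```javascript
// Added example, not the article's code: list approvals still open in a log history.
// topic0 = keccak256("Approval(address,address,uint256)"), the ERC-20 Approval event.
const APPROVAL_TOPIC =
  "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925";
const UNLIMITED_FROM = 1n << 128n; // assumption: at or above this counts as unlimited
const topicToAddress = (topic) => "0x" + topic.slice(-40).toLowerCase();

function openApprovals(logs, owner) {
  const ordered = logs
    // ERC-20 Approval has 3 topics; the ERC-721 event of the same name has 4.
    .filter((l) => l.topics.length === 3 && l.topics[0] === APPROVAL_TOPIC
      && topicToAddress(l.topics[1]) === owner.toLowerCase())
    .sort((a, b) => Number(BigInt(a.blockNumber) - BigInt(b.blockNumber))
      || Number(BigInt(a.logIndex) - BigInt(b.logIndex)));
  const latest = new Map(); // "token:spender" -> most recent approval
  for (const l of ordered) {
    const token = l.address.toLowerCase();
    const spender = topicToAddress(l.topics[2]);
    latest.set(`${token}:${spender}`, { token, spender, amount: BigInt(l.data) });
  }
  return [...latest.values()]
    .filter((a) => a.amount > 0n) // a later approve(spender, 0) is a revoke
    .map((a) => ({ ...a, unlimited: a.amount >= UNLIMITED_FROM }));
}

// Constructed sample logs in eth_getLogs shape; all addresses are placeholders.
const word = (hex) => "0x" + hex.padStart(64, "0");
const mkLog = (blockNumber, token, owner, spender, amountHex) => ({
  address: "0x" + token.repeat(20), blockNumber, logIndex: "0x0",
  topics: [APPROVAL_TOPIC, word(owner.repeat(20)), word(spender.repeat(20))],
  data: word(amountHex),
});
const OWNER = "0x" + "aa".repeat(20);
const SAMPLE_LOGS = [
  mkLog("0x20", "c1", "aa", "11", "0"),            // revokes the 0x10 approval
  mkLog("0x10", "c1", "aa", "11", "f".repeat(64)), // unlimited, later revoked
  mkLog("0x15", "c1", "aa", "22", "f".repeat(64)), // unlimited, still open
  mkLog("0x30", "c2", "aa", "11", "1f4"),          // exact amount: 500
  mkLog("0x12", "c1", "bb", "22", "f".repeat(64)), // another owner, ignored
];
for (const a of openApprovals(SAMPLE_LOGS, OWNER)) {
  console.log(`${a.token} -> ${a.spender}: ${a.unlimited ? "UNLIMITED" : a.amount}`);
}
```

The last approved amount is only a candidate: spending can lower the real allowance without a new event, so confirm each entry with the token's `allowance(owner, spender)` before paying gas to revoke it.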

A risk-tiered wallet setup

The single most effective structural defense is to stop using one wallet for everything. Separate your funds by how much risk each activity carries.

| Wallet | Holds | Used for |
| --- | --- | --- |
| Burner / hot wallet | Small, disposable balance | Mints, airdrops, new or untrusted dApps |
| Daily wallet | Moderate balance | Routine trading on trusted apps |
| Vault (hardware) | Long-term core holdings | Rarely connected, never to random sites |

With this setup, the worst a drainer can do on a sketchy site is empty your burner. Your real holdings sit in wallets that never signed the malicious approval. Pair the vault with our seed phrase and multisig backup guide and the hidden wallet passphrase guide for an extra layer.

The 2026 twist: panic-driven drains

A newer tactic exploits real incidents. When a genuine exploit hits a protocol and official accounts tell users to "revoke approvals" or "migrate funds," drainer operators register lookalike domains and flood social media with posts mimicking that guidance. Users doing exactly the right thing land on a fake "revoke" site that drains them instead.

The lesson is uncomfortable but important: even during an emergency, especially during an emergency, navigate only from your own bookmarks and verify the exact URL character by character. Attackers count on panic to make you skip the verification you would normally do.

What to do right now

If you hold crypto in a self-custody wallet:

  • Audit your approvals today with Revoke.cash or a similar reputable tool, and revoke anything unfamiliar or unlimited.
  • Split your funds into burner, daily, and vault wallets so no single click can empty everything.
  • Bookmark every dApp you use and drop the habit of clicking links from social media or search ads.
  • Update your wallet to get Clear Signing support as it rolls out.
  • Move long-term holdings to hardware and connect that device only to sites you trust completely.

A related signature trick, address poisoning, is covered in our address poisoning explainer, and the broader scam landscape in how to spot a crypto rug pull.

Frequently asked questions

If I never share my seed phrase, am I safe from drainers?

No. Drainers do not need your seed phrase. They rely on you signing an approval, which is a completely different action. Guarding your seed phrase is necessary but not sufficient.

How do I revoke an approval I already gave?

Use a reputable token-approval checker like Revoke.cash connected to your wallet, then submit a revoke transaction for the permission you want to remove. Reach the tool from a verified bookmark, not a link someone sent you. Revoking costs a small gas fee.

Why does my wallet sometimes show only code instead of plain text?

That is blind signing. The transaction has not been decoded into readable terms, so you cannot see what you are authorizing. Avoid signing anything you cannot understand, and cancel until you can verify the site.

Does a hardware wallet protect me?

It protects your keys, but you can still approve a malicious transaction on a hardware wallet. The device signs whatever you confirm, so you must still read each request. Hardware protects against key theft, not against bad approvals.

How often should I audit my approvals?

Treat it like a routine, roughly monthly or after any session where you connected to new or untrusted sites. Forgotten approvals are a common way drainers strike long after the original visit.

This article is for general information and is not financial advice.
