The message came from an account the trader had followed for years. A supposed airdrop, 24-hour deadline, direct link to the claim page. The site looked professional and asked for a single signature: no password, no seed, no approvals, just a plain "Sign". Two seconds later, every NFT and a six-figure token balance had moved to an unfamiliar address. The signature was the permission.
Wallet drainers are the dominant scam in Web3. They skip classic credential theft and use the mechanisms decentralized apps rely on anyway. A sufficiently complex transaction, signed by MetaMask or Rabby, moves every token, NFT, and DeFi position into the attacker's contract. The system works exactly the way it's designed to.
What you're actually signing
When a Web3 site prompts you to sign, you're rarely authorizing a plain transfer. You're usually authorizing an approval, giving a smart contract permission to act on your behalf. The classic ERC-20 approval reads "Contract X may move up to Y of token Z from my wallet". Most drainers request an infinite approval: "may move all of my token Z".
On the NFT side there's setApprovalForAll, a single signature granting a contract permission to move every NFT in a collection. With Seaport and Permit2, complex orders can authorize multiple tokens at once. And with EIP-712 messages, you can sign dense authorizations whose human-readable form barely reflects what happens.
At signing time, many wallets show a bland "This will interact with a contract". The real effect, which tokens move, which collections are affected, how much can be drained over the next 30 days, is either missing or rendered as hex nobody reads.
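To make the "hex nobody reads" concrete, here is an added example (not from the original article or any wallet's code) that decodes the two approval calls named above into a plain-language summary. The function name, risk labels, the "at or above 2^255 counts as unlimited" threshold, and the sample inputs are assumptions of this example.

```javascript
// Added example: turn approval calldata into a plain-language summary.
// Selectors are the first 4 bytes of keccak256(function signature).
const SELECTORS = {
  "095ea7b3": "approve(address,uint256)", // ERC-20; ERC-721 reuses it with a tokenId
  "a22cb465": "setApprovalForAll(address,bool)",
};
const UNLIMITED_FLOOR = 1n << 255n; // assumption: at or above this, treat as infinite

function describeCalldata(data) {
  const hex = String(data).toLowerCase().replace(/^0x/, "");
  if (!/^[0-9a-f]+$/.test(hex) || hex.length < 8) {
    return { risk: "unknown", summary: "not valid calldata" };
  }
  const sig = SELECTORS[hex.slice(0, 8)];
  if (!sig) {
    return { risk: "unknown", summary: "unrecognized function, signing would be blind" };
  }
  const args = hex.slice(8);
  if (args.length < 128) {
    return { risk: "unknown", summary: `${sig} with truncated arguments` };
  }
  const spender = "0x" + args.slice(24, 64);        // address: low 20 bytes of word 1
  const value = BigInt("0x" + args.slice(64, 128)); // word 2: amount or bool
  if (sig.startsWith("setApprovalForAll")) {
    return value === 0n
      ? { risk: "low", spender, summary: `revokes collection-wide access for ${spender}` }
      : { risk: "high", spender, summary: `${spender} may move every NFT in this collection` };
  }
  if (value === 0n) {
    return { risk: "low", spender, summary: `revokes the allowance of ${spender}` };
  }
  if (value >= UNLIMITED_FLOOR) {
    return { risk: "high", spender, summary: `${spender} may move ALL of this token` };
  }
  return { risk: "review", spender, summary: `${spender} may move up to ${value} base units` };
}

// Constructed sample inputs (placeholder spender address, not from a real incident).
const pad = (h) => h.padStart(64, "0");
const SPENDER = "11".repeat(20);
const SAMPLE_UNLIMITED = "0x095ea7b3" + pad(SPENDER) + "f".repeat(64);
const SAMPLE_APPROVE_ALL = "0xa22cb465" + pad(SPENDER) + pad("1");
console.log(describeCalldata(SAMPLE_UNLIMITED).summary);
console.log(describeCalldata(SAMPLE_APPROVE_ALL).summary);
```

Anything that comes back as "unknown" is the blind-signing case: the decoder has no interface for it, so there is nothing trustworthy to show.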
Wallet drainers as a service

Drainers aren't built from scratch. There are kits you rent: Angel Drainer, Inferno, Pink, Rainbow. The buyer gets smart-contract code, a configurable frontend, a Telegram bot for status alerts, and a split of stolen value, typically 20 percent to the kit operator and 80 percent to the buyer.
The kits cover arbitrary L1 and L2 networks: Ethereum, Solana, Base, Polygon, BNB, Arbitrum. The fake site auto-detects the connecting wallet and presents the right drain function for each chain. Victims don't even need to know which chain they're on.
In 2024, users lost more than 500 million dollars to drainer kits according to Scam Sniffer and Chainalysis, spread across hundreds of thousands of individual victims. Losses continued to rise in 2025 despite improvements in major wallets.
Why blind signing is the root cause
Many wallets show only a hash and a generic "Signing this message could let the app do things on your behalf" for complex transactions. This is blind signing. It exists because human-readable parsing of contract calls is hard on the wallet side and many dapp actions don't translate meaningfully.
Drainers weaponize that. The attack wraps the authorizing operation into a dense-looking message, often Permit2 or Seaport, that reads like nothing in the UI but technically transfers the full token budget. Hardware wallets like Ledger and Trezor now render structured parses for popular contract interfaces, but only the ones they know.
The lesson is to never treat blind signing as acceptable. If your wallet can't tell you what happens, back out. Even when the site looks legitimate.
The signatures that should alarm you

setApprovalForAll is almost always a strong warning on a site you haven't deeply verified. The only legitimate case is a first listing on a marketplace, and even there modern implementations should have moved to Permit2.
Unlimited approvals on ERC-20 tokens are normal in everyday DeFi, but on an unfamiliar site they should be a hard no. If the amount is 2^256 or some absurdly round number, you're staring at a drainer signature.
Permit2 signatures let the spender move tokens for an hour to months without an on-chain transaction. When an unknown site asks for Permit2, you're signing a pre-authorized theft.
Seaport offers with multiple items and recipient addresses you don't recognize are especially dangerous because they trade individual NFTs for token amounts, and the flow looks like an ordinary sell.
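For the Permit2 case above, the following added example (not from the original article or from Permit2's own code) shows what a wallet-side check can surface from the EIP-712 payload before you sign. It handles only Permit2 allowance messages (PermitSingle and PermitBatch); the function name, the allowlist parameter, the verdict labels, and the sample request with placeholder addresses are assumptions of this example.

```javascript
// Added example: summarize a Permit2 allowance request (EIP-712 typed data)
// before signing. Field names follow Permit2's PermitSingle / PermitBatch types.
const UINT160_MAX = (1n << 160n) - 1n; // Permit2 amounts are uint160

function inspectPermit2(typed, nowSec, trustedSpenders = []) {
  const isPermit2 = typed?.domain?.name === "Permit2" &&
    ["PermitSingle", "PermitBatch"].includes(typed.primaryType);
  if (!isPermit2) {
    return { verdict: "unparsed", findings: ["not a Permit2 allowance message"] };
  }
  const msg = typed.message;
  const details = Array.isArray(msg.details) ? msg.details : [msg.details];
  const spender = String(msg.spender).toLowerCase();
  const findings = [];
  if (!trustedSpenders.includes(spender)) {
    findings.push(`spender ${spender} is not on your allowlist`);
  }
  if (details.length > 1) {
    findings.push(`one signature covers ${details.length} tokens`);
  }
  for (const d of details) {
    if (BigInt(d.amount) === UINT160_MAX) {
      findings.push(`unlimited allowance on token ${d.token}`);
    }
    const days = Math.floor((Number(d.expiration) - nowSec) / 86400);
    if (days >= 1) {
      findings.push(`allowance on ${d.token} stays valid for ${days} days`);
    }
  }
  return { verdict: findings.length ? "reject" : "review", spender, findings };
}

// Constructed sample request: placeholder addresses and a fixed clock.
const NOW = 1700000000;
const SAMPLE_REQUEST = {
  domain: { name: "Permit2", chainId: 1 },
  primaryType: "PermitSingle",
  message: {
    details: { token: "0x" + "aa".repeat(20), amount: UINT160_MAX.toString(),
               expiration: NOW + 30 * 86400, nonce: 0 },
    spender: "0x" + "bb".repeat(20),
    sigDeadline: NOW + 3600,
  },
};
console.log(inspectPermit2(SAMPLE_REQUEST, NOW));
```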
A fresh browser for every mint
The most effective operational change is to stop doing Web3 interactions from the browser where your main wallet is signed in. A mint page, airdrop claim, or new DeFi app opens inside an isolated browser. There you connect a wallet that holds only what that interaction needs and nothing else. A drainer hits that wallet, gets the modest balance, and never touches your main position.
The community calls this a "burner wallet", and it's been standard for years among heavy minters. The step people forget: the browser should also be a burner. Extensions like MetaMask can retain session storage and authorizations; an isolated browser ends the session empty and is immune to later signature replays.



