The paradox of 2026

The evolution of the cryptocurrency ecosystem in 2026 has produced an unprecedented security paradox. While Layer 1 and Layer 2 infrastructures have reached levels of technical robustness and scalability previously unimaginable, the human factor has consolidated as the primary vulnerability exploited by highly professionalized criminal organizations.

So-called "Wallet Drainers" have ceased to be simple amateur scripts. They have become infrastructure-as-a-service (IaaS) platforms powered by artificial intelligence, capable of executing theft at industrial scale with surgical precision. In 2025, the value received by illicit cryptocurrency wallets reached a record $158 billion — a 145% increase from the $64.5 billion recorded in 2024. This surge is not the product of failures in cryptographic protocols, but rather the refinement of social engineering tactics and the exploitation of new Ethereum standards like EIP-7702.

This article dissects the anatomy of modern crypto phishing: the business models behind it, the technical mechanisms that make it possible, the networks being targeted, the role of AI in scaling attacks, and the strategies you need to protect yourself.

1. The macroeconomic landscape of phishing in 2026

The volume of malicious activity on the web has escalated alarmingly. Over the past year, security researchers tracked approximately 11.9 million malicious domains, with a daily average of 378,411 active domains at any given moment. This saturation of the digital space is designed to overwhelm the reactive defense mechanisms of financial institutions and technology platforms, which are now the primary targets of these campaigns.

The statistics reveal that the technology sector concentrates 36.13% of attacks, followed by the government and financial sector at 26.84%, and e-commerce at 14.72%. These industries offer high leverage for attackers, as compromising a single identity can unlock access to multiple critical systems.

The sophistication of attacks has driven the average scam payment from $782 in 2024 to $2,764 in 2025 — a 253% year-over-year increase. This phenomenon is explained by scammers abandoning massive, indiscriminate campaigns in favor of highly targeted, personalized attacks. They now use artificial intelligence tools to identify and exploit high-net-worth individuals, known as "whales" in crypto parlance.

Fraud Metric                    | 2024 Value    | 2025/2026 Value | YoY Change
Illicit crypto flows            | $64.5 billion | $158 billion    | +145%
Average scam payment            | $782          | $2,764          | +253%
Active malicious domains        | ~5 million    | 11.9 million    | +138%
AI-driven scam growth           | N/A           | 1,210%          | N/A
Illicit stablecoin market share | ~60%          | 84%             | +40%

The role of stablecoins has been fundamental in this expansion. In 2026, stablecoins represent 84% of all illicit transaction volume. Their price stability makes them the ideal vehicle for money laundering and sanctions evasion, especially in Russia-linked networks such as Garantex and the A7 wallet cluster, which processed more than $39 billion in 2025 under a coordinated state sanctions evasion scheme.

For a broader view of the security landscape, including the $3.41 billion in total losses across 2025, see our Crypto Security Report 2025–2026.

2. The Drainer-as-a-Service (DaaS) economy

The business model behind wallet theft has been structured similarly to Ransomware-as-a-Service (RaaS). Malware developers create complete infrastructures that they rent to "affiliates" with less technical knowledge. These Drainer-as-a-Service (DaaS) providers offer control panels, landing page generators, Telegram bots, and technical support for more than 90 wallet types.

The DaaS model has effectively industrialized crypto theft. An affiliate with minimal coding skills can launch a phishing campaign within hours, leveraging professionally designed phishing pages that mimic popular dApps, NFT drops, and airdrop claim sites. The barrier to entry has never been lower — and the returns have never been higher.

The Rublevka Team: anatomy of a "Traffer Team"

The group known as "Rublevka Team" is a prominent example of this professionalization. Operating since 2023, this Russian-origin team has generated more than $10 million through affiliate-driven campaigns. Their success lies in a hierarchical and competitive structure:

Recruitment and structure. The group recruits social engineering specialists through specialized forums such as LolzTeam, Exploit, and XSS. Affiliates receive between 75% and 80% of the loot, while the core developers retain the remaining percentage as a service fee. This generous split attracts a constant stream of new operators eager to participate.

Evasion infrastructure. The Rublevka Team employs advanced "cloaking" techniques to restrict access to their phishing pages based on the visitor's IP address, ISP, or country of origin. This prevents security researchers or Google bots from detecting the malicious content. If a researcher from a known security firm visits the URL, they see an innocuous page. The real phishing content is served only to targeted victims.

"Red Table" bypass. They have implemented functions to unblock domains flagged as dangerous by Google, temporarily displaying harmless content ("white pages") to evade security scans. Once the domain is de-listed from Google Safe Browsing warnings, the phishing content is re-enabled.

The deployment of these tools allows attackers with minimal technical experience to launch high-impact campaigns, exploiting media events such as token launches (airdrops) or NFT pre-sales to attract victims. A fake "claim your airdrop" page, combined with social media promotion through compromised accounts, can generate six-figure returns in a single day.

3. Technical anatomy of the modern drainer

The drainers of 2026 have evolved to exploit the complexity of smart contracts and new network standards. Unlike older methods that required the user to manually send their assets, modern drainers induce the victim to sign transactions that grant unlimited permissions over their funds.

Understanding the technical mechanisms is critical because it reveals why traditional security advice — "never share your seed phrase" — is no longer sufficient. The new generation of attacks does not need your seed phrase. It needs a single signature on a carefully crafted transaction. For more on how token approvals create hidden risks, see our dedicated article.

EIP-7702: the new battlefield

Ethereum's Pectra upgrade introduced the EIP-7702 standard, originally designed to bring account abstraction capabilities to Externally Owned Accounts (EOAs) like MetaMask. However, this standard has opened a qualitatively new attack surface.

EIP-7702 allows an EOA to temporarily delegate its execution logic to an external smart contract by signing an authorization tuple. Phishing groups have developed a taxonomy of attacks under this standard:

Delegation pointer deception. Users are tricked into authorizing an address that hosts malicious logic. Since the delegated implementation is opaque at the time of signing, the user effectively installs a "malicious brain" in their own wallet. The transaction preview in most wallet interfaces does not clearly communicate the implications of an EIP-7702 delegation.

Control persistence. Once the delegation is written to the account's code slot, all subsequent calls are automatically routed through the attacker's code. This creates a temporal separation between the phishing moment and the theft moment, allowing the attacker to wait until the wallet holds a larger balance before executing the drain.

Cross-context activation. The malicious code can be activated not only by user-initiated transactions but also by external calls from other contracts or protocols. This enables automatic asset drainage without any direct intervention from the victim — the wallet can be emptied while the user sleeps.

From a technical standpoint, the implementation uses a new transaction type, SET_CODE_TX_TYPE (0x04), which includes a list of signed authorizations. If a user signs one of these authorizations pointing to a drainer contract, the attacker can invoke mass transfer functions for ERC-20 tokens, NFTs, and ETH atomically and silently.

Permit2 vs. EIP-7702: a technical comparison

Characteristic             | Phishing via Permit2                             | Phishing via EIP-7702
Primary mechanism          | Off-chain message signature to spend tokens      | Full delegation of account execution logic
Scope of control           | Limited to specific contracts and tokens         | Absolute control over all account actions
Persistence                | Generally tied to a single approval              | Permanent until revoked via new transaction
Explorer visibility        | Appears as a spending authorization              | Appears as account code change (EIP-7702 marker)
Ease of use for attackers  | Requires multiple signatures for different assets | A single signature enables total wallet drainage

The danger of EIP-7702 lies in the fact that it breaks fundamental security assumptions. Many developers relied on the check tx.origin == msg.sender to prevent reentrancy or flash loan attacks, assuming that EOAs could not execute contract code. EIP-7702 invalidates this premise, allowing a personal account to behave as a malicious contract in governance contexts or DeFi protocols. For a deeper understanding of wallet types and their security properties, see What is a crypto wallet?

4. Adaptation by network: Solana, TON, and Layer 2s

Drainer developers have diversified their targets to include networks with lower fees and large volumes of retail users. The expansion beyond Ethereum represents a maturation of the threat — drainer kits now ship with multi-chain support out of the box.

Solana and the CLINKSINK malware

Solana has become a priority target due to its transaction speed and the memecoin boom. The drainer known as CLINKSINK, identified by security researchers in 2026, uses phishing pages that impersonate Phantom, DappRadar, and BONK. Once the victim connects their wallet to claim a supposed airdrop, they are asked to sign a fraudulent transaction that instantly transfers their SOL and SPL tokens to the attackers' addresses.

Campaigns using CLINKSINK have stolen an estimated $900,000, distributing the loot in an 80/20 split between affiliate and service operator. The agility of these groups is evident in their constant rotation of domains and RPC (Remote Procedure Call) APIs to evade wallet blacklists. A domain may be live for only 4–6 hours before being rotated, making traditional blacklist-based defenses largely ineffective.

The Open Network (TON) and comment-based deception

TON's integration with Telegram has facilitated a new phishing modality based on the transaction comment function. Attackers send fake offers of, for example, 5,000 USDT, using the comment field to display messages like "Receive 5,000 USDT" alongside a "Confirm" button. When the user signs what appears to be a receipt of funds, they actually authorize a contract that drains their Toncoins and Jettons (TON tokens).

Although some drainer operators have abandoned TON due to the lack of "whales" (high-capital investors), the volume of retail victims remains significant. The social proximity of Telegram — where users may receive malicious messages from contacts whose accounts have been compromised — adds a layer of trust that traditional phishing channels lack.

The dominance of Layer 2: Base and Arbitrum

In 2026, Layer 2 (L2) networks like Base and Arbitrum concentrate more than 77% of total value locked in the L2 ecosystem. Base, in particular, has become the leader in transaction count, often exceeding 50 million transactions per month. This concentration of users, driven by easy onboarding from Coinbase, has attracted drainer kit developers like Inferno and Angel, which now include native support for these networks.

The low gas fees on these networks enable scammers to conduct address poisoning attacks at massive scale. They send micro-transactions from addresses that are visually similar to the user's own addresses, hoping the victim will copy a malicious address from their transaction history when making future transfers. On Ethereum mainnet, the gas cost of each poisoning transaction would be prohibitive. On Base or Arbitrum, an attacker can send thousands of poisoning transactions for a few dollars.
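The history-scraping trick described above can be caught on the defender's side: the following added example (not code from the original article) scans a constructed transaction history for inbound dust transfers whose sender shares the visible first and last hex characters of a known counterparty, and offers a pre-send check that refuses a destination copied from such an entry. All addresses are made up for the example.

```python
"""Look-alike (address poisoning) detector for an EVM transaction history.
Added example, not code from the original article. The history below is
constructed: two real counterparties the user has paid before, plus an
inbound dust transfer from an address that copies the first and last four
hex characters of the user's exchange deposit address."""
from dataclasses import dataclass

# Visible ends a look-alike must share; wallet UIs abbreviate addresses to
# roughly this, which is exactly what poisoners copy.
PREFIX_LEN = 4
SUFFIX_LEN = 4
DUST_WEI = 10**15  # 0.001 ETH: inbound transfers at or below this count as dust

@dataclass(frozen=True)
class Tx:
    sender: str
    recipient: str
    value_wei: int
    outgoing: bool  # True if the user sent it, False if the user received it

def normalize(addr: str) -> str:
    """Lower-case hex without the 0x prefix so checksum case does not matter."""
    a = addr.lower()
    return a[2:] if a.startswith("0x") else a

def looks_alike(candidate: str, known: str) -> bool:
    """Same visible ends as `known`, but a different address."""
    c, k = normalize(candidate), normalize(known)
    if len(c) != 40 or len(k) != 40 or c == k:
        return False
    return c[:PREFIX_LEN] == k[:PREFIX_LEN] and c[-SUFFIX_LEN:] == k[-SUFFIX_LEN:]

def known_counterparties(history: list) -> set:
    """Addresses the user has deliberately sent funds to."""
    return {normalize(t.recipient) for t in history if t.outgoing}

def find_poisoning(history: list) -> list:
    """Flag inbound dust transfers whose sender mimics a known counterparty."""
    known = known_counterparties(history)
    alerts = []
    for t in history:
        if t.outgoing or t.value_wei > DUST_WEI:
            continue
        for k in known:
            if looks_alike(t.sender, k):
                alerts.append({"suspect": t.sender, "mimics": "0x" + k, "value_wei": t.value_wei})
    return alerts

def check_destination(addr: str, history: list) -> tuple:
    """Pre-send check: ('known', addr), ('lookalike', real_addr) or ('new', None).
    'lookalike' means the address was almost certainly copied from a poisoned
    history entry and must not be used."""
    known = known_counterparties(history)
    a = normalize(addr)
    if a in known:
        return ("known", "0x" + a)
    for k in known:
        if looks_alike(a, k):
            return ("lookalike", "0x" + k)
    return ("new", None)

# Constructed sample data (all addresses are made up for this example).
USER = "0x" + "01" * 20
EXCHANGE_DEPOSIT = "0x1a2b" + "deadbeef" * 4 + "9a0b"  # a real destination
FRIEND = "0x" + "cafe" * 10
POISON = "0x1a2b" + "00" * 16 + "9a0b"                  # same ends, different middle
SAMPLE_HISTORY = [
    Tx(USER, EXCHANGE_DEPOSIT, 5 * 10**18, True),
    Tx(USER, FRIEND, 10**18, True),
    Tx(POISON, USER, 1, False),           # the poisoning dust transfer
    Tx(FRIEND, USER, 2 * 10**18, False),  # legitimate inbound, not dust
]
```

Running `find_poisoning(SAMPLE_HISTORY)` returns one alert naming POISON as a mimic of EXCHANGE_DEPOSIT, and `check_destination(POISON, SAMPLE_HISTORY)` returns the lookalike verdict a wallet should block on.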

For more on how different wallet types interact with these networks, see our guide on hardware wallets.

5. The AI revolution in phishing

The use of generative artificial intelligence has transformed phishing from a "low-effort" activity into a high-fidelity operation. AI-generated phishing emails achieve click-through rates four times higher than traditional methods. The grammar is flawless, the personalization is precise, and the sense of urgency is calibrated to each victim's profile.

Deepfake vishing and voice cloning

Voice cloning has become a critical tool for Business Email Compromise (BEC) and consumer fraud. With just three seconds of audio from a person, attackers can generate voice clones with 85% accuracy, reaching an "indistinguishability" threshold for the human ear.

In March 2026, cases were reported where scammers used voice clones of grandchildren to deceive grandparents, requesting urgent Bitcoin payments for supposed bail. In the corporate sphere, the Arup firm incident remains the reference case: an employee transferred $25.6 million after participating in a deepfake video call where the CFO and other colleagues appeared — all synthetically generated.

The combination of voice cloning and real-time deepfake video has created a threat that is qualitatively different from traditional phishing. When a victim sees and hears a person they trust asking them to take action, the psychological defenses that protect against email-based scams simply do not activate. For comprehensive guidance on protecting yourself, see Staying safe in crypto.

Autonomous scam agents

The most recent frontier is the deployment of autonomous agents based on large language models (LLMs). These bots can maintain "romance" or investment conversations (Pig Butchering) simultaneously with thousands of victims, intelligently adapting their tone and personality over weeks or months.

The "Truman Show" operation uncovered by Check Point revealed the use of 90 AI-generated "experts" in messaging groups, who directed victims to trading applications with market data controlled by the attacker. The victims believed they were receiving advice from a community of successful traders. In reality, every "expert," every chart, and every success story was fabricated by AI.

AI Scam Type        | Attack Method                                         | Risk Level for Enterprises
Deepfake video      | Executive impersonation in video calls                | Critical (payment fraud)
Voice cloning       | Calls impersonating family or tech support            | High (social engineering)
Generative phishing | Hyper-personalized emails without grammatical errors  | High (credential theft)
BEC agents          | Combination of email, voice, and synthetic video      | Critical (account takeover)

6. Case studies: 2025–2026

Analyzing recent incidents reveals the practical execution of these threats — and the lessons each one carries for anyone managing digital assets.

The $282 million social engineering theft

In January 2026, a hardware wallet user suffered a record loss of $282 million in Bitcoin and Litecoin. Despite using a Trezor, considered one of the most secure wallets available, security was subverted by a social engineering scheme where attackers impersonated technical support to manipulate the user.

Investigation revealed that the attackers used a leaked API key to facilitate the deception, making their impersonation of legitimate support more convincing. The funds were rapidly laundered through instant exchanges and routes linked to THORChain, ultimately being converted to Monero (XMR) to erase the trail. The conversion to Monero — a privacy coin with untraceable transactions — means recovery is virtually impossible.

This case is the most expensive illustration of a fundamental truth: hardware wallets protect against malware and remote key extraction, but they offer zero protection against a user voluntarily surrendering their recovery phrase. The device cannot distinguish between a legitimate recovery and a social engineering attack.

The TrueBit Protocol exploitation

In early 2026, the TrueBit protocol on Ethereum was exploited through a vulnerability in its TRU token minting price logic. An attacker abused a mathematical error that allowed minting large quantities of TRU with near-zero ETH, draining approximately $26.6 million in Ether from the protocol's reserves.

This case demonstrates that while phishing is the dominant threat, technical vulnerabilities in "stalled" or low-visibility smart contracts remain a latent risk. TrueBit's contract had been deployed years earlier and had not received the ongoing security attention that more active protocols benefit from. Legacy contracts holding significant value without active maintenance represent a ticking time bomb. For guidance on evaluating smart contract security, see How to verify smart contracts.

Government impersonation campaigns: E-ZPass

One of the most massive phishing campaigns of 2025 was the "E-ZPass" operation, which affected millions of drivers in the United States. The group known as "Smishing Triad," using the "Lighthouse" infrastructure, sent fraudulent SMS messages about toll debts that directed users to websites indistinguishable from official ones.

This operation reached 330,000 messages sent in a single day and managed to collect approximately $1 billion over three years, demonstrating the power of Phishing-as-a-Service (PhaaS). The scale of this campaign shows that phishing infrastructure has matured to a point where it can sustain multi-year operations generating nine-figure returns — rivaling the revenue of legitimate technology companies.

While E-ZPass targeted traditional payment methods, the same infrastructure and techniques are actively being adapted for cryptocurrency theft. The playbook is identical: create urgency, impersonate authority, and direct the victim to a site that captures their credentials or authorization signatures.

7. Protection strategies and resilience in 2026

Defense against modern phishing requires a transition from "implicit trust" to a Zero Trust architecture. Every interaction, every transaction request, and every communication must be independently verified. The days of trusting a URL because it "looks right" or a caller because they "sound legitimate" are over.

For a comprehensive guide on staying safe in crypto and privacy and security best practices, see our dedicated Learn articles.

Hardware-software synergy: the SignGuard model

In 2026, owning a hardware wallet is no longer a sufficient guarantee of security. The current trend is the use of integrated signature protection systems (SignGuard). This approach means that the wallet application (software) decodes and analyzes the transaction before it reaches the physical device.

Analysis parity. The software must display transaction details in a humanly readable format, warning about suspicious contract methods or unlimited spending approvals. If you see a transaction calling approve(spender, type(uint256).max), i.e. an allowance of 2^256 - 1, the interface should explicitly flag that you are granting unlimited access to your tokens.
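What such a pre-signing check has to do in practice, as an added example (not the article's code or any wallet's): decode raw ERC-20 approve(address,uint256) and NFT setApprovalForAll(address,bool) calldata by selector, and emit the warnings a human-readable preview should show, including the unlimited-allowance case. The spender address and the calldata are constructed for the example.

```python
"""Pre-signing calldata review for ERC-20 approve(address,uint256) and
ERC-721/1155 setApprovalForAll(address,bool): decode what is being granted
and raise the warnings a wallet UI should show. Added example, not the
article's code or any wallet's; the spender address is a placeholder."""
from typing import Iterable

APPROVE = bytes.fromhex("095ea7b3")              # keccak selector of approve(address,uint256)
SET_APPROVAL_FOR_ALL = bytes.fromhex("a22cb465")  # selector of setApprovalForAll(address,bool)
UINT256_MAX = 2**256 - 1

def _word(data: bytes, i: int) -> bytes:
    """i-th 32-byte ABI word after the 4-byte selector; rejects truncated input."""
    w = data[4 + 32 * i: 36 + 32 * i]
    if len(w) != 32:
        raise ValueError("calldata truncated")
    return w

def _addr(word: bytes) -> str:
    """ABI addresses are left-padded with 12 zero bytes; anything else is malformed."""
    if word[:12] != bytes(12):
        raise ValueError("malformed address word")
    return "0x" + word[12:].hex()

def explain(calldata: bytes, trusted: Iterable[str] = ()) -> dict:
    """Return method, spender/operator, amount and a list of warnings."""
    sel, warnings = calldata[:4], []
    if sel == APPROVE:
        spender = _addr(_word(calldata, 0))
        amount = int.from_bytes(_word(calldata, 1), "big")
        if amount == UINT256_MAX:
            warnings.append("UNLIMITED allowance: spender can move your whole balance at any time")
        elif amount >= 2**128:
            warnings.append("allowance exceeds any plausible balance (effectively unlimited)")
        out = {"method": "approve", "spender": spender, "amount": amount}
    elif sel == SET_APPROVAL_FOR_ALL:
        operator = _addr(_word(calldata, 0))
        approved = int.from_bytes(_word(calldata, 1), "big") != 0
        if approved:
            warnings.append("operator approval for EVERY token in this collection")
        out = {"method": "setApprovalForAll", "spender": operator, "approved": approved}
    else:
        out = {"method": "unknown selector 0x" + sel.hex(), "spender": None}
        warnings.append("unrecognized method: do not sign blind")
    if out["spender"] and out["spender"] not in {t.lower() for t in trusted}:
        warnings.append("spender is not on your trusted list")
    out["warnings"] = warnings
    return out

def encode_approve(spender: str, amount: int) -> bytes:
    """Build approve() calldata; used here only to construct sample input."""
    return APPROVE + bytes.fromhex(spender[2:]).rjust(32, b"\x00") + amount.to_bytes(32, "big")

def encode_set_approval_for_all(operator: str, approved: bool) -> bytes:
    """Build setApprovalForAll() calldata for sample input."""
    return SET_APPROVAL_FOR_ALL + bytes.fromhex(operator[2:]).rjust(32, b"\x00") + int(approved).to_bytes(32, "big")

SPENDER = "0x" + "ab" * 20   # placeholder spender / operator address
```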

Open-source protection. There is growing demand for devices with fully auditable firmware and hardware (open source), eliminating the risk of manufacturer "backdoors." If the firmware is not open source, you are trusting the manufacturer's security practices on faith.

Multi-level security. The use of physical security keys (FIDO2/YubiKey) is recommended to protect access to exchanges and email, eliminating the vulnerability of SMS-based 2FA. SIM-swap attacks remain a significant threat, and SMS 2FA should be considered compromised by default.

Managing EIP-7702 delegations

For users interacting with the new Ethereum standard, delegation hygiene is mandatory. It is essential to use tools such as the EIP-7702 Delegation Checker to verify whether an address has been delegated to an unknown contract.

Revoking an EIP-7702 delegation is performed by signing a new authorization that points to the zero address (address(0)), which effectively clears the wallet's code marker and restores its standard behavior. This should be done immediately if you suspect any unauthorized delegation, and proactively as part of regular security maintenance.
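The delegation mechanism described in section 3 and the hygiene steps above, as an added example (not the article's code and not the EIP-7702 Delegation Checker tool it names): decode the delegation designator that an EOA's code slot holds, flag delegation to a contract that is not on a known-safe list, review an authorization tuple before it is signed, and model what a new authorization, including the address(0) revocation, does to the code slot. The code bytes and both delegate addresses are constructed placeholders.

```python
"""EIP-7702 delegation hygiene: decode the delegation designator that an
account's code slot holds, flag delegation to an unknown contract, and model
what a newly signed authorization (including the address(0) revocation) does
to that slot. Added example: not the article's code and not the EIP-7702
Delegation Checker tool it mentions. The account code bytes are constructed
and both delegate addresses are placeholders."""
from typing import Optional

DELEGATION_PREFIX = bytes.fromhex("ef0100")  # magic that marks code as a 7702 delegation
ZERO_ADDRESS = "0x" + "00" * 20
SET_CODE_TX_TYPE = 0x04                       # tx type that carries the authorization list

def delegate_of(code: bytes) -> Optional[str]:
    """Delegated address if `code` is a designator (0xef0100 ++ 20-byte address).
    A plain EOA has empty code; a normal contract has arbitrary bytecode."""
    if len(code) == 23 and code[:3] == DELEGATION_PREFIX:
        return "0x" + code[3:].hex()
    return None

def classify(code: bytes, known_safe: set) -> str:
    """What eth_getCode on the account tells a defender."""
    target = delegate_of(code)
    if target is None:
        return "no delegation" if code == b"" else "contract bytecode (not an EOA)"
    if target in {a.lower() for a in known_safe}:
        return "delegated to known implementation " + target
    return "ALERT: delegated to unknown contract " + target + "; every call is routed through it"

def apply_authorization(target: str) -> bytes:
    """Code slot after a valid authorization for `target` is processed.
    Pointing at address(0) clears the slot, which is how a delegation is revoked."""
    if target.lower() == ZERO_ADDRESS:
        return b""
    return DELEGATION_PREFIX + bytes.fromhex(target[2:])

def review_authorization(chain_id: int, target: str, current_chain: int, known_safe: set) -> list:
    """Warnings a wallet should show before the user signs an authorization tuple."""
    warnings = []
    if chain_id == 0:
        warnings.append("chain_id 0: this authorization is valid on every chain")
    elif chain_id != current_chain:
        warnings.append("authorization targets chain %d, not the chain you are on" % chain_id)
    safe = {a.lower() for a in known_safe}
    if target.lower() != ZERO_ADDRESS and target.lower() not in safe:
        warnings.append("delegate is not a known implementation: its code becomes your account logic")
    return warnings

# Constructed placeholders for the demo.
SAFE_IMPL = "0x" + "11" * 20      # stands in for an audited, wallet-vetted delegate
UNKNOWN_IMPL = "0x" + "bad0" * 10  # stands in for a delegate the user never vetted
```

Feeding the bytes that `apply_authorization(UNKNOWN_IMPL)` produces into `classify` yields the ALERT verdict, and `apply_authorization(ZERO_ADDRESS)` returns empty code, matching the revocation described above.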

AI firewalls and browser security

Browser security platforms that use AI, such as LayerX and SquareX, have emerged; they analyze browser behavior in real time. These tools detect whether a malicious extension is attempting to inject prompts into generative AI tools or is trying to spoof the interface of popular wallets like MetaMask or Phantom.

Detection is no longer based on known malware signatures but on dynamic behavioral anomaly analysis. If a website attempts to overlay a fake MetaMask popup on top of the real one, or if it requests a signature type inconsistent with the action the user believes they are performing, the security layer intervenes before the signature is submitted.

8. The future of security: beyond seed phrases

The traditional model of a single seed phrase as the sole point of failure is being replaced, especially in institutional environments and for high-net-worth users.

MPC (Multi-Party Computation) technology. This approach divides the private key into multiple fragments distributed across different devices and parties, so that no single device or person has full control over the funds. Even if one fragment is compromised, the attacker cannot reconstruct the full key without obtaining a threshold number of additional fragments.

Permanent account abstraction. Migration to smart contract wallets (EIP-4337) enables the implementation of spending limits, address whitelists, and social recovery. These features minimize damage in case a signature is compromised. A spending limit of $1,000 per day means that even a successful phishing attack can only drain $1,000 before the victim detects the issue and responds.

Operational hygiene. The general recommendation for 2026 is to use hot wallets solely for daily operations with small amounts, while the bulk of assets should remain in hardware vaults disconnected from any frequent dApp interaction. The rule of thumb: if you would not carry that amount of cash in your pocket on the street, it should not be in a hot wallet.

For a deeper understanding of wallet architectures and their security trade-offs, see our guides on crypto wallets and hardware wallets.

9. Key takeaways

  1. Drainer-as-a-Service has industrialized wallet theft. Groups like Rublevka Team provide complete phishing infrastructure to affiliates who keep 75–80% of stolen funds, lowering the barrier to entry for would-be criminals.
  2. EIP-7702 is the most dangerous new attack vector. A single signature can delegate complete control of a wallet to a malicious contract, enabling atomic drainage of all assets — ERC-20 tokens, NFTs, and native ETH.
  3. Illicit crypto flows reached $158 billion in 2025. Stablecoins represent 84% of illicit volume. The average scam payment jumped 253% to $2,764.
  4. Drainers have gone multi-chain. Solana (CLINKSINK), TON (comment-based deception), and Layer 2s (Base, Arbitrum) are all actively targeted with network-specific attack techniques.
  5. AI has supercharged social engineering. Voice cloning from 3 seconds of audio, deepfake video calls, and autonomous LLM scam agents that maintain conversations with thousands of victims simultaneously.
  6. Hardware wallets are necessary but not sufficient. The $282 million Trezor user theft proves that no device can protect against a user voluntarily surrendering their recovery phrase.
  7. Zero Trust is the only viable defense model. Verify every transaction, manage EIP-7702 delegations, use FIDO2 keys, adopt MPC or smart contract wallets for high-value holdings, and keep hot wallet balances minimal.

See your full exposure — scan any wallet with CleanSky. Monitor all positions, all token approvals, and all risks across every chain. Detect suspicious approvals and delegations before they drain your wallet. No signup required.


Editorial independence. CleanSky is an independent project. This article contains no affiliate links or sponsored content. Read our editorial policy.