As cryptocurrencies gain mass adoption, scams become more and more commonplace. Just like criminals will go to any extent to rob assets in US Dollars, so it is with crypto nowadays.
There is, however, a major difference between a USD heist and a crypto one: the latter is 100% virtual and can be controlled remotely as long as you hold the private key. With legacy fiat currencies, you need some logistics and access to a bank account. There is no bank or middleman in crypto! So scammers and crypto ruggers employ different tools and techniques against their victims.
In this article we discuss one such tool : the crypto wallet drainer! This newe class of tools has several different names. Crypto drainers, drainware, wallet drainers, and XYZ drainers where XYZ is a specific DeFi asset name like several different NFTs, Solana, Avalanche, Bitcoin and Ethereum, to name a few.
So, what’s a wallet drainer?
As you may have guessed, it’s a tool that will automate the process of completely draining all assets off a cryptocurrency wallet.
Why use a wallet drainer?
Wallet drainers are simply tools that automate the boring task of repeatedly assembling transactions, signing them and sending them off into the network. You use a wallet drainer to move all assets from one wallet to another quickly and with little effort.
Are wallet drainers illegal?
Nope! There’s plenty of legit uses for wallet drainers! If you hold your assets in a certain wallet. Say, NFTs, several different tokens, ETH or AVAX and so on. At some point, you suspect you have have compromised your private key. You’ll need to move all assets to a new wallet in order to stay safe. You then use a wallet drainer in a completely legal way.
So why are wallet drainers used mostly by scammers?
Because scammers need a fast exit from the crime scene. As soon as they gain access to a private key, they must drain all assets controlled by that key as fast as possible. So they use a wallet drainer. Just like bank robbers use automobiles to escape a crime scene, that doesn’t make cars illegal.
A drainware attack is a complex operation where the scammers attempt to steal funds by employing several different techniques. There are usually two main phases in a drainware attack: the private key theft phase (usually accomplished through phishing) and the wallet drain phase. Let’s take a quick look at these two stages.
The Phishing Phase
When a wallet drainer is used to steal assets from a victim, the attacker must first gain access to the private key. So, a drainware attack usually begins with some kind of phishing and/or impersonation type fraud. The idea here is to gain access to a victim’s mnemonic phrase. This is usually accomplished by publishing a fraudulent web page that looks exactly like the original wallet, complete with SSL certificate and all the bells and whistles you’d expect from the legitimate wallet. The phishing page will usually display some fake error after you insert the mnemonic phrase. Something like “an error occurred, try again later”.
At this point the scammer has already moved on to the next phase of the drainware attack.
Wallet Drainer Phase
This is where the crypto drainer comes into play.
The scammer will now take the stolen mnemonic phrase and will run the wallet drainer using it. The wallet drainer simulates an actual wallet : it starts to generate HD keys and as many as possible addresses under that master private key’s control. It then checks explorers for assets held under each address. For each asset found, it immediately builds and signs a transaction moving the asset to a new wallet. An experienced scammer will usually create a different wallet for each heist. It’s very difficult tracing funds when they do that.
How exchanges deal with such attacks?
Thus, centralized exchanges keep gigantic lists of blocked addresses. When a deposit comes in from a suspected drainware scammer address, the exchange will immediately freeze the account and request KYC and other guarantees from the account owner.
Every DeFi platform has its own addressing scheme and different crypto algorithms. For example, Ethereum’s Kekkak-256 is incompatible with Bitcoin’s SHA256 hashing algorithm.
For this reason there isn’t a single wallet drainer that can be used for all platforms. Even the programming languages vary a lot among projects. Cardano uses Haskell, Avalanche uses Go, Bitcoin uses C++ and so on. This makes it very difficult to implement universal libraries on a single wallet drainer. (Any project which was able to implement all these platforms under a single umbrella would be a killer app and would probably not be wasted on a wallet draining tool.)
Bitcoin doesn’t have sophisticated smart contracts. Its script language is really barebones, so Bitcoin wallet drainers aren’t really sophisticated. All they do is generate the HD wallet’s addresses and drain the BTC contained in each. So we’ll focus on Ethereum drainers next.
By far, the most common wallet drainers are built for the Ethereum platform. For obvious reasons!
A large share of DeFi contracts, NFTs and tokens are implemented on the Ethereum platform. Even though Cardano and Avalanche are quickly gaining ground, Ethereum has 4 to 5 year lead on smart contracts and community adoption.
You can easily find Ethereum wallet drainers on Github. They’re open source projects and serve as a reference for legitimate programmers. Wallet drainers actually perform a lot of a traditional wallet’s functions. Learning how an Ethereum wallet drainer works will help you understand how Ethereum address and transaction functions work as well.
Some popular Ethereum wallet drainers include eth-drainer, seaport-drainer, eth-token-nft-drainer among others.
Watch out for browser-based wallets.
Browser-based wallets are permanent risk.
Any javascript program can detect Core Wallet or Metamask running in a browser. Since javascript can be loaded from any source, when you’re browsing the WWW using a wallet-enabled browser, you’re placing yourself at risk at every site you visit.
Never use your wallet-enabled browser profile for general www browsing. Most browsers allow you to create several profiles. Use a safe, clean profile for your wallet sessions, then close it and use your main profile for www browsing.
Use a hardware wallet
This is by far the most important step everyone should take in order to keep their keys safe.
If you choose to keep your browser-wallet enabled at all times, then you should definitely purchase a hardware wallet. Hardware wallets never leak your private key. So, even if the browser or wallet get compromised, the attacker won’t get hold of the private key.
Double check wallet URLs
This is a basic one : always check that the wallet URL matches the official address. Phishing consists in publishing a nearly identical page under a fake name. Always verify the name.
Also pay attention to any certificate warnings. If there are any SSL certificate warnings whatsoever, then back off immediately and contact wallet support. Take a screenshot if possible. It may be something harmless, but most of the time a SSL warning means the website has been compromised somehow.