
What is a Wallet Drainer? How hackers clean up assets in wallets

January 29, 2026 · #Blockchain

A wallet drainer is not just a piece of malware but a sophisticated fraud industry. This article analyzes how hackers "empty" wallets and the most effective defense strategies available today.


The explosion of decentralized finance (DeFi) and digital assets has created a new era for financial transactions, but has also opened the door to some of the most sophisticated forms of cybercrime in history. According to observations by the team of experts at Tan Phat Digital, the wallet drainer has become a permanent threat, targeting not only inexperienced new users but also professional financial institutions with complex security systems. Unlike traditional attacks that target vulnerabilities in smart contract source code, a wallet drainer focuses on exploiting the human factor through social engineering and fake user interfaces, so that control of the assets is handed over through the victim's own unwitting confirmation.

Over 2024 - 2026, these activities have shifted from isolated phishing scenarios to an organized business model known as Drainer-as-a-Service (DaaS), in which malware developers provide infrastructure to partners who carry out large-scale thefts. This report analyzes in detail the technical nature of the threat, the fluctuations of the wallet-malware market over the years, typical attack scenarios, and the breakthrough trends in artificial intelligence (AI) that are reshaping the cybersecurity landscape in 2026.

Market analysis and damage data for the period 2024 - 2025

Statistical data from blockchain security units such as Scam Sniffer and Chainalysis show drastic fluctuation in the total value of assets appropriated through wallet drainers over the years. 2024 is considered the peak of wallet thefts, with record numbers, while 2025 saw a decrease in total value but a significant increase in the selectivity and sophistication of attacks.

Damage statistics over the years (2023 - 2025)

The activity of wallet drainers is usually proportional to the level of excitement in the cryptocurrency market. Here are the key cybersecurity metrics compiled:

| Metric | 2023 | 2024 | 2025 | YoY change (2024-2025) |
|---|---|---|---|---|
| Total asset losses (USD) | 295 million | 494 million | 83.85 million | Down 83.0% |
| Total number of victims | 324,000 | 332,000 | 106,106 | Down 68.0% |
| Largest single theft (USD) | 24.05 million | 55.48 million | 6.5 million | Down 88.3% |
| Cases with losses of 1 million USD or more | 13 cases | 30 cases | 11 cases | Down 63.3% |
| Average loss per victim (USD) | About 910 | About 1,488 | About 790 | Down 46.9% |

Based on the data, the decline in losses in 2025 can be explained by large drainer groups such as Pink Drainer and Inferno Drainer temporarily halting operations, along with increased user awareness thanks to the tools that security units such as Tan Phat Digital regularly recommend.

Monthly fluctuations in 2025

  • Q1: 21.94 million USD in losses with 22,000 victims. The market was flat and phishing activity decreased.

  • Q2: 17.78 million USD in losses with 21,000 victims. The market recovered slightly; hackers focused on permission-approval exploits.

  • Q3: 31.04 million USD in losses with 40,000 victims. This was the peak of activity, driven by the rising momentum of BTC and ETH; users were easily caught off guard by FOMO.

  • Q4: 13.09 million USD in losses with about 23,000 victims. A stable market and the lowest losses of the year.

Anatomy of a Wallet Drainer attack

An attack does not occur randomly but is the result of a carefully calculated series of technical operations:

  1. Lure (scam airdrop & phishing): Hackers create fake websites impersonating reputable projects such as Chainlink or BNB Chain. They take over large X (Twitter) accounts or run Google Ads campaigns to put fraudulent links at the top of search results.

  2. C2 connection (Command and Control): When you press "Connect Wallet", the malicious code sends your wallet address to the hacker's server, which analyzes the balance and decides what type of transaction it will ask you to sign.

  3. On-chain preparation: The script can force the wallet to switch to the network where you hold the most funds (such as Arbitrum or BSC) and check for old approvals.

  4. Execute withdrawal: Hackers use calls such as ERC-20 Approve, a Permit signature (EIP-2612) or SetApprovalForAll to take control of your tokens and NFTs without needing you to confirm a second time.

Technical mechanism: From Approve to Permit2 and EIP-7702

Understanding the signature types is the best way to protect your assets. Here are the differences:

  • Traditional Approval (Approve):

    • Gas Fee: Payable for each approval.

    • Visibility: Clearly visible on the wallet (address, gas fee).

    • Duration: Permanent until manual cancellation.

    • Risk: The most common vector in dApp hacks.

  • Signature Permit (EIP-2612):

    • Gas fee: No fee for the approval step (off-chain).

    • Display: Usually shows only a confusing text message, so users are easily fooled into signing.

    • Duration: Depends on the contract parameters.

    • Risk: Rising in scams against individuals.

  • Permit2 (Uniswap):

    • Gas fee: Gas-optimized, allowing bulk approvals.

    • Display: Can display the deadline and the specific amount.

    • Duration: An automatic expiration time can be set.

    • Risk: Accounted for 38% of high-value thefts in 2025.

Warning from Tan Phat Digital: The new EIP-7702 standard in the Pectra upgrade allows a personal wallet to temporarily act as a smart contract. Hackers can trick you into signing a single authorization that bundles a series of withdrawal orders into one transaction.
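The three request types above differ mainly in what the wallet shows you, so the practical defense is to inspect the request yourself before signing. The following is an added example, not code from the article or from Tan Phat Digital: a small Node.js checker that decodes an on-chain approve / setApprovalForAll call or an EIP-712 Permit (EIP-2612) / Permit2 PermitSingle message and raises the warnings a simulation tool would. It also goes slightly beyond the text by flagging a chain-ID mismatch, since the article notes that drainers force a network switch first. The function selectors are the standard 4-byte IDs; every address, the trusted-spender list and the thresholds are constructed placeholders.

```javascript
// Added example, not the article's code: a local "what am I about to sign?" check
// for the approval types the article contrasts. Plain Node.js, no libraries.
// All addresses and policy thresholds below are constructed placeholders.
const SELECTORS = {
  "095ea7b3": "approve(address,uint256)",        // ERC-20 allowance
  "a22cb465": "setApprovalForAll(address,bool)", // ERC-721 / ERC-1155 operator
};
const UINT256_MAX = (1n << 256n) - 1n;
const UINT160_MAX = (1n << 160n) - 1n; // Permit2 amounts are uint160

// Decode an on-chain approval transaction. Returns null for anything else.
function decodeApprovalCalldata(calldata) {
  const hex = calldata.replace(/^0x/i, "").toLowerCase();
  const fn = SELECTORS[hex.slice(0, 8)];
  if (!fn || hex.length < 8 + 2 * 64) return null;
  const word = (i) => hex.slice(8 + 64 * i, 8 + 64 * (i + 1));
  const operator = "0x" + word(0).slice(24); // address = low 20 bytes of the word
  const raw = BigInt("0x" + word(1));
  return fn.startsWith("approve")
    ? { fn, operator, amount: raw, unlimited: raw === UINT256_MAX }
    : { fn, operator, approved: raw === 1n, unlimited: raw === 1n }; // true = every token
}

// Pull spender / value / deadline out of an EIP-2612 Permit or a Permit2
// PermitSingle typed-data request. Returns null for unrelated typed data.
function parsePermit(typedData) {
  const m = typedData.message;
  if (typedData.primaryType === "Permit") {
    return { kind: "EIP-2612", spender: m.spender, value: BigInt(m.value),
             deadline: Number(m.deadline), max: UINT256_MAX };
  }
  if (typedData.primaryType === "PermitSingle") {
    return { kind: "Permit2", spender: m.spender, value: BigInt(m.details.amount),
             deadline: Number(m.details.expiration), max: UINT160_MAX };
  }
  return null;
}

// Policy check shared by both paths. policy = { trustedSpenders, chainId,
// maxDeadlineSec, nowSec }. Returns human-readable warnings; an empty list
// means "nothing unusual", not "safe".
function assessSignRequest(request, policy) {
  const trusted = new Set(policy.trustedSpenders.map((a) => a.toLowerCase()));
  const warnings = [];
  let spender, unlimited, label, deadline = null, chainId = null;
  if (request.kind === "calldata") {
    const d = decodeApprovalCalldata(request.data);
    if (!d) return warnings;
    spender = d.operator; unlimited = d.unlimited; label = d.fn;
    chainId = request.chainId ?? null;
  } else if (request.kind === "typedData") {
    const p = parsePermit(request.typedData);
    if (!p) return warnings;
    spender = p.spender; unlimited = p.value === p.max; label = p.kind;
    deadline = p.deadline;
    chainId = request.typedData.domain?.chainId ?? null;
  } else {
    return warnings;
  }
  if (!trusted.has(spender.toLowerCase()))
    warnings.push(`${label}: spender ${spender} is not on your trusted list`);
  if (unlimited)
    warnings.push(`${label}: grants UNLIMITED access (whole balance / every token)`);
  if (deadline !== null && deadline - policy.nowSec > policy.maxDeadlineSec)
    warnings.push(`${label}: valid for ${Math.round((deadline - policy.nowSec) / 86400)} days, far longer than a swap needs`);
  if (chainId !== null && Number(chainId) !== policy.chainId)
    warnings.push(`${label}: targets chain ${chainId}, not the chain you expected (${policy.chainId})`);
  return warnings;
}

module.exports = { decodeApprovalCalldata, parsePermit, assessSignRequest };
```

Feed it the raw `data` field of a pending transaction or the typed-data object a dApp passes to `eth_signTypedData_v4`; a real wallet extension sees both before you do. The deadline rule is the part users most often miss: a Permit with a deadline decades away is an unlimited approval in disguise.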

See more: How dangerous is approval scam and why so many people fall into the trap

Drainer-as-a-Service (DaaS) Ecosystem

The DaaS model allows unskilled hackers to steal money by renting the tools. Profits are usually split in the following ratio:

  • Affiliates: Receive 70-80% of the stolen money for luring victims.

  • Developers: Receive 20-30% of the fee to maintain malicious code infrastructure.

Prominent groups include:

  • Monkey Drainer: Closed, moved to other groups.

  • Inferno Drainer: Still operates anonymously with sophisticated proxy infrastructure.

  • MS Drainer: Focuses on mobile users and fake Google Play apps.

  • Eleven Drainer: Emerging group that regularly gives away "luxury cars" to the thieves in its network who steal the most money.

Trend in 2026: Artificial Intelligence and Fraud Industrialization

In 2026, Tan Phat Digital noted the emergence of Agentic AI: autonomous AI agents capable of searching for "whale" wallets, creating fake addresses on their own, and passing KYC verification steps with deepfakes, with no need for human intervention.

The injection attack technique also becomes dangerous when the hacker does not fake a face in front of the camera but "injects" a digital video stream directly into the application's data to bypass Face ID. In addition, deepfake livestreams of Elon Musk or Brad Garlinghouse "giving away" gifts remain a popular FOMO trap on YouTube and X.

Address Poisoning Attack

Hackers take advantage of the habit of copying wallet addresses from transaction history. They generate "vanity" wallet addresses whose first and last 4-5 characters are identical to your wallet's. Then they send a very small amount of money (dust) to your wallet to "poison" the history. If you accidentally copy this address for your next transfer, the money goes straight to the hacker's pocket.
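Because the poisoned entry is indistinguishable at a glance, the defense is mechanical comparison rather than eyeballing. The following is an added example, not code from the article: a Node.js helper that scans a wallet's history for counterparties that share the first and last characters of your own address or of a saved contact but differ in between, and a recipient check that refuses such lookalikes at send time. The addresses, the history lines, the prefix/suffix widths and the dust threshold are all constructed for the example.

```javascript
// Added example, not the article's code: address-poisoning detection over a
// transaction history plus a pre-send recipient check. Plain Node.js.
// All addresses, history entries and thresholds are constructed placeholders.
const PREFIX = 5;            // hex chars after "0x" a user typically compares
const SUFFIX = 5;            // trailing hex chars a user typically compares
const DUST_WEI = 10n ** 15n; // 0.001 ETH; constructed threshold for "dust"

const norm = (a) => a.toLowerCase();

// True when `candidate` matches the visible ends of `known` but is not `known`.
function looksLike(candidate, known) {
  const c = norm(candidate), k = norm(known);
  if (c === k) return false;
  return c.startsWith(k.slice(0, 2 + PREFIX)) && c.endsWith(k.slice(-SUFFIX));
}

// history entries: { hash, from, to, valueWei (decimal string), incoming: bool }
// addressBook: { label: address }. Returns one finding per suspicious entry.
function findPoisoningEntries(history, myAddress, addressBook) {
  const known = [myAddress, ...Object.values(addressBook)];
  const findings = [];
  for (const tx of history) {
    const counterparty = tx.incoming ? tx.from : tx.to;
    const mimicked = known.find((k) => looksLike(counterparty, k));
    if (!mimicked) continue;
    const dust = BigInt(tx.valueWei) <= DUST_WEI;
    findings.push({
      hash: tx.hash,
      counterparty,
      mimics: mimicked,
      reason: tx.incoming && dust ? "dust from lookalike address" : "lookalike address",
    });
  }
  return findings;
}

// Check a pasted recipient against the address book before sending.
// verdict: "known" (exact saved contact), "lookalike" (refuse), "unknown" (verify out of band).
function resolveRecipient(pasted, addressBook) {
  const p = norm(pasted);
  for (const [label, addr] of Object.entries(addressBook)) {
    if (norm(addr) === p) return { verdict: "known", label, address: addr };
    if (looksLike(p, addr)) {
      return { verdict: "lookalike", label, reason: `matches saved contact "${label}" only at the ends` };
    }
  }
  return { verdict: "unknown", reason: "not in address book; confirm via an official source" };
}

module.exports = { looksLike, findPoisoningEntries, resolveRecipient };
```

The key design choice is that the check runs against the full 40-character address, never the abbreviated form a wallet UI displays; the poisoned entry is built precisely to survive the abbreviated comparison.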

Defense strategy and security tools 2026

To protect assets, Tan Phat Digital recommends that users equip the following defense layers:

  • Pocket Universe / Wallet Guard: Transaction simulation tools that let you see the result ("how much this will cost you") before you sign.

  • Revoke.cash: Essential tool for managing and revoking the unlimited token approvals you granted in the past.

  • Kerberus Sentinel3: Real-time phishing blocker and address-poisoning protection with a high accuracy rate.

  • Rabby Wallet: A wallet with built-in risk warnings, safer than default wallets.

  • Ledger / Trezor (hardware wallet): Store 90% of your assets in a cold wallet and use only 10% in a hot wallet for transactions.

See more: Rug Pull usually occurs at what stage of a Crypto project

Emergency handling process when hacked

If you suspect your wallet has been hacked, take the following 4 steps immediately:

  1. Cancel approvals: Visit Revoke.cash to cancel all token access.

  2. Evacuate assets: Transfer the remaining funds to a completely new wallet created on a clean device.

  3. Scan for malware: Check the device for keyloggers.

  4. Report: Contact exchanges to block the hacker's wallets and report to the authorities.

10 Frequently Asked Questions (FAQ)

  1. What actually is a Wallet Drainer? Wallet drainers are pieces of malicious code embedded in fake decentralized applications (dApps), designed to trick the user into handing over control of the wallet. As soon as permission is granted, hackers use bots to automatically wipe out all the most valuable assets within seconds.

  2. What tricks do hackers often use to lure victims? They exploit fear of missing out (FOMO) through free airdrop programs, limited NFT mints or DeFi rewards. Phishing links often appear in ads on X (Twitter), on Discord, or in paid ads on Google.

  3. Why are Permit signatures more dangerous than regular transactions? Because Permit signatures (EIP-2612) take place off-chain and cost no gas up front, many wallets cannot simulate them or display obvious red flags. Users often sign without knowing that they have just given hackers the right to withdraw their funds.

  4. How does EIP-7702 affect wallet security in 2026? It is a new attack vector. With just a single signature, hackers can turn your wallet into a "gateway" that lets them perform a series of asset withdrawals (ETH, NFTs, tokens) without any additional confirmation.

  5. What is Address Poisoning and how do I avoid it? Hackers send a very small amount of money from a wallet address that looks similar to yours (generated with a vanity-address tool) so that it appears in your transaction history. To avoid losing money, never copy an address from your transaction history; copy it from an official source or a trusted wallet address book instead.

  6. How to recognize fraudulent Deepfake videos on YouTube/X? Pay attention to signs such as lip movements that do not match the sound, eyes that rarely blink, or strange shadows around the face. Always check that the posting account has a green check mark or that the website in question is an official domain.

  7. What tool should I use to "scan" a transaction before signing? Utilities such as Pocket Universe or Wallet Guard are the top choices. They display the outcome in plain language ("You will lose 1000 USDT") instead of complicated hex codes, helping you stop in time.

  8. Why do experts recommend the 90/10 strategy? Because hot wallets (on phones or computers) always carry the risk of being hacked via the web. Keeping 90% of assets in a cold wallet (hardware wallet) ensures safety for large amounts of money, while the 10% in the hot wallet is used only for "hunting" deals or small spending.

  9. If I accidentally click and sign on a fraudulent link, what should I do first? Act within the "golden" window: immediately go to Revoke.cash to cancel (revoke) all the approvals you just granted. If your wallet shows signs of being continuously drained of ETH, create a new wallet and transfer any remaining assets immediately.

  10. Will wallet fraud ease in 2026? While overall losses are down in 2025, the drainer ecosystem remains dynamic. Hackers are shifting from quantity to quality, using AI to carry out sophisticated attacks targeting high-value accounts.

In the 2026 AI era, no matter how strong security technology is, it cannot replace your own vigilance. Always be skeptical of "free" offers and always use a simulation tool before pressing any confirmation button on an e-wallet.
