
Why does the wallet still lose money even though the private key is not revealed?

blockchain · January 29, 2026 · #Blockchain

This article analyzes modern fraud mechanisms such as drainer scripts and Permit2 abuse, and sets out the multi-layer prevention strategies needed to keep digital assets safe.


The cryptocurrency ecosystem's shift from simple money transfers to a complex network of decentralized finance (DeFi) and smart contracts has fundamentally changed the definition of asset security. In its infancy, protecting private keys or seed phrases was considered the strongest shield for cryptocurrency wallets.

However, actual figures from 2023 to 2026 show an alarming trend: users' assets are still drained even if their private keys never leave an offline environment or secure device. According to experts at Tan Phat Digital, this loss does not originate from cracking encryption algorithms but from the abuse of permission approval mechanisms, design flaws in the user interface (UI), and sophisticated social engineering techniques using artificial intelligence.

Token permission approval mechanism and vulnerability from the Approve function

The essence of DeFi protocols such as decentralized exchanges (DEX) and lending platforms is the direct interaction of smart contracts with the assets in a user's wallet. For a decentralized application (dApp) to perform swaps or deposits automatically, the user must first complete a step called "token approval". Technically, the approve(address spender, uint256 amount) function is called on the token's contract to update a mapping that records which addresses (spenders) are allowed to spend a specific amount of the user's tokens.

The problem arises from the design habits of dApps to optimize user experience. Instead of requiring approval for each individual transaction, dApps typically request "unlimited" approval, equivalent to the maximum value of a 256-bit unsigned integer ($2^{256}-1$). When a user confirms this command, they give that smart contract the right to withdraw any amount of tokens at any time without any additional confirmation steps. If that smart contract fails, is hijacked by a hacker, or is itself a disguised "drainer", the entire token balance will disappear in an instant.

Spending authorization levels and associated risks

  • Limited approval:

    • Features: Only a specific amount of spending is allowed (e.g. 100 USDT).

  • Unlimited approval:

    • Features: Allows the entire current and future balance of that token to be spent.

    • Risk: All assets of that token can be wiped out if the smart contract is hacked or malicious.

    • Recommendation: Only grant to reputable protocols that have been audited, have operated for a long time and are trusted by the community.

  • NFT approval (Approve for All):

    • Features: Allows the authorized address to transfer every NFT in a specific collection.

    • Risk: The entire NFT collection can be lost after just a single signature.

    • Recommendation: Exercise extreme caution when interacting with NFT minting sites or exotic marketplaces.

The accumulation of approvals over time creates a "potential attack surface". Users may have granted permissions to a project years ago, then the project was abandoned or compromised by hackers. This is why using "revoke approval" tools to periodically revoke spending permissions is an indispensable part of wallet hygiene that Tan Phat Digital always emphasizes with customers.
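The following is an added example written for this article, not code from the article or from any token or wallet project. It reproduces the ERC-20 approve/transferFrom rules in plain Python to show why an unlimited approval granted once keeps working on tokens deposited later, why disconnecting a dApp changes nothing, and why approve(spender, 0) is the actual "revoke". It also contains a small allowance audit that flags approvals worth revoking. All addresses, balances and allowances are constructed sample values; a real audit would read allowance(owner, spender) from each token contract through an RPC node.

```python
"""Simulated ERC-20 allowance semantics plus an allowance audit.

Added example (not from the article or any project). The ledger mimics the
ERC-20 approve/transferFrom rules; every address and amount is constructed.
"""
from dataclasses import dataclass, field

UINT256_MAX = 2**256 - 1          # the "unlimited" approval value


@dataclass
class Erc20Sim:
    """Minimal ERC-20 ledger: balances and the (owner, spender) -> allowance map."""
    name: str
    balances: dict = field(default_factory=dict)
    allowances: dict = field(default_factory=dict)

    def mint(self, to, amount):
        self.balances[to] = self.balances.get(to, 0) + amount

    def approve(self, owner, spender, amount):
        # approve() overwrites the previous value; approve(spender, 0) is the revoke.
        self.allowances[(owner, spender)] = amount

    def allowance(self, owner, spender):
        return self.allowances.get((owner, spender), 0)

    def transfer_from(self, spender, owner, to, amount):
        """The spender moves the owner's tokens; the owner is not involved at all."""
        allowed = self.allowance(owner, spender)
        if allowed < amount:
            raise PermissionError("insufficient allowance")
        if self.balances.get(owner, 0) < amount:
            raise ValueError("insufficient balance")
        if allowed != UINT256_MAX:    # unlimited allowances are never decremented
            self.allowances[(owner, spender)] = allowed - amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount


def classify(amount, balance):
    """Label an allowance relative to what the owner currently holds."""
    if amount == 0:
        return "none"
    if amount == UINT256_MAX:
        return "unlimited"
    if amount > balance:
        return "exceeds_balance"      # future deposits become spendable too
    return "limited"


def audit(token, owner, trusted=frozenset()):
    """Return (spender, class, revoke call) for approvals the owner should revoke."""
    findings = []
    balance = token.balances.get(owner, 0)
    for (o, spender), amount in token.allowances.items():
        if o != owner:
            continue
        cls = classify(amount, balance)
        if cls in ("unlimited", "exceeds_balance") and spender not in trusted:
            findings.append((spender, cls, f"{token.name}.approve({spender}, 0)"))
    return findings


def drain_scenario():
    """An unlimited approval from long ago drains tokens deposited much later."""
    usdt = Erc20Sim("USDT")
    owner, dapp, attacker = "0xOwner", "0xOldDapp", "0xAttacker"   # constructed
    usdt.mint(owner, 100)
    usdt.approve(owner, dapp, UINT256_MAX)     # the "unlimited" prompt, confirmed once
    usdt.mint(owner, 900)                      # months later: fresh deposit, dApp now compromised
    usdt.transfer_from(dapp, owner, attacker, 1000)   # no signature, no confirmation, no "connection"
    stolen = usdt.balances[attacker]
    usdt.approve(owner, dapp, 0)               # the revoke: allowance back to zero
    try:
        usdt.transfer_from(dapp, owner, attacker, 1)
        blocked = False
    except PermissionError:
        blocked = True
    return stolen, blocked


if __name__ == "__main__":
    stolen, blocked = drain_scenario()
    print(f"stolen before revoke: {stolen}, further transfers blocked: {blocked}")
```

Note that `drain_scenario` never touches any notion of a dApp "connection": the allowance map is on-chain state and only another approve() call changes it, which is the point behind FAQ 1 below.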

See more: What is private key and passphrase in wallet? A guide to digital asset self-management

The evolution of off-chain signatures: From EIP-2612 to Permit2

To solve the problem of gas fees and cumbersome transaction steps, the Ethereum community has introduced standards such as EIP-2612 (Permit) and Uniswap Permit2. However, these improvements unintentionally create new methods for attackers to withdraw funds without requiring an on-chain transaction from the user.

Permit Mechanism (EIP-2612) and Permit2

EIP-2612 introduces a permit() function that lets users authorize spending with an off-chain digital signature. Instead of sending an approve transaction to the network, the user simply signs a message in the EIP-712 structured format. An attacker can build a phishing website that asks the user to "log in", when the message being signed is actually an authorization granting unlimited spending permission. Because this is an off-chain signature, the user sees no gas cost notification, which lowers their vigilance.

Uniswap's Permit2 creates an intermediary contract that manages rights for all types of ERC-20 tokens. Despite its convenience, Permit2 creates a "centralized weakness". If an attacker tricks a user into signing a Permit2 message, they can simultaneously withdraw different types of tokens in the same transaction, making the withdrawal speed much faster than traditional methods.

Signatures are produced with the ECDSA algorithm over the elliptic curve secp256k1. The permit contract uses the ecrecover function to recover the signer's address from the signature, so whoever holds a valid signature, including an attacker who phished it, can submit it and prove that the owner authorized the permission:

address = ecrecover(digest, v, r, s)

The complexity of this structure makes it difficult for ordinary users to manually check authenticity, creating conditions for blind signing fraud scenarios to become common.
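As an added example for this section (not code from the article, Uniswap or any wallet), here is a pre-signature inspector that reads the EIP-712 typed-data object a dApp passes to eth_signTypedData_v4 and translates it into plain-language warnings: an unlimited allowance, a spender not on the user's allowlist, an approval that stays valid for more than 30 days, or a Permit2 batch that covers several tokens in one signature. The field names follow the EIP-2612 Permit struct and the Permit2 PermitSingle/PermitBatch structs; the sample messages, the contract and spender addresses, the allowlist and the reference time are all constructed placeholders.

```python
"""Pre-signature inspector for EIP-2612 Permit and Uniswap Permit2 typed data.

Added example (not from the article or any project). It renders what a
signature request would grant before the user signs it. Sample data is
constructed; addresses are placeholders, not real contracts.
"""
import json
import time

UINT256_MAX = 2**256 - 1
UINT160_MAX = 2**160 - 1          # Permit2 stores amounts as uint160
THIRTY_DAYS = 30 * 24 * 3600
NOW = 1_700_000_000               # constructed reference time for the samples


def _details_list(msg, primary):
    """Normalise the three permit shapes into (token, spender, amount, expiry) tuples."""
    if primary == "Permit":                            # EIP-2612: one token, per-token contract
        return [(None, msg["spender"], int(msg["value"]), int(msg["deadline"]))]
    if primary == "PermitSingle":                      # Permit2: one token
        d = msg["details"]
        return [(d["token"], msg["spender"], int(d["amount"]), int(d["expiration"]))]
    if primary == "PermitBatch":                       # Permit2: many tokens, one signature
        return [(d["token"], msg["spender"], int(d["amount"]), int(d["expiration"]))
                for d in msg["details"]]
    raise ValueError(f"not a permit request: {primary}")


def inspect_permit(typed_data, trusted_spenders, now=None):
    """Return human-readable warnings; an empty list means nothing unusual."""
    now = int(time.time()) if now is None else now
    td = json.loads(typed_data) if isinstance(typed_data, str) else typed_data
    primary = td["primaryType"]
    trusted = {s.lower() for s in trusted_spenders}
    warnings = []
    for token, spender, amount, expiry in _details_list(td["message"], primary):
        # EIP-2612 permits are signed against the token contract itself (the EIP-712 domain).
        token = token or td["domain"].get("verifyingContract")
        if spender.lower() not in trusted:
            warnings.append(f"spender {spender} is not on your allowlist")
        if amount in (UINT256_MAX, UINT160_MAX):
            warnings.append(f"UNLIMITED allowance on {token} for {spender}")
        if expiry - now > THIRTY_DAYS:
            warnings.append(f"allowance on {token} stays valid for more than 30 days")
    if primary == "PermitBatch":
        warnings.append(f"batch: one signature covers {len(td['message']['details'])} tokens")
    return warnings


# Constructed sample: a "log in" prompt that is really an unlimited Permit2 approval.
SAMPLE_PHISHING_PERMIT2 = {
    "primaryType": "PermitSingle",
    "domain": {"name": "Permit2", "chainId": 1, "verifyingContract": "0xPERMIT2_PLACEHOLDER"},
    "message": {
        "details": {"token": "0xTOKEN_PLACEHOLDER", "amount": str(UINT160_MAX),
                    "expiration": NOW + 365 * 86400, "nonce": 0},
        "spender": "0xUNKNOWN_SPENDER_PLACEHOLDER",
        "sigDeadline": NOW + 600,
    },
}

# Constructed sample: a normal EIP-2612 permit for a bounded amount and a short deadline.
SAMPLE_BENIGN_PERMIT = {
    "primaryType": "Permit",
    "domain": {"name": "USD Token", "version": "1", "chainId": 1,
               "verifyingContract": "0xTOKEN_PLACEHOLDER"},
    "message": {"owner": "0xOWNER_PLACEHOLDER", "spender": "0xROUTER_PLACEHOLDER",
                "value": "100000000", "nonce": 7, "deadline": NOW + 600},
}

TRUSTED = {"0xROUTER_PLACEHOLDER"}   # the user's own vetted spender list (constructed)

if __name__ == "__main__":
    for name, td in (("phishing", SAMPLE_PHISHING_PERMIT2), ("benign", SAMPLE_BENIGN_PERMIT)):
        print(name, inspect_permit(td, TRUSTED, now=NOW) or ["no warnings"])
```

Wallets that simulate transactions (FAQ 9 below) do a richer version of this, but even this check turns the unreadable 256-bit value in a "login" prompt into the words "UNLIMITED allowance", which is what a user needs to see before signing.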

See also: What is Transaction ID (TxID)? Instructions for looking up transaction codes

Automatic withdrawal techniques: Drainer Scripts and DaaS

The term "drained wallet" is associated with the rise of professional criminal organizations operating under the Drainer-as-a-Service (DaaS) model. These groups provide complete malware toolkits for affiliates to deploy large-scale phishing campaigns.

Analysis of typical Drainer groups

  • Monkey Drainer (2022 - March 2023): Appropriated about 13 million USD. Characterized by the use of Javascript scripts impersonating the Seaport and WalletConnect protocols to trick users into signing.

  • Inferno Drainer (November 2022 - November 2023): Appropriation of about 87 million USD. This group has created more than 16,000 fraudulent domain names, using a "waiting" mechanism to catch wallets with large balances before taking action.

  • Angel Drainer (2023 - 2025): Appropriating tens of millions of dollars. Famous for supply chain attacks, directly targeting domain name providers and IT staff of large projects.

DaaS's business model is extremely professional with profit sharing between developers and affiliates carrying out fraud, creating a dense wave of phishing attacks on social networks.

Supply chain attacks and poisoning of Front-end infrastructure

Even when users are very careful, they can still lose money to attacks on infrastructure they trust. The attack on the Ledger Connect Kit at the end of 2023 is a typical example. The attacker inserted malicious code into a Javascript library used by hundreds of dApps. When users visited the official websites, the interface had been altered to display a fake confirmation window that sent assets directly to the hacker's wallet.

The $120 million BadgerDAO hack also followed a similar scenario when the attacker took control of the project's Cloudflare account to insert malicious code into the user interface.

Address poisoning and the copy-paste psychological trap

The address poisoning technique does not rely on a software vulnerability; it exploits people's habit of checking only part of an address. The attacker uses vanity-address generation tools to produce a wallet address whose first and last characters match an address the victim regularly transacts with. They then send a small amount of junk cryptocurrency to "poison" the victim's transaction history. When the victim copies the address from that history for the next transfer, they unknowingly send funds to the attacker. In 2024, a large investor lost up to 68 million USD in WBTC through exactly this kind of small mistake.
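As an added example (not the article's own tooling), the following script implements the check that the attack above relies on people skipping: it compares a destination address against a personal address book character by character, reports addresses that match a known contact only on the visible prefix and suffix, and scans recent history for the dust deposits that "poison" it. The address book, the addresses and the history entries are constructed sample values.

```python
"""Lookalike-address detector for address poisoning.

Added example (not from the article or any wallet). Addresses, the address
book and the history entries below are constructed, not real accounts.
"""
import re

HEX_ADDR = re.compile(r"^0x[0-9a-fA-F]{40}$")


def normalize(addr):
    """Validate a 20-byte hex address and lower-case it for comparison."""
    if not HEX_ADDR.match(addr):
        raise ValueError(f"not a 20-byte hex address: {addr!r}")
    return addr.lower()


def looks_alike(a, b, prefix=4, suffix=4):
    """True when a and b differ but share the characters people glance at."""
    a, b = normalize(a), normalize(b)
    return a != b and a[2:2 + prefix] == b[2:2 + prefix] and a[-suffix:] == b[-suffix:]


def check_destination(dest, address_book):
    """Return 'known', 'lookalike:<contact>' or 'unknown' for a pasted destination."""
    dest_n = normalize(dest)
    for addr in address_book.values():
        if normalize(addr) == dest_n:           # full 40-character match, not just the ends
            return "known"
    for name, addr in address_book.items():
        if looks_alike(addr, dest_n):
            return f"lookalike:{name}"
    return "unknown"


def poisoning_candidates(my_addr, address_book, history, dust=0):
    """Incoming dust transfers whose sender imitates a contact: the 'poison' deposits.
    history is a list of (from_addr, to_addr, value) tuples."""
    found = []
    for src, dst, value in history:
        if normalize(dst) != normalize(my_addr) or value > dust:
            continue
        for name, addr in address_book.items():
            if looks_alike(addr, src):
                found.append((src, name, value))
    return found


# Constructed sample data: one real contact and one attacker address sharing its ends.
ME = "0x" + "a" * 40
CONTACT = "0xabcd" + "1" * 32 + "9876"
LOOKALIKE = "0xabcd" + "2" * 32 + "9876"
ADDRESS_BOOK = {"exchange deposit": CONTACT}
HISTORY = [
    (LOOKALIKE, ME, 0),      # zero-value "poison" transfer planted in my history
    (CONTACT, ME, 500),      # genuine transfer from the real contact
]

if __name__ == "__main__":
    print(check_destination(LOOKALIKE, ADDRESS_BOOK))
    print(poisoning_candidates(ME, ADDRESS_BOOK, HISTORY))
```

The `prefix`/`suffix` window defaults to the 4 characters most interfaces display; widening it does not help, because the attacker chooses how many characters to match, which is why only a full-address comparison, or confirming the address on a hardware wallet's screen, is reliable.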

Malware designed specifically for Crypto

The popularity of hot wallets has created a market for specialized malware (Infostealers) with sophisticated operating mechanisms:

  • Clipboard Hijacker: Monitors the clipboard and replaces the copied wallet address with the hacker's address as soon as the user executes the paste command.

  • Keylogger: Records all keystrokes, stealing wallet passwords or recovery phrases the moment the user types them into the computer.

  • Memory Scraper: Scans RAM memory to search for character strings with a format similar to seed phrases, stealing keys even if the user does not type them out.

  • Malicious extensions: Fake browser extensions can modify website data, silently changing transaction parameters before the request is passed to the real wallet for signature.

Multi-layer risk management and prevention strategy

In this context, Tan Phat Digital recommends users to build a continuous risk management process instead of relying only on a single layer of security.

Choose the appropriate wallet model according to needs

  • Multi-signature configuration 2-of-3:

    • Advantages: Tolerates the loss or exposure of one key while still preserving assets. Prevents a single fraudulent signature from draining the wallet.

    • Disadvantages: Requires the user to manage and maintain at least 3 separate devices or keys.

    • Suitable for: Individuals with large holdings or small working groups.

  • Multi-signature configuration 3-of-5:

    • Suitable for: DAOs or large enterprises.

Dispersing private keys across different geographical locations and using multiple devices (like a combination of Ledger and Trezor) eliminates the risk of manufacturer errors or local physical disasters.

10 Crypto Wallet Security FAQs

  1. Does disconnecting a wallet from a dApp keep me safe? No. Disconnecting only stops the interaction at the user interface. Approvals remain on the blockchain and can only be removed with a "Revoke" transaction.

  2. What should I do immediately if I suspect my wallet has been hacked? Stop adding funds to the wallet immediately. Transfer all remaining assets to a completely new wallet address (with a new seed phrase) and revoke all spending rights on the old wallet for any assets that cannot be moved right away.

  3. Why does Permit2 pose a greater risk than regular Permit? Because Permit2 allows mass approval of many different types of tokens. If an attacker tricks you into signing a malicious Permit2 message, they can "wipe" multiple assets in the same transaction instead of one at a time.  

  4. How do I recognize a "poisoned" wallet address (address poisoning)? Check every character of the address, not just the first and last 4-6. Attackers use tools to create "vanity addresses" designed to fool your eyes when you read your transaction history.

  5. Can I use Flashbots to get my money back? Flashbots can be used to "rescue" valuable assets (like NFTs or staking tokens) from a wallet infected with Sweeper Bot by bundling transactions so the bot cannot interfere.  

  6. What benefits does EIP-7702 bring to general users? It helps individual wallets (EOAs) gain features such as batching and allowing third parties to pay gas fees, making the experience smoother without the need to change wallets.  

  7. Is Multisig Wallet too complicated for personal use? The 2-of-3 model is the perfect balance. You can keep 2 keys on 2 different devices and send 1 key to a trusted relative or cold store as a backup, ensuring maximum safety without too much hassle.  

  8. Is it safe to use MoMo for automatic payments? MoMo's Tokenization mechanism encrypts payment information to perform repeat transactions. You should periodically check the "Account Links" list in the app to cancel services that are no longer in use.  

  9. How to "see through" a transaction before signing? Install utilities like Rabby Wallet or Pocket Universe. They will simulate transaction results (Assets In/Out) so you know exactly what permissions you are granting and which assets will be moved.  

  10. If I use a cold wallet (Hardware Wallet), do I need to worry about Malware? Yes. Malware like Clipboard Hijacker can change the wallet address you copy, causing you to send money to the hacker even though the cold wallet device is still very safe. Always confirm the address displayed on the physical screen of the cold wallet.  

Losing money in a crypto wallet without revealing the private key is proof that blockchain security has shifted from the cryptographic technical layer to the contractual logic and user psychology layer. Modern phishing techniques all have one thing in common: they trick users into voluntarily taking actions that harm themselves.

The key to protecting assets in the future lies in a deep understanding of the types of powers you are signing. Tan Phat Digital always accompanies the community in improving security knowledge, abandoning the habit of "blind signing" and shifting to safer asset management models to ensure you are always the only one who truly controls your financial destiny on the blockchain.
