How to Actually Stop Wallet Drainers in 2026: Multi-Sig Isolation, Transaction Simulation, and Approval Hygiene
Drainer kits — the phishing toolchains designed to empty wallets — fully went SaaS in 2025-2026. Attackers no longer write code; they subscribe by the month to services like Inferno Drainer, Pink Drainer, or Angel Drainer and receive a phishing-site template, signature traps, and a sweep script in one bundle, sharing revenue with the platform. Result: phishing sites look more authentic, signature payloads are more deceptive, and more wallets get emptied. This post does not stop at “watch out for phishing”. It unpacks the attack chain and gives a three-layer defence you can actually operate.

The drainer playbook
Almost every drainer attack follows the same script:
- Contact: Google Ads, lookalike Discord/Twitter accounts, fake airdrop links, or emails land the user on the phishing site.
- Wallet connect prompt: pixel-perfect UI asks to connect a wallet.
- Signature trap: an EIP-712 permit, a `setApprovalForAll`, or an ERC-20 `increaseAllowance` slipped into a benign-looking signature.
- Rapid sweep: a bot script harvests every authorised token and NFT to a relay wallet and fans them through mixers.
End to end, from click to empty, the average is under 90 seconds. Reactive remediation is too late by definition. Defence has to live before the signature.
Layer one: multi-wallet isolation — split the eggs across baskets
The most effective and least practised defence. Single principle: using one wallet for everything bets the entire balance on a single mistake. A sensible tiering looks like:
| Wallet | Holds | Used for |
|---|---|---|
| Primary cold | > 80% of net worth, long-term holdings | Almost never signs, only receives |
| Transit hot | < 15% of net worth | Moves funds between cold and operational |
| Operational | < 5% of net worth | Day-to-day DeFi, airdrops, NFT mint |
| Burner | 50-200 USD | New protocols, suspicious links |
A drained operational wallet costs 5%. Compartmentalisation is not a remedy, it is the default architecture.
For larger balances, also use multi-sig: a Safe 2-of-3 stops most single-point phishing because the attacker now needs two private-key signatures. The cost is UX: every on-chain action needs each signer to approve separately. Above 50k USD the trade-off is correct. The hardware wallet supply-chain risk writeup makes the same “no single line of defence” point from a different angle.
Layer two: transaction simulation — see what you are actually signing
The second layer is pre-signature simulation. The tooling matured in 2026 and falls into three categories:
- Wallet-native: Rabby, OKX Web3, MetaMask Snaps integrate simulation directly.
- Browser extensions: Blockaid, Wallet Guard, Pocket Universe.
- Dedicated security dApps: Revoke.cash previews signatures alongside its revoke flow.
All do the same thing: fork the chain, replay the transaction you are about to sign, and tell you what will actually happen — which tokens move, who is being granted permission, what the balance change looks like.
Why is this so important? Because the drainer’s bread and butter is making the signature look harmless:
- A `permit` signature shows only “Sign in to App” in the popup but contains an EIP-712 spending authorisation.
- `setApprovalForAll` is a legitimate NFT-market call but is sometimes pointed at a malicious contract.
- The default wallet UI may show “transfer 0 USDC” when the actual payload is a permit granting unlimited allowance to the attacker.
With simulation on, all of this gets translated into plain language: “This transaction will hand control of 10,000 USDC to address 0xabc…”. Unknown address receiving unlimited approval → reject immediately.
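The plain-language translation described above, as an added example that is not from the original post or from any wallet's code: it statically decodes a signing request (raw calldata or EIP-712 typed data) and reports what it grants, which is a narrower check than the fork-and-replay simulation the tools run. The allowlist `KNOWN_SPENDERS`, the "unlimited" cut-off and every sample address are assumptions constructed for illustration.

```javascript
const MAX_UINT256 = (1n << 256n) - 1n;
// Standard 4-byte selectors of the approval-granting calls named in this section.
const SELECTORS = {
  "0x095ea7b3": "approve",            // approve(address,uint256)
  "0x39509351": "increaseAllowance",  // increaseAllowance(address,uint256)
  "0xa22cb465": "setApprovalForAll",  // setApprovalForAll(address,bool)
};
// Assumption: a user-maintained allowlist of spenders mapped to known dApps.
const KNOWN_SPENDERS = new Set(["0x" + "11".repeat(20)]);

function verdict(kind, spender, amount) {
  spender = spender.toLowerCase();
  const known = KNOWN_SPENDERS.has(spender);
  // Assumed heuristic: the top half of the uint256 range is effectively unlimited.
  const unlimited = kind !== "setApprovalForAll" && amount >= MAX_UINT256 / 2n;
  const blanket = unlimited || kind === "setApprovalForAll";
  const risk = known ? "ok" : blanket ? "reject" : "review";
  return { kind, spender, unlimited, known, risk };
}

// Transaction calldata, as sent with eth_sendTransaction.
function inspectCalldata(data) {
  const kind = SELECTORS[data.slice(0, 10).toLowerCase()];
  if (!kind) return { kind: "other", risk: "unclassified" };
  // Two 32-byte ABI words must follow the selector; refuse truncated input.
  if (!/^0x[0-9a-fA-F]{136,}$/.test(data)) return { kind, risk: "malformed" };
  const spender = "0x" + data.slice(34, 74);       // low 20 bytes of word 0
  const arg = BigInt("0x" + data.slice(74, 138));  // word 1: amount or bool
  if (arg === 0n && kind !== "increaseAllowance")
    return { kind: "revoke", spender: spender.toLowerCase(), risk: "ok" };
  return verdict(kind, spender, arg);
}

// EIP-712 typed data, as sent with eth_signTypedData_v4 (off-chain, no gas, no tx).
function inspectTypedData(td) {
  if (td.primaryType !== "Permit") return { kind: "other", risk: "unclassified" };
  if (td.message.value === undefined) return { kind: "permit", risk: "review" };
  return verdict("permit", td.message.spender, BigInt(td.message.value));
}

// Constructed samples: a blanket NFT approval and an unlimited permit to an unknown address.
const UNKNOWN = "0x" + "ab".repeat(20);
const SAMPLE_TX = "0xa22cb465" + UNKNOWN.slice(2).padStart(64, "0") + "1".padStart(64, "0");
const SAMPLE_PERMIT = {
  primaryType: "Permit",
  message: { owner: "0x" + "cd".repeat(20), spender: UNKNOWN,
             value: MAX_UINT256.toString(), nonce: "0", deadline: "1893456000" },
};
console.log(inspectCalldata(SAMPLE_TX), inspectTypedData(SAMPLE_PERMIT));
```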

Layer three: approval hygiene — defusing the bombs you planted earlier
The third layer addresses historical approvals. Even if every future signature you make is careful, the approvals you gave over the past three years still exist. Drainers regularly exploit long-forgotten approvals — a project that has long since rugged, whose owner key gets popped, then used to drain any wallet that still has a live approval pointing at the contract.
The cleanup loop:
- Monthly audit: open Revoke.cash or Etherscan’s Token Approvals page and list every non-revoked approval.
- Revoke three categories first:
  - Protocols you no longer use.
  - Approvals with `unlimited` allowance.
  - Approvals pointing at non-protocol addresses (anything you cannot map to a known dApp).
- Simulate the revoke too: a revoke is itself a signature — confirm the function being called.
- Per chain: Ethereum, Arbitrum, Base, BSC, Polygon — walk each one separately.
Revokes cost gas, but compared to being drained, a few dollars of gas is the cheapest insurance product on the market. The Etherscan explorer guide explains how to read the approvals tab yourself.
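The audit step of the cleanup loop, as an added example that is not from the original post or from Revoke.cash: it replays ERC-20 `Approval` logs for one owner to find approvals that are still live, then tags each with the three revoke-first categories. The `LABELS` map, the "unlimited" cut-off and all sample addresses and logs are assumptions constructed for illustration.

```javascript
// keccak256("Approval(address,address,uint256)"): topic0 of the ERC-20 Approval event.
const APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925";
const UNLIMITED_FLOOR = ((1n << 256n) - 1n) / 2n; // assumed cut-off for "unlimited"
// Assumption: the user's own labels for spenders; an unlabelled spender is unknown.
const LABELS = {
  ["0x" + "11".repeat(20)]: { name: "dex-router", inUse: true },
  ["0x" + "22".repeat(20)]: { name: "old-farm", inUse: false },
};
const addr = (topic) => "0x" + topic.slice(26).toLowerCase();
const num = (hex) => Number(BigInt(hex));

// Replay logs oldest-first; the last Approval per (token, spender) wins, 0 revokes.
function liveApprovals(logs, owner) {
  const live = new Map();
  const mine = logs
    // ERC-721 Approval shares this topic0 but has 4 topics (indexed tokenId): skip it.
    .filter((l) => l.topics[0] === APPROVAL_TOPIC && l.topics.length === 3)
    .filter((l) => addr(l.topics[1]) === owner.toLowerCase())
    .sort((a, b) => num(a.blockNumber) - num(b.blockNumber) || num(a.logIndex) - num(b.logIndex));
  for (const l of mine) {
    const key = l.address.toLowerCase() + "|" + addr(l.topics[2]);
    const value = BigInt(l.data);
    if (value === 0n) live.delete(key);
    else live.set(key, value);
  }
  return live;
}

// Tag each live approval with the revoke-first categories from the list above.
function triage(live) {
  const out = [];
  for (const [key, value] of live) {
    const [token, spender] = key.split("|");
    const label = LABELS[spender];
    const reasons = [];
    if (label && !label.inUse) reasons.push("unused-protocol");
    if (value >= UNLIMITED_FLOOR) reasons.push("unlimited");
    if (!label) reasons.push("unknown-spender");
    if (reasons.length) out.push({ token, spender, reasons });
  }
  return out.sort((a, b) => b.reasons.length - a.reasons.length);
}

// Constructed sample logs in eth_getLogs shape: [spender byte, value, block number].
const pad = (hex) => "0x" + hex.replace(/^0x/, "").padStart(64, "0");
const OWNER = "0x" + "0c".repeat(20), TOKEN = "0x" + "aa".repeat(20), MAX = (1n << 256n) - 1n;
const SAMPLE_LOGS = [["11", MAX, 16], ["22", 500n, 17], ["33", MAX, 18], ["11", 0n, 19]].map(
  ([s, v, b]) => ({ address: TOKEN, blockNumber: "0x" + b.toString(16), logIndex: "0x0",
    topics: [APPROVAL_TOPIC, pad(OWNER), pad("0x" + s.repeat(20))], data: pad(v.toString(16)) }));
console.log(triage(liveApprovals(SAMPLE_LOGS, OWNER)));
```

Log values are the amounts that were approved, not what remains after the spender has used some of it; the token's `allowance(owner, spender)` call is the authoritative current figure.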
A monthly security checklist
To turn the three layers into a habit, here is the list I personally run through every first week of the month:
- [ ] Operational wallet balance still < 5% of net worth; if not, sweep back to transit.
- [ ] Revoke every unused token approval (every chain separately).
- [ ] Audit all NFT `setApprovalForAll` and revoke expired or non-mainstream marketplaces.
- [ ] Review browser extensions; remove any unused wallet or Web3 extension.
- [ ] Update primary wallet and simulator extensions to the latest version.
- [ ] List dApps interacted with this month and confirm the URLs are official.
- [ ] Multi-sig threshold and signer addresses still correct.
- [ ] Cold-wallet seed-phrase storage location accessible and not compromised.
About thirty minutes total. Given that drainers empty wallets in under ninety seconds, those thirty minutes have a generous return on investment.
Behavioural rules: assume every prompt is phishing
Past the technical layers, behaviour decides outcomes. These five rules I have run for four years without incident:
- Always enter major dApps from a bookmark or typed URL; never click a Google Ad.
- Any “claim reward”, “account suspended”, “sign now” link is hostile by default.
- Any non-top NFT marketplace asking for `setApprovalForAll` is rejected.
- If a signature does not make sense, leave the site first, research, come back.
- Run any large transaction through a burner wallet first, then repeat on the main wallet.
The MetaMask phishing defence writeup has more specific recognition tips and pairs well with this one.
Defence is a process problem, not a tech problem
After being drained, almost everyone says “I’ll be more careful next time”. They get drained again. The reason is that “be careful” is not an executable instruction — it depends on attention, mood, familiarity. What is actually executable is a hardened process: which wallet does what, simulation before every signature, revoke audit every month. When that becomes muscle memory, you are actually safer. Drainers in 2026 are an industrialised product, and the defence must be an industrialised process to match.