Wallet-drainer and phishing toolkits are surging, with ~$500M drained in 2024 and crypto losses hitting $3.1B in H1 2025 alone. Point-in-time audits aren’t enough without continuous monitoring and revocation playbooks.
We recently caught up with Natalie Newson, Senior Blockchain Investigator at CertiK to better understand how “drainer-as-a-service” works and the defense stack that stops active drains in minutes.
Natalie Newson from CertiK shared the insights below on several of these developments.
The drainer economy: kits, affiliates, and why AI-written lures now dominate spear phish.
Drainer kits were popularized at the end of 2022 with the goal of providing code to scammers who would then steal NFTs and crypto, and take a small cut of the funds users stole.
Initially, some user knowledge was needed to connect a drainer script to a self-hosted website, though later drainers started to provide website templates and hosting.
The overall lack of skill needed to operate drainer kits opened the door for big gains for relatively little work. With the rise of AI, scammers now have a way to generate tailored and more convincing scams at scale, again with minimal effort.
Where victims get hit: approval farming, fake sign prompts, and domain spoofs.
Large communities are typically targets for scammers. In 2022 and 2023 during the Monkey Drainer era, at least one Discord server was being exploited every day due to the ease of obtaining user account tokens.
These tokens often gave scammers full access to servers, enabling them to post surprise “airdrops,” which preyed on FOMO.
Audit + always-on: approvals monitoring, anomaly alerts, and emergency revoke flows for wallets and dApps.
Several wallet providers monitor for this activity, though it is very much a game of cat and mouse. Each time wallet monitoring protects against a drainer method, a new bypass is developed to avoid triggering the warning.
In case of doubt or a confirmed attack, some free tools like Revoke.cash allow you to revoke approvals from the compromised wallet.
Practical controls that work: allowlists, approval simulators, MPC hygiene, and withdrawal holds.
One of the most effective methods to prevent wallet draining is to double check that the site you’re connected to is legitimate and understand what the transaction is asking you to do.
Use a wallet guard for additional security, but don’t rely on it, as drainer kits actively create bypasses to remain undetected. Moreover, strong MPC hygiene, such as key separation, and a good signing policy are essential to eliminate a single point of failure.
Using multiple wallets or a hardware wallet will also help limit damage in the event of signing a malicious transaction. It is good practice to never connect to a site with a wallet that holds all your assets.
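The “understand what the transaction is asking you to do” advice above is something a wallet, or the user with a small script, can check before signing. The following is an added example, not CertiK's code or any wallet's, of a pre-signature review: it decodes the calldata of the standard approval-granting calls (ERC-20 approve/increaseAllowance, ERC-721/1155 setApprovalForAll, transferFrom) by hand from their well-known 4-byte selectors, applies a spender allowlist, and flags the two patterns drainer lures rely on, an unlimited allowance and a blanket operator approval to an unknown address. The addresses and the calldata samples are constructed placeholders; the function selectors are the standard ones.

```python
"""Pre-signature review of a pending wallet transaction (added example).

Assumes the wallet hands us the raw calldata the dApp asked the user to sign.
Decoding is done by hand so the script runs offline. Addresses below are
constructed placeholders, not real contracts.
"""
from dataclasses import dataclass

UINT256_MAX = (1 << 256) - 1

# Standard selectors: first 4 bytes of keccak256(function signature).
SELECTORS = {
    "095ea7b3": ("approve", ("address", "uint256")),            # ERC-20
    "39509351": ("increaseAllowance", ("address", "uint256")),  # ERC-20 (OpenZeppelin)
    "a22cb465": ("setApprovalForAll", ("address", "bool")),     # ERC-721 / ERC-1155
    "23b872dd": ("transferFrom", ("address", "address", "uint256")),
}


@dataclass
class Finding:
    severity: str  # "info" | "low" | "high" | "critical"
    reason: str


def decode_call(calldata: str):
    """Return (function_name, [args]) for a recognised selector, else None."""
    raw = bytes.fromhex(calldata[2:] if calldata.startswith("0x") else calldata)
    entry = SELECTORS.get(raw[:4].hex()) if len(raw) >= 4 else None
    if entry is None:
        return None
    name, types = entry
    args = raw[4:]
    if len(args) < 32 * len(types):
        return None  # truncated calldata: refuse to guess
    values = []
    for i, typ in enumerate(types):
        word = args[32 * i : 32 * (i + 1)]  # every static ABI argument is one 32-byte word
        if typ == "address":
            values.append("0x" + word[12:].hex())  # address is the low 20 bytes
        elif typ == "bool":
            values.append(int.from_bytes(word, "big") != 0)
        else:
            values.append(int.from_bytes(word, "big"))
    return name, values


def review(calldata: str, allowlist, wallet: str) -> Finding:
    """Score a pending call against a spender allowlist (lowercase hex addresses)."""
    decoded = decode_call(calldata)
    if decoded is None:
        return Finding("info", "not an approval or transfer call; review the target contract instead")
    name, values = decoded
    allowed = {a.lower() for a in allowlist}
    if name in ("approve", "increaseAllowance"):
        spender, amount = values
        if spender in allowed:
            return Finding("low", f"{name} to allowlisted spender {spender}")
        if amount == UINT256_MAX:
            return Finding("critical", f"unlimited allowance to unknown spender {spender}")
        return Finding("high", f"allowance of {amount} to unknown spender {spender}")
    if name == "setApprovalForAll":
        operator, enabled = values
        if enabled and operator not in allowed:
            return Finding("critical", f"blanket NFT operator approval to unknown {operator}")
        return Finding("low", f"setApprovalForAll({operator}, {enabled})")
    # transferFrom: the dApp is asking the signer to move the signer's own assets
    sender, recipient, amount = values  # amount is a tokenId for ERC-721
    if sender == wallet.lower() and recipient not in allowed:
        return Finding("high", f"moves {amount} from this wallet to unknown {recipient}")
    return Finding("low", "transferFrom not touching this wallet's balance")


# Constructed sample data.
WALLET = "0x" + "aa" * 20
ROUTER = "0x" + "11" * 20   # stands in for a known DEX router on the allowlist
UNKNOWN = "0x" + "bd" * 20  # spender not on the allowlist
# approve(UNKNOWN, 2**256-1): the unlimited-allowance prompt drainer lures push
UNLIMITED_APPROVE = "0x095ea7b3" + "00" * 12 + "bd" * 20 + "ff" * 32
# setApprovalForAll(UNKNOWN, true)
BLANKET_OPERATOR = "0xa22cb465" + "00" * 12 + "bd" * 20 + "00" * 31 + "01"
# approve(ROUTER, 1000)
BOUNDED_APPROVE = "0x095ea7b3" + "00" * 12 + "11" * 20 + "00" * 30 + "03e8"

if __name__ == "__main__":
    for data in (UNLIMITED_APPROVE, BLANKET_OPERATOR, BOUNDED_APPROVE):
        finding = review(data, [ROUTER], WALLET)
        print(finding.severity, finding.reason)
```

A real wallet guard would add simulation of the call's state changes; the point here is that the static decode alone already separates a bounded approval to a known contract from the unlimited or blanket approvals a drainer needs, and that an allowlist decided by the user is not something a kit's bypass can route around.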
Metrics that matter: time-to-detect, time-to-revoke, and reduction in exploitable approvals.
The time taken between clicking “confirm” on a malicious transaction and assets being stolen is typically within seconds. While revoking will prevent further thefts from the wallet, it is often too late to save the assets already there.
One of the fundamental issues with preventing exploits via approvals is that these methods are central to smart contracts themselves, and doing so would also break existing contracts. Scammers would then find new methods to phish users.
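The “emergency revoke flow” and the time-to-detect / time-to-revoke metrics from the two sections above can be made concrete. The following is an added example, not CertiK's or Revoke.cash's code: it replays constructed ERC-20 Approval and ERC-721 ApprovalForAll logs (in the shape an eth_getLogs response has) to find which of a wallet's approvals are still live and granted to a spender outside the allowlist, builds the approve(spender, 0) / setApprovalForAll(operator, false) transactions that revoke them, and reports the metrics. The event topic hashes are the standard ones; every address, block number and timestamp is a constructed placeholder, and the detection and revoke times are passed in as assumed values.

```python
"""Approvals monitoring and emergency revoke flow (added example).

Replays raw approval logs to compute a wallet's exploitable approvals,
emits the revoke calldata for each, and reports time-to-detect and
time-to-revoke. All sample data is constructed.
"""
# keccak256 of the standard event signatures (topic[0]).
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"          # Approval(address,address,uint256)
APPROVAL_FOR_ALL_TOPIC = "0x17307eab39ab6107e8899845ad3d59bd9653f200f220920489ca2b5937696c31"  # ApprovalForAll(address,address,bool)


def _addr(topic: str) -> str:
    """Indexed address topics are left-padded to 32 bytes; keep the low 20."""
    return "0x" + topic[-40:].lower()


def parse_log(log: dict):
    """Normalise one raw log into an approval event, or None if unrelated."""
    topics = log["topics"]
    if topics[0] == APPROVAL_TOPIC:
        kind, value = "erc20", int(log["data"], 16)
    elif topics[0] == APPROVAL_FOR_ALL_TOPIC:
        kind, value = "operator", int(log["data"], 16) != 0
    else:
        return None
    return {"kind": kind, "token": log["address"].lower(), "owner": _addr(topics[1]),
            "spender": _addr(topics[2]), "value": value, "ts": log["timestamp"]}


def live_approvals(logs, owner: str, allowlist):
    """Replay logs in chain order; the latest event per (token, spender) wins.

    Returns approvals that are still non-zero/true whose spender is not on the
    allowlist, i.e. the wallet's currently exploitable approvals."""
    allowed = {a.lower() for a in allowlist}
    state = {}
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        ev = parse_log(log)
        if ev is None or ev["owner"] != owner.lower():
            continue
        key = (ev["token"], ev["spender"])
        if ev["value"]:
            state[key] = ev
        else:
            state.pop(key, None)  # a zero/false approval clears the earlier one
    return [ev for ev in state.values() if ev["spender"] not in allowed]


def revoke_calldata(ev: dict) -> str:
    """Calldata that zeroes the approval; the transaction goes to the token contract."""
    spender_word = bytes.fromhex(ev["spender"][2:]).rjust(32, b"\0").hex()
    if ev["kind"] == "erc20":
        return "0x095ea7b3" + spender_word + "00" * 32  # approve(spender, 0)
    return "0xa22cb465" + spender_word + "00" * 32      # setApprovalForAll(operator, false)


def revoke_plan(logs, owner: str, allowlist, detected_at: int, revoked_at: int) -> dict:
    """Revoke transactions to broadcast plus the metrics the article names.

    time_to_detect_s: earliest live risky approval -> alert (assumed timestamp).
    time_to_revoke_s: alert -> revoke broadcast (assumed timestamp)."""
    targets = live_approvals(logs, owner, allowlist)
    txs = [{"to": ev["token"], "data": revoke_calldata(ev)} for ev in targets]
    first = min((ev["ts"] for ev in targets), default=None)
    return {"transactions": txs, "metrics": {
        "exploitable_approvals": len(targets),
        "time_to_detect_s": None if first is None else detected_at - first,
        "time_to_revoke_s": revoked_at - detected_at}}


# Constructed sample data.
WALLET = "0x" + "aa" * 20
ROUTER = "0x" + "11" * 20   # allowlisted DEX router
STALE = "0x" + "cc" * 20    # spender the user already revoked
DRAINER = "0x" + "bd" * 20  # unknown spender from a phishing prompt
TOKEN, NFT = "0x" + "01" * 20, "0x" + "02" * 20


def _topic(addr: str) -> str:
    return "0x" + "00" * 12 + addr[2:]


def _log(block, idx, address, topics, data, ts):
    return {"blockNumber": block, "logIndex": idx, "address": address,
            "topics": topics, "data": data, "timestamp": ts}


SAMPLE_LOGS = [  # deliberately out of order to exercise the replay sort
    _log(131, 0, NFT, [APPROVAL_FOR_ALL_TOPIC, _topic(WALLET), _topic(DRAINER)], "0x" + "00" * 31 + "01", 1010),
    _log(100, 0, TOKEN, [APPROVAL_TOPIC, _topic(WALLET), _topic(ROUTER)], "0x" + "ff" * 32, 500),
    _log(110, 3, TOKEN, [APPROVAL_TOPIC, _topic(WALLET), _topic(STALE)], "0x" + "00" * 31 + "64", 700),
    _log(120, 1, TOKEN, [APPROVAL_TOPIC, _topic(WALLET), _topic(STALE)], "0x" + "00" * 32, 800),
    _log(130, 0, TOKEN, [APPROVAL_TOPIC, _topic(WALLET), _topic(DRAINER)], "0x" + "ff" * 32, 1000),
]

if __name__ == "__main__":
    plan = revoke_plan(SAMPLE_LOGS, WALLET, [ROUTER], detected_at=1090, revoked_at=1130)
    print(plan["metrics"])
    for tx in plan["transactions"]:
        print(tx["to"], tx["data"][:10])
```

Two details matter in practice. Replaying in (block, log index) order is what makes a later zero approval correctly cancel an earlier one, so the list of exploitable approvals shrinks as the user revokes; and the revoke transactions are addressed to the token contract, not the spender, which is why a drainer that already holds an allowance cannot block them. The metric split also shows the point made above: once the malicious approval is live, even a 90-second detection window is far longer than the seconds a drainer needs, so reducing the count of standing approvals is the metric that actually moves risk.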