Crypto Drainers: From Wallet Approval Abuse to Malware-Assisted Web3 Attacks

BLOG APRIL 1, 2026 Threat Research CRYPTO DRAINERS: FROM WALLET APPROVAL ABUSE TO MALWARE-ASSISTED WEB3 ATTACKS IN THIS ARTICLE Introduction Understanding Crypto Drainers Permission Abuse in Smart Contracts Attack Lifecycle Drainer-as-a-Service (DaaS) Ecosystem Case Study: Bonk.fun Frontend Compromise Multiple Drainer and Price Evolution: Malware-Assisted Crypto Drainers GitHub-Based Lure Technical Analysis: Execution Flow: Use of LuaJIT for Payload Execution Credential Harvesting via .env Files Data Exfiltration via Discord Webhooks Decrypting Embedded Configuration Key Characteristics: Technical Insight: Continuous Monitoring & Silent Data Harvesting Detection Opportunities Endpoint Indicators Network Indicators Behavioral Patterns Web3 Indicators Detection Logic Example MITRE ATT&CK Mapping How Gurucul Helps Detect and Mitigate Conclusion Introduction Crypto drainers represent a class of financially motivated threats targeting Web3 users by abusing blockchain transaction authorization mechanisms rather than exploiting software vulnerabilities. Instead of stealing credentials or deploying traditional malware, these attacks manipulate users into approving malicious transactions that grant attackers permission to transfer digital assets. While early drainer campaigns relied purely on phishing and deceptive interfaces, recent activity shows an evolution toward hybrid models that combine social engineering, malicious smart contracts, and endpoint-level data exfiltration, increasing both scale and operational impact. Understanding Crypto Drainers A crypto drainer is a malicious mechanism designed to extract cryptocurrency assets by inducing users to authorize transactions that delegate control over their tokens or NFTs. Unlike traditional account compromise techniques, drainers do not require: Password theft Private key extraction Exploitation of software vulnerabilities Instead, they abuse legitimate blockchain functionality. Permission Abuse in Smart Contracts In most cases, drainers exploit standard token approval mechanisms: ERC-20 Tokens approve(address spender, uint256 amount) Grants permission to spend tokens NFT Standards (ERC-721 / ERC-1155) setApprovalForAll(address operator, bool approved) Grants full control over NFTs Once these permissions are granted, attacker-controlled contracts can invoke transfer functions to move assets without further user interaction. Attack Lifecycle A typical crypto drainer campaign follows a structured workflow: 1. Initial Access (Phishing / Social Engineering) Attackers lure victims via: Fake airdrops Malicious NFT mint pages Compromised legitimate websites Social media campaigns 2. Wallet Interaction Victims are prompted to: Connect their wallet Sign or approve a transaction These prompts are designed to appear legitimate. 3. Malicious Transaction Execution The transaction interacts with an attacker-controlled smart contract, invoking permission-granting functions such as: approve() setApprovalForAll() 4. Permission Abuse Once approval is granted, the attacker gains the ability to transfer assets programmatically. In many cases, attackers request unlimited token allowances, enabling repeated asset transfers without requiring additional user interaction. 5. Asset Drain Assets are transferred to attacker-controlled wallets, often within a single block confirmation window, leaving little opportunity for intervention. Drainer-as-a-Service (DaaS) Ecosystem Underground forums indicate that crypto drainers are increasingly commoditized and distributed as Drainer-as-a-Service (DaaS) offerings. Key characteristics: Affiliate-based revenue sharing (e.g., 80/20 splits) Pre-built phishing kits and smart contracts Multi-chain support Automated draining mechanisms This model lowers the barrier to entry and enables large-scale campaigns by low-skilled actors. Case Study: Bonk.fun Frontend Compromise The Bonk.fun incident highlights the effectiveness of frontend manipulation in Web3 attacks. Attackers compromised the website interface and injected a fake “Terms of Service” prompt. Users who interacted with the prompt unknowingly signed malicious transactions, resulting in immediate asset loss. Key Insight: No smart contract vulnerability was exploited The attack relied entirely on user interaction with a manipulated frontend This highlights a key weakness in Web3 security models, where protections can be bypassed through interface-level manipulation. Discussions on Reddit forums about the Bonk.fun hijack indicate that one user claimed the attacker injected a “HussDrainer” tool into the website. Such attacks typically involve injection of malicious JavaScript into the frontend, altering transaction prompts without modifying backend contract logic. Multiple Drainer and Price This illustrates the pricing structure of various crypto drainer tools along with their advertised capabilities. It shows how these tools are often sold as packaged services, offering features such as multi-chain support, automated asset draining, and user-friendly dashboards. This reflects increasing commercialization of drainer tools, where even low-skilled attackers can access advanced capabilities for a price. Evolution: Malware-Assisted Crypto Drainers While traditional drainers operate purely through browser-based transaction abuse, recent campaigns demonstrate a shift toward hybrid models that incorporate endpoint-level payloads to expand data collection and persistence capabilities. GitHub-Based Lure The analyzed repository masquerades as: “Airdrop claim tools” “Wallet recovery solutions” However, analysis reveals behavior consistent with infostealer malware, extending beyond standard drainer capabilities. Repository naming patterns like “airdrop-claim-eip-7702”, which can be misleading and may act as phishing techniques. These types of projects often try to attract victims by promising recovery of lost funds or free airdrops. In reality, such repositories can contain malicious code that tricks users into interacting with fake airdrop functions. When users follow the instructions and connect their wallets, they may be asked to approve or sign transactions. This is where the attack happens — instead of recovering funds, the code can grant permission to the attacker, allowing them to drain the wallet. The use of terms like “wallet recovery”, “airdrop claim”, and “easy setup” is a common social engineering tactic to build trust. Since these repositories are publicly available, inexperienced users might believe they are legitimate tools, while in fact they could be designed to steal funds. Technical Analysis: The following analysis is based on static and behavioral examination of the retrieved sample. Execution Flow: User Execution → Launcher.cmd ↓ LuaJIT Invocation (luajit.exe) ↓ Lua Script Execution (uix.txt) ↓ Decryption of Embedded Configuration ↓ .env File Access & Monitoring ↓ HTTPS POST → Discord Webhook ↓ Loop for Continuous Data Exfiltration No persistence mechanisms were observed, suggesting the attack relies on immediate execution and rapid data exfiltration rather than long-term system foothold. Use of LuaJIT for Payload Execution The presence of: luajit.exe Script-based execution (nix.txt) indicates a user-executed payload delivery model, which is atypical for legitimate Web3 workflows and serves as an evasion technique. The archive contains luajit.exe and a launcher script (Launcher.cmd) that executes a Lua-based payload (uix.txt). This reflects a user-executed delivery model, which is atypical for legitimate Web3 workflows. The use of an interpreted Lua payload complicates static detection, as core logic is executed dynamically at runtime rather than embedded in compiled binaries.   Credential Harvesting via .env Files The malware targets .env files, which commonly store: API keys Private keys RPC endpoints Wallet credentials The script implements periodic file access to monitor changes and retransmit updated data. This behavior suggests periodic file polling rather than event-driven monitoring, which may generate detectable patterns in file access telemetry. We downloaded the application from the above github repo and found that it uses a Discord webhook as a data exfiltration endpoint to exfiltrate sensitive data over HTTPS. It continuously monitors the .env file for any changes and retransmits updated information. Since .env files often contain critical secrets such as crypto wallet credentials, this represents a significant security risk. Data Exfiltration via Discord Webhooks The sample leverages Discord webhook infrastructure as a data exfiltration endpoint. Data is sent via HTTPS POST requests No evidence of bidirectional command execution Behavior aligns with lightweight exfiltration rather than full C2 The above module is responsible for the decrypting URL which uses a Discord webhook as a data exfiltration endpoint hxxps://discord.com/api/webhooks/1411056528018112634/6SeAntJD8PfBeKbT23dJnwdkk_xuGMosIcjeCH0bXPYoQCHfLIHV8hJpK0nvHxDVkrlr (https://discord.com/api/webhooks/{webhook_id}/{webhook_token}) which points to a webhook endpoint of Discord used for data exfiltration. It sends the contents of a .env file to this endpoint via an HTTPS POST request. This behavior is consistent with automated exfiltration of sensitive environment variables. Decrypting Embedded Configuration The webhook URL is stored in an encrypted format using OpenSSL-compatible AES encryption. Key Characteristics: AES-256-CBC mode EVP_BytesToKey derivation Base64-encoded payload with Salted__header A Python-based implementation of this decryption process successfully recovers the webhook URL. Technical Insight: The use of AES-256-CBC with EVP_BytesToKey suggests basic obfuscation rather than advanced cryptographic  protection. The following script replicates the decryption logic observed in the sample: import base64 from Crypto.Cipher import AES from hashlib import md5# Key Derivation Function from Salt and Password def evp_bytes_to_key (password, salt, key_len=32, iv_len=16): d = b'' prev = b'' while len(d) < key_len + iv_len: prev = md5(prev + password + salt).digest() d += prev return d[:key_len], d[key_len:key_len + iv_len]def decrypt_discord_url(): # Encrypted Discord Server URLunwrap = "U2FsdGVkX19qDrIIfOzOFIAYpU9XTtZJfACYULun2rz7zaju2HPfVS94utvtRO6Id9h7cV5z5XOfVvHQk/u4cB7jlS0luARIAbCrx07OP+/f5rMbbuljSel5UEr3afOQ6lpybut26iKPqK1jRfPMWi5gBl9Po/tdEFW3TwFQciP+OJC8lh+KqHuM89SMgTjM"" # Base64 Decoding data = base64.b64decode(unwrap) # Check OpenSSL salted format if data[:8] != b"Salted__": raise ValueError("Invalid data: missing OpenSSL Salted__ header") # Extract salt and ciphertext salt = data[8:16] ciphertext = data[16:]# Derive key and IV key, iv = evp_bytes_to_key(b"tx", salt) # AES-256-CBC Decryption cipher = AES.new(key, AES.MODE_CBC, iv) plaintext = cipher.decrypt(ciphertext) # Remove PKCS7 padding pad_len = plaintext[-1] plaintext = plaintext[:-pad_len] return plaintext.decode() if __name__ == "__main__": result = decrypt_discord_url() print(result) Similar to the behavior of CryptoJS.AES.decrypt(), we implemented a custom script to recover the original Discord webhook URL. The encrypted string (unwrap) was first Base64-decoded, revealing data in the OpenSSL salted format (Salted__ | [8-byte salt] | [ciphertext]). Using the extracted salt and the known password, we derived the encryption key and IV via the EVP_BytesToKey function. The ciphertext was then decrypted using AES-256-CBC, resulting in the original Discord webhook URL used for data exfiltration.After decryption Discord Webhook URL is hxxps://discord.com/api/webhooks/1411056528018112634/6SeAntJD8PfBeKbT23dJnwdkk_xuGMosIcjeCH0bXPYoQCHfLIHV8hJpK0nvHxDVkrlr Continuous Monitoring & Silent Data Harvesting It continuously reads the .env file and monitors it for any changes. Whenever updates occur, the new data is sent out again. This enables ongoing data theft and persistent surveillance of sensitive information. envtypically contains: Private keys API keys RPC URLs Wallet secrets Detection Opportunities Effective detection requires correlating endpoint, network, and blockchain activity. Endpoint Indicators Execution of exefrom user directories Use of .cmdscripts for payload execution Repeated access to .envfiles by non-standard processes Network Indicators Outbound HTTPS POST requests to: com/api/webhooks Repeated beacon-like communication patterns Behavioral Patterns Archive-delivered payload followed by script execution File read → network exfiltration loop Execution of scripting engines in non-development environments Web3 Indicators Unusual spikes in: approve() transactions setApprovalForAll() calls Interactions with newly deployed or unverified contracts Large token allowance assignments Detection Logic Example Correlate execution of Lua-based interpreters with outbound HTTPS requests to Discord webhook endpoints, combined with repeated access to sensitive configuration files such as .env. Individually, these signals may appear benign; however, their temporal correlation significantly increases detection confidence. This multi-layered approach enables detection of both purely transaction-based drainers and malware-assisted variants within a unified analytical framework.” MITRE ATT&CK Mapping MITRE ATT&CK Mapping: • T1566 - Phishing • T1204 - User Execution • T1552 - Unsecured Credentials (.env access) • T1041 - Exfiltration Over Web Services • T1059 - Command and Scripting Interpreter (Lua execution)    How Gurucul Helps Detect and Mitigate Gurucul enables detection of crypto drainer campaigns by correlating user behavior, endpoint activity, and network telemetry, which is critical for identifying both traditional wallet-based attacks and malware-assisted variants. User Behavior Analytics (UEBA):Detects anomalous interactions with suspicious crypto domains, phishing sites, and airdrop scams. Endpoint Monitoring: Identifies execution of unusual processes (e.g., exe), script-based execution chains, and unauthorized access to sensitive files like .env. Network Detection: Flags outbound communication to services such as Discord webhooks and identifies abnormal data exfiltration patterns. Cross-Event Correlation: Links user activity, process execution, and network behavior to reconstruct the full attack chain and reduce false positives. Outcome: Enables SOC teams to detect, prioritize, and respond to crypto drainer threats through behavioral analytics and multi-layered visibility, rather than relying on isolated indicators. Conclusion Crypto drainers have evolved from purely transaction-based social engineering attacks into hybrid threat models that combine phishing, malicious smart contract interaction, and endpoint-level data exfiltration. This convergence increases both the scale and impact of such campaigns. Defenders must move beyond isolated detection strategies and instead correlate: Wallet interaction behavior Endpoint execution patterns Network exfiltration activity Only through this multi-layered visibility can organizations effectively detect and mitigate modern Web3-targeted threats. Contributors: Siva Prasad Boddu Pandurang Terkar Rudra Pratap