Briefing

The new Eleven Drainer Phishing-as-a-Service (PhaaS) operation has been identified by security researchers, signaling a critical evolution in user-targeted asset theft. This sophisticated criminal enterprise provides end-to-end infrastructure, including cloned websites and malicious smart contract scripts, to rapidly execute large-scale social engineering attacks against individual Web3 wallet holders. The primary consequence is the unauthorized sweeping of tokens, NFTs, and stablecoins by leveraging fraudulent transaction signatures, circumventing traditional smart contract security measures. The professionalized drainer ecosystem was responsible for an estimated $494 million in losses in 2024, underscoring the massive scale of this ongoing threat class.

Context

The current threat landscape is defined by the proliferation of PhaaS kits, which have lowered the technical barrier for large-scale on-chain fraud. Prior to this group’s emergence, established actors like Angel and Inferno Drainer had already demonstrated the effectiveness of weaponizing token approval mechanisms. This class of attack exploits the human factor and the user’s implicit trust in familiar Web3 interfaces, rather than exploiting a protocol’s core smart contract logic.

Analysis

The Eleven Drainer attack vector begins with a social engineering lure, typically a fake airdrop or project site, directing the user to connect their wallet. The malicious front-end then prompts the user to sign a transaction, often disguised as a simple “connect” or “claim” action. In reality, this signature is a malicious setApprovalForAll or permit call granting the attacker’s contract unlimited spending allowance over the user’s assets.

Once the signature is obtained, the attacker’s back-end script automatically calls the approved function to sweep all available tokens and NFTs from the victim’s wallet in a single, irreversible transaction. This method bypasses the need to compromise a protocol’s smart contract, instead exploiting the trust layer between the user and their wallet interface.

Parameters

  • Attack Vector Class ∞ Phishing-as-a-Service (PhaaS). Explanation ∞ Criminal enterprise providing tools for mass-scale social engineering and wallet draining.
  • Primary Vulnerability ∞ User Error and Malicious Signature. Explanation ∞ Exploits human inattention to grant unlimited token spending permissions.
  • Estimated 2024 Loss ∞ $494 Million. Explanation ∞ Total funds stolen by the broader wallet drainer ecosystem, showing the scale of the threat.
  • Victim Target ∞ Individual Web3 Wallet Holders. Explanation ∞ Attack is directed at the user interface and wallet interaction, not a protocol’s core contract.

Outlook

Users must immediately adopt a posture of zero-trust for all transaction signatures and employ real-time transaction simulation tools to verify the true nature of a wallet request before signing. Protocols should integrate client-side security layers that explicitly decode and warn users about unlimited token approvals (setApprovalForAll). This incident will likely drive the adoption of EIP-712 structured data signing for clarity and accelerate the development of real-time transaction monitoring and intent-based security solutions to bridge the critical gap in user-side protection.
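
The decode-and-warn check described above, as an added JavaScript example (not code from the original briefing or from any wallet or security vendor). It classifies raw calldata and EIP-712 Permit messages before signing; the 2^255 "unlimited" threshold, the risk labels and the function names are assumptions of this example.

```javascript
// Added example (not from the original page): flag approval-granting wallet requests.
// Selectors = first 4 bytes of keccak256 of the standard function signatures.
const SELECTORS = {
  "095ea7b3": "approve",            // ERC-20 approve(address,uint256); ERC-721 shares it
  "39509351": "increaseAllowance",  // increaseAllowance(address,uint256)
  "a22cb465": "setApprovalForAll",  // ERC-721 / ERC-1155 setApprovalForAll(address,bool)
};
// Assumption: amounts >= 2^255 are treated as effectively unlimited.
const UNLIMITED = 1n << 255n;

// Return the i-th 32-byte ABI word following the 4-byte selector.
function word(hex, i) {
  const w = hex.slice(8 + 64 * i, 72 + 64 * i);
  if (!/^[0-9a-f]{64}$/.test(w)) throw new Error("truncated or non-hex calldata");
  return w;
}

function inspectCalldata(calldata) {
  const hex = String(calldata).toLowerCase().replace(/^0x/, "");
  const fn = SELECTORS[hex.slice(0, 8)];
  if (!fn) return { risk: "none", fn: null, reason: "not an approval call" };
  const grantee = "0x" + word(hex, 0).slice(24); // address = low 20 bytes of the word
  const arg = BigInt("0x" + word(hex, 1));       // amount, token id, or bool
  if (fn === "setApprovalForAll")
    return arg === 0n
      ? { risk: "none", fn, grantee, reason: "revokes the operator" }
      : { risk: "high", fn, grantee, reason: "operator can move every token in this collection" };
  if (arg === 0n) // calldata alone cannot tell ERC-20 from ERC-721
    return { risk: "low", fn, grantee, reason: "zero amount (ERC-20 revoke) or ERC-721 token id 0" };
  return arg >= UNLIMITED
    ? { risk: "high", fn, grantee, reason: "effectively unlimited allowance" }
    : { risk: "medium", fn, grantee, reason: "bounded allowance of " + arg };
}

// EIP-712 path: an EIP-2612 Permit is an off-chain signature that sets an allowance.
function inspectTypedData(typed) {
  if (!typed || typed.primaryType !== "Permit" || !typed.message)
    return { risk: "none", fn: null, reason: "not a Permit message" };
  const { spender, value, deadline } = typed.message;
  const amount = BigInt(value);
  return {
    risk: amount === 0n ? "none" : amount >= UNLIMITED ? "high" : "medium",
    fn: "permit", grantee: String(spender).toLowerCase(),
    reason: "off-chain allowance of " + amount + ", valid until " + deadline,
  };
}
```

A wallet or dApp front-end would surface the returned grantee and reason in the signing prompt and require explicit confirmation for any "high" result.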

Verdict

The rise of professionalized wallet drainers shifts the primary security battleground from smart contract code to the user’s execution environment, demanding an immediate overhaul of individual operational security practices.

Signal Acquired from ∞ spaziocrypto.com

Micro Crypto News Feeds

phishing-as-a-service

Definition ∞ Phishing-as-a-Service refers to subscription-based or rented platforms that provide tools and infrastructure for conducting phishing attacks.

smart contract

Definition ∞ A Smart Contract is a self-executing contract with the terms of the agreement directly written into code.

social engineering

Definition ∞ Social engineering is a non-technical method of influencing people to give up confidential information or perform actions that benefit the attacker.

transaction

Definition ∞ A transaction is a record of the movement of digital assets or the execution of a smart contract on a blockchain.

attack vector

Definition ∞ An attack vector is a pathway or method by which malicious actors can gain unauthorized access to a system or digital asset.

vulnerability

Definition ∞ A vulnerability refers to a flaw or weakness in a system, protocol, or smart contract that could be exploited by malicious actors to compromise its integrity, security, or functionality.

wallet drainer

Definition ∞ A wallet drainer is a type of malicious software or script designed to steal funds from cryptocurrency wallets.

web3 wallet

Definition ∞ A Web3 Wallet is a digital tool that allows users to manage their digital assets and interact with decentralized applications on the internet.

real-time transaction

Definition ∞ A real-time transaction refers to a financial operation that is processed and settled almost instantaneously, with minimal delay between initiation and completion.

contract

Definition ∞ A 'Contract' is a set of rules and code that automatically executes when predefined conditions are met.