Briefing

The new Eleven Drainer Phishing-as-a-Service (PhaaS) operation has been identified by security researchers, signaling a critical evolution in user-targeted asset theft. This sophisticated criminal enterprise provides end-to-end infrastructure, including cloned websites and malicious smart contract scripts, to rapidly execute large-scale social engineering attacks against individual Web3 wallet holders. The primary consequence is the unauthorized sweeping of tokens, NFTs, and stablecoins by leveraging fraudulent transaction signatures, circumventing traditional smart contract security measures. The professionalized drainer ecosystem was responsible for an estimated $494 million in losses in 2024, underscoring the massive scale of this ongoing threat class.

Context

The current threat landscape is defined by the proliferation of PhaaS kits, which have lowered the technical barrier for large-scale on-chain fraud. Prior to this group’s emergence, established actors like Angel and Inferno Drainer had already demonstrated the effectiveness of weaponizing token approval mechanisms. This class of attack exploits the human factor and the user’s implicit trust in familiar Web3 interfaces, rather than exploiting a protocol’s core smart contract logic.

Analysis

The Eleven Drainer attack vector begins with a social engineering lure, typically a fake airdrop or project site, directing the user to connect their wallet. The malicious front-end then prompts the user to sign a transaction, often disguised as a simple “connect” or “claim” action. In reality, this signature is a malicious setApprovalForAll or permit call granting the attacker’s contract unlimited spending allowance over the user’s assets.

Once the signature is obtained, the attacker’s back-end script automatically calls the approved function to sweep all available tokens and NFTs from the victim’s wallet in a single, irreversible transaction. This method bypasses the need to compromise a protocol’s smart contract, instead exploiting the trust layer between the user and their wallet interface.

Parameters

  • Attack Vector Class → Phishing-as-a-Service (PhaaS). Explanation → Criminal enterprise providing tools for mass-scale social engineering and wallet draining.
  • Primary Vulnerability → User Error and Malicious Signature. Explanation → Exploits human inattention to grant unlimited token spending permissions.
  • Estimated 2024 Loss → $494 Million. Explanation → Total funds stolen by the broader wallet drainer ecosystem, showing the scale of the threat.
  • Victim Target → Individual Web3 Wallet Holders. Explanation → Attack is directed at the user interface and wallet interaction, not a protocol’s core contract.

Outlook

Users must immediately adopt a posture of zero-trust for all transaction signatures and employ real-time transaction simulation tools to verify the true nature of a wallet request before signing. Protocols should integrate client-side security layers that explicitly decode and warn users about unlimited token approvals (setApprovalForAll). This incident will likely drive the adoption of EIP-712 structured data signing for clarity and accelerate the development of real-time transaction monitoring and intent-based security solutions to bridge the critical gap in user-side protection.
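
A client-side check of the kind described above might look like the following. This is an added example, not code from the original briefing or from any wallet project; the function names (inspectCalldata, inspectTypedData) and the 2^255 threshold for "unlimited" are assumptions made for illustration.

```javascript
// Added example: classify a wallet request before the user signs it.
// approve and setApprovalForAll are the ERC-20/721/1155 selectors;
// increaseAllowance is the common OpenZeppelin extension.
const SELECTORS = {
  "0xa22cb465": "setApprovalForAll(address,bool)",
  "0x095ea7b3": "approve(address,uint256)",
  "0x39509351": "increaseAllowance(address,uint256)",
};
// Assumption: an allowance of 2^255 or more is treated as "unlimited".
const UNLIMITED = 1n << 255n;

// Split ABI-encoded arguments into 32-byte (64 hex character) words.
function words(data) {
  const body = data.slice(10);
  if (body.length % 64 !== 0) throw new Error("malformed calldata");
  return body.match(/.{64}/g) || [];
}

function inspectCalldata(calldata) {
  const data = String(calldata).toLowerCase();
  if (!/^0x[0-9a-f]{8,}$/.test(data)) throw new Error("not hex calldata");
  const fn = SELECTORS[data.slice(0, 10)];
  if (!fn) return { risk: "none", fn: null };
  const w = words(data);
  if (w.length < 2) throw new Error("truncated arguments");
  const spender = "0x" + w[0].slice(24); // address is the low 20 bytes
  const value = BigInt("0x" + w[1]);
  if (fn.startsWith("setApprovalForAll")) {
    return value === 0n
      ? { risk: "none", fn, spender } // approved=false is a revocation
      : { risk: "high", fn, spender, reason: "operator control of the whole collection" };
  }
  // approve() shares its selector with ERC-721, where the second word is a
  // token id, so small values are surfaced for review rather than cleared.
  return value >= UNLIMITED
    ? { risk: "high", fn, spender, reason: "unlimited token allowance" }
    : { risk: "review", fn, spender, amount: value };
}

// eth_signTypedData_v4 payloads: an EIP-2612 Permit grants an allowance by
// signature alone, with no on-chain transaction from the user.
function inspectTypedData(typed) {
  if (!typed || typed.primaryType !== "Permit") return { risk: "none" };
  const { spender, value } = typed.message;
  const unlimited = BigInt(value) >= UNLIMITED;
  return { risk: unlimited ? "high" : "review", fn: "permit", spender,
    reason: (unlimited ? "unlimited " : "") + "allowance via off-chain signature" };
}
```

A wallet or dApp front-end would run the first function on the data field of eth_sendTransaction requests and the second on typed-data signing requests, and show the returned spender and reason to the user before the signing prompt.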

Verdict

The rise of professionalized wallet drainers shifts the primary security battleground from smart contract code to the user’s execution environment, demanding an immediate overhaul of individual operational security practices.

Signal Acquired from → spaziocrypto.com

Micro Crypto News Feeds

phishing-as-a-service

Definition ∞ Phishing-as-a-Service refers to subscription-based or rented platforms that provide tools and infrastructure for conducting phishing attacks.

smart contract

Definition ∞ A Smart Contract is a self-executing contract with the terms of the agreement directly written into code.

social engineering

Definition ∞ Social engineering is a non-technical method of influencing people to give up confidential information or perform actions that benefit the attacker.

transaction

Definition ∞ A transaction is a record of the movement of digital assets or the execution of a smart contract on a blockchain.

attack vector

Definition ∞ An attack vector is a pathway or method by which malicious actors can gain unauthorized access to a system or digital asset.

vulnerability

Definition ∞ A vulnerability refers to a flaw or weakness in a system, protocol, or smart contract that could be exploited by malicious actors to compromise its integrity, security, or functionality.

wallet drainer

Definition ∞ A wallet drainer is a type of malicious software or script designed to steal funds from cryptocurrency wallets.

web3 wallet

Definition ∞ A Web3 Wallet is a digital tool that allows users to manage their digital assets and interact with decentralized applications on the internet.

real-time transaction

Definition ∞ A real-time transaction refers to a financial operation that is processed and settled almost instantaneously, with minimal delay between initiation and completion.

contract

Definition ∞ A 'Contract' is a set of rules and code that automatically executes when predefined conditions are met.