Briefing

The new Eleven Drainer Phishing-as-a-Service (PhaaS) operation has been identified by security researchers, signaling a critical evolution in user-targeted asset theft. This sophisticated criminal enterprise provides end-to-end infrastructure, including cloned websites and malicious smart contract scripts, to rapidly execute large-scale social engineering attacks against individual Web3 wallet holders. The primary consequence is the unauthorized sweeping of tokens, NFTs, and stablecoins by leveraging fraudulent transaction signatures, circumventing traditional smart contract security measures. The professionalized drainer ecosystem was responsible for an estimated $494 million in losses in 2024, underscoring the massive scale of this ongoing threat class.

Context

The current threat landscape is defined by the proliferation of PhaaS kits, which have lowered the technical barrier for large-scale on-chain fraud. Prior to this group’s emergence, established actors like Angel and Inferno Drainer had already demonstrated the effectiveness of weaponizing token approval mechanisms. This class of attack exploits the human factor and the user’s implicit trust in familiar Web3 interfaces, rather than exploiting a protocol’s core smart contract logic.

Analysis

The Eleven Drainer attack vector begins with a social engineering lure, typically a fake airdrop or project site, directing the user to connect their wallet. The malicious front-end then prompts the user to sign a transaction, often disguised as a simple “connect” or “claim” action. In reality, this signature is a malicious setApprovalForAll or permit call granting the attacker’s contract unlimited spending allowance over the user’s assets.

Once the signature is obtained, the attacker’s back-end script automatically calls the approved function to sweep all available tokens and NFTs from the victim’s wallet in a single, irreversible transaction. This method bypasses the need to compromise a protocol’s smart contract, instead exploiting the trust layer between the user and their wallet interface.

Parameters

  • Attack Vector Class → Phishing-as-a-Service (PhaaS). Explanation → Criminal enterprise providing tools for mass-scale social engineering and wallet draining.
  • Primary Vulnerability → User Error and Malicious Signature. Explanation → Exploits human inattention to grant unlimited token spending permissions.
  • Estimated 2024 Loss → $494 Million. Explanation → Total funds stolen by the broader wallet drainer ecosystem, showing the scale of the threat.
  • Victim Target → Individual Web3 Wallet Holders. Explanation → Attack is directed at the user interface and wallet interaction, not a protocol’s core contract.

Outlook

Users must immediately adopt a posture of zero-trust for all transaction signatures and employ real-time transaction simulation tools to verify the true nature of a wallet request before signing. Protocols should integrate client-side security layers that explicitly decode and warn users about unlimited token approvals (setApprovalForAll). This incident will likely drive the adoption of EIP-712 structured data signing for clarity and accelerate the development of real-time transaction monitoring and intent-based security solutions to bridge the critical gap in user-side protection.
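A minimal version of the client-side decode-and-warn layer described above, covering both the setApprovalForAll and permit requests named in the Analysis. This is an added example, not code from the original brief or from any wallet vendor; the function names, the 2^255 "unlimited" threshold and the sample spender address are assumptions made for illustration.

```javascript
// Added example: classify a wallet request before the user signs it.
// Selectors are the first 4 bytes of keccak256 of the standard signatures.
const SELECTORS = {
  "095ea7b3": "approve",            // approve(address,uint256)
  "39509351": "increaseAllowance",  // increaseAllowance(address,uint256)
  "a22cb465": "setApprovalForAll",  // setApprovalForAll(address,bool)
};
// Assumption: amounts at or above 2^255 are treated as "unlimited".
const UNLIMITED = 2n ** 255n;

// Split ABI-encoded arguments into 32-byte words (64 hex chars each).
function words(hex) {
  if (hex.length % 64 !== 0) throw new Error("truncated calldata");
  return hex.match(/.{64}/g) || [];
}

// Inspect raw transaction calldata (the "data" field of eth_sendTransaction).
function inspectCalldata(data) {
  const hex = data.toLowerCase().replace(/^0x/, "");
  const fn = SELECTORS[hex.slice(0, 8)];
  if (!fn) return { kind: "other", warn: false };
  const args = words(hex.slice(8));
  if (args.length < 2) throw new Error("missing arguments");
  const spender = "0x" + args[0].slice(24); // address = low 20 bytes of word 0
  const value = BigInt("0x" + args[1]);
  if (fn === "setApprovalForAll") {
    // true hands the operator every token in the collection; false revokes.
    return { kind: fn, spender, warn: value !== 0n };
  }
  const unlimited = value >= UNLIMITED;
  return { kind: fn, spender, unlimited, warn: unlimited };
}

// Inspect an EIP-712 payload (eth_signTypedData_v4) for an EIP-2612 Permit.
// A permit is a token approval even though signing it sends no transaction.
function inspectTypedData(typed) {
  if (typed.primaryType !== "Permit") return { kind: "other", warn: false };
  const { spender, value } = typed.message;
  const unlimited = BigInt(value) >= UNLIMITED;
  return { kind: "permit", spender, unlimited, offchain: true, warn: unlimited };
}

// Constructed sample: setApprovalForAll(0x1111...1111, true)
const SAMPLE_TX = "0xa22cb465" + "11".repeat(20).padStart(64, "0") + "1".padStart(64, "0");
console.log(inspectCalldata(SAMPLE_TX));
```

ERC-721 approve(address,uint256) shares the 0x095ea7b3 selector with ERC-20, so a production check would also resolve the token standard of the target contract before interpreting the second argument as an amount.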

Verdict

The rise of professionalized wallet drainers shifts the primary security battleground from smart contract code to the user’s execution environment, demanding an immediate overhaul of individual operational security practices.

Signal Acquired from → spaziocrypto.com

Micro Crypto News Feeds

phishing-as-a-service

Definition ∞ Phishing-as-a-Service refers to subscription-based or rented platforms that provide tools and infrastructure for conducting phishing attacks.

smart contract

Definition ∞ A Smart Contract is a self-executing contract with the terms of the agreement directly written into code.

social engineering

Definition ∞ Social engineering is a non-technical method of influencing people to give up confidential information or perform actions that benefit the attacker.

transaction

Definition ∞ A transaction is a record of the movement of digital assets or the execution of a smart contract on a blockchain.

attack vector

Definition ∞ An attack vector is a pathway or method by which malicious actors can gain unauthorized access to a system or digital asset.

vulnerability

Definition ∞ A vulnerability refers to a flaw or weakness in a system, protocol, or smart contract that could be exploited by malicious actors to compromise its integrity, security, or functionality.

wallet drainer

Definition ∞ A wallet drainer is a type of malicious software or script designed to steal funds from cryptocurrency wallets.

web3 wallet

Definition ∞ A Web3 Wallet is a digital tool that allows users to manage their digital assets and interact with decentralized applications on the internet.

real-time transaction

Definition ∞ A real-time transaction refers to a financial operation that is processed and settled almost instantaneously, with minimal delay between initiation and completion.

contract

Definition ∞ A 'Contract' is a set of rules and code that automatically executes when predefined conditions are met.