In 2024, the Web3 ecosystem suffered numerous phishing attacks, resulting in approximately $494 million in losses.
This report analyzes the latest trends in Wallet Drainer attacks and protection methods to help industry practitioners and users better protect their assets.
Overview
Wallet Drainer is a type of malware deployed on phishing websites that steals crypto assets by inducing users to sign malicious transactions. In 2024, such attacks caused approximately $494 million in losses, a 67% increase year-over-year.
The number of victims increased by only 3.7% (reaching 332,000 addresses), while the loss per attack increased significantly, with the largest single theft amounting to $55.48M USD.
This report focuses on EVM-compatible chains.
Key Data Comparison
2024 Key Indicators
- Total Loss: $494M USD, up 67%
- Number of Victims: 332,000 addresses, up 3.7%
- Largest Single Theft: $55.48M USD
- Number of Large-scale Thefts: 30
Major Events of the Year
- Q1: Bitcoin price reached all-time high, increased on-chain activity led to rise in phishing
- Q2: Pink Drainer announced exit
- Q3: Market adjustment, phishing activities cooled down, but occasional large-scale incidents occurred
- Q4: Inferno Drainer claimed exit, taken over by Angel
Next, we will analyze in detail the loss data behind these events to reveal trends and potential risks.
Loss Analysis
Monthly Overall Loss Trends
The year’s attack activities can be divided into three phases:
- First quarter saw the heaviest losses, reaching $187.2 million with 175,000 victims. March recorded the highest losses at $75.2 million.
- Second and third quarters combined losses totaled $257 million, with victims decreasing to 90,000.
- Fourth quarter losses dropped to $51 million with victims reducing to 30,000, indicating improved security.
Major Case Analysis
30 cases exceeding $1 million occurred throughout the year, with total losses of $171 million.
Major Theft Monthly Trend Analysis:
Large-scale theft incidents in 2024 showed distinct phases. The first half (January-June) saw frequent but smaller-scale incidents, with individual losses ranging from $1-8M.
The peak period occurred during July-September, with major losses of $55.48M and $32.51M in August and September respectively, accounting for 52% of the year’s total large-scale losses.
The final quarter showed a significant reduction in both frequency and scale, with individual losses mostly ranging from $2-6M, indicating an overall improvement in market security awareness.
Loss Distribution Characteristics:
- Chain Distribution:
  - Ethereum (25 cases, 85.3%), losses of $152 million
  - Arbitrum (2 cases, $3.55M)
  - Blast (1 case, $5.87M)
  - Base (1 case, $1.2M)
  - BNB Chain (1 case, $7.88M)
- Asset Types:
  - Staking & Restaking (40.9%)
  - Stablecoin (33.5%)
  - Aave Collateral (10.7%)
  - Pendle Yield (9.3%)
  - Others (5.6%)
- Phishing Signature Types:
  - Permit (56.7%)
  - setOwner (31.9%)
  - Transfer (4.5%)
  - increaseAllowance (3.5%)
  - Others (3.4%)
Wallet Drainer Evolution
The attack landscape evolved significantly throughout the year, marked by several key transitions:
- Pink’s Exit (End of May): Held 28% market share, which was subsequently absorbed by Inferno
- Angel’s Takeover of Inferno (End of October): Angel’s share decreased while Inferno maintained 40-45% market share
Market Structure Evolution
- Q1-Q2: Three major players dominated (Angel: 42%, Pink: 28%, Inferno: 22%)
- Q3: Dual competition (Inferno: 43%, Angel: 25%)
- Q4: New landscape (Inferno and Angel: 45%, Acedrainer: 20%, Other new Drainers: 25%)
Distribution Channel Analysis
Common Traffic Sources for Phishing Websites
Phishing websites primarily acquire traffic through these channels:
- Hacking: Official project Discord and Twitter accounts compromised, frontend or supply chain attacks
- Organic Traffic: NFT or token airdrops, expired Discord links being taken over
- Paid Traffic: Google Search/Twitter/Telegram advertisements
- Others: Email/Social Media/IM private messages/other sources
Phishing Website Activity Analysis
Q1 showed the highest phishing website activity for the year, explaining the high theft losses during this period. Due to market adjustments and the exit of major Drainers like Pink and Inferno, overall activity levels in the second half of the year were lower than in the first half.
Hosting Services & Domain Registrar Distribution
Most phishing websites are deployed on:
- Cloudflare
- Vercel
- IPFS
Major domain registrars include:
- OwnRegistrar
- Hostinger
- NameSilo
- Tucows
X Platform Fake Account Trends
Account activity largely mirrored phishing website trends:
- More active in the first half of the year
- Significant decline in July due to X platform’s increased crackdown on fake accounts and overall crypto market adjustment
- Gradual increase after September and October as market conditions improved
Phishing Signature Methods
Permit remains the primary method for token phishing attacks.
Notably, the setOwner phishing signature targeting Proxy ownership modification led to a significant incident in August, resulting in a single victim losing $55 million in DAI.
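The following is an added example, not ScamSniffer's code or part of the original report. It sketches how a wallet-side check could flag the signature types listed above before the user signs. The function names, finding labels, trusted-spender set and sample requests are assumptions made for illustration, and the Permit2 type names (PermitSingle, PermitBatch) go beyond the plain Permit case the report names.

```javascript
// Added example (not ScamSniffer code). Selectors are the standard 4-byte
// selectors of the named functions; the sample requests are constructed.
const RISKY_SELECTORS = {
  "0xd505accf": "permit",            // permit(address,address,uint256,uint256,uint8,bytes32,bytes32)
  "0x13af4035": "setOwner",          // setOwner(address)
  "0xa9059cbb": "transfer",          // transfer(address,uint256)
  "0x39509351": "increaseAllowance", // increaseAllowance(address,uint256)
};
// EIP-2612 / DAI-style "Permit" plus the Permit2 primary types.
const PERMIT_TYPES = new Set(["Permit", "PermitSingle", "PermitBatch"]);
const MAX_UINT256 = (1n << 256n) - 1n;

// True when the permit message grants an unbounded allowance.
function isUnlimited(msg) {
  if (msg.allowed === true) return true; // DAI-style permit uses a boolean
  try { return BigInt(msg.value) === MAX_UINT256; } catch { return false; }
}

// Returns a list of findings for one JSON-RPC request coming from a dapp.
function classifyRequest(req, trustedSpenders = new Set()) {
  const findings = [];
  if (req.method === "eth_signTypedData_v4") {
    let data = req.params[1]; // may arrive as a JSON string or an object
    if (typeof data === "string") data = JSON.parse(data);
    if (PERMIT_TYPES.has(data.primaryType)) {
      const msg = data.message || {};
      findings.push("permit:" + data.primaryType);
      if (!trustedSpenders.has(String(msg.spender).toLowerCase())) findings.push("untrusted-spender");
      if (isUnlimited(msg)) findings.push("unlimited-allowance");
    }
  } else if (req.method === "eth_sendTransaction") {
    const input = String(req.params[0].data || req.params[0].input || "0x").toLowerCase();
    const name = RISKY_SELECTORS[input.slice(0, 10)];
    if (name) findings.push("call:" + name);
  }
  return findings;
}

// Constructed samples: placeholder addresses, no real contracts.
const PLACEHOLDER = "0x" + "11".repeat(20);
const samplePermit = { method: "eth_signTypedData_v4", params: [PLACEHOLDER, JSON.stringify({
  primaryType: "Permit",
  message: { owner: PLACEHOLDER, spender: "0x" + "22".repeat(20), value: MAX_UINT256.toString(), nonce: 0, deadline: 9999999999 },
})] };
const sampleSetOwner = { method: "eth_sendTransaction",
  params: [{ to: PLACEHOLDER, data: "0x13af4035" + "22".repeat(20).padStart(64, "0") }] };

console.log(classifyRequest(samplePermit), classifyRequest(sampleSetOwner));
```

A wallet would surface these findings in the signing prompt or block the request outright; the selector check only sees the outermost call, so calls wrapped in a multicall or proxy `execute` need decoding first.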
Detection Bypass
As wallets increase investment in phishing security, Wallet Drainers continue to develop new bypass methods, including:
- Exploiting wallet normalization processes to initiate signatures that wallets can process but security detection layers might miss
- Using legitimate contracts and adding Cloudflare or fake CAPTCHA pages to prevent detection
- Attempting to bypass wallet blacklists through XSS vulnerabilities
- Deceiving wallet simulation results
This remains an ongoing cat-and-mouse game between attackers and defenders.
Security Recommendations
User Security Guidelines
Web3 security requires both tool protection and proper security awareness and habits. While enjoying Web3 innovation benefits, always prioritize security and remain vigilant. In the decentralized world, everyone is ultimately responsible for protecting their own assets.
Wallet Development Security Guidelines
As crucial entry points to the Web3 world, wallets play a key role in protecting user assets. By establishing comprehensive security strategies, continuously upgrading protection capabilities, and actively adopting industry-leading security solutions, wallets can provide users with a more secure and reliable service environment. This is not just a responsibility but also a necessary condition for maintaining advantages in a highly competitive market.
Future Outlook
As of 2024, known losses from phishing signature attacks have reached $790 million. Although these types of attacks decreased in the second half of the year, this might indicate that attackers are shifting towards other attack methods, such as malware and other more covert approaches.
As the Web3 ecosystem continues to develop, the challenges of protecting user assets remain. Regardless of how attack methods evolve, continuous security awareness and building protective capabilities remain key to safeguarding assets.
Platform Impact
In 2024, ScamSniffer achieved significant operational milestones in protecting the Web3 ecosystem:
Threat Detection
- Scanned over 40 million URLs
- Blocked more than 290,000 malicious domains
- Monitored 25,000+ phishing addresses
- Tracked & alerted 30 major theft cases exceeding $1M each
Security Operations
- Conducted over 1 billion security checks
- Analyzed 50M+ signature requests
- Prevented 2.5M+ suspicious transactions
- Flagged 1.4M+ phishing tweets
- Detected 580,000+ impersonation attempts
Ecosystem Integration
- Provided security API services to more than 10 major Web3 projects
- Protected millions of users through wallet partnerships
These metrics demonstrate ScamSniffer’s substantial contribution to Web3 security and its role in building a safer decentralized ecosystem.
About ScamSniffer
ScamSniffer is a security platform focused on Web3 anti-scam, providing real-time anti-scam protection by combining off-chain and on-chain monitoring data.
Our browser security extension helps users identify phishing websites and suspicious transactions, providing comprehensive protection for Web3 users.
Our security solutions have been adopted by wallets including Binance, Bybit, OneKey, Phantom, TokenPocket, and others, protecting millions of Web3 users monthly from phishing and fraud threats.
We are committed to building a safer Web3 ecosystem for the next billion users.