A client connected a self-custody wallet to a site advertising a token airdrop and signed what looked like a routine approval. Within seconds, tens of thousands of dollars in ETH and tokens left the wallet.
What we found. The site was a wallet drainer. The signature the client approved granted a malicious contract permission to move specific tokens, which it did immediately and automatically. No seed phrase was ever exposed — a single approval was enough.
What we did.
- Identified the drainer contract and the exact approval transaction.
- Traced the outflow to a drainer-as-a-service cluster we already track.
- Found a portion of the proceeds routed to a centralized exchange deposit address.
- Revoked the remaining live approvals on the client wallet to stop any further draining.
The outcome. The exchange froze the linked deposit pending review, and the revocation work ensured the wallet could not be drained again from the same permission. Part of the loss was traced to a regulated off-ramp; the remainder was documented for ongoing monitoring.
The takeaway. A signature can be as dangerous as a seed phrase. Review every approval, revoke permissions you no longer use, and treat unexpected airdrop sites as hostile by default.
Client and identifying details have been anonymized to protect confidentiality. CryptoCISO does not guarantee recovery; outcomes depend on the specific facts of each case.