
Unraveling Hacking Incidents Involving Drainers: Insights and Prevention

MetaSleuth
April 12, 2024

Recently, an increasing number of scammers have been using drainer toolkits to launch Web3 phishing websites. These phishing websites automatically prompt users to connect their wallets, scan the wallets for valuable tokens, and generate phishing transactions. Initially, scammers promoted these phishing sites directly on social media platforms. However, as Web3 users have become more cautious, it has become harder for them to profit in this manner. Drainer operators have now shifted tactics, resorting to hacking popular projects' Discord servers, Twitter accounts, email databases, official websites, and software supply chains. They exploit the traffic and trust associated with these platforms to promote phishing websites on a large scale. Consequently, these hacking incidents have led to substantial losses for users. The table below summarizes several hacking incidents and the related wallet drainers. In this blog, we outline the methods used by the hackers and seek to raise users' awareness of these tactics.

Hacking Targets       | Related Drainers | Examples
----------------------|------------------|------------------------------------------------
Discord Server        | Pink Drainer     | Pika Protocol, Evmos, Orbiter Finance, Cherry Network
Twitter Account       | Pink Drainer     | DJ Steve Aoki, OpenAI CTO, Slingshot, UniSat
Official Website      | Angel Drainer    | Galxe, Balancer, Frax Finance
Software Supply Chain | Angel Drainer    | Ledger Connect Kit
Email Database        | Pink Drainer     | MailerLite Database

On May 31st, 2023, Pika Protocol's Discord was hacked. A phishing website, deployed by Pink Drainer, was disseminated within its official Discord group. Subsequent analysis revealed that the Discord server administrator had been instructed to visit a deceptive website that contained a malicious JavaScript snippet. The administrator was then induced to execute it through actions such as clicking on buttons or adding bookmarks, after which the administrator's Discord token was stolen. Several other popular Web3 projects experienced similar hacking incidents during that period.

On May 26th, 2023, the Twitter account of Steve Aoki was compromised and posted a message containing a phishing website, leading to cryptocurrency investors losing $170,000. Transactions of the victim accounts indicated a connection to Pink Drainer. Further scrutiny of the phishing account's transactions revealed that the Twitter account breach was the result of a SIM swap attack. In a SIM swap attack, the scammer uses social engineering methods, often drawing on the victim's personal details, to persuade the telephone company to transfer the victim's phone number to the scammer's SIM card. Once successful, the scammer can take control of the victim's Twitter account. Similar hacking incidents also occurred with the Twitter accounts of OpenAI CTO, Slingshot, and Vitalik Buterin, all related to Pink Drainer.

On October 6th, 2023, the official website of Galxe was redirected to a phishing website, resulting in a financial loss of $270,000 for the victims. According to the official explanation, an unidentified individual posed as an authorized Galxe representative and contacted the domain service provider with a request to reset the login credentials. Specifically, the impostor submitted fake documentation to the domain service provider, successfully circumventing their security procedures and obtaining unauthorized access to the domain account. The victim accounts' transactions also revealed that this incident was launched by Angel Drainer. Balancer and Frax Finance also fell victim to similar hacking methods employed by Angel Drainer.

On December 14th, 2023, Ledger detected an exploit of Ledger Connect Kit, a JavaScript library designed to facilitate connections between websites and wallets. The exploit occurred because a former employee was targeted by a phishing attack, enabling a bad actor to upload a malicious file to Ledger's NPMJS repository. The compromised library let the hackers inject a malicious script into the popular cryptocurrency websites that loaded it, so users were prompted to sign phishing transactions with phishing accounts. More than $600k was pilfered from users across various cryptocurrency platforms, including SushiSwap and Revoke.cash. Additionally, the phishing account's transaction records indicated that this incident was launched by Angel Drainer.
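The Ledger Connect Kit incident shows the two ways a poisoned npm release reaches end users without any change to the consuming project's code: a floating version range (or a lockfile without integrity hashes) lets `npm install` resolve to the new malicious release, and a library fetched at runtime from a CDN bypasses the lockfile altogether. The following audit helper is an added example written for this post; it is not code from Ledger or from the original article. It assumes an already-parsed `package.json` and a `package-lock.json` in the lockfileVersion 2/3 layout (where entries live under `packages["node_modules/<name>"]`), and the package names, URLs and hashes in the sample inputs are constructed placeholders.

```javascript
// Added example: audit a project's dependency manifest, lockfile and page HTML
// for the conditions that let a freshly published malicious package version
// be pulled in without a code review. Constructed sample inputs follow.

// An exact semver version (optionally with prerelease/build suffix). Anything
// else ("^1.1.0", "~2.0.0", "*", "latest", git/http URLs) is not pinned.
const EXACT_VERSION = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/;

// Returns a list of findings; an empty list means every declared dependency is
// pinned to an exact version and has a lock entry with an integrity hash.
function auditDependencies(packageJson, lockfile) {
  const findings = [];
  const declared = {
    ...(packageJson.dependencies || {}),
    ...(packageJson.devDependencies || {}),
  };
  const packages = lockfile.packages || {};

  for (const [name, range] of Object.entries(declared)) {
    // 1. A floating range lets `npm install` resolve to a release newer than
    //    the one that was reviewed (e.g. one pushed by a stolen publish token).
    if (!EXACT_VERSION.test(range)) {
      findings.push({ name, kind: 'floating-range', detail: range });
    }
    // 2. The lock entry's integrity hash is what ties the install to the exact
    //    tarball that was reviewed; without it, only the version string is checked.
    const entry = packages[`node_modules/${name}`];
    if (!entry) {
      findings.push({ name, kind: 'missing-lock-entry', detail: range });
    } else if (!entry.integrity || !/^sha(256|384|512)-/.test(entry.integrity)) {
      findings.push({ name, kind: 'missing-integrity', detail: entry.version });
    }
  }
  return findings;
}

// Scans page HTML for third-party <script src> tags that lack an integrity
// attribute. A script fetched at runtime from a CDN is never covered by the
// lockfile, so Subresource Integrity is the only thing pinning its content.
function findUnpinnedScripts(html, firstPartyOrigin) {
  const unpinned = [];
  for (const m of html.matchAll(/<script\b[^>]*>/gi)) {
    const tag = m[0];
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(tag);
    if (!src) continue; // inline script, nothing is fetched
    const url = src[1];
    const isThirdParty = /^(https?:)?\/\//i.test(url) && !url.startsWith(firstPartyOrigin);
    const hasIntegrity = /\bintegrity\s*=\s*["']sha(256|384|512)-/i.test(tag);
    if (isThirdParty && !hasIntegrity) unpinned.push(url);
  }
  return unpinned;
}

// Constructed sample inputs (hypothetical package names and hashes).
const SAMPLE_PACKAGE_JSON = {
  dependencies: {
    'example-wallet-kit': '^1.1.0', // floating: auto-upgrades on the next install
    'example-utils': '2.0.0',       // pinned, but see the lockfile below
    'example-stale': '3.1.4',       // pinned, but never recorded in the lockfile
  },
};
const SAMPLE_LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    'node_modules/example-wallet-kit': { version: '1.1.5', integrity: 'sha512-constructedPlaceholderHash==' },
    'node_modules/example-utils': { version: '2.0.0' }, // no integrity recorded
  },
};
const SAMPLE_HTML = `
<script src="https://app.example/static/main.js" integrity="sha384-constructedHash"></script>
<script src="https://cdn.example/some-kit@latest/dist/umd/index.js"></script>
<script src="https://cdn.example/lib.js" integrity="sha256-constructedHash"></script>
<script>console.log('inline')</script>
`;

console.log(auditDependencies(SAMPLE_PACKAGE_JSON, SAMPLE_LOCKFILE));
console.log(findUnpinnedScripts(SAMPLE_HTML, 'https://app.example'));
```

Run against the constructed inputs, the audit reports three findings (a floating range, a lock entry without an integrity hash, and a declared dependency with no lock entry at all) and one CDN script with no `integrity` attribute. In a real pipeline these checks belong in CI so that a lockfile or HTML change that weakens pinning fails the build rather than shipping.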

On January 23rd, 2024, numerous emails were dispatched from the official accounts of WalletConnect, Token Terminal, and De.Fi, each containing malicious links housing wallet drainers provided by Pink Drainer. This happened because their email service provider, MailerLite, had been compromised via a social engineering attack. Specifically, a team member inadvertently clicked on an image linked to a fraudulent Google sign-in page, granting the attackers access to MailerLite's internal admin panel. The hackers then escalated their control by resetting the password of a specific user through the admin panel, leading to the leakage of the email database and the dissemination of phishing emails.

The developers of wallet drainers are continually devising new methods to hack into prominent projects and disseminate phishing websites through those projects' traffic. We'll stay alert, continuously monitoring phishing accounts and the transactions related to them. We encourage users to be cautious and to carefully scrutinize transaction details before proceeding with any action. This blog strives to help users understand the methodologies used to hack projects and to safeguard themselves against drainer-related phishing transactions.
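The phishing transactions generated by these drainers, whether delivered through a hijacked Discord, a hijacked domain or a poisoned library, are ordinary token approvals and transfers whose danger is only visible in the calldata. The decoder below is an added example for this post (not code from the original article or from any wallet vendor) of the check a user or wallet extension can run before signing: it decodes the standard ERC-20 `approve(address,uint256)`, ERC-721/1155 `setApprovalForAll(address,bool)` and ERC-20 `transfer(address,uint256)` calldata with plain BigInt arithmetic and flags unlimited allowances and operator grants to spenders the user has never trusted. The selectors are the standard ones; the spender address and calldata in the samples are constructed placeholders, and `trustedSpenders` is a hypothetical allowlist the caller maintains.

```javascript
// Added example: decode the calldata of a pending transaction and flag the
// approval patterns wallet drainers rely on. Pure JavaScript/BigInt; no
// Ethereum library required. Selectors are the standard ERC-20/721 ones:
//   approve(address,uint256)        -> 0x095ea7b3
//   setApprovalForAll(address,bool) -> 0xa22cb465
//   transfer(address,uint256)       -> 0xa9059cbb
const SELECTORS = { '095ea7b3': 'approve', 'a22cb465': 'setApprovalForAll', 'a9059cbb': 'transfer' };
const MAX_UINT256 = (1n << 256n) - 1n;

// i-th 32-byte ABI word after the 4-byte selector (data has no 0x prefix).
const word = (data, i) => data.slice(8 + i * 64, 8 + (i + 1) * 64);
const wordToAddress = (w) => '0x' + w.slice(24).toLowerCase();
const wordToBigInt = (w) => BigInt('0x' + w);

// Returns { action, spender?, amount?, risk, reasons }. trustedSpenders is a
// hypothetical allowlist of addresses the user has deliberately approved before.
function scrutinizeCalldata(calldataHex, trustedSpenders = []) {
  const data = calldataHex.replace(/^0x/i, '').toLowerCase();
  const trusted = trustedSpenders.map((s) => s.toLowerCase());
  const reasons = [];
  const result = { action: 'unknown', risk: 'review', reasons };

  if (data.length === 0) {
    // Empty calldata: a plain native-value transfer; recipient/amount live in the tx fields.
    result.action = 'native-transfer';
    reasons.push('native value transfer; confirm recipient and amount');
    return result;
  }
  const action = SELECTORS[data.slice(0, 8)];
  if (!action || data.length < 8 + 2 * 64) {
    reasons.push(`unrecognized or truncated call (selector 0x${data.slice(0, 8)})`);
    return result;
  }
  result.action = action;
  const target = wordToAddress(word(data, 0));
  const value = wordToBigInt(word(data, 1));
  const isTrusted = trusted.includes(target);

  if (action === 'approve') {
    result.spender = target;
    result.amount = value;
    const unlimited = value === MAX_UINT256;
    if (unlimited) reasons.push('unlimited token allowance');
    if (!isTrusted) reasons.push('spender not in trusted list');
    result.risk = unlimited && !isTrusted ? 'high' : reasons.length ? 'medium' : 'low';
  } else if (action === 'setApprovalForAll') {
    result.spender = target;
    result.approved = value !== 0n;
    if (!result.approved) {
      result.risk = 'low'; // revoking an operator is the safe direction
    } else if (!isTrusted) {
      reasons.push('grants control of every NFT in the collection to an untrusted operator');
      result.risk = 'high';
    } else {
      result.risk = 'medium';
    }
  } else {
    result.recipient = target;
    result.amount = value;
    reasons.push('direct token transfer; confirm recipient and amount');
  }
  return result;
}

// Constructed sample calldata (placeholder spender address, not a real contract).
const SPENDER = '1111111111111111111111111111111111111111';
const SAMPLE_UNLIMITED_APPROVE = '0x095ea7b3' + '0'.repeat(24) + SPENDER + 'f'.repeat(64);
const SAMPLE_LIMITED_APPROVE = '0x095ea7b3' + '0'.repeat(24) + SPENDER + (1000n).toString(16).padStart(64, '0');
const SAMPLE_SET_APPROVAL_FOR_ALL = '0xa22cb465' + '0'.repeat(24) + SPENDER + '0'.repeat(63) + '1';

console.log(scrutinizeCalldata(SAMPLE_UNLIMITED_APPROVE));
console.log(scrutinizeCalldata(SAMPLE_LIMITED_APPROVE, ['0x' + SPENDER]));
console.log(scrutinizeCalldata(SAMPLE_SET_APPROVAL_FOR_ALL));
```

The unlimited approval to an unknown spender and the `setApprovalForAll` grant both come back as high risk, while a bounded allowance to a spender on the allowlist is low risk. A wallet that surfaces these reasons next to the signing prompt gives the user the "scrutinize transaction details" step above in concrete form, rather than a raw hex blob.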

About BlockSec

BlockSec is a pioneering blockchain security company established in 2021 by a group of globally distinguished security experts. The company is committed to enhancing security and usability for the emerging Web3 world in order to facilitate its mass adoption. To this end, BlockSec provides smart contract and EVM chain security auditing services, the Phalcon platform for secure development and proactive threat blocking, the MetaSleuth platform for fund tracking and investigation, and the MetaSuites extension, which helps Web3 builders navigate the crypto world efficiently.

To date, the company has served over 300 esteemed clients such as MetaMask, Uniswap Foundation, Compound, Forta, and PancakeSwap, and received tens of millions of US dollars in two rounds of financing from preeminent investors, including Matrix Partners, Vitalbridge Capital, and Fenbushi Capital.

Official website: https://blocksec.com/

Official Twitter account: https://twitter.com/BlockSecTeam
