Unraveling Hacking Incidents Involving Drainers: Insights and Prevention

MetaSleuth
April 12, 2024

Recently, an increasing number of scammers have been using drainer toolkits to launch Web3 phishing websites. These phishing websites automatically prompt users to connect their wallets, scan for their valuable tokens, and generate phishing transactions. Initially, scammers promoted these phishing sites directly on social media platforms. However, as Web3 users have grown more cautious, it has become harder to profit this way. Drainers have therefore shifted tactics, resorting to hacking popular projects' Discord servers, Twitter accounts, email databases, official websites, and software supply chains. They exploit the traffic and trust associated with these channels to promote phishing websites at scale, and these hacking incidents have led to substantial losses for users. The table below summarizes several hacking incidents and the related wallet drainers. In this blog, we outline the methods used by the hackers and aim to raise users' awareness of these tactics.

| Hacking Targets | Related Drainers | Examples |
| --- | --- | --- |
| Discord Server | Pink Drainer | Pika Protocol, Evmos, Orbiter Finance, Cherry Network |
| Twitter Account | Pink Drainer | DJ Steve Aoki, OpenAI CTO, Slingshot, UniSat |
| Official Website | Angel Drainer | Galxe, Balancer, Frax Finance |
| Software Supply Chain | Angel Drainer | Ledger Connect Kit |
| Email Database | Pink Drainer | MailerLite Database |

On May 31st, 2023, Pika Protocol’s Discord was hacked. A phishing website, deployed by Pink Drainer, was disseminated within its official Discord group. Subsequent analysis revealed that the Discord server administrator had been instructed to visit a deceptive website that contained a malicious JavaScript snippet. The administrator was then induced to execute it, for example by clicking buttons or adding it as a bookmark, after which the administrator's Discord token was stolen. Several other popular Web3 projects experienced similar hacking incidents during that period.

On May 26th, 2023, the Twitter account of Steve Aoki was compromised and posted a message containing a phishing website, leading to cryptocurrency investors losing $170,000. Transactions of the victim accounts indicated a connection to Pink Drainer. Further scrutiny of the phishing account’s transactions revealed that the Twitter account breach was the result of a SIM swap attack. In a SIM swap attack, the scammer uses social engineering, often drawing on the victim’s personal details, to persuade the telephone company to transfer the victim’s phone number to the scammer’s SIM card. Once successful, the scammer can take control of the victim’s Twitter account. Similar hacking incidents also occurred with the Twitter accounts of the OpenAI CTO, Slingshot, and Vitalik Buterin, all linked to Pink Drainer.

On October 6th, 2023, the official website of Galxe was redirected to a phishing website, resulting in a financial loss of $270,000 for the victims. According to the official explanation, an unidentified individual posed as an authorized Galxe representative and contacted the domain service provider with a request to reset the login credentials. Specifically, the impostor submitted fake documentation to the domain service provider, successfully circumventing its security procedures and obtaining unauthorized access to the domain account. The victim accounts’ transactions also revealed that this incident was launched by Angel Drainer. Balancer and Frax Finance also fell victim to similar hacking methods employed by Angel Drainer.

On December 14th, 2023, Ledger detected an exploit of Ledger Connect Kit, a JavaScript library that facilitates connections between websites and wallets. The exploit occurred because a former employee was targeted by a phishing attack, enabling a bad actor to upload a malicious file to Ledger's NPMJS repository. The compromised library let the hackers inject a malicious script into the popular cryptocurrency websites that embedded it, so users could be prompted to sign a phishing transaction with phishing accounts. More than $600k was stolen from users across various cryptocurrency platforms, including SushiSwap and Revoke.cash. Additionally, the phishing account’s transaction records indicated that this incident was launched by Angel Drainer.

On January 23rd, 2024, numerous emails were dispatched from the official accounts of WalletConnect, Token Terminal, and De.Fi, each containing malicious links hosting wallet drainers provided by Pink Drainer. This happened because their email service provider, MailerLite, had been compromised through a social engineering attack. Specifically, a team member inadvertently clicked on an image linked to a fraudulent Google sign-in page, granting the attackers access to MailerLite's internal admin panel. The hackers then escalated their control by resetting the password of a specific user through the admin panel, leading to the leakage of the email database and the dissemination of phishing emails.

The developers of wallet drainers are continually devising new methods to hack into prominent projects and disseminate phishing websites through their traffic. We'll stay alert, continuously monitoring phishing accounts and transactions related to them. We encourage users to be cautious and carefully scrutinize transaction details before proceeding with any actions. This blog strives to assist users in comprehending the methodologies used to hack projects and in safeguarding themselves against drainer-related phishing transactions.
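Acting on the advice above, a defender-side pre-signing check, added here as an example and not part of the original post: it decodes the calldata of a pending transaction and flags the approval patterns the drainer phishing transactions described in this post rely on (an unlimited ERC-20 `approve`, or an ERC-721/ERC-1155 `setApprovalForAll` granted to an unknown operator). The 4-byte selectors are the standard token-interface ones; the sample calldata and the trusted-spender list are constructed.

```javascript
// Added example (not from the original post): decode a pending transaction's
// calldata and flag the approval patterns drainer phishing sites rely on.
// Selectors are the standard ERC-20/721/1155 ones (first 4 bytes of
// keccak256 of the signature); sample calldata and spender list are constructed.
const MAX_UINT256 = (1n << 256n) - 1n;
const SELECTORS = {
  "0x095ea7b3": "approve(address,uint256)",        // ERC-20 allowance / ERC-721 tokenId
  "0xa22cb465": "setApprovalForAll(address,bool)", // ERC-721 / ERC-1155 operator
  "0xa9059cbb": "transfer(address,uint256)",       // ERC-20
};

// ABI words are 32 bytes (64 hex chars); addresses are right-aligned in the word.
function wordToAddress(body, i) {
  return "0x" + body.slice(i * 64 + 24, i * 64 + 64);
}
function wordToUint(body, i) {
  return BigInt("0x" + body.slice(i * 64, i * 64 + 64));
}

// Classify one calldata hex string. `trustedSpenders` is a Set of lowercase
// addresses the user deliberately interacts with (e.g. a known DEX router).
function assessCalldata(data, trustedSpenders = new Set()) {
  const hex = data.toLowerCase();
  const selector = hex.slice(0, 10);
  const body = hex.slice(10);
  const name = SELECTORS[selector] || "unknown";
  const verdict = (risk, reason) => ({ selector, name, risk, reason });
  if (name === "unknown") return verdict("unknown", "selector not recognised; inspect manually");
  if (body.length < 128) return verdict("unknown", "truncated calldata");
  const target = wordToAddress(body, 0);
  const value = wordToUint(body, 1);
  if (name.startsWith("approve(")) {
    if (trustedSpenders.has(target)) return verdict("low", `approval to known contract ${target}`);
    if (value === MAX_UINT256) return verdict("high", `unlimited allowance to unknown spender ${target}`);
    return verdict("medium", `allowance of ${value} to unknown spender ${target}`);
  }
  if (name.startsWith("setApprovalForAll(")) {
    if (value !== 1n) return verdict("low", `revokes operator ${target}`);
    if (trustedSpenders.has(target)) return verdict("low", `known operator ${target}`);
    return verdict("high", `hands every token of the collection to unknown operator ${target}`);
  }
  return verdict("medium", `direct transfer of ${value} to ${target}`);
}

// Constructed samples: unlimited approve to 0x11..11, setApprovalForAll(0x22..22, true).
const SAMPLE_APPROVE_MAX = "0x095ea7b3" + "0".repeat(24) + "1".repeat(40) + "f".repeat(64);
const SAMPLE_SET_ALL = "0xa22cb465" + "0".repeat(24) + "2".repeat(40) + "0".repeat(63) + "1";
console.log(assessCalldata(SAMPLE_APPROVE_MAX));
console.log(assessCalldata(SAMPLE_SET_ALL, new Set(["0x" + "2".repeat(40)])));
```

A wallet or browser extension would run such a check before showing the signing prompt; the output is meant to be a warning for the user, not a silent block.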

About BlockSec

BlockSec is a pioneering blockchain security company established in 2021 by a group of globally distinguished security experts. The company is committed to enhancing security and usability for the emerging Web3 world in order to facilitate its mass adoption. To this end, BlockSec provides smart contract and EVM chain security auditing services, the Phalcon platform for secure development and proactive threat blocking, the MetaSleuth platform for fund tracking and investigation, and the MetaSuites extension for Web3 builders navigating the crypto world efficiently.

To date, the company has served over 300 esteemed clients such as MetaMask, Uniswap Foundation, Compound, Forta, and PancakeSwap, and received tens of millions of US dollars in two rounds of financing from preeminent investors, including Matrix Partners, Vitalbridge Capital, and Fenbushi Capital.

Official website: https://blocksec.com/

Official Twitter account: https://twitter.com/BlockSecTeam
