Demystifying Hacking Incidents by Drainers

4 min readApr 15, 2024


An Overview of Drainer-Related Hacking Incidents Targeting Web3 Users

Recently, an increasing number of scammers are employing drainer toolkits to launch Web3 phishing websites. Specifically, these phishing websites automatically prompt users to connect wallet, scan their valuable tokens, and generate phishing transactions. Initially, scammers promote these phishing sites directly on social media platforms. However, due to increasing caution among Web3 users, it has become challenging for them to profit in this manner. Now, drainers have shifted tactics, resorting to hacking popular projects, Discord servers, Twitter accounts, email database, official websites, and software supply chain. They exploit the traffic and trust associated with these platforms to promote phishing websites on a large scale. Consequently, these hacking incidents have led to substantial losses for users. The table below summarizes several hacking incidents and related wallet drainers. In this blog, we outline the methods used by hackers and seek to enhance users’ awareness of these tactics.

Hacking Incidents and Related Attackers Targeting Various Platforms and Databases

Section 1: Discord Server Hacking Incident

On May 31st, 2023, Pika Protocol’s Discord was hacked. A phishing website, deployed by Pink Drainer, was disseminated within its official Discord group. Subsequent analysis revealed that the Discord server administrator was instructed to visit a deceptive website that contained a malicious JavaScript snippet. The administrator was then induced to execute it via actions such as clicking on buttons or adding bookmarks. After that, the discord token was stolen. Several popular Web3 projects also experienced similar hacking incidents during that period.

Section 2: Twitter Account Hacking Incident

On May 26th, 2023, the Twitter account of Steve Aoki was compromised and posted a message containing a phishing website, leading to cryptocurrency investors losing $170,000. Transactions of the victim accounts indicated a connection to Pink Drainer. Further scrutiny of the phishing account’s transactions revealed that the Twitter account breach was a result of a SIM swap attack. In the SIM swap attack, the scammer employs social engineering methods, often utilizing victims’ personal details, to persuade the telephone company to transfer the victim’s phone number to the scammer’s SIM card. Once successful, the scammer can take control of the victim’s Twitter account. Similar hacking incidents also occurred with Twitter accounts of OpenAI CTO, Slingshot, and Vitalik Buterin, all related with Pink Drainer.

Section 3: Official Website Hacking Incident

On October 6th, 2023, the official website of Galxe was redirected to a phishing website, resulting in a financial loss of $270,000 for the victims. According to the official explanation, an unidentified individual posed as an authorized Galxe representative and contacted the domain service provider, with a request to reset login credentials. Specifically, the impostor submitted fake documentation to the domain service provider, successfully circumventing their security procedures and obtaining unauthorized access to the domain account. The victim account’s transaction also revealed that this incident was launched by Angel Drainer. Furthermore, Balancer and Frax Finance also fell victim to similar hacking methods employed by Angel Drainer.

Section 4: Software Supply Chain Hacking Incident

On December 14th, 2023, an exploit was detected on Ledger Connect Kit, a JavaScript library designed to facilitate connections between websites and wallets, by Ledger. The exploit occurred due to a former employee being targeted by a phishing attack, enabling a bad actor to upload a malicious file to Ledger’s NPMJS repository. The compromised library enabled hackers to inject a malicious script into these popular cryptocurrency websites. Consequently, users may be prompted to sign a phishing transaction with phishing accounts. More than $600k has been pilfered from users across various cryptocurrency platforms, including SushiSwap and Additionally, the phishing account’s transaction records indicated that this incident was launched by Angel Drainer.

Section 5: Email Database Hacking Incident

On January 23rd, 2024, numerous emails were dispatched from the official accounts of WalletConnect, Token Terminal, and De.Fi, each containing malicious links housing wallet drainers provided by Pink Drainer. And this was due to their email manager, MailerLite was compromised via a social engineering attack. Specifically, a team member inadvertently clicked on an image linked to a fraudulent Google sign-in page, granting attackers access to MailerLite’s internal admin panel. Subsequently, the hackers escalated their control by resetting the password of a specific user through the admin panel, leading to the leakage of their email database and the dissemination of phishing emails.

Enhancing User Awareness and Protection Against Drainer-Related Hacking Incidents in Web3

The developers of wallet drainers are continually devising new methods to hack into prominent projects and disseminate phishing websites through their traffic. We’ll stay alert, continuously monitoring phishing accounts and transactions related to them. We encourage users to be cautious and carefully scrutinize transaction details before proceeding with any actions. This blog strives to assist users in comprehending the methodologies used to hack projects and in safeguarding themselves against drainer-related phishing transactions.

About BlockSec

BlockSec is a pioneering blockchain security company established in 2021 by a group of globally distinguished security experts. The company is committed to enhancing security and usability for the emerging Web3 world in order to facilitate its mass adoption. To this end, BlockSec provides smart contract and EVM chain security auditing services, the Phalcon platform for security development and blocking threats proactively, the MetaSleuth platform for fund tracking and investigation, and MetaSuites extension for web3 builders surfing efficiently in the crypto world.

To date, the company has served over 300 esteemed clients such as MetaMask, Uniswap Foundation, Compound, Forta, and PancakeSwap, and received tens of millions of US dollars in two rounds of financing from preeminent investors, including Matrix Partners, Vitalbridge Capital, and Fenbushi Capital.

Official website:

Official Twitter account:




The BlockSec focuses on the security of the blockchain ecosystem and the research of DeFi attack monitoring and blocking.