Security researchers have tied more than 236,000 active websites to a single scam kit designed to quietly drain visitors’ crypto wallets. The scale of the operation shows how industrialized wallet theft has become, with turnkey templates letting low-skill criminals spin up convincing fake sites in minutes. For anyone who uses a browser wallet or connects a hardware device to random web apps, the odds of stumbling into a trap are rising fast.
How a single scam kit powered over 236,000 wallet-draining sites
The latest investigation traces a sprawling network of wallet-draining pages back to a shared set of templates, scripts, and hosting infrastructure. According to researchers, the same kit has been used to generate more than 236,000 scam domains that mimic popular crypto services, from decentralized exchanges to NFT marketplaces and token airdrop portals. Each site follows a similar pattern: a familiar brand look, a prompt to connect a wallet, and behind the scenes, code that prepares to siphon assets the moment a victim signs a malicious transaction.
The operation appears to rely on a small set of controllers who distribute the kit to affiliates. Those affiliates then register new domains, customize branding, and funnel traffic through social media promotions, phishing emails, and search ads. Shared JavaScript libraries and repeated configuration values tie these sites together, even when the branding targets completely different projects or chains.
Unlike older phishing campaigns that simply stole seed phrases, these templates integrate directly with wallet standards such as WalletConnect and browser extension APIs. The pages present what looks like a normal permission request, but the transaction data is crafted so that once approved, the victim effectively hands over control of their tokens or NFTs. Because the theft happens through on-chain transactions, there is no way to reverse the damage after the fact.
Researchers who mapped the infrastructure found that many of the domains are short-lived. Once a site starts getting flagged by security tools or community warnings, it is abandoned and quickly replaced. The kit’s automation makes this churn trivial, since spinning up dozens of new clones only requires changing a few configuration values and pointing them at fresh domains.
What changed in the economics and tactics of wallet-draining scams
The most striking shift is the industrial packaging of fraud. Instead of bespoke, hand-coded phishing pages, the operators now sell or lease a complete “wallet drainer as a service” product. Affiliates receive prebuilt templates, hosting instructions, and even analytics dashboards that show which campaigns are converting. This model mirrors earlier credit card skimming kits and ransomware services, but now targets on-chain assets.
On the technical side, the kit has evolved to exploit how normalized wallet pop-ups have become. Regular users are accustomed to clicking through a series of transaction prompts when interacting with DeFi protocols, NFT mints, or cross-chain bridges. The scam templates lean on this muscle memory. They often display a series of harmless approvals first, then slip in a final transaction that grants broad token allowances or transfers assets outright. To a distracted user, the difference between a legitimate and malicious prompt can be a single line of hex data.
Infrastructure choices also favor the scammers. The operators take advantage of cheap domain registrations and content delivery networks. Many of the 236,000 sites use randomized domain names that look like truncated versions of real projects, combined with generic top-level domains. TLS certificates and basic security headers are in place, which helps the pages appear legitimate to both users and automated scanners.
Another change is the level of localization and targeting. Some templates ship with language packs and region-specific branding so affiliates can go after users in particular countries or communities. Others are tuned to mimic new token launches or NFT drops that are trending on social media, which shortens the time between hype and exploitation. The kit’s maintainers update logos, token tickers, and copy as the market’s attention shifts.
Why this mass-produced wallet theft campaign matters right now
The raw number of affected sites would be concerning on its own, but the timing amplifies the risk. Crypto markets have seen renewed retail interest, with fresh capital flowing into DeFi pools, staking products, and speculative tokens. Many newcomers rely on browser wallets and follow social media influencers for discovery, which makes them prime targets for scam templates that look like the real thing.
The campaign also exploits gaps in user education. Security advice has long focused on seed phrase protection and avoiding unsolicited direct messages. Wallet-draining kits bypass those defenses by never asking for a seed phrase at all. Instead, they encourage users to sign transactions that appear to be routine approvals. Once granted, those approvals let the attacker move tokens out of the wallet at any time, often in small increments to avoid immediate detection.
For projects and protocols, the reputational damage is severe. When a fake site uses nearly identical branding to a legitimate DeFi platform or NFT collection, victims often blame the real project, not the scammers. Support channels get flooded with complaints, and development teams must divert resources into takedown requests, community alerts, and security audits of their own front ends to reassure users.
Regulators and law enforcement agencies are watching as well, since large-scale wallet draining can intersect with money laundering and sanctions evasion. The on-chain nature of the theft provides a transparent record of where funds move, but tracing those flows through mixers, cross-chain bridges, and centralized exchanges still requires significant investigative work. When thousands of small thefts are spread across 236,000 domains, prioritizing cases becomes a challenge.
There is also a broader trust issue for the web3 ecosystem. If connecting a wallet to any new site feels like stepping into a minefield, casual users may retreat to custodial services or abandon on-chain interactions entirely. That shift would undercut the promise of user-controlled assets and smart contract autonomy that has driven much of the industry’s innovation.
How users and platforms can respond to large-scale wallet draining
Defending against a kit that can spawn hundreds of thousands of lookalike sites requires layered responses from users, wallet providers, and platforms. At the user level, the most effective habit is to slow down and read transaction prompts carefully. Any request that grants unlimited token allowances, especially to a contract the user does not recognize, should be treated as a red flag. Hardware wallets add a second layer of review, since they display transaction details on a separate screen that is harder for a web page to spoof.
Wallet software can help by improving how approvals are presented. Instead of raw contract addresses and token IDs, interfaces can label high-risk actions in plain language, such as “give this site permission to move all of your USDC.” Some wallets already offer allowance dashboards that show which contracts have ongoing access to a user’s tokens, along with one-click revoke options. Expanding these features and making them more prominent would reduce the long tail of damage from a single mistaken click.
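As an added illustration of the plain-language, risk-labelled prompts just described, and of the "routine approvals first, malicious one last" sequence described earlier, the following script (example code written for this article, not taken from any wallet vendor) decodes the calldata behind ERC-20 approve, ERC-721/1155 setApprovalForAll and ERC-20 transfer requests, flags effectively unlimited allowances granted to contracts outside a user-supplied trusted list, and judges a whole prompt sequence by its worst item so that a final draining approval hidden behind harmless ones is reported. The four-byte selectors are the standard ones; the contract addresses, amounts and the 2^128 "effectively unlimited" cutoff are constructed assumptions.

```javascript
// Added example (not from the article or any wallet vendor): decode the calldata
// behind common approval prompts and render the plain-language, risk-labelled text
// the article recommends. Selectors are the standard ERC-20 / ERC-721 ones; the
// addresses, amounts and the "effectively unlimited" cutoff are constructed assumptions.

const UINT256_MAX = (1n << 256n) - 1n;
// No real token has 2^128 base units in circulation, so an allowance at or above
// that is treated as unlimited even when it is not the exact uint256 maximum.
const EFFECTIVELY_UNLIMITED = 1n << 128n;

// First 4 bytes of keccak256 of the canonical function signature.
const SELECTORS = {
  '095ea7b3': 'approve',           // approve(address spender, uint256 amount)   ERC-20
  'a22cb465': 'setApprovalForAll', // setApprovalForAll(address operator, bool)  ERC-721 / ERC-1155
  'a9059cbb': 'transfer',          // transfer(address to, uint256 amount)      ERC-20
};

function abiWord(hex, index) {
  // The index-th 32-byte ABI word after the 4-byte selector.
  const w = hex.slice(8 + index * 64, 8 + (index + 1) * 64);
  if (w.length !== 64) throw new Error(`calldata too short for argument ${index}`);
  return w;
}

function formatUnits(amount, decimals) {
  // Base units to a human-readable amount: 1500000n with 6 decimals -> "1.5".
  const base = 10n ** BigInt(decimals);
  const frac = (amount % base).toString().padStart(decimals, '0').replace(/0+$/, '');
  return frac ? `${amount / base}.${frac}` : `${amount / base}`;
}

function classifyRequest(calldata, opts = {}) {
  const trusted = new Set((opts.trustedSpenders || []).map((a) => a.toLowerCase()));
  const symbol = opts.symbol || 'tokens';
  const decimals = opts.decimals ?? 18;
  const hex = calldata.toLowerCase().replace(/^0x/, '');
  const fn = SELECTORS[hex.slice(0, 8)];
  if (!fn) return { fn: 'unknown', risk: 'unknown', label: 'Unrecognized function: review the raw data before signing' };
  const target = '0x' + abiWord(hex, 0).slice(24); // addresses are right-aligned in their word
  const value = BigInt('0x' + abiWord(hex, 1));
  const known = trusted.has(target);
  const note = known ? '' : ' (contract not on your trusted list)';

  if (fn === 'approve') {
    const unlimited = value >= EFFECTIVELY_UNLIMITED;
    const amount = unlimited ? `ALL of your ${symbol}` : `${formatUnits(value, decimals)} ${symbol}`;
    const risk = unlimited ? (known ? 'medium' : 'high') : (known ? 'low' : 'medium');
    return { fn, spender: target, unlimited, risk, label: `Give ${target} permission to move ${amount}${note}` };
  }
  if (fn === 'setApprovalForAll') {
    const approved = value !== 0n; // the bool argument: 0 revokes, anything else grants
    const risk = !approved ? 'low' : (known ? 'medium' : 'high');
    const label = approved
      ? `Give ${target} permission to move EVERY ${symbol} NFT you own, now and in the future${note}`
      : `Revoke ${target}'s access to your ${symbol} NFTs`;
    return { fn, spender: target, unlimited: approved, risk, label };
  }
  // transfer: moves assets outright, so the destination must be spelled out
  const transferRisk = known ? 'low' : 'medium';
  return { fn, spender: target, unlimited: false, risk: transferRisk, label: `Send ${formatUnits(value, decimals)} ${symbol} to ${target}${note}` };
}

// Drainer pages front-load harmless prompts, so judge the whole sequence by its worst item.
function reviewSequence(calldatas, opts) {
  const rank = { low: 1, medium: 2, high: 3, unknown: 3 };
  const items = calldatas.map((c) => classifyRequest(c, opts));
  let worstIndex = 0;
  items.forEach((it, i) => { if (rank[it.risk] > rank[items[worstIndex].risk]) worstIndex = i; });
  return { items, worstIndex, worstRisk: items[worstIndex].risk };
}

// Constructed samples: not real contracts or transactions.
function encodeCall(selector, address, value) {
  const addr = address.toLowerCase().replace(/^0x/, '').padStart(64, '0');
  return '0x' + selector + addr + value.toString(16).padStart(64, '0');
}
const KNOWN_ROUTER = '0x1111111111111111111111111111111111111111';   // pretend: a DEX router the user trusts
const UNKNOWN_SPENDER = '0x2222222222222222222222222222222222222222'; // pretend: the drainer contract
const SAMPLE_PROMPTS = [
  encodeCall('095ea7b3', KNOWN_ROUTER, 50n * 10n ** 6n),  // approve 50 USDC to the router: routine
  encodeCall('095ea7b3', KNOWN_ROUTER, 25n * 10n ** 6n),  // another routine approval
  encodeCall('095ea7b3', UNKNOWN_SPENDER, UINT256_MAX),   // unlimited allowance to an unknown contract
];
const SAMPLE_OPTS = { trustedSpenders: [KNOWN_ROUTER], symbol: 'USDC', decimals: 6 };

const verdict = reviewSequence(SAMPLE_PROMPTS, SAMPLE_OPTS);
verdict.items.forEach((it, i) => console.log(`${i + 1}. [${it.risk}] ${it.label}`));
console.log(`worst prompt: #${verdict.worstIndex + 1} (${verdict.worstRisk})`);
```

The trusted-spender list stands in for whatever reputation source a wallet has (verified contract registries, the user's own prior interactions); without one, every unlimited allowance is reported as high risk, which is the conservative default the article argues for.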
Projects and protocols have their own responsibilities. Official sites should use clear, consistent domains and publish verified links on social profiles and documentation. Many teams now maintain “only click these” link lists and encourage users to bookmark them rather than follow search ads or random posts. Security monitoring that looks for brand impersonation and typo-squatted domains can catch some of the clones early, giving teams a chance to file takedown requests before large numbers of users are hit.
Infrastructure providers, from domain registrars to ad networks, can tighten screening for crypto-related content. While automated filters are imperfect, pattern matching on known scam templates, repeated JavaScript signatures, and suspicious domain registration patterns could flag some of the 236,000 sites before they start buying traffic. Collaboration with threat intelligence groups and blockchain analytics firms would make those filters more accurate over time.
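As an added example of the brand-impersonation and typo-squat monitoring recommended in the last two paragraphs (written for this article, not taken from any registrar, ad network or threat-intelligence product), the following script scores newly observed hostnames against a project's official domains. It goes slightly beyond the text by combining several signals: the exact brand label on an unexpected TLD, labels within a couple of edits after folding common character swaps, the brand embedded in a longer label or hidden in a subdomain, and lure words such as "airdrop" or "claim". The official domain list, the lure-word list, the weights and the observed batch are all constructed assumptions, and the eTLD+1 split is deliberately crude; a real monitor would use the Public Suffix List.

```javascript
// Added example (not from the article or any vendor tool): score observed hostnames
// against a project's official domains so lookalikes surface before users hit them.
// The official list, lure words, weights and the observed batch are constructed samples.

const OFFICIAL = ['exampleswap.org', 'app.exampleswap.org']; // constructed "real" project
// Words drainer pages like to put next to a brand name to manufacture urgency.
const LURE_TOKENS = ['airdrop', 'claim', 'mint', 'reward', 'connect', 'verify', 'bonus'];
// Common character swaps used in typo-squats, folded before comparing.
const LOOKALIKES = { '0': 'o', '1': 'l', '3': 'e', '5': 's', 'rn': 'm', 'vv': 'w' };

function registrable(host) {
  // Crude eTLD+1 split (last two labels). Fine for the generic TLDs in the samples;
  // a production monitor would consult the Public Suffix List instead.
  const labels = host.toLowerCase().split('.');
  return { tld: labels.pop(), sld: labels.pop() || '', sub: labels.join('.') };
}

function fold(label) {
  // Strip hyphens and collapse look-alike characters so "examp1e-swap" compares as "exampleswap".
  let s = label.toLowerCase().replace(/-/g, '');
  for (const [from, to] of Object.entries(LOOKALIKES)) s = s.split(from).join(to);
  return s;
}

function editDistance(a, b) {
  // Levenshtein distance with a single rolling row.
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0];
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = row[j];
      row[j] = Math.min(row[j] + 1, row[j - 1] + 1, diag + (a[i - 1] === b[j - 1] ? 0 : 1));
      diag = tmp;
    }
  }
  return row[b.length];
}

function brandIndex(official) {
  // brand label -> set of TLDs it is legitimately served on
  const brands = new Map();
  for (const o of official) {
    const { sld, tld } = registrable(o);
    if (!brands.has(sld)) brands.set(sld, new Set());
    brands.get(sld).add(tld);
  }
  return brands;
}

function scoreDomain(host, official = OFFICIAL) {
  const brands = brandIndex(official);
  const { sld, tld, sub } = registrable(host);
  if (brands.has(sld) && brands.get(sld).has(tld)) {
    return { domain: host, score: 0, verdict: 'official', reasons: ['official domain'] };
  }
  let score = 0;
  const reasons = [];
  for (const [brand, tlds] of brands) {
    if (sld === brand) {
      score += 60;
      reasons.push(`brand name on unexpected TLD .${tld} (official: ${[...tlds].join(', ')})`);
      continue;
    }
    const d = editDistance(fold(sld), fold(brand));
    if (d <= 2) { score += 50; reasons.push(`registrable label within ${d} edit(s) of ${brand}`); }
    else if (fold(sld).includes(fold(brand))) { score += 40; reasons.push(`brand name embedded in ${sld}`); }
    if (fold(sub).includes(fold(brand))) { score += 50; reasons.push(`brand name used as a subdomain of ${sld}.${tld}`); }
  }
  for (const t of LURE_TOKENS) {
    if (host.toLowerCase().includes(t)) { score += 15; reasons.push(`lure word "${t}"`); }
  }
  const verdict = score >= 50 ? 'likely-impersonation' : score >= 30 ? 'review' : 'ignore';
  return { domain: host, score, verdict, reasons };
}

function triage(hosts, official = OFFICIAL) {
  // Everything worth a human look, highest score first.
  return hosts.map((h) => scoreDomain(h, official))
    .filter((r) => r.verdict !== 'ignore' && r.verdict !== 'official')
    .sort((a, b) => b.score - a.score);
}

// Constructed batch, e.g. from certificate-transparency or domain-registration feeds.
const SAMPLE_OBSERVED = [
  'exampleswap.org', 'app.exampleswap.org', // the project's own
  'exampleswap.xyz',                        // same label, different TLD
  'examplswap.org',                         // one-character typo
  'examp1eswap-airdrop.com',                // digit swap plus lure word
  'exampleswap.org.claim-wallet.xyz',       // brand hidden in a subdomain
  'dailynews.net',                          // unrelated
];

for (const r of triage(SAMPLE_OBSERVED)) {
  console.log(`${r.score.toString().padStart(3)} ${r.verdict.padEnd(21)} ${r.domain}: ${r.reasons.join('; ')}`);
}
```

This is a triage heuristic, not a verdict: the output is a queue for a human to confirm before a takedown request goes out, and the weights should be tuned against the project's own false-positive rate, since short brand names will collide with unrelated words at edit distance two.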