Subscribe to the Non-Human & AI Identity Journal

Why do Web3 drainer campaigns often combine phishing with endpoint malware?

Phishing creates the wallet interaction, but endpoint malware expands the theft surface by harvesting secrets from local files and developer environments. That combination lets attackers steal both the approval path and the credentials behind it, which increases the chance of follow-on compromise and repeated exfiltration.

Why This Matters for Security Teams

Web3 drainer campaigns are not just wallet scams. They are credential theft operations that target both the approval flow and the device where secrets live. A phishing page can coerce a signature or transaction approval, while endpoint malware can steal seed phrases, browser-stored credentials, wallet extensions, developer tokens, and cloud secrets from local files. That combination gives attackers more than one way to win, which is why defenders should treat the campaign as an NHI and endpoint compromise problem, not only a user-awareness problem.

This pattern is visible in incidents like the Shai Hulud npm malware campaign, where malware exposure and secret harvesting reinforce each other. NIST’s Cybersecurity Framework 2.0 is useful here because it pushes teams to connect identity, endpoint, and recovery controls instead of treating them as separate risk silos. In practice, many security teams encounter wallet abuse only after malware has already harvested the secrets needed for repeat access and broader compromise.

How It Works in Practice

The attack chain usually starts with social engineering. The phishing lure imitates an airdrop, token claim, governance action, payment, or support prompt and pushes the victim to connect a wallet or approve a transaction. That creates the immediate theft path. Endpoint malware then expands the blast radius by searching the host for anything that helps attackers continue operating after the first wallet interaction succeeds.

On developer and operator endpoints, the malware may look for browser profiles, wallet extensions, clipboard content, .env files, private keys, API keys, CI tokens, SSH material, cloud credentials, or browser-saved session data. In NHI terms, the attacker is not only stealing a wallet approval moment, but also the secrets and workload identities that let them move laterally into code repositories, package registries, infrastructure consoles, and automation pipelines.

  • Phishing is the delivery and coercion layer.
  • Malware is the persistence and discovery layer.
  • Secrets theft enables reuse across accounts, devices, and environments.
  • Wallet approval abuse can be chained with infrastructure compromise for larger losses.

That is why current guidance suggests protecting both the interaction surface and the endpoint secret surface. The operational lesson is reinforced by the research in The State of Secrets in AppSec, which shows how slowly leaked secrets are often remediated even when teams believe their controls are strong. For implementation detail, CISA Secure Our World remains a practical reference for reducing credential exposure and improving user and device hygiene. These controls tend to break down when wallets, developer tooling, and cloud access all coexist on unmanaged endpoints because a single compromise can expose multiple trust domains at once.

Common Variations and Edge Cases

Tighter endpoint monitoring often increases friction for developers and traders, requiring organisations to balance theft resistance against usability and fast transaction workflows. The standard answer also changes depending on the target environment. On personal wallets, attackers often rely on browser-based impersonation and malicious approval prompts. On operator or developer laptops, the same campaign may become much more valuable because one compromised host can yield both wallet access and production secrets.

Best practice is evolving around how much runtime inspection is appropriate for crypto wallets and browser extensions. There is no universal standard for this yet, but current guidance suggests prioritising device hardening, least-privilege secret storage, short-lived credentials, phishing-resistant authentication where possible, and rapid revocation of exposed secrets. Teams should also separate high-value signing operations from general browsing and development activity wherever possible.

Cases involving custodial infrastructure, CI/CD runners, or hot-wallet automation are especially dangerous because malware can target service credentials instead of individual users. The DeepSeek breach is a useful reminder that exposed secrets and large sensitive repositories can amplify downstream abuse far beyond the initial compromise. For control mapping, the NIST Cybersecurity Framework 2.0 supports the needed blend of prevention, detection, response, and recovery when one campaign spans both social engineering and endpoint intrusion.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
OWASP Non-Human Identity Top 10 NHI-03 Secret theft and reuse are central to drainer follow-on compromise.
NIST CSF 2.0 PR.AC-1 Phishing and malware both abuse weak access and credential controls.
NIST CSF 2.0 DE.CM-1 Endpoint malware requires continuous detection of anomalous device activity.

Strengthen identity proofing, credential hygiene, and access controls across wallets and endpoints.