A crypto drainer is malware or a malicious workflow that tricks a user into granting transaction authority so assets can be moved without further approval. In practice, the identity risk sits in the permission grant, the approval context, and the surrounding secret exposure that can extend the theft beyond one wallet interaction.
Expanded Definition
A crypto drainer is a malicious workflow that captures transaction approval from a wallet holder and then uses that permission to move assets without further user confirmation. In NHI terms, the risk is not just theft of funds but abuse of delegated authority, where a signed approval becomes the attacker’s operational identity. That makes it adjacent to phishing, wallet compromise, and session hijacking, but distinct because the critical failure is often a legitimate-looking consent event rather than password capture. The pattern is increasingly relevant in agentic ecosystems because autonomous software, browser extensions, and spoofed dApps can all shape the approval context. Standards for this term are still evolving across vendors, so practitioners should treat it as an identity and authorization abuse problem rather than a purely malware label. For broader governance context, the NIST Cybersecurity Framework 2.0 is useful for mapping approval risk to access control and detection outcomes. The most common misapplication is assuming the wallet itself was "hacked" when the real condition was a user granting overly broad transaction authority to a deceptive interface.
Examples and Use Cases
Implementing crypto-drainer defenses rigorously often introduces more approval friction, requiring organisations to weigh faster user flows against tighter transaction scrutiny.
- A fake mint page requests broad token approval, then a drainer contract later transfers the wallet’s assets after the user signs a seemingly harmless permission.
- A malicious browser extension intercepts wallet prompts, changes destination details, and exploits the user’s trust in the approval screen.
- A compromised social post links to a spoofed dApp that mirrors a legitimate project, a pattern discussed in DeepSeek breach context where exposed secrets and trust abuse can extend compromise beyond one interaction.
- A support scam convinces a victim to sign a "verification" transaction, which actually grants unlimited token spend authority.
- Attackers combine leaked API keys and wallet metadata to target high-value users, illustrating how secret exposure can amplify wallet abuse beyond a single session.
Detection and response are stronger when teams pair wallet analytics with identity governance concepts from The State of Secrets in AppSec, especially when exposed secrets make follow-on abuse easier. The same approval-risk pattern also aligns with the broader access-control lens used in the NIST Cybersecurity Framework 2.0.
Why It Matters in NHI Security
Crypto drainers show why NHI security must treat consent, delegation, and secret exposure as one attack surface. A wallet approval can function like a temporary identity grant, and if that grant is overly broad, the attacker can act repeatedly without needing another interactive compromise. That is especially dangerous when the same user also reuses credentials, exposes recovery phrases, or approves contract access from an untrusted device. NHIMG research in The State of Secrets in AppSec shows that the average time to remediate a leaked secret is 27 days, which helps explain how long adjacent compromise conditions can persist once the initial deception succeeds. Practitioners should therefore review approval scopes, revoke stale allowances, and treat wallet prompts as policy enforcement points, not just user interface events. The term also belongs in risk conversations for agentic systems, because an AI agent with signing capability can become the victim or the enabler of a drainer workflow. Organisations typically encounter the operational impact only after funds have already moved or an exposed secret has enabled repeat abuse, at which point crypto drainer becomes unavoidable to address.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 and OWASP Agentic AI Top 10 address the attack and risk surface, while NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-02 | Focuses on secret exposure and permission abuse that enable wallet draining. |
| NIST CSF 2.0 | PR.AC-4 | Maps directly to least-privilege access and approval governance. |
| OWASP Agentic AI Top 10 | AGENT-04 | Relevant when agents or tools can sign transactions or trigger approvals. |
Limit approval scope, rotate exposed secrets, and revoke stale delegations promptly.
Related resources from NHI Mgmt Group
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on July 8, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org