Zelcore Team

NFT Scams and Wallet Drainers

10 min read

The smart contracts behind blue-chip NFT collections have never been better audited. The humans holding the tokens have never been more relentlessly targeted. That asymmetry defines NFT security in 2025 and 2026: the protocol layer is mostly hardened, but a professional scam economy has grown around the soft target that remains — a holder clicking through a signature prompt they do not fully understand.

Chainalysis reported roughly $2.17 billion stolen from crypto services through June 2025, trending past $4 billion for the full year and tracking 17% higher than the 2022 record. Personal-wallet compromises accounted for 23.35% of stolen funds year-to-date, the fastest-growing slice. At the same time, Scam Sniffer reported $83.85 million lost to wallet-drainer phishing across 106,106 victims — an 83% drop from 2024's $494 million and 332,000 victims, but with the surviving attacks concentrated into larger, more sophisticated hits. The biggest single signature phish in September 2025 drained $6.5 million through a Permit signature. Only eleven victims lost over $1 million, down from thirty the year before.

The picture that emerges is an industry that is losing more money to fewer, better attacks. DPRK's February 2025 theft of $1.5 billion from Bybit remains the largest crypto heist on record, roughly 69% of all service losses for the year. The $285 million Drift incident in April 2026 was not a smart-contract exploit at all — it was six months of patient social engineering, with on-chain indicators consistent with previously attributed DPRK operations, that culminated in pre-signed Solana durable-nonce transactions. No audit could have prevented it. That is the frame worth internalizing before minting or moving another JPEG: within the full crypto attack surface, the drainer economy is a specific, maturing subdomain, and NFT holders are its canonical target.

Wallet drainer kits: crime as a subscription product

A wallet drainer is a phishing site plus a smart contract plus a back-end that watches for signed messages and sprints to execute them before the victim realizes. Drainer-as-a-service (DaaS) repackages that stack as a product. Operators write the draining contract and the phishing templates. Affiliates deploy copies, buy ads, hijack Discords, and drive traffic. A typical split sends 20% of stolen funds to the operator and 80% to the affiliate. Angel, one of the top kits, required a $5,000–$10,000 deposit before accepting new affiliates — the business model has franchise fees.

BlockSec tracked the DaaS ecosystem from March 2023 through April 2025 and attributed $135 million in stolen assets to 76,582 victims across 32,819 distinct phishing sites. Fifty-six operators managed 6,087 affiliates. Only 10.8% of DaaS-linked addresses appeared on public scam flag lists, which is why wallets and block explorers often show no warning before the click. Three kits — Inferno ($59 million), Angel ($53.1 million), and Pink ($14.7 million) — accounted for 93.9% of attributed profits. In October 2024 Inferno handed its toolkit to Angel, consolidating power the way any maturing market eventually does. Later waves arrived under names like Venom, Pussy, Monkey, and a class of post-Pectra kits that abuse EIP-7702 batch operations.

NFT holders are the ideal target population because of how token approvals actually work: collectors have been conditioned to sign approval after approval — to mint, to list, to offer, to transfer, to bridge. The instinct to reflexively click "Sign" is exactly the muscle the drainer economy is built to exploit.

The signature trap

A modern drainer rarely needs a user to send a transaction. It needs a signature. The mechanics are consistent: the user lands on a phishing site, clicks a button labeled "Claim Airdrop" or "Verify Holder" or "Unlock Mint," the wallet pops a signature request, the signed message is relayed to the drainer back-end, and a single bundled transaction empties whatever the signature authorized.

The signature types matter. Per Scam Sniffer, Permit and Permit2 signatures drove 38% of large losses in 2025 — $8.72 million across three incidents. Approve and increaseApproval cost another $5.62 million across three cases. A single setApprovalForAll signature was responsible for $1.23 million. Raw Transfer signatures drained $4.87 million across two cases. The new post-Pectra category of EIP-7702 batch operations contributed $2.54 million across two large cases that emerged in August 2025.

Each of these has a specific shape. setApprovalForAll grants unlimited transfer authority over every NFT in an entire collection to a chosen spender — irrevocable until the user manually revokes it. Permit (EIP-2612) and Permit2 are off-chain signatures that authorize ERC-20 spending with no on-chain transaction from the victim: no gas, no broadcast, no second confirmation screen. Permit2, Uniswap's universal approval standard, widens the blast radius by letting one signed message govern spending across many tokens. Seaport signed orders go further — OpenSea's protocol lets a user sign a listing at any price, including zero, which is why malicious sites sometimes simply ask for a "free verification signature" that is really a zero-ETH sale order for the user's most valuable NFT.

Blind signing is the underlying failure mode. A hardware wallet that cannot decode the calldata it is being asked to sign shows the user opaque hex. The user approves because the transaction "looks normal." Clear signing — Ledger's decoded typed-data view, modern transaction simulators — is the direct remedy.
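The signature types above can be told apart mechanically from the typed-data request itself, which is what a clear-signing view does. The following is an added example, not Zelcore's code: it assumes the standard EIP-2612, Permit2 and Seaport field names, uses placeholder addresses, and treats anything it cannot decode as a reason not to sign.

```javascript
// Added example, not Zelcore's code: summarize what an EIP-712 request actually
// authorizes before the user clicks "Sign". `req` is the object a dapp passes to
// eth_signTypedData_v4; Permit/Permit2/Seaport field names follow those standards.
const MAX_UINT256 = (1n << 256n) - 1n;
const MAX_UINT160 = (1n << 160n) - 1n;
// Deadlines far in the future (e.g. type(uint256).max) mean "no expiry".
function fmtDeadline(secs) {
  const n = BigInt(secs);
  return n > (1n << 40n) ? "no expiry" : new Date(Number(n) * 1000).toISOString();
}
function inspectTypedData(req) {
  const { primaryType, domain = {}, message = {} } = req;
  const findings = [];
  let risk = "low";
  const grant = (text) => { findings.push(text); risk = "high"; };
  if (primaryType === "Permit" && "spender" in message && "value" in message) {
    // EIP-2612: gas-free ERC-20 approval; the owner broadcasts nothing.
    const amt = BigInt(message.value) === MAX_UINT256 ? "UNLIMITED" : message.value;
    grant(`Permit: ${domain.name || domain.verifyingContract} spend ${amt} by ${message.spender} until ${fmtDeadline(message.deadline)}`);
  } else if (primaryType === "PermitSingle" || primaryType === "PermitBatch") {
    // Permit2: one signature may cover many tokens, each its own allowance.
    const details = primaryType === "PermitSingle" ? [message.details] : message.details;
    for (const d of details) {
      const amt = BigInt(d.amount) === MAX_UINT160 ? "UNLIMITED" : d.amount;
      grant(`Permit2: ${d.token} spend ${amt} by ${message.spender} until ${fmtDeadline(d.expiration)}`);
    }
  } else if (primaryType === "OrderComponents") {
    // Seaport: `offer` leaves the wallet, `consideration` is what comes back.
    const back = (message.consideration || []).reduce((s, c) => s + BigInt(c.startAmount), 0n);
    const given = (message.offer || []).map((o) => `${o.token}#${o.identifierOrCriteria}`).join(", ");
    if (back === 0n) grant(`Seaport: lists ${given} for ZERO consideration`);
    else findings.push(`Seaport: lists ${given} for ${back} (summed consideration)`);
  } else {
    findings.push(`Unknown typed data (${primaryType}): do not sign it undecoded`);
    risk = "medium";
  }
  return { risk, findings };
}

// Constructed sample: a "free verification signature" that is really a zero-price
// Seaport listing of the victim's NFT. All addresses are placeholders.
const ZERO_LISTING = {
  domain: { name: "Seaport", version: "1.6", chainId: 1, verifyingContract: "0x" + "5e".repeat(20) },
  primaryType: "OrderComponents",
  message: {
    offer: [{ itemType: 2, token: "0x" + "c0".repeat(20), identifierOrCriteria: "1234", startAmount: "1", endAmount: "1" }],
    consideration: [{ itemType: 0, token: "0x" + "00".repeat(20), identifierOrCriteria: "0", startAmount: "0", endAmount: "0", recipient: "0x" + "aa".repeat(20) }],
  },
};
```

A wallet that shows the `findings` strings instead of "Signature request" has turned blind signing into clear signing for the three signature families the drainer statistics above are built on.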

Fake mints and Discord takeovers

Two delivery channels dominate the NFT-specific side of the drainer economy. The first is Discord admin and moderator compromise: a mod receives a DM from a fake verification bot, enters credentials into a cloned captcha, loses their Discord token, and within minutes the attacker is posting an announcement in the real project's server — countdown timer, scarcity language, "surprise stealth mint live now." The link points to opensea-mint[.]com or projectname-claim[.]xyz. Members who trust the server trust the link.

The second is paid search. Attackers outbid the real project on Google Ads for its own keyword, so the top search result for a well-known collection is a pixel-perfect clone. The sponsored label reads the same regardless of who paid.

Verification takes five minutes. Confirm the URL from the project's pinned post on its verified X account. Cross-check the mint contract address in the project's documentation, not on the mint site itself. Treat every "surprise drop" announced during a hyped mint window as hostile by default — legitimate teams almost never operate that way, because they know attackers do. If the link arrived via DM in a server that was joined the same day, the default should be refusal. When in doubt, check how a minting site is supposed to flow: the shape of a real mint is visible in the project's weeks of prior communication, not in a single urgent timer.

Urgency is the entire lever. Drainers depend on FOMO defeating verification. The five-minute pause is the defense.

Seed phrases and fake support

A separate family of attacks targets the seed phrase directly. The pipeline is familiar: a user posts a question in a project's help channel, receives a DM from a "support bot" within minutes, follows a link to a Zendesk-styled form promising to "restore wallet access," and enters the twelve or twenty-four words. The wallet is emptied before they close the tab. Telegram variants mirror real team members' photos and usernames with zero-width or Cyrillic lookalike characters, then pitch exclusive allocations.

The rule is simple and absolute: no legitimate wallet, exchange, or project team will ever ask for a seed phrase. Not for support. Not for verification. Not for airdrop claims. Not for migration. A form field that accepts twelve words is, by definition, hostile. A seed that never touches a computer cannot be phished — which is the core of the hardware wallet threat model, and why a hardware device paired with the 25th-word passphrase trick reduces even a stolen-seed scenario to a non-event.

Address poisoning

Address poisoning exploits the habit of copying addresses from transaction history. An attacker generates a vanity address whose first and last characters match a victim's frequent counterparty, then sends a dust or zero-value transfer. The spoofed address now appears in the victim's history, sitting next to the legitimate one. Next time the victim copies "the address I usually send to," they may copy the wrong one.

The zero-value variant weaponizes an ERC-20 quirk: a contract can emit a Transfer event from any address without that address's signature, so the fake transfer appears on Etherscan without the attacker paying anything. In December 2025, a single trader lost roughly $50 million USDT after copy-pasting a poisoned address that had been planted in their own transaction history — the attacker laundered the funds through DAI and ETH into Tornado Cash. Industry trackers have tied the broader address-poisoning technique to hundreds of millions of dollars in cumulative losses.

The defense is equally mechanical: verify the entire address, not just the first and last four characters. Maintain a wallet address book. Never copy a destination from transaction history — copy it from the original source.
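The three defensive rules above can be enforced in software rather than by eye. The following is an added example, not Zelcore's code: the transaction history and address book are constructed sample data with placeholder addresses, and the "first and last four characters" match is exactly the shortcut address poisoning abuses.

```javascript
// Added example, not Zelcore's code: flag poisoned look-alikes before an address is
// pasted into the "to" field. History and address book are constructed sample data
// with placeholder addresses; a wallet would read them from its transfer log and contacts.
const norm = (a) => a.toLowerCase();

// A look-alike matches the trusted address on its first and last few hex characters
// (the only ones most people check) but differs somewhere in the middle.
function isLookalike(candidate, trusted, prefixLen = 4, suffixLen = 4) {
  const c = norm(candidate).slice(2), t = norm(trusted).slice(2);   // drop "0x"
  return c !== t && c.startsWith(t.slice(0, prefixLen)) && c.endsWith(t.slice(-suffixLen));
}

// Classic poisoning: a look-alike of a saved contact appears in history via a
// zero-value or dust transfer, so it sits next to the real one when the user copies.
function findPoisoning(history, addressBook, dustWei = 1000n) {
  const trusted = Object.values(addressBook).map(norm);
  const alerts = [];
  for (const tx of history) {
    for (const who of [tx.from, tx.to]) {
      const mimics = trusted.find((t) => isLookalike(who, t));
      if (mimics && BigInt(tx.value) <= dustWei) alerts.push({ hash: tx.hash, suspect: norm(who), mimics });
    }
  }
  return alerts;
}

// Gate before sending: exact match against the address book, or refuse and say why.
function checkDestination(dest, addressBook, history) {
  const d = norm(dest);
  if (Object.values(addressBook).some((t) => norm(t) === d)) return { ok: true, reason: "exact address-book match" };
  if (findPoisoning(history, addressBook).some((a) => a.suspect === d))
    return { ok: false, reason: "look-alike of a saved contact, planted by a dust transfer" };
  return { ok: false, reason: "unknown destination: compare the full address against the original source" };
}

// Constructed sample data (placeholders, not real addresses).
const ME = "0x" + "aa".repeat(20);
const REAL_DEPOSIT = "0x1111abcd" + "0".repeat(28) + "beef";   // saved contact
const LOOKALIKE   = "0x1111abcd" + "9".repeat(28) + "beef";   // same first/last 4 hex chars
const ADDRESS_BOOK = { "exchange deposit": REAL_DEPOSIT };
const HISTORY = [
  { hash: "0xtx1", from: ME, to: REAL_DEPOSIT, value: "5000000000000000000" },  // real 5 ETH send
  { hash: "0xtx2", from: LOOKALIKE, to: ME, value: "0" },                       // zero-value poison
];
```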

The five-layer setup

Serious holders converge on a similar architecture.

Layer 1 — Separation. A dedicated hot minting wallet holds only gas and in-progress NFTs. A vault wallet, hardware-secured, holds the collection long-term and never touches a mint site. If the hot wallet is drained, the loss is bounded to whatever was actively in play.

Layer 2 — Revocation hygiene. Tools like revoke.cash or Etherscan's Token Approvals page are reviewed monthly. Every setApprovalForAll on a collection no longer being actively traded is revoked. Permit2 allowances past their use-by date are cleared.

Layer 3 — Transaction simulation. Wallet Guard, Pocket Universe, Blockaid, and Scam Sniffer's extension show the net result of a transaction before signing. The prompt worth trusting reads "You will lose 14 NFTs," not "Signature request."

Layer 4 — Hardware wallet with clear signing. Ledger, Trezor, and GridPlus decode typed data on-device. Blind signing is refused for anything non-trivial. The device becomes the last line that FOMO cannot bypass.

Layer 5 — Operational discipline. Real URLs are bookmarked. Discord DMs from non-friends are disabled. No "claim" link from a DM is ever clicked. Team members are verified via ENS or verified X handles, on-chain or off-chain but never through whoever sent the message. Every airdrop offer is treated as phishing until proven otherwise.

The closing rule is the one drainers fear most: slow down. The entire business model assumes a panicked click inside a thirty-second countdown. A five-minute verification pause destroys the majority of attacks before they begin.
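Layer 2 is the one that can be automated end to end, because the chain records every setApprovalForAll as an ApprovalForAll(owner, operator, approved) event. The following is an added example, not Zelcore's code or any revocation tool's: it rebuilds the current operator set from a constructed event log with placeholder addresses and produces the monthly revoke list the layer describes.

```javascript
// Added example, not Zelcore's code: rebuild the live setApprovalForAll state from
// ApprovalForAll(owner, operator, approved) events and produce a monthly revoke list,
// the job revoke.cash-style tools do. Events and addresses below are constructed placeholders.
const low = (a) => a.toLowerCase();

// Last event per (collection, operator) wins, so order by block then log index.
function currentOperators(owner, events) {
  const sorted = [...events].sort((a, b) => a.block - b.block || a.logIndex - b.logIndex);
  const state = new Map();
  for (const ev of sorted) {
    if (low(ev.owner) !== low(owner)) continue;
    const key = `${low(ev.collection)}|${low(ev.operator)}`;
    if (ev.approved) state.set(key, ev); else state.delete(key);   // approved=false is a revoke
  }
  return [...state.values()];
}

// Anything still approved is revoked unless the operator is one the user recognises
// AND the collection is still being actively traded (Layer 2 of the setup).
function revocationPlan(owner, events, knownOperators, activelyTraded) {
  const known = new Set(knownOperators.map(low));
  const active = new Set(activelyTraded.map(low));
  return currentOperators(owner, events).map((ev) => {
    const reason = !known.has(low(ev.operator)) ? "unrecognised operator"
      : !active.has(low(ev.collection)) ? "collection no longer traded" : null;
    return { collection: ev.collection, operator: ev.operator, revoke: reason !== null, reason };
  });
}

// Constructed sample: three collections, a marketplace conduit the user knows, and an
// operator that was approved through some unknown "claim" site.
const OWNER = "0x" + "aa".repeat(20), CONDUIT = "0x" + "cc".repeat(20), UNKNOWN = "0x" + "dd".repeat(20);
const COLL_A = "0x" + "a1".repeat(20), COLL_B = "0x" + "b2".repeat(20), COLL_C = "0x" + "c3".repeat(20);
const EVENTS = [
  { block: 100, logIndex: 0, owner: OWNER, collection: COLL_A, operator: CONDUIT, approved: true },
  { block: 150, logIndex: 0, owner: OWNER, collection: COLL_C, operator: CONDUIT, approved: true },
  { block: 200, logIndex: 0, owner: OWNER, collection: COLL_B, operator: CONDUIT, approved: true },
  { block: 300, logIndex: 2, owner: OWNER, collection: COLL_A, operator: UNKNOWN, approved: true },
  { block: 400, logIndex: 0, owner: OWNER, collection: COLL_B, operator: CONDUIT, approved: false }, // revoked on-chain
  { block: 350, logIndex: 1, owner: OWNER, collection: COLL_B, operator: CONDUIT, approved: true },  // out of order, superseded
];
```

Running `revocationPlan(OWNER, EVENTS, [CONDUIT], [COLL_A])` keeps the conduit's approval on the collection still being traded and flags the other two live approvals for revocation.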

