
How Scam Detection for WalletConnect Works with Blockaid

AI summary
Mobile-first “drainer” scams exploiting WalletConnect have become a major threat to crypto users, leveraging cloned dApps, phishing infrastructure, and Drainer-as-a-Service kits to deceive users into approving malicious transactions. Blockaid addresses this risk by integrating off-chain and on-chain analysis, transaction simulation, and machine learning to detect and block suspicious activities at the point of signature. By embedding these defenses into wallet apps like Tangem, users receive clear warnings and explanations before approving risky actions, helping to neutralize scams before assets are stolen.
Over the past year, mobile-first “drainer” scams that exploit WalletConnect flows have emerged as a dominant threat vector for crypto users. When millions of cryptocurrency users tap a Connect Wallet button or scan a QR code to link a mobile wallet to a decentralized app, they place a measure of trust in WalletConnect. The protocol quietly ferries signing requests between wallets and dApps and was built to simplify a messy ecosystem. That convenience has been weaponized, and a string of clever attacks has shown how fast a single signature can turn into a theft.
The attack surface now includes phishing emails, impersonator apps, and malicious dApps that send seemingly harmless requests while draining wallets. WalletConnect only relays a request for the user to approve; it does not vouch for what the request does. So scammers posing as legitimate dApps, or as the WalletConnect client itself, can deceive users into signing away their assets.
How malicious dApps operate
Let’s explore malicious dApps: how attackers build and distribute them, the technical tricks they use to turn a WalletConnect signature into an instant drain, and the concrete signals and checks (including what Blockaid specifically looks for) that defenders can use to detect and stop them in real time.
Cloning a trusted platform
Attackers copy entire dApps, wallets, and DeFi protocols, not just their logos or styles. They usually clone the whole website, including the HTML, CSS, and JavaScript files, often using tools like HTTrack or custom scripts. Then, they re-host the copied site with slight changes.
This asset hijacking also involves embedding references to brand logos, fonts, and icons that are hotlinked directly from the original Content Delivery Network (CDN). Hotlinking reduces forensic indicators, since the assets are byte-identical to the originals, and makes the clone appear authentic and trustworthy.
Attackers rarely rewrite the actual protocol. Instead they deploy thin proxy contracts that mimic the real ones' function names and events but forward the calls, and any tokens or approvals they receive, to addresses the attackers control.
Fraudulent support ecosystems, including fake knowledge bases, live chat widgets, and Telegram “support admins," are created to further deceive users. These elements give the illusion of end-to-end legitimacy. As a result, cybercriminals can produce a pixel-perfect clone of legitimate sites, capable of intercepting seed phrases and private keys or misleading users into signing malicious transactions.
Phishing infrastructure
Attackers use domain generation algorithms to create many potential phishing domains in advance. These domains often look very similar to real sites using tricks like typosquatting, homoglyph substitutions, or Unicode confusables.
They are usually registered in large batches, so fresh domains are always available. To make takedowns harder, attackers use Fast Flux hosting, where the IP addresses behind a domain change rapidly across botnets or compromised servers. Many phishing sites also act as reverse proxy mirrors, looking legitimate on the outside while passing traffic through attacker-controlled servers. These sites usually have valid TLS certificates, often issued free by Let’s Encrypt, so the browser shows a padlock. The padlock only proves the connection is encrypted to whoever controls that domain, not that the domain is the real one, yet many users read it as a sign of legitimacy.
They can also register domains at the last minute, keeping them inactive until they are ready to use for phishing. This makes it hard for monitoring systems to detect them early.
The attack setup is designed to be temporary and easy to change. Even if defenders shut down one domain or server, many copies still exist, allowing the attackers to continue their campaign without much trouble. This creates a continuous game where attackers stay ahead by quickly changing their infrastructure faster than defenders can keep up.
Drainer-as-a-Service (DaaS)
Drainer-as-a-Service (DaaS) has made crypto phishing easier and more industrial. Instead of requiring technical skills, criminals can buy ready-to-use kits that include everything they need to run attacks. These kits often contain phishing templates for popular wallets, malicious smart contracts to steal tokens, and systems to manage campaigns.
Some kits even identify the wallet being used and customize attacks accordingly. The business model is similar to SaaS, where operators rent access or share in the stolen money. They frequently update these kits to stay ahead of security patches and blacklists.
Distribution channels
Once attackers have set up phishing sites and drainers, they focus on getting people to click on them. They use popular channels such as Telegram, Discord, and X by impersonating trusted members or hijacking existing groups. They also manipulate search engines so malicious sites rank higher in results. Paid ads are another method, placing fake links as sponsored results above the real site.
Outside the web, attackers spread malicious browser extensions that inject scripts into legitimate decentralized apps (dApps) and distribute fake mobile apps through unofficial app stores or, sometimes, through official app stores despite their review processes. All of these methods aim to put phishing content in places victims already trust.
Common scam tactics
These are the specific on-chain/off-chain patterns malicious dApps use to convert an Approve or other signature into stolen funds:
- Unlimited token approvals (approve(spender, type(uint256).max)): The dApp asks the user to approve a token with no spending limit; later, the attacker calls transferFrom to sweep the tokens. The approval itself moves nothing, so the drain can happen hours or days after the user has left the site. This is the single most common vector.
- Permit/EIP-712 offline signatures (Permit, Seaport, Permit2): Instead of an on-chain approve, the dApp asks the user to sign an EIP-712 structured message that authorizes spending. The signature costs no gas and nothing appears on-chain until the attacker submits it, so the wallet may show only an opaque “Sign message” prompt that is hard for users to parse. Blockaid has documented drains that use EIP-712 signatures to authorize transfers.
- Encoded calldata obfuscation: The transaction payload contains ABI-encoded, compressed, or multi-call data, so the wallet’s UI only shows a vague “contract call” line, which users can’t easily understand.
- Proxy or intermediary contracts: Drainers use short-lived or proxy contracts that receive approvals and quickly forward funds to attacker addresses, making attribution and blacklist-based defenses harder.
- Token rug or fake tokens: Asking the user to “add” a token or accept an airdrop that is actually a malicious token contract whose transfer or approve logic is attacker-controlled, so interacting with it harvests approvals or triggers a drain.
- Meta-transactions & relayers: Off-chain signed messages combined with relayers allow attackers to trigger transfers without sending the transaction themselves, increasing stealth.
- Multistage UX manipulations: A dApp performs a benign-looking step first (connect, or a small allowance), then immediately triggers a second, opaque request (an approval or permit) while the user is still in the session and primed to click.
What does Blockaid do?
Enter Blockaid, a company that has become a go-to vendor for wallets and platforms that want to secure the moment of user approval. Blockaid’s purpose is direct: it does the heavy lifting for the user when a signature is requested, scans the destination, simulates what the transaction would do, compares the request to a library of known scams, and then warns or blocks if something looks malicious.
The company’s platform blends broad internet crawling and dApp cataloging with fast transaction simulation and on-chain intelligence. It is increasingly embedded inside wallets, so the warning appears inside the app where the user decides.
The technology is less magic and more orchestration. Blockaid says it scans millions of web pages and dApp endpoints daily, maintaining a threat intelligence feed of malicious domains, deceptive token contracts, and known drainer signatures. Before a user is asked to sign, Tangem Wallet forwards the dApp’s metadata (its origin) and the pending request to Blockaid’s service.
Blockaid then runs a rapid simulation of the call, analyzes token and contract behavior, checks address reputations, and applies heuristics and learned patterns to decide whether the action is high risk.
What Blockaid looks out for in dApps
Blockaid emphasizes internet-wide dApp scanning, fast transaction simulation, and on-chain heuristics. Let's review the signals and techniques it uses to decide whether to allow, warn, or block a transaction.
Frontend indicators (Off-chain)
The first line of defense lies in off-chain metadata inspection. Attackers rely on cloned frontends and disposable domains, which provide measurable signals.
- Domain and hostname reputation: DNS telemetry is checked against threat intel feeds to identify newly registered domains (NRDs), domains with very short DNS TTLs (common in Fast Flux), or domains previously tied to malicious campaigns. Registrars and hosting providers linked to high volumes of phishing are also strong signals.
- UI/UX cloning patterns: DOM-level similarity analysis detects HTML/CSS structures, JavaScript bundles, or inline strings that match known brands or previously flagged phishing templates. Crawlers scrape millions of domains daily, extracting these features to identify fraudulent frontends at scale.
- Logo and asset hashing: Image assets (SVGs, PNGs) are fingerprinted and matched against repositories of known legitimate brand assets. An exact hash match, or a perceptual near-duplicate, appearing on an unrelated domain flags an impersonation attempt.
This frontend analysis identifies malicious infrastructure before a user interacts with it on-chain.
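The lookalike-domain checks described above, and the typosquatting and homoglyph tricks covered under Phishing infrastructure, as an added example that is not Blockaid's or Tangem's code. It decodes punycode labels back to the form the user sees, folds common confusables to the Latin letters they imitate, and compares the registrable domain against a constructed watchlist (uniswap.org, opensea.io and walletconnect.com are used only as sample entries). The two-label approximation of the registrable domain, the small confusable table and the edit-distance threshold are assumptions; a production check would use the public suffix list, the full Unicode confusables data and domain-age feeds.

```python
import unicodedata

# Constructed watchlist for the example; a real deployment loads a maintained brand list.
BRANDS = ["uniswap.org", "opensea.io", "walletconnect.com"]

# Minimal confusables table (assumption): characters that render like Latin letters.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",   # Cyrillic
    "\u0445": "x", "\u0456": "i", "\u04cf": "l", "\u03bf": "o", "\u03b1": "a",   # Cyrillic/Greek
    "0": "o", "1": "l", "3": "e", "5": "s",                                       # digits
}


def to_unicode(host: str) -> str:
    """Decode punycode labels (xn--) so a homoglyph domain is compared as the user sees it."""
    if "xn--" in host.lower():
        try:
            return host.encode("ascii").decode("idna")
        except UnicodeError:
            return host
    return host


def skeleton(text: str) -> str:
    """Reduce a label to the Latin string it visually imitates."""
    text = unicodedata.normalize("NFKC", text).casefold()
    text = "".join(CONFUSABLES.get(ch, ch) for ch in text)
    return text.replace("rn", "m").replace("vv", "w")


def levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(host: str):
    """Return (verdict, matched_brand); verdicts: legitimate, homoglyph, lookalike, brand_in_subdomain, unknown."""
    labels = to_unicode(host).rstrip(".").lower().split(".")
    # Assumption: registrable domain = last two labels; use the public suffix list in production.
    registrable = ".".join(labels[-2:])
    sld = labels[-2] if len(labels) > 1 else labels[0]
    for brand in BRANDS:
        brand_sld = brand.split(".")[0]
        if registrable == brand:
            return "legitimate", brand                  # the brand itself or one of its subdomains
        if skeleton(registrable) == skeleton(brand):
            return "homoglyph", brand                   # identical once confusables are folded
        if levenshtein(skeleton(sld), brand_sld) <= 1:
            return "lookalike", brand                   # one typo or a TLD swap away
        if brand_sld in labels[:-2]:
            return "brand_in_subdomain", brand          # brand name parked under another domain
    return "unknown", None


# Constructed samples: the homoglyph uses Cyrillic "а" (U+0430) in place of Latin "a".
HOMOGLYPH = "unisw\u0430p.org"
PUNYCODE = HOMOGLYPH.encode("idna").decode("ascii")    # the xn-- form as it appears in DNS

if __name__ == "__main__":
    for host in ["app.uniswap.org", HOMOGLYPH, PUNYCODE, "unlswap.org", "app.uniswap.org.claim-rewards.xyz"]:
        print(host, "->", classify(host))
```

The order of the checks matters: an exact match on the registrable domain must win before the skeleton comparison, otherwise every legitimate subdomain would be reported as a homoglyph of itself.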
Transaction-level simulation
Once a user initiates a transaction, deterministic simulation provides the most reliable indicator of malicious behavior.
- Stateful fork and dry run: The unsigned transaction is executed against a forked state of the blockchain at the current block height. This simulates the exact state changes (token transfers, storage updates, event emissions) without committing them on-chain.
For example, if the simulation shows that the call leaves the user’s balance lower, or grants a spender an unlimited allowance that is immediately used to pull tokens out, the transaction is flagged as high risk.
- Calldata decoding: ABI decoding maps calldata into human-readable method invocations (approve, permit, transferFrom, fillOrder, etc.), exposing intent even when the UI obscures it. When the ABI is unavailable, the 4-byte function selector is matched against a database of known signatures.
- Multicall expansion: Many drainers hide logic inside nested multicall structures. Simulation recursively expands each subcall to reveal latent actions, preventing attackers from masking transfers behind batched operations.
This execution-layer inspection is the most direct way to validate the actual economic effect of a transaction, with one caveat: a contract can behave differently when the real transaction is mined, for instance by keying its behavior on the block number or on a storage flag the attacker flips after the simulation. That is why simulation is combined with the reputation and fingerprint checks below rather than used alone.
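The calldata decoding and multicall expansion just described, together with the unlimited-approval and obfuscated-calldata tactics from the Common scam tactics list, as one added example that is not Blockaid's code. It hardcodes the public 4-byte selectors of the standard ERC-20/ERC-721 approval and transfer functions and of Uniswap-style multicall(bytes[]) because the standard library has no keccak, walks nested multicall elements recursively, and applies the allowance rules to every decoded call. The addresses, the sample payload and the "unlimited" threshold are constructed assumptions.

```python
# Public 4-byte selectors (first 4 bytes of keccak256 of the signature), hardcoded because the
# standard library has no keccak; a real wallet uses a signature database instead.
SELECTORS = {
    "095ea7b3": ("approve", ["address", "uint256"]),
    "39509351": ("increaseAllowance", ["address", "uint256"]),
    "a22cb465": ("setApprovalForAll", ["address", "bool"]),
    "23b872dd": ("transferFrom", ["address", "address", "uint256"]),
    "d505accf": ("permit", ["address", "address", "uint256", "uint256", "uint8", "bytes32", "bytes32"]),
    "ac9650d8": ("multicall", ["bytes[]"]),
}
MAX_UINT256 = 2**256 - 1
UNLIMITED_THRESHOLD = 2**255   # assumption: any allowance above half the range is "unlimited"


def word(value) -> bytes:
    """ABI-encode one static value (0x address, int or bool) as a 32-byte word."""
    if isinstance(value, str):
        return bytes.fromhex(value[2:]).rjust(32, b"\0")
    return int(value).to_bytes(32, "big")


def encode_static(selector: str, *values) -> bytes:
    return bytes.fromhex(selector) + b"".join(word(v) for v in values)


def encode_multicall(calls) -> bytes:
    """Encode multicall(bytes[]): head offset, element count, per-element offsets, then the elements."""
    heads, tail = [], b""
    for call in calls:
        heads.append(len(calls) * 32 + len(tail))
        tail += word(len(call)) + call + b"\0" * (-len(call) % 32)
    return bytes.fromhex("ac9650d8") + word(32) + word(len(calls)) + b"".join(word(h) for h in heads) + tail


def decode_word(kind: str, w: bytes):
    if kind == "address":
        return "0x" + w[-20:].hex()
    if kind == "bool":
        return int.from_bytes(w, "big") != 0
    if kind.startswith("uint"):
        return int.from_bytes(w, "big")
    return "0x" + w.hex()


def decode_bytes_array(args: bytes, offset: int) -> list:
    count = int.from_bytes(args[offset:offset + 32], "big")
    base = offset + 32                      # element offsets are relative to this point
    items = []
    for i in range(count):
        rel = int.from_bytes(args[base + 32 * i:base + 32 * (i + 1)], "big")
        length = int.from_bytes(args[base + rel:base + rel + 32], "big")
        items.append(args[base + rel + 32:base + rel + 32 + length])
    return items


def decode_calldata(calldata: bytes, depth: int = 0) -> list:
    """Return [(depth, function, args), ...], expanding every nested multicall element."""
    selector, args = calldata[:4].hex(), calldata[4:]
    name, types = SELECTORS.get(selector, ("unknown:0x" + selector, []))
    values = []
    for i, kind in enumerate(types):
        w = args[32 * i:32 * (i + 1)]
        values.append(decode_bytes_array(args, int.from_bytes(w, "big")) if kind == "bytes[]" else decode_word(kind, w))
    calls = [(depth, name, values)]
    if name == "multicall":
        for inner in values[0]:
            calls.extend(decode_calldata(inner, depth + 1))
    return calls


def assess(calldata: bytes, user: str, known_spenders=frozenset()) -> list:
    """Apply the allowance heuristics from the text to every decoded call; returns risk findings."""
    known = {a.lower() for a in known_spenders}
    findings = []
    for depth, name, args in decode_calldata(calldata):
        where = " (inside multicall)" if depth else ""
        if name in ("approve", "increaseAllowance"):
            spender, amount = args
            if amount >= UNLIMITED_THRESHOLD:
                findings.append(f"unlimited allowance to {spender}{where}")
            elif spender not in known:
                findings.append(f"allowance of {amount} to unrecognised spender {spender}{where}")
        elif name == "setApprovalForAll" and args[1]:
            findings.append(f"operator approval over the whole collection to {args[0]}{where}")
        elif name == "transferFrom" and args[0] == user.lower():
            findings.append(f"moves {args[2]} of the user's tokens to {args[1]}{where}")
        elif name.startswith("unknown"):
            findings.append(f"undecodable call {name}{where}")
    return findings


# Constructed sample: an unlimited approve to a drainer hidden in a multicall next to a benign one.
USER, ROUTER, DRAINER = "0x" + "11" * 20, "0x" + "22" * 20, "0x" + "ab" * 20
SAMPLE = encode_multicall([encode_static("095ea7b3", ROUTER, 1000), encode_static("095ea7b3", DRAINER, MAX_UINT256)])

if __name__ == "__main__":
    for finding in assess(SAMPLE, USER, known_spenders={ROUTER}):
        print("HIGH RISK:", finding)
```

A wallet that only looked at the outer selector would see a single "multicall" and show the vague "contract call" line the text warns about; the recursive expansion is what surfaces the second approve.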
On-chain heuristics
Beyond direct simulation, additional heuristics detect patterns associated with drainers and malicious contracts:
- Contract age: Transactions granting approvals to contracts with recent deployment timestamps, few interactions, or ties to previously blacklisted addresses raise suspicion.
- Unlimited allowance followed by immediate transfer: Drainers request an infinite ERC-20 approval and then sweep the balance, so detection engines flag sequences in which an approve or permit call to a spender is followed by outbound transfers from the same owner within a short block window.
- Drainer fingerprints: Many DaaS kits reuse function call sequences, opcode-level gas signatures, or known router contracts. Once profiled, these behavioral fingerprints can be stored as YARA-like signatures and matched against future transactions. Blockaid has documented such fingerprints and publishes indicators of compromise (IOCs), including contract addresses, router patterns, and drainer behaviors.
These heuristics provide a continuously updated rule set, catching known and newly deployed drainers with common tactics, techniques, and procedures.
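An added example (not Blockaid's code) of scoring a dry run with the heuristics above and the simulation rule from the transaction-level section: it takes the Transfer and Approval events a forked-state simulation would emit, computes the user's net balance change, checks each approval against the spender's provenance (deployment age, interaction count, blocklist) and looks for the approve-then-sweep pattern in which the recipient forwards the same tokens onward within the trace. The trace, the contract metadata and the thresholds are constructed.

```python
from dataclasses import dataclass


@dataclass
class Transfer:            # ERC-20 Transfer event observed in the simulated trace
    token: str
    src: str
    dst: str
    amount: int


@dataclass
class Approval:            # ERC-20 Approval event observed in the simulated trace
    token: str
    owner: str
    spender: str
    amount: int


@dataclass
class ContractInfo:        # provenance of a contract address (constructed for the example)
    deployed_block: int
    tx_count: int
    blacklisted: bool = False


UNLIMITED = 2**255         # assumption: an allowance above half the range is "unlimited"
YOUNG_BLOCKS = 50_000      # assumption: about a week of Ethereum mainnet blocks
FEW_TXS = 100              # assumption: a contract with fewer interactions is "barely used"


def analyze(user, trace, contracts, current_block, intended_recipient=None):
    """Score a simulated trace; returns (verdict, [(severity, message)]) with verdict block/warn/allow."""
    net = {}
    for ev in trace:
        if isinstance(ev, Transfer):
            if ev.src == user:
                net[ev.token] = net.get(ev.token, 0) - ev.amount
            if ev.dst == user:
                net[ev.token] = net.get(ev.token, 0) + ev.amount
    received = any(v > 0 for v in net.values())
    findings = []
    for i, ev in enumerate(trace):
        if isinstance(ev, Transfer) and ev.src == user and ev.dst != intended_recipient:
            # Assets leaving with nothing coming back is the drain signature; an exchange is only noted.
            findings.append(("low" if received else "high", f"{ev.amount} {ev.token} leaves the wallet to {ev.dst}"))
            # Sweep pattern: the recipient forwards the same token onward within the same trace.
            for later in trace[i + 1:]:
                if isinstance(later, Transfer) and later.token == ev.token and later.src == ev.dst and later.dst not in (user, ev.dst):
                    findings.append(("high", f"{ev.dst} forwards {later.amount} {ev.token} to sweep address {later.dst}"))
        elif isinstance(ev, Approval) and ev.owner == user:
            info = contracts.get(ev.spender)
            reasons = ["unlimited allowance"] if ev.amount >= UNLIMITED else []
            if info is None:
                reasons.append("spender is an EOA or has no contract metadata")
            elif info.blacklisted:
                reasons.append("spender is on the drainer blocklist")
            elif current_block - info.deployed_block < YOUNG_BLOCKS:
                reasons.append(f"spender deployed {current_block - info.deployed_block} blocks ago")
            elif info.tx_count < FEW_TXS:
                reasons.append(f"spender has only {info.tx_count} interactions")
            if reasons:
                severity = "high" if len(reasons) > 1 or (info and info.blacklisted) else "medium"
                findings.append((severity, f"approval to {ev.spender} for {ev.token}: " + ", ".join(reasons)))
    levels = {severity for severity, _ in findings}
    verdict = "block" if "high" in levels else "warn" if "medium" in levels else "allow"
    return verdict, findings


# Constructed addresses, provenance and traces.
USER, ROUTER, DRAINER, SWEEP, FRIEND = ("0x" + c * 20 for c in ("11", "22", "ab", "cd", "33"))
CONTRACTS = {
    ROUTER: ContractInfo(deployed_block=12_000_000, tx_count=5_000_000),
    DRAINER: ContractInfo(deployed_block=20_999_800, tx_count=3),
}
CURRENT_BLOCK = 21_000_000
DRAIN_TRACE = [Approval("USDC", USER, DRAINER, 2**256 - 1),
               Transfer("USDC", USER, DRAINER, 1000),
               Transfer("USDC", DRAINER, SWEEP, 1000)]
SWAP_TRACE = [Approval("USDC", USER, ROUTER, 1000),
              Transfer("USDC", USER, ROUTER, 1000),
              Transfer("WETH", ROUTER, USER, 5 * 10**17)]
SEND_TRACE = [Transfer("USDC", USER, FRIEND, 10)]

if __name__ == "__main__":
    for name, trace, to in [("drain", DRAIN_TRACE, None), ("swap", SWAP_TRACE, None), ("send", SEND_TRACE, FRIEND)]:
        print(name, analyze(USER, trace, CONTRACTS, CURRENT_BLOCK, intended_recipient=to))
```

The intended_recipient parameter is how a plain send avoids tripping the outflow rule: the wallet knows who the user typed in, so only transfers to anyone else count as unexpected. An unlimited approval to an old, heavily used router still yields a "warn", which matches the explicit-confirmation step for unlimited allowances later in this article.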
Behavioral and machine learning signals
Finally, statistical and behavioral anomaly detection augments deterministic checks:
- UX Flow deviation: Detection systems monitor unusual signing flows, such as multi-step approvals where the second transaction is the exploit, or popups requesting improbable token amounts relative to wallet history.
- Third-party sweep patterns: Malicious contracts often forward assets to “sweep” addresses in the same transaction path. By clustering addresses involved in these sweep patterns, ML models can identify malicious wallets even before they’re widely reported.
- Telemetry and network effect: When a phishing attempt is detected by one integrated wallet, that signal can be distributed instantly across all others. This creates a collaborative defense layer, turning a single incident into a preventative measure for thousands of users. Blockaid highlights this as a key strength of its detection pipeline.
TL;DR
A layered defense strategy integrates multiple approaches to enhance security. Blockaid does the following:
- Combines off-chain metadata analysis, including domain and asset verification and frontend similarity checks.
- Uses on-chain simulation techniques such as fork execution, calldata analysis, and multicall expansion.
- Employs heuristic rulesets to assess contract provenance, identify unlimited approvals, and detect drainer fingerprints.
- Monitors behavioral and machine learning telemetry for flow anomalies, sweep detection, and rapid propagation of blocklists.
- Creates a comprehensive defense-in-depth model that detects threats from initial infrastructure setup through on-chain execution.
- Enables the neutralization of drainer campaigns before irreversible damage occurs.
Practical rules Tangem Wallet implements
These are practical checks we added to the signing pipeline on top of the Blockaid integration:
- When approve or permit-like signatures are present, Tangem provides a clear human-readable explanation: “This grants SPENDER permission to transfer up to Y TOKEN.”
- The wallet simulates the transaction before signing. If the simulated state change moves assets out of the user’s wallet to an external address, the request is flagged as high risk.
- We provide options for both limited and unlimited approvals and require a strong, explicit confirmation.
- Tangem UI shows the decoded contents and a plain-English summary of what the signature will authorize.
- If the spender/recipient is new or associated with known drainer addresses, the app warns users.
- For suspicious flows from the same domain or address, the app surfaces an “Are you sure?” confirmation for high-risk combinations.
- We have a precise “revoke” flow in wallet UI and educate users on revoking approvals.
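The plain-English explanation for permit-style signatures listed above, as an added example that is not Tangem's or Blockaid's code. It takes the typed-data object a dApp passes to eth_signTypedData_v4 for an EIP-2612 Permit or a Permit2 PermitSingle (the off-chain signature tactic from the Common scam tactics list), renders the "grants SPENDER permission to transfer up to Y TOKEN" sentence and flags unlimited amounts, unrecognised spenders and permits that never expire. The token registry, the addresses, the 30-day threshold and the "unlimited" cut-off are constructed assumptions; the EIP-712 "types" section is omitted from the samples because the explainer reads only primaryType, domain and message.

```python
from datetime import datetime, timedelta, timezone
from decimal import Decimal

# Constructed token registry (address -> (symbol, decimals)); a wallet would use its token list.
USDC = "0x" + "aa" * 20
TOKENS = {USDC: ("USDC", 6)}
LONG_PERMIT_DAYS = 30          # assumption: a permit valid longer than this is worth a warning


def explain_typed_data(typed: dict, known_spenders=frozenset(), now=None) -> dict:
    """Render an EIP-2612 Permit or Permit2 PermitSingle request as plain English plus risk findings."""
    now = now or datetime.now(timezone.utc)
    primary, msg, domain = typed["primaryType"], typed["message"], typed.get("domain", {})
    if primary == "Permit" and "value" in msg:                        # EIP-2612: token is the verifying contract
        token_addr, spender = domain.get("verifyingContract", ""), msg["spender"]
        raw, bits, deadline = int(msg["value"]), 256, int(msg["deadline"])
    elif primary == "PermitSingle":                                    # Permit2: token is inside details
        details = msg["details"]
        token_addr, spender = details["token"], msg["spender"]
        raw, bits, deadline = int(details["amount"]), 160, int(details["expiration"])
    else:
        return {"summary": f"Unrecognised signature request ({primary})",
                "findings": ["typed data could not be decoded"], "risk": "high"}
    symbol, decimals = TOKENS.get(token_addr.lower(), (domain.get("name", token_addr), 18))
    unlimited = raw >= 1 << (bits - 1)                                 # assumption: over half the range
    amount = "an unlimited amount of" if unlimited else format(Decimal(raw) / Decimal(10**decimals), "f")
    findings = ["unlimited allowance"] if unlimited else []
    if spender.lower() not in {s.lower() for s in known_spenders}:
        findings.append(f"spender {spender} is not a recognised contract")
    if deadline > int((now + timedelta(days=365 * 100)).timestamp()):  # uint256 max and the like
        until = "with no expiry"
        findings.append("permit never expires")
    else:
        expires = datetime.fromtimestamp(deadline, timezone.utc)
        until = f"until {expires:%Y-%m-%d %H:%M} UTC"
        if expires - now > timedelta(days=LONG_PERMIT_DAYS):
            findings.append(f"permit stays valid for {(expires - now).days} days")
        elif expires < now:
            findings.append("permit already expired")
    risk = "high" if unlimited and len(findings) > 1 else "medium" if findings else "low"
    summary = (f"This grants {spender} permission to transfer up to {amount} {symbol} {until}. "
               "Signing costs no gas; the spender submits it on-chain whenever it chooses.")
    return {"summary": summary, "findings": findings, "risk": risk}


# Constructed requests; the EIP-712 "types" section is omitted because the explainer does not need it.
USER, DRAINER, ROUTER = "0x" + "11" * 20, "0x" + "ab" * 20, "0x" + "22" * 20
FIXED_NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
PERMIT_DRAIN = {
    "primaryType": "Permit",
    "domain": {"name": "USD Coin", "version": "2", "chainId": 1, "verifyingContract": USDC},
    "message": {"owner": USER, "spender": DRAINER, "value": str(2**256 - 1), "nonce": 0, "deadline": str(2**256 - 1)},
}
PERMIT2_SWAP = {
    "primaryType": "PermitSingle",
    "domain": {"name": "Permit2", "chainId": 1, "verifyingContract": "0x" + "00" * 20},
    "message": {"details": {"token": USDC, "amount": "100000000", "expiration": str(int(FIXED_NOW.timestamp()) + 3600), "nonce": 0},
                "spender": ROUTER, "sigDeadline": str(int(FIXED_NOW.timestamp()) + 3600)},
}

if __name__ == "__main__":
    for request in (PERMIT_DRAIN, PERMIT2_SWAP):
        print(explain_typed_data(request, known_spenders={ROUTER}, now=FIXED_NOW))
```

Any primaryType the explainer does not understand is reported as high risk rather than silently rendered as "Sign message", because an opaque structured signature is exactly what the drainer kits rely on.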
Conclusion
Malicious dApps weaponize UI trust and opaque signatures. The strongest defense is to move detection to the signing moment: decode the calldata, simulate the exact state changes, check on-chain reputation, and surface a clear warning, which is precisely what Blockaid’s scanning and simulation pipeline is built to do. That combination makes an Approve button informative instead of lethal.
The contest between scammers and defenders in Web3 is a familiar one. It's a cycle of invention and response that has defined security since the early days of the internet. WalletConnect made transactions easier. Attackers responded by making deception easier.
Companies like Blockaid try to make approval safer without undermining the decentralized ethos that makes Web3 attractive. Whether the balance tips in the user’s favor will depend on the platforms’ vigilance, faster detection shared industry-wide, and, crucially, the choices of users who continue to click Approve.