tradingkey.logo
tradingkey.logo
Search

StepDrainer drains crypto wallets across +20 networks

CryptopolitanApr 30, 2026 11:34 PM
facebooktwitterlinkedin
View all comments0

A crypto-stealing tool called StepDrainer is draining money from wallets across Ethereum, BNB Chain, Arbitrum, Polygon, and at least 17 other networks.

StepDrainer operates as a malware-as-a-service kit. It uses fake but realistic Web3 wallet pop-ups to trick people into approving transfers. Some of those screens are made to look like Web3Modal wallet connections.

Once someone connects their wallet, StepDrainer looks for the most valuable tokens first and automatically sends them to wallets controlled by the attackers, according to LevelBlue.

StepDrainer misuses smart contract tools

StepDrainer misuses real smart contract tools like Seaport and Permit v2 to show wallet approval pop-ups that look normal. But the details inside those pop-ups are fake.

In one case, cybersecurity researchers found that victims saw a fake message saying they were receiving “ 500 USDT,” making the approval look safe.

StepDrainer loads its harmful code through changing scripts and gets its setup from decentralized on-chain accounts.

That setup helps the attackers dodge normal security tools because the harmful code is not stored in one fixed place where it can be easily scanned.

StepDrainer is not just one person’s project. Researchers said there is a developed underground market selling ready-made drainer kits, making it easier for many attackers to add wallet-stealing features to scams they already run.

EtherRAT siphons crypto from Windows users

Researchers also found another malware besides StepDrainer, called EtherRAT. It targets Windows through a fake version of the Tftpd64 network admin tool.

According to LevelBlue, EtherRAT hides Node.js inside a fake installer, makes sure it stays on the computer through the Windows registry, and uses PowerShell to check the system.

EtherRAT first targeted Linux. Now it is bringing malware tricks and crypto theft to Windows.

EtherRAT quietly runs in the background. It checks things like antivirus tools, system settings, domain details, and hardware before it starts stealing.

According to a recent Cryptopolitan report, over 500 Ethereum wallets have been drained in the past 24 hours. The attacker siphoned more than $800K in crypto assets and then swapped the funds via ThorChain.

Many of the drained wallets have been inactive for over 7 years, according to on-chain research Wazz. The drained funds were directed by a single wallet address controlled by the attacker.

Cybersecurity researchers advise users connecting wallets to unknown sites to verify the domain, read the transaction details before signing, and remove any unlimited token approvals.

Don’t just read crypto news. Understand it. Subscribe to our newsletter. It's free.

Disclaimer: The information provided on this website is for educational and informational purposes only and should not be considered financial or investment advice.

Comments (0)

Click the $ button, enter the symbol, and select to link a stock, ETF, or other ticker.

0/500
Commenting Guidelines
Loading...

Recommended Articles

tradingkey.logo
* References, analysis, and trading strategies are provided by the third-party provider, Trading Central, and the point of view is based on the independent assessment and judgement of the analyst, without considering the investment objectives and financial situation of the investors.
Risk Warning: Our Website and Mobile App provides only general information on certain investment products. Finsights does not provide, and the provision of such information must not be construed as Finsights providing, financial advice or recommendation for any investment product.
Investment products are subject to significant investment risks, including the possible loss of the principal amount invested and may not be suitable for everyone. Past performance of investment products is not indicative of their future performance.
Finsights may allow third party advertisers or affiliates to place or deliver advertisements on our Website or Mobile App or any part thereof and may be compensated by them based on your interaction with the advertisements.
© Copyright: FINSIGHTS MEDIA PTE. LTD. All Rights Reserved.