Seed Phrase Phishing and Wallet Drainers: How Wallets Get Emptied

Self-custody puts you in control — and makes you the only line of defense. Almost every 'hacked wallet' traces back to a revealed seed phrase or an approved malicious transaction, not a broken blockchain. Here is how draining scams work and the habits that keep your wallet safe.

People say their wallet was "hacked," but the blockchain itself is almost never broken. What actually happens is quieter: you are tricked into revealing your seed phrase, or into signing a transaction that hands your assets away. Understanding those two attacks is most of your defense.

What a seed phrase actually is

When you set up a self-custody wallet like MetaMask or a hardware device, it gives you a list of 12 or 24 words — your seed phrase (or recovery phrase). Those words are your wallet. Anyone who has them can recreate it on their own device and take everything, instantly and irreversibly. (For how a seed phrase differs from a single private key, see our plain-English breakdown.)

Your seed phrase is never needed by anyone but you.

No legitimate wallet, exchange, support agent, airdrop, or "wallet validation" tool will ever ask for your seed phrase. Wallet makers like MetaMask and Ledger say this plainly: they never ask for it. Anyone who does is a thief — no exceptions.

How seed phrase phishing works

The goal is simply to get you to type those words somewhere.

  1. The lure: A fake support message, a 'your wallet is at risk' popup, or a too-good airdrop draws you to a website.
  2. The clone: The site mimics your real wallet's interface down to the logo, often on a near-identical misspelled domain.
  3. The ask: It prompts you to 'import', 'validate', or 'sync' your wallet by entering your 12 or 24 words.
  4. The drain: The moment you submit them, the attacker has your wallet. Funds are gone within seconds.
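
The clone step depends on a hostname that differs only slightly from the real one. As an added example (not part of the original article), this Python sketch classifies a hostname against a list of bookmarked wallet sites; the `OFFICIAL` domains and the function names are constructed placeholders, and treating the last two labels as the registered domain is a simplifying assumption.

```python
# Added example (not from the original article): classify a hostname against
# the wallet sites you bookmarked. OFFICIAL holds constructed placeholder domains.
OFFICIAL = {"wallet.example", "hardware-wallet.example"}

def edit_distance(a, b):
    """Levenshtein distance using two rolling rows."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_host(host, official=OFFICIAL):
    """Return 'official', 'lookalike' or 'unknown' for a hostname."""
    host = host.strip().lower().rstrip(".")
    labels = host.split(".")
    # Exact match or a true subdomain of a bookmarked site.
    if any(host == d or host.endswith("." + d) for d in official):
        return "official"
    # Punycode labels can render as look-alike Unicode characters.
    if any(label.startswith("xn--") for label in labels):
        return "lookalike"
    # Simplification: treat the last two labels as the registered domain
    # (a production check would consult the Public Suffix List).
    registered = ".".join(labels[-2:])
    for d in official:
        brand = d.split(".")[0]
        if 0 < edit_distance(registered, d) <= 2:
            return "lookalike"  # misspelled version of a bookmarked domain
        if brand in host:
            return "lookalike"  # brand name reused on an unrelated domain
    return "unknown"

if __name__ == "__main__":
    for h in ("wallet.example", "wal1et.example", "wallet.example.verify-login.test"):
        print(h, "->", classify_host(h))
```

The brand-substring rule is a heuristic and will also flag unrelated sites that merely contain the brand word, which is the safer direction for a warning.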

Wallet drainers: theft by signature

The second attack never asks for your phrase at all. Instead, a malicious site gets you to sign a transaction or approval that grants a contract permission to move your tokens. You think you are "claiming a reward" or "connecting" — but you are authorizing the theft yourself. This is the engine behind fake airdrops and token-approval scams.

Common lures

Lure | What it claims
Fake support DM | "I'm from wallet support — let's validate your wallet"
Wallet-risk popup | "Your wallet is compromised — migrate now"
Fake airdrop / mint | "Claim your free tokens" or "mint before it sells out"
Malicious extension | A browser add-on that swaps addresses or captures input
Cloned website | A near-perfect copy on a misspelled domain

These share the red flags of a crypto scam: urgency, an unsolicited approach, and a request to reveal or approve something.

How to protect your wallet

  • Never type your seed phrase into anything but your own wallet during setup or recovery. Not a website, not a form, not an app someone sent.
  • Use a hardware wallet for meaningful amounts — it keeps your keys offline.
  • Bookmark official sites and use the bookmarks; do not click wallet links from DMs, ads, or search results.
  • Use a separate "burner" wallet for mints and airdrops, holding nothing you cannot lose.
  • Review what you sign. If a prompt asks to approve token access you did not intend, reject it.
  • Revoke old approvals periodically with a tool like Etherscan's Token Approvals checker.

The U.S. Cybersecurity and Infrastructure Security Agency publishes plain-language guidance on recognizing phishing that applies directly here.

If your wallet was drained

Move quickly and calmly:

  1. Assume the wallet is permanently compromised. If your seed phrase was exposed, that wallet can never be trusted again.
  2. Create a brand-new wallet and move any remaining or future assets to it.
  3. Revoke approvals from the old wallet if it still holds anything.
  4. Preserve the transaction hashes of the theft, then report it using our reporting guide. The funds can still be traced on-chain.

Frequently asked questions

Someone got my seed phrase — can I change it?

No. A seed phrase cannot be changed like a password. Once it is exposed, the only safe move is to create a new wallet with a new phrase and move everything to it immediately.

Is a hardware wallet completely safe?

It dramatically reduces risk by keeping your keys offline, so phishing for your phrase fails. But you can still be tricked into signing a malicious approval, so you must still check what each transaction does.

What is a token approval?

It is permission you grant a smart contract to move specific tokens on your behalf — normal in DeFi, but abused by drainers. We break it down in fake airdrops and token-approval scams.
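
What a token approval looks like at signing time, relevant both to the drainer section and to the "review what you sign" habit above: this added example (not part of the original article) decodes transaction calldata in Python and reports the spender and scope for the standard `approve` and `setApprovalForAll` calls. The sample calldata and spender address are constructed, and `approve` is interpreted as an ERC-20 allowance.

```python
# Added example (not from the original article): decode transaction calldata
# and report whether signing it would grant a spender control of your tokens.
MAX_UINT256 = 2**256 - 1

# 4-byte selectors of the standard approval functions.
SELECTORS = {
    # ERC-20 allowance (assumed here; ERC-721 reuses this selector with a token id)
    "095ea7b3": "approve(address,uint256)",
    # ERC-721 / ERC-1155 operator approval over a whole collection
    "a22cb465": "setApprovalForAll(address,bool)",
}

# Constructed sample: unlimited ERC-20 approval to a made-up spender address.
SAMPLE_SPENDER = "0x" + "11" * 20
SAMPLE_UNLIMITED = "0x095ea7b3" + "00" * 12 + "11" * 20 + "ff" * 32

def describe_approval(calldata_hex):
    """Return a dict describing an approval call, or None for anything else."""
    data = calldata_hex.strip().lower()
    if data.startswith("0x"):
        data = data[2:]
    selector, args = data[:8], data[8:]
    if selector not in SELECTORS:
        return None
    if len(args) < 128:
        raise ValueError("approval calldata needs two 32-byte arguments")
    # Arguments are 32-byte words; an address occupies the low 20 bytes.
    spender = "0x" + args[24:64]
    value = int(args[64:128], 16)
    info = {"function": SELECTORS[selector], "spender": spender}
    if value == 0:
        info["effect"] = "revokes an existing approval"
    elif selector == "a22cb465":
        info["effect"] = "spender can move every NFT in this collection"
    elif value == MAX_UINT256:
        info["effect"] = "spender can move an unlimited amount of this token"
    else:
        info["effect"] = f"spender can move up to {value} base units"
    return info

if __name__ == "__main__":
    print(describe_approval(SAMPLE_UNLIMITED))
```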

Key takeaways

  • Wallets are rarely 'hacked' — you are tricked into revealing keys or signing.
  • No legitimate service ever asks for your seed phrase. Ever.
  • Drainers steal by getting you to approve a malicious transaction yourself.
  • Use a hardware wallet, bookmark official sites, and revoke stale approvals.
  • If drained, abandon the wallet, move to a new one, preserve hashes, and report.

Scambulance will never ask for your private keys, passwords, or seed phrases. Anyone promising guaranteed fund recovery is likely a scammer.