Skip to main content
← Back to blog
TUTORIAL Solana Wallet Drainer Scams: How They Work and How to Avoid Them MoonHydra · moonhydra.com/blog
Tutorial Security Scams Solana

Solana Wallet Drainer Scams: How They Work and How to Avoid Them

· 10 min read · MoonHydra Research

A wallet drainer rarely "hacks" anything. In almost every case, it convinces you to sign a transaction that moves your assets to an attacker, or it tricks you into typing your seed phrase into a fake box. The exploit is the moment you click approve. That is uncomfortable news, but it is also good news: because the defense is behavioral, you can avoid nearly all of these scams with a handful of habits and the right wallet setup. This guide explains what a Solana drainer actually is, the common ways one reaches you, how a single bad signature can empty a wallet, and the practical steps that keep your funds out of reach. It also covers exactly what to do in the first minutes if you think you have been drained.

What a wallet drainer actually is

A wallet drainer is a malicious site or script designed to get you to authorize a transfer of your own assets. Think of it as a trap dressed up as something you want: a free token claim, an NFT mint, an airdrop, a giveaway, or a "connect your wallet to continue" gate. The page itself does nothing harmful until you connect a wallet and sign. The harm is in the signature.

Many drainers today are sold as a service. An operator builds and maintains the drainer code, and affiliates spread the phishing links and split the stolen funds with the operator by a preset percentage. That industrialization is why these scams look polished, refresh constantly, and reappear under new domains the moment one gets flagged. You are not facing a lone hobbyist. You are facing a product with a marketing funnel, and the funnel ends at your approve button.

The key mental model: on Solana, the network does exactly what a signed transaction tells it to. There is no "undo," no support desk, and no chargeback. If you sign something that hands over your tokens or reassigns control of an account, that action is final the moment it lands.

The common ways a drainer reaches you

The script is always the same underneath, but the bait varies. These are the vectors that show up again and again:

  • Fake airdrop, claim, and mint sites. "Claim 15 SOL," "you are eligible for an airdrop," or a limited-time mint for a hyped collection. The page mimics a real project, asks you to connect, and presents a transaction to "claim." Approving it drains you instead.
  • Malicious "connect wallet" plus blind signature. The site asks you to connect, then immediately pushes a signature request you cannot easily read. If you sign without understanding what it does, you may be transferring tokens or handing over account authority.
  • Fake wallet popups. A counterfeit Phantom or Solflare window appears asking for your recovery phrase. Real wallets never ask for your seed phrase to "verify," "sync," or "unlock." Any popup that does is a thief.
  • Hacked or spoofed Discord and X links. A trusted project account or moderator gets compromised and posts a "mint is live" link, or a lookalike handle replies under a real announcement. The link points to a drainer.
  • Fake support DMs. Nobody from a real project, wallet, or exchange will DM you first to "help." The "support agent" who messages you out of the blue is setting up either a seed-phrase ask or a malicious signature.
  • Malicious browser extensions. A fake or trojaned extension can swap addresses you copy, inject fake prompts, or read what is on the page. Install extensions only from official stores, and keep the list short.
  • Outright seed-phrase phishing. The bluntest version: a site, form, or "wallet migration" tool asks you to enter your 12 or 24 words directly. Handing those over gives the attacker your wallet entirely, with no signature needed.

How one bad signature drains a wallet

It helps to understand why a single approval can be so costly. A Solana transaction can bundle several instructions together, and a drainer hides the dangerous one among innocent-looking ones. A common pattern stacks something harmless, like creating a token account, next to a fee transfer for "gas," next to the instruction that actually does the damage. At a glance it reads as "create account and pay a small fee," so people approve it.

The damaging instruction takes a few forms. The simplest just transfers your SPL tokens out to the attacker in the same transaction you signed. A nastier variant reassigns the ownership or authority of an account you control, so the attacker can move assets later, on their own schedule, without needing you again. Some drainers also abuse durable nonces, a legitimate Solana feature that lets a signed transaction stay valid indefinitely, so a signature you give today can be executed at a more convenient moment for them.

Attackers also play games with the transaction preview itself, trying to make a wallet's simulation look benign or confusing so the warning you rely on does not fire clearly. The takeaway is not to memorize every technique. It is this: if you cannot clearly read what a transaction does and why, do not sign it. A vague or unreadable request is the warning.

Warning signs to watch for

Most drainer encounters share a few tells. Any one of these should make you stop:

  • Urgency. "Ends in 10 minutes," "only 50 spots left," "claim now." Pressure exists to stop you from checking.
  • Free money. Unprompted airdrops, giveaways, and "you won" messages are bait far more often than gifts.
  • A seed-phrase request, ever. No legitimate site, popup, wallet, or person needs your recovery phrase. This one is absolute.
  • An unreadable or mismatched signature. If the transaction preview does not match what the page claims you are doing, or you cannot tell what it does at all, reject it.
  • A link you did not seek out. Links from DMs, replies, ads, and random posts deserve far more suspicion than ones you navigated to yourself from a known source.
  • A lookalike domain. Subtle misspellings, extra words, or odd top-level domains. Attackers register names one character off from the real one.
  • A wallet drainer warning from your wallet. If Phantom, Solflare, or Backpack flags a site or transaction as suspicious, believe it and back out.

How to protect your wallet

Because the attack targets your behavior, the defenses are mostly habits plus a sensible wallet structure. None of these are exotic, and together they block the overwhelming majority of drainers.

  • Never sign blind. Read every transaction preview. Confirm the action matches what you intended, check the destination, and reject anything you cannot understand. Slowing down for ten seconds is the single highest-value habit here.
  • Bookmark official sites and use the bookmarks. Go to dApps, mints, and your wallet only through bookmarks you saved from a verified source. Do not reach them through search ads or links people send you.
  • Use a burner wallet for mints and airdrops. Keep a separate, lightly funded wallet for anything experimental. If a "mint" turns out to be a drainer, it can only reach the little that wallet holds. A dedicated burner wallet setup is the cleanest way to do this.
  • Keep serious size in a hardware wallet. A hardware device keeps your keys offline and forces a physical confirmation to sign. It does not make you immune to approving a bad transaction, but it removes the easiest theft paths and protects your main holdings.
  • Separate wallets to limit the blast radius. Do not keep your savings, your active trading funds, and your degen experiments in one address. If one wallet is compromised, the others are untouched. The logic behind a multi-wallet strategy is exactly this kind of containment.
  • Never enter your seed phrase anywhere online. Not into a site, not into a popup, not into a "support tool." Your recovery phrase lives offline, on paper, and is typed only into your real wallet during setup or restore.
  • Revoke stale approvals. Old token approvals you granted to dApps can linger. Periodically review and revoke approvals you no longer use, so a contract you forgot about cannot move your tokens later.
  • Install software carefully. Download your wallet only from its official site or a verified store listing, and keep your browser extension list short. A fake wallet or a malicious extension defeats every other precaution.

If you are still setting up your main wallet, a clean install matters. Our guide on how to set up Phantom walks through doing it safely, and the best Solana wallets in 2026 compares how Phantom, Solflare, and Backpack handle the signing screen where these attacks happen.

What to do immediately if you are drained

If you think a transaction just took your funds, act fast and stay methodical. Speed matters because attackers often sweep what is left.

  1. Move what is still there. Open a fresh, clean wallet on a device you trust and transfer any remaining assets out of the compromised wallet immediately. Assume the compromised wallet is no longer safe to use.
  2. Stop interacting with the source. Close the malicious site, leave the Discord or DM thread, and do not sign anything else it offers, including any "recovery" or "reverse the transaction" prompt. Those are second-stage scams.
  3. Treat the seed as burned if you typed it. If you entered your recovery phrase anywhere, that wallet is permanently compromised. No software can re-secure it. Generate a brand-new wallet with a new seed and migrate going forward.
  4. Revoke approvals from the affected wallet. If your keys were not exposed but you approved a malicious contract, revoke its approvals so it cannot pull more later.
  5. Document and report. Save the transaction signatures, the wallet addresses, and the scam URL. Report the phishing site to the relevant wallet and to security trackers so others get warned.
  6. Be skeptical of "recovery" offers. Anyone who DMs you promising to recover stolen crypto for a fee is running another scam. Realistically, on-chain transfers are not reversible.

How MoonHydra fits

MoonHydra is a non-custodial Solana trading bot that runs inside Telegram, and its design lines up with the containment idea above. The wallet it uses for you is encrypted at rest with AES-256-GCM, and trades route through Jupiter, the established Solana aggregator. There are no custom smart contracts of ours in the path for an attacker to abuse, and there is no subscription. Pricing is a flat 1% per trade, on both buys and sells.

What MoonHydra does not do is protect you from a drainer you sign yourself. Nothing can. A drainer lives on a web page and depends on you approving its transaction or pasting your seed, which happens entirely outside the bot. The honest framing is that a trading bot's encrypted wallet works well as a separate, purpose-built wallet that limits your blast radius. You fund it for active trading and keep your long-term holdings in a hardware wallet elsewhere, so a bad signature anywhere can only touch the slice it can reach. If you want the broader checklist, our Solana trading bot security checklist ties these habits together, and the difference between non-custodial and custodial bots explains why key control matters in the first place.

Bottom line

Solana wallet drainers are not magic and they are not unbeatable. They are social engineering with a signature at the end. Read every transaction before you approve it, never type your seed phrase anywhere online, reach official sites only through your own bookmarks, use a burner for mints and airdrops, keep serious funds on a hardware wallet, and split your holdings across wallets so one mistake cannot take everything. Those habits cost you nothing and shut down the vast majority of these scams. The single rule that carries the most weight: if you cannot clearly read what a transaction does, do not sign it.

Next: review the trading bot security checklist, learn how a burner wallet contains the damage, and read up on honeypot tokens for the on-chain traps that sit alongside these off-chain ones. When you are ready to trade with a non-custodial setup, start at t.me/moonhydrabot.


Ready to put this into practice?

MoonHydra is a multi-wallet Solana memecoin trading bot on Telegram. 1% per trade. AES-256-GCM encrypted. Non-custodial.

Open MoonHydra