Drainer
A pre-built kit of scripts and contracts that scammers deploy on a phishing site to siphon as many assets as possible from a wallet through a single user signature. Sold as a service: the kit author keeps a cut of the stolen funds.
Aliases: wallet drainer, drainer kit
A drainer is the bundle of frontend scripts, smart contracts, and exfiltration infrastructure that an attacker installs on a phishing site. In the early days every scam was hand-rolled; today drainer kits are sold as a service — the kit author hosts the code and takes 20 to 30 percent of every successful theft.
The attack workflow
- Lure the victim to a phishing site — a fake airdrop, a fake NFT mint, a cloned DEX. Traffic comes from paid ads on X, replies under official posts, and unsolicited Telegram messages.
- Show a “Connect Wallet” button that uses TON Connect, exactly like a legitimate service.
- Scan the wallet as soon as it connects: how much TON, which jettons, which NFTs, and what each is worth at market.
- Build a malicious signature request. On TON this is usually a single transaction with a large internal-message payload that moves multiple jettons and NFTs to the attacker’s address in one shot.
- The user signs without inspecting the details. Funds leave. The attacker immediately routes them through mixers or cross-chain bridges.
What is specific to TON
- The target is jettons and NFTs, not TON. A plain TON transfer is easy to read — the amount is right there. Mass jetton transfers and NFT batch moves are harder to evaluate: the wallet UI does not always sum up the total dollar value, so the victim sees “a few transfers” without realising the combined worth.
- Mint-flow impersonation. On a fake NFT mint site, the drainer requests a “mint” signature that is actually an approval/transfer of every valuable NFT in the wallet.
- TON Connect is the transport, not the vulnerability. The protocol itself works correctly: it shows the domain and forwards the message. The drainer relies on the user not reading the request.
- Speed. A well-built drainer empties a wallet in a single signature, faster than the victim can think it through.
Signs of a drainer site
- The domain looks legitimate but does not match character for character.
- The site demands a wallet connection before showing any real content.
- The transaction you are asked to sign is long and contains several internal messages at once.
- The recipient address in the signing screen is unfamiliar and does not match the project’s published contract.
- An aggressive countdown timer pushing you to “claim now”.
Defence
- Hardware wallet for anything valuable. A drainer cannot silently push a transaction through — the device displays exactly what is being signed.
- Burner address for new dApps. Connect a low-balance wallet to anything unfamiliar; even a successful drain only loses pocket change.
- Read the signing screen. If the wallet shows “Send 5 jettons plus 3 NFTs to EQXxx…”, that is not minting. That is an exit. Refuse.
- Updated wallet app. Tonkeeper, MyTonWallet, and Tonhub keep adding heuristics: suspicious domains, known drainer addresses, blocklists. Stay on the latest version.
- Known scam lists. Tonviewer and Tonscan label malicious addresses. If the destination of your transaction is already flagged as a drainer wallet, the wallet may surface a warning.
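The checks in the two lists above (the signs of a drainer site, and the known-scam-list lookup under Defence) can be turned into heuristics a wallet runs before it shows the signing screen. The block below is an added example written for this page, not code from TON Connect, Tonkeeper, MyTonWallet, Tonhub or any other project named here. It assumes the TON Connect `sendTransaction` request shape (`messages[]`, each with `address`, `amount` in nanotons as a string, and an optional base64 `payload`); every address, domain, payload string and threshold in it is a constructed placeholder.

```javascript
// Added example: defender-side heuristics over a TON Connect sendTransaction request.
// Request shape assumed from the TON Connect protocol: { valid_until, messages: [...] }.
// All addresses, domains, payloads and thresholds below are constructed placeholders.

const NANOTONS_PER_TON = 1_000_000_000n;

// Constructed context for a hypothetical NFT mint dApp the user believes they are using.
const EXAMPLE_CONTEXT = {
  expectedDomain: "ton-mint.example",
  // Contracts the project publicly documents (placeholder address).
  knownContracts: new Set(["EQ_PROJECT_MINT_CONTRACT_PLACEHOLDER"]),
  // Addresses already labelled as drainer wallets by a scam list (placeholder).
  blocklist: new Set(["EQ_KNOWN_DRAINER_PLACEHOLDER"]),
  maxMessages: 1,   // a mint needs one internal message
  maxTotalTon: 5n,  // anything above this for a "mint" deserves a warning
};

// Levenshtein distance, single rolling row.
function editDistance(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0];
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const up = prev[j];
      prev[j] = Math.min(up + 1, prev[j - 1] + 1, diag + (a[i - 1] === b[j - 1] ? 0 : 1));
      diag = up;
    }
  }
  return prev[b.length];
}

// "Looks legitimate but does not match character for character": homographs,
// punycode, one or two characters off, or the real name buried in a longer host.
function domainLooksSpoofed(hostname, expectedDomain) {
  const host = hostname.toLowerCase();
  const expected = expectedDomain.toLowerCase();
  if (host === expected) return false;
  if (/[^\x00-\x7f]/.test(host) || host.includes("xn--")) return true;
  if (editDistance(host, expected) <= 2) return true;
  // e.g. ton-mint.example.claim-now.xyz; a genuine subdomain ends with ".ton-mint.example"
  if (host.includes(expected) && !host.endsWith("." + expected)) return true;
  return false;
}

// Scores a request and lists the reasons, so a wallet can show them beside the
// raw message list instead of "a few transfers".
function assessRequest(request, context) {
  const warnings = [];
  const messages = request.messages ?? [];
  let score = 0;

  if (messages.length > context.maxMessages) {
    warnings.push(`${messages.length} internal messages in one signature (expected at most ${context.maxMessages})`);
    score += 2;
  }

  let totalNanotons = 0n;
  let withPayload = 0;
  for (const m of messages) {
    totalNanotons += BigInt(m.amount);
    if (m.payload) withPayload += 1;
    if (context.blocklist.has(m.address)) {
      warnings.push(`recipient ${m.address} is on a scam list`);
      score += 3;
    } else if (!context.knownContracts.has(m.address)) {
      warnings.push(`recipient ${m.address} is not a published project contract`);
      score += 1;
    }
  }
  // Jetton and NFT transfers are addressed to the victim's own token-wallet or item
  // contracts; the attacker's destination sits inside the payload. The TON amount on
  // the screen therefore says nothing about the value that moves.
  if (withPayload > 1) {
    warnings.push(`${withPayload} messages carry a payload (token or NFT transfers); the TON amount understates what moves`);
    score += 1;
  }
  if (totalNanotons > context.maxTotalTon * NANOTONS_PER_TON) {
    warnings.push(`total of ${totalNanotons} nanotons exceeds ${context.maxTotalTon} TON`);
    score += 1;
  }
  const risk = score >= 3 ? "high" : score > 0 ? "medium" : "low";
  return { warnings, score, risk };
}

// Constructed benign mint: one message to the documented contract, one mint payload.
const BENIGN_REQUEST = {
  valid_until: 1700000600,
  messages: [{ address: "EQ_PROJECT_MINT_CONTRACT_PLACEHOLDER", amount: "1500000000", payload: "BASE64_BOC_MINT_PLACEHOLDER" }],
};

// Constructed drainer-style request: a direct TON send to a listed drainer wallet plus
// four transfer messages to the victim's own jetton wallets and an NFT item contract.
const DRAINER_REQUEST = {
  valid_until: 1700000600,
  messages: [
    { address: "EQ_KNOWN_DRAINER_PLACEHOLDER", amount: "3000000000" },
    { address: "EQ_VICTIM_JETTON_WALLET_A_PLACEHOLDER", amount: "50000000", payload: "BASE64_BOC_TRANSFER_PLACEHOLDER" },
    { address: "EQ_VICTIM_JETTON_WALLET_B_PLACEHOLDER", amount: "50000000", payload: "BASE64_BOC_TRANSFER_PLACEHOLDER" },
    { address: "EQ_VICTIM_JETTON_WALLET_C_PLACEHOLDER", amount: "50000000", payload: "BASE64_BOC_TRANSFER_PLACEHOLDER" },
    { address: "EQ_VICTIM_NFT_ITEM_D_PLACEHOLDER", amount: "50000000", payload: "BASE64_BOC_TRANSFER_PLACEHOLDER" },
  ],
};

console.log("benign:", assessRequest(BENIGN_REQUEST, EXAMPLE_CONTEXT));
console.log("drainer:", assessRequest(DRAINER_REQUEST, EXAMPLE_CONTEXT));
console.log("spoofed domain:", domainLooksSpoofed("ton-rnint.example", EXAMPLE_CONTEXT.expectedDomain));
```

The benign request scores "low" with no warnings; the constructed drainer request collects seven warnings and scores "high". The address checks alone would not be enough, because a jetton transfer is addressed to the victim's own jetton-wallet contract and the attacker's address lives inside the payload; that is why the count of payload-bearing messages is weighted on its own. Decoding each payload BoC to recover the real destination and token amount, and pricing them at market, is the natural next step for a wallet that wants to show the combined value rather than "a few transfers".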
Drainers are an industry and will exist as long as victims do. There is no purely technical fix that turns them off. The only defence is user attention at the moment of signing and hardware isolation of the private key.