Pink Drainer just shut down. The wallet-drainer world did not.

What is a wallet drainer, in one paragraph?

A wallet drainer is a piece of JavaScript that runs on a fake or hacked website. When you connect your wallet (MetaMask, Phantom, Trust Wallet, Ledger, Trezor, anything), the script asks you to sign what looks like a normal transaction. It is not normal. It is a request that gives the attacker permission to move every token, NFT, and stablecoin out of your wallet. You click "Confirm" once. Within seconds, your wallet is empty. There is no support line to call. There is no "undo" button on the blockchain.

Drainers are sold "as-a-service" the same way Netflix is sold. The maker of the drainer is one person or small team. They license the code to dozens or hundreds of scammers, who run the actual phishing sites. The maker takes a cut (usually 20–30 percent) of every wallet drained. Pink Drainer was one of the top three kits in that market.

So what happened to Pink Drainer?

At the end of May 2026, the operators of Pink Drainer posted a goodbye message and stopped servicing new affiliates. That sounds like a win for the good guys. It is not. Here is why.

The on-chain wallet that received Pink's cuts did not get drained or seized. There was no FBI press release. There was no Chainalysis bounty. The crew quietly stepped back. In the drainer economy, "shutdown" almost always means the same thing: the developers learned enough heat was coming that they wanted to rebuild under a new name, with cleaner infrastructure, and probably new affiliates. The old name burns. The team behind it does not.

Meanwhile, every affiliate who was running Pink phishing sites needs a new kit by tomorrow. Their phishing infrastructure (typosquatted domains, ad budgets, fake Twitter accounts) is still in place. They just need a new payload. That payload will come from one of the other active drainers.

Who picks up Pink's customers?

The drainer market is small enough that we already know who benefits. Three names dominate what happens next:

Inferno Drainer

Inferno is the largest active drainer kit. It targets Ethereum, Base, Arbitrum, Optimism, Polygon, BNB Chain, and a long tail of smaller EVM chains. Its specialty is signature-based theft. You sign a Permit2 or eth_signTypedData message that looks routine, and within seconds Inferno's contract drains every approved token. Inferno's affiliates are the ones most likely to absorb Pink's customers because the onboarding is the easiest.

Angel Drainer

Angel is mid-sized, but it is dangerous because it innovates faster than the rest. Angel was one of the first kits to wrap NFT-mint pages with hidden setApprovalForAll calls and to use cross-chain bridges to launder stolen funds within minutes. If Pink's customers want a kit that still works against users running wallet-warning extensions, Angel is the closest match.

MS Drainer and Atomic Drainer

MS Drainer is heavy on Solana. Atomic targets multichain wallets including TON. Together they cover the chains Inferno and Angel are weakest on. Any Pink affiliate who was running Solana-specific phishing (fake Solana NFT mints, fake Jupiter pages) will likely jump to MS or Atomic in the next week.

The takeaway is simple. Pink's shutdown does not reduce the number of phishing sites you might land on tomorrow. It just changes the logo of the JavaScript that runs when you connect your wallet.

Why drainers keep working in 2026

Wallet drainers stole roughly half a billion dollars from crypto users in 2024, hitting more than 300,000 unique wallet addresses, according to research published by Group-IB and confirmed by independent analyst ZachXBT. The number for 2025 looks similar. So the obvious question is: why is this still working when every major wallet now ships a transaction-warning screen?

Three reasons.

The first reason is that the warning screens are not specific. Your wallet might say "this is a token approval." It does not say "you are about to give a contract permission to move every USDC you own to an address that has been seen in 14,000 prior thefts." The user reads "token approval," shrugs, and clicks Confirm.

The second reason is Permit2. Permit2 is a clever signature standard from Uniswap that lets a user pre-approve multiple tokens in one signature. It saves gas in legitimate use. In phishing, the same signature gives the attacker a single click that drains the wallet, often without a transaction popup at all. The user thinks they are signing into a website. They are signing the wire transfer.

The third reason is search ads. The biggest drainer affiliates pay to outrank the real sites. When you Google "Uniswap" or "MetaMask download" during a busy market moment, the first result is often a paid ad that points to a typosquat. Pink Drainer affiliates spent six figures a month on Google and X ads. Inferno spends more.

5 things to do this week, in plain English

1. Revoke unused approvals on Revoke.cash

Open revoke.cash, connect your wallet, and look at the list of contracts you have approved over the years. Most users have 30 to 100 stale approvals. Some of those approvals are unlimited. If a contract you approved two years ago turns out to be compromised tomorrow, the attacker can use that approval to drain the matching token. Revoke anything you do not actively use. The gas cost is small. The protection lasts forever.

2. Move long-term holdings to a hardware wallet you do not connect to dApps

Hardware wallets do not stop you from signing a malicious message. They just make it harder. You have to physically press a button on the device. That extra step gives you a chance to read the signature request. If you also keep that hardware wallet completely off any dApp (use a separate "hot" wallet for trading, NFTs, and DeFi), the drainer never gets a chance to ask for a signature in the first place.

3. Bookmark the real domains, never search for them

Type, do not search. If you Google "uniswap" or "metamask" or "phantom" or "ledger live download," there is a non-zero chance the first result is a paid ad pointing to a typosquat. Bookmark the real sites once, then never search for them again. This single behavior change blocks the majority of drainer entries.

4. Slow down on signatures

If a website prompts your wallet to sign something within the first ten seconds of you landing on it, that is a red flag. Legitimate sites almost never ask for an immediate signature. They ask you to choose a network, pick a token, enter an amount, and click a button. The signature comes at the end. If a site you have never used asks you to sign before you have done anything, close the tab.

5. Add a browser-layer scanner

This is where we are biased, and we are going to be direct about it. SafeBrowz is a free Chrome, Firefox, and Edge extension that scans every URL before the page renders. It checks the domain against a database of 550+ brands and the page content against known drainer-JavaScript signatures (Inferno, Pink, Angel, MS, Atomic). When it detects a wallet drainer page, it shows a full-screen warning before your wallet ever loads. The free tier blocks all of this. Premium ($14.99/year) adds AI scanning of page content in 100+ languages for sites we have not seen before. Install SafeBrowz if you want a second line of defense.

What we are watching next

Two trends to watch over the next 30 days. Both come directly from what we are seeing on our own detection pipeline.

First, expect a spike in typosquats of legitimate Web3 brand names. When affiliates switch kits, they often rebuild their phishing inventory at the same time, snapping up new lookalike domains. We caught one this month: hyrpia.xyz, a typosquat of the Farcaster client hypria.app (note the r-p swap). The domain went from registered to actively draining wallets within 48 hours. Expect more of that.

Second, expect ClickFix-style fake CAPTCHA pages to start funneling users directly into wallet-connect popups. ClickFix has been growing at over 500 percent in 2025 according to Microsoft's data. Until now it has mostly delivered Windows infostealers like Lumma. The next obvious evolution is a ClickFix page that, instead of asking you to paste a PowerShell command, asks you to connect your wallet and "verify" it. We have not seen that variant in the wild yet. We expect to within the quarter.

Frequently asked questions

If Pink Drainer is shut down, are my old wallet approvals safe?

Not automatically. Approvals you gave to Pink-affiliated phishing contracts are still live on-chain. The attacker can use those approvals at any time, even if the original phishing site is gone. Revoke any approvals you do not recognize on revoke.cash today.

How do I know if my wallet was drained by Pink Drainer specifically?

Open your wallet on a block explorer (Etherscan, BaseScan, Solscan). Look for outgoing transactions you did not initiate. If you see a Permit2 signature or a setApprovalForAll call to an unknown contract followed by a transferFrom that moved your tokens, that is the drainer pattern. ZachXBT and the team at SlowMist maintain lists of known drainer contract addresses you can cross-reference.

What is the difference between a wallet drainer and a regular phishing site?

Phishing sites traditionally steal usernames and passwords. Wallet drainers do not need either. They steal through a signed transaction or a token approval. Your seed phrase is never compromised. The drainer just uses the permission you granted to move funds. That is why "I never gave out my seed phrase" is not enough.

Does a hardware wallet fully protect me from drainers?

No. A hardware wallet protects your private keys from being copied. It does not stop you from signing a malicious transaction with those keys. If you connect your hardware wallet to a drainer site and press the physical Confirm button, the drainer wins. The hardware wallet's value is that it gives you a slower, more deliberate signing step where you can read the request first.

Why do drainers keep targeting accounts under $2,000?

Small wallets get less attention. The owners are less likely to file a police report, less likely to be active on crypto Twitter, less likely to triggerblockchain analytics alerts. Drainers prefer high volume over high value. Half a billion dollars in 2024 came from hundreds of thousands of small thefts, not a few headline-grabbing whale drains.

Is there anything wallets like MetaMask or Phantom could do to fix this?

They are trying. MetaMask Snaps and Phantom's built-in transaction simulator are real steps forward. But the underlying problem is human-readable signatures. Until every wallet shows "this contract has been used in X prior thefts" instead of "Approve transaction," drainers will keep winning. Browser-layer detection (extensions like SafeBrowz, Scam Sniffer, Wallet Guard) fills the gap by warning before the wallet popup ever appears.

Bottom line

Pink Drainer's shutdown is not a victory. It is a reshuffle. The crews behind it walk away with their funds and rebuild. Their affiliates port their phishing sites to Inferno, Angel, MS, or Atomic by next week. The phishing ads keep running. The signature-trick playbook keeps working.

The defense has not changed. Revoke old approvals. Use a hardware wallet for what matters. Bookmark real sites. Slow down on signatures. And add a browser-layer scanner that catches the kit before the kit catches you.

If you have not installed SafeBrowz yet, you can do it in 30 seconds: free for Chrome, Firefox, and Edge. If you want to dig deeper into wallet-drainer mechanics, our Permit2 signature attack explainer walks through the exact signature flow drainers use to bypass token approvals. And if you want a more general primer, how to tell if a website is a scam covers the visual cues that distinguish a real dApp from a phishing clone.