StepDrainer Drains Wallets on 20+ Blockchains

StepDrainer, a malware-as-a-service kit, uses fake Web3 wallet pop-ups to trick users into approving transfers that send funds to attacker-controlled addresses.

StepDrainer is a malware-as-a-service kit that has drained crypto wallets on more than 20 blockchains, including Ethereum, BNB Chain, Arbitrum and Polygon. Researchers at LevelBlue report the tool presents fake but realistic Web3 wallet pop-ups to prompt users to approve transactions that transfer assets to attacker-controlled addresses.

The kit shows interfaces that mimic common wallet connection dialogs, including screens designed to resemble Web3Modal. After a wallet connects, StepDrainer scans for the most valuable tokens in the account and automatically initiates transfers to attacker wallets.

StepDrainer abuses legitimate smart-contract mechanisms such as Seaport and Permit v2 to make approval prompts look normal while altering transaction details. In one instance victims were shown a message indicating they were receiving “+500 USDT,” which made the approval appear safe. The malware injects malicious logic by modifying front-end scripts and loading setup data from decentralized on-chain accounts, a method that keeps the harmful code distributed rather than in a single static repository.

LevelBlue researchers found copies of the drainer available for purchase in underground markets, enabling lower-skilled attackers to add automated wallet-stealing features to phishing pages and other scams.

A separate campaign uses malware called EtherRAT to target Windows users. The malware is distributed through a fake installer for the Tftpd64 network administration tool that contains a bundled Node.js runtime. EtherRAT establishes persistence through the Windows registry, runs PowerShell commands to gather system information, and checks for antivirus tools, system settings, domain details and hardware before initiating theft. The malware was previously observed targeting Linux systems and has since expanded to Windows.

On-chain records show rapid, large-scale losses tied to the campaigns: more than 500 Ethereum wallets were drained within a 24-hour window. One attacker address collected over $800,000 in crypto assets and then swapped the funds through a cross-chain liquidity protocol. Many of the compromised wallets had been dormant for seven years or longer.

Security teams recommend that users verify the domain of any site before connecting a wallet, carefully review transaction details before signing, and revoke unlimited token approvals that allow contracts to move assets without additional consent. Users are advised to disconnect wallets from unknown sites and consider using hardware wallets for high-value holdings. Developers and platform operators are urged to monitor front-end script integrity and notify users when approval dialogs originate from nonstandard sources.
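The "revoke unlimited token approvals" advice can be turned into a concrete audit: read the ERC-20 `Approval(owner, spender, value)` events a wallet has emitted, keep only the latest allowance per token and spender, and flag those set to the maximum uint256 value (or above a per-token threshold). The example below is added here and is not from the article or from LevelBlue; the token, owner and spender addresses and the block numbers are constructed sample data shaped like `eth_getLogs` output. The Approval topic hash and the `approve(address,uint256)` selector are the standard ERC-20 values.

```javascript
// Added example (not from the article or LevelBlue): audit a wallet's ERC-20
// Approval events and flag unlimited allowances so the owner can revoke them.
// Addresses, block numbers and amounts below are constructed sample data.

// keccak256("Approval(address,address,uint256)"): topic0 of ERC-20 Approval events.
const APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925";
const MAX_UINT256 = (1n << 256n) - 1n;

// Decode one raw EVM log (shape as returned by eth_getLogs) into an Approval record.
function decodeApproval(log) {
  if (log.topics.length !== 3 || log.topics[0] !== APPROVAL_TOPIC) return null;
  return {
    token: log.address.toLowerCase(),
    owner: "0x" + log.topics[1].slice(-40),   // indexed address, right-aligned in 32 bytes
    spender: "0x" + log.topics[2].slice(-40),
    value: BigInt(log.data),                   // uint256 allowance in the data field
    block: Number(log.blockNumber),
  };
}

// Latest allowance per (token, spender): a later Approval overwrites an earlier one.
function currentAllowances(logs) {
  const latest = new Map();
  for (const log of logs) {
    const a = decodeApproval(log);
    if (!a) continue;
    const key = a.token + ":" + a.spender;
    const prev = latest.get(key);
    if (!prev || a.block > prev.block) latest.set(key, a);
  }
  return [...latest.values()];
}

// Flag allowances that are unlimited, or exceed an optional per-token threshold.
function findRiskyAllowances(logs, thresholdByToken = {}) {
  return currentAllowances(logs).filter((a) => {
    if (a.value === 0n) return false;            // already revoked
    if (a.value === MAX_UINT256) return true;    // unlimited approval
    const t = thresholdByToken[a.token];
    return t !== undefined && a.value > t;
  });
}

// ABI-encode approve(spender, 0): selector 0x095ea7b3, padded address, zero amount.
// This is the calldata a wallet owner submits to revoke an allowance.
function revokeCalldata(spender) {
  const addr = spender.toLowerCase().replace(/^0x/, "").padStart(64, "0");
  return "0x095ea7b3" + addr + "0".repeat(64);
}

// Constructed sample data: one token, one owner, three spenders.
const USDT = "0x000000000000000000000000000000000000aaaa";      // constructed token address
const OWNER = "0x0000000000000000000000000000000000001111";
const SPENDER_A = "0x0000000000000000000000000000000000002222"; // unlimited approval
const SPENDER_B = "0x0000000000000000000000000000000000003333"; // bounded approval
const SPENDER_C = "0x0000000000000000000000000000000000004444"; // approved, later revoked

const topicFor = (addr) => "0x" + addr.slice(2).padStart(64, "0");
const word = (n) => "0x" + n.toString(16).padStart(64, "0");

const SAMPLE_LOGS = [
  { address: USDT, topics: [APPROVAL_TOPIC, topicFor(OWNER), topicFor(SPENDER_A)], data: word(MAX_UINT256), blockNumber: "0x10" },
  { address: USDT, topics: [APPROVAL_TOPIC, topicFor(OWNER), topicFor(SPENDER_B)], data: word(1_000_000_000n), blockNumber: "0x11" },
  { address: USDT, topics: [APPROVAL_TOPIC, topicFor(OWNER), topicFor(SPENDER_C)], data: word(MAX_UINT256), blockNumber: "0x12" },
  { address: USDT, topics: [APPROVAL_TOPIC, topicFor(OWNER), topicFor(SPENDER_C)], data: word(0n), blockNumber: "0x13" },
];

for (const a of findRiskyAllowances(SAMPLE_LOGS)) {
  console.log(`revoke ${a.spender} on ${a.token}: ${revokeCalldata(a.spender)}`);
}
```

Against the sample, only `SPENDER_A` is reported: `SPENDER_B` holds a bounded allowance and `SPENDER_C`'s unlimited approval was superseded by a later zero approval. Passing a threshold map such as `{ [USDT]: 500_000_000n }` would additionally flag `SPENDER_B`, which is the usual way to catch approvals that are large relative to the balance without being literally unlimited. With a real node the logs would come from `eth_getLogs` filtered on `APPROVAL_TOPIC` and the owner's address as the second topic.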
