
How Wallet Drainers Exploit New Blockchain Launches

Blog Post
Criminal Chains

Executive Summary

Across 2025 and early 2026, a wave of new Layer 1 and Layer 2 blockchains launched, each arriving with its own community, token narrative, and rush of early users. The attention a new chain works to win from users is the same attention that draws in malicious actors looking to scam the people rushing to join new chains, projects, and tokens. The qualities that make a launch successful are the ones that make it a target: an engaged community, a high-profile token event, and a crowd of users rushing to connect their wallets.

Blockaid tracked the criminal response to these launches across underground forum posts, Telegram channels, and on-chain activity to understand which chain launches attracted threat actors, and why. EVM-compatible chains with high hype, airdrop narratives, and strong DeFi ecosystems attracted the fastest and most intense cybercriminal adoption. The chains that drew the strongest reactions saw multiple drainer-as-a-service operations announce support within days of mainnet launch.

This report breaks down the consistent patterns behind which launches attracted criminal attention, the factors that determined the intensity of that response, and the threat actors driving it. For teams operating blockchains, and for the wallets and exchanges serving the users of those chains, the pattern matters because the conditions that invite criminal targeting are visible before a chain goes live. Blockaid's End User Protection turns that predictability into a defense, screening the dApps, tokens, and transactions these launches attract in real time so users are warned before they connect to malicious infrastructure or sign a draining transaction.


How Drainer-as-a-Service Powers Attacks on New Blockchains

Blockaid assessed the criminal response to recent chain launches by combining three signals:

  • Drainer-as-a-service announcements: posts in underground forums and Telegram channels showing which chains operators claimed they could target.
  • Malicious dApps: fake decentralized applications built to impersonate legitimate projects, as detected by Blockaid.
  • Malicious tokens: scam tokens, fake duplicates of legitimate assets, fraudulent meme coins, and honeypots designed to trap buyers, as detected by Blockaid.

Together these reveal both what criminals said they could do and what they actually built. Most of that activity runs through the drainer-as-a-service model.

Drainer-as-a-service is a commercialized model for crypto theft that mirrors the structure of legitimate software-as-a-service businesses, complete with subscription tiers, technical support, and revenue-sharing arrangements. It operates through two layers of participants. Drainer developers build and maintain the malicious infrastructure: the JavaScript draining kits that siphon assets the moment a victim connects a wallet and signs, along with the backend that supports them. Affiliates take that infrastructure, deploy malicious dApps from the templates developers provide, and drive victim traffic to them. Affiliates keep most of the stolen funds, with the remainder going to the developers.

This division of labor is what lets these operations scale. A developer does not need to manage distribution, and an affiliate does not need to write draining code. It also explains the behavior in this report. When supporting a new chain is cheap for the developer, the entire affiliate network can target it almost immediately.


What Makes a Newly Launched Blockchain a Target?

EVM-compatible chains are the most common environment in the market today, and that ubiquity is exactly what attracts criminal activity. When a new EVM chain is introduced, the economics of attacking it are already favorable before it goes live, because the tooling needed to exploit it already exists.

The EVM Monoculture Advantage

The single most powerful predictor of cybercriminal adoption is EVM compatibility. The data reveals a stark asymmetry. Every chain in this dataset that attracted drainer-as-a-service operator attention is EVM-compatible, and every non-EVM chain was either ignored or attracted only bespoke, low-sophistication attacks.

This is driven by the economics of the drainer-as-a-service industry. Modern wallet drainers are built on a shared EVM toolkit: ERC-20 token approvals, permit signatures, multicall contracts, and DEX router interactions. None of that changes from one EVM chain to the next, so when a new EVM chain launches an operator can add support by configuring a new RPC endpoint and chain ID in existing infrastructure. Forum posts confirm this directly, with operators listing newly launched EVM chains using standard ERC-20 notation alongside every other chain they support, treating each one as identical infrastructure.

For non-EVM chains, supporting wallet draining requires building entirely new transaction construction, signing, and submission logic. The return on that investment rarely justifies it, especially when dozens of EVM chains offer trivially exploitable targets.
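The shared toolkit described above cuts both ways: because the approve, setApprovalForAll and permit payloads a kit issues are byte-for-byte the same on every EVM chain, the wallet-side check for them is also the same, and only the per-chain list of vetted spenders changes. The following is an added example written for this post, not Blockaid's code and not any drainer kit's. It decodes the approval primitives out of a wallet's eth_sendTransaction and eth_signTypedData_v4 requests and returns an allow/warn/block verdict. All addresses, the policy and the sample requests are constructed placeholders, and the verdict thresholds are an assumption of the example.

```javascript
// Added example (not Blockaid's code): chain-agnostic screening of the
// approval primitives drainer kits rely on. Every address and the policy
// below are constructed placeholders; no real contract is referenced.

const SELECTORS = {
  '0x095ea7b3': 'approve',            // approve(address,uint256)
  '0x39509351': 'increaseAllowance',  // increaseAllowance(address,uint256)
  '0xa22cb465': 'setApprovalForAll',  // setApprovalForAll(address,bool)
  '0xd505accf': 'permit',             // EIP-2612 permit(owner,spender,value,deadline,v,r,s)
};
const ARGC = { approve: 2, increaseAllowance: 2, setApprovalForAll: 2, permit: 7 };
const MAX_UINT256 = (1n << 256n) - 1n;
// primaryType values used by EIP-2612 and Permit2 signature requests
const PERMIT_TYPES = new Set(['Permit', 'PermitSingle', 'PermitBatch', 'PermitTransferFrom']);
const RANK = { allow: 0, warn: 1, block: 2 };

// i-th 32-byte ABI word after the 4-byte selector ("0x" + 8 hex chars).
const word = (data, i) => data.slice(10 + i * 64, 10 + (i + 1) * 64);
const asAddress = (w) => '0x' + w.slice(24).toLowerCase();
const asUint = (w) => BigInt('0x' + w);

// Decode the allowance-granting calls a drainer needs; anything else -> null.
function decodeCalldata(data) {
  if (typeof data !== 'string' || data.length < 10) return null;
  const name = SELECTORS[data.slice(0, 10).toLowerCase()];
  if (!name) return null;
  if (data.length < 10 + 64 * ARGC[name]) return { name, malformed: true };
  if (name === 'setApprovalForAll') {
    return { name, spender: asAddress(word(data, 0)), approved: asUint(word(data, 1)) !== 0n };
  }
  if (name === 'permit') {  // relayed permit: spender is the 2nd argument, value the 3rd
    return { name, spender: asAddress(word(data, 1)), amount: asUint(word(data, 2)) };
  }
  return { name, spender: asAddress(word(data, 0)), amount: asUint(word(data, 1)) };
}

// policy.knownSpenders: { [chainId]: [vetted router/contract addresses] }.
// A freshly launched chain has an empty list, so every allowance escalates.
function screen(request, policy) {
  const reasons = [];
  let verdict = 'allow';
  const escalate = (level, why) => { reasons.push(why); if (RANK[level] > RANK[verdict]) verdict = level; };
  const known = new Set((policy.knownSpenders[request.chainId] || []).map((a) => a.toLowerCase()));
  if (request.method === 'eth_sendTransaction') {
    const call = decodeCalldata((request.params[0] || {}).data || '0x');
    if (call && call.malformed) {
      escalate('warn', `${call.name} calldata is truncated`);
    } else if (call && !known.has(call.spender)) {
      if (call.name === 'setApprovalForAll') {
        if (call.approved) escalate('block', `setApprovalForAll hands the whole collection to unknown operator ${call.spender}`);
      } else if (call.amount === MAX_UINT256) {
        escalate('block', `${call.name}: unlimited allowance to unknown spender ${call.spender}`);
      } else if (call.amount > 0n) {
        escalate('warn', `${call.name}: allowance of ${call.amount} to unknown spender ${call.spender}`);
      }                                   // amount 0 is a revocation: allow
    }
  } else if (request.method === 'eth_signTypedData_v4') {
    let typed;
    try { typed = JSON.parse(request.params[1]); } catch { typed = null; }
    if (!typed) { escalate('warn', 'typed data is not valid JSON'); return { verdict, reasons }; }
    const domainChain = Number((typed.domain || {}).chainId);
    if (domainChain && domainChain !== request.chainId) {
      escalate('warn', `signature binds to chain ${domainChain} but the wallet is on ${request.chainId}`);
    }
    if (PERMIT_TYPES.has(typed.primaryType)) {
      const spender = typeof (typed.message || {}).spender === 'string' ? typed.message.spender.toLowerCase() : null;
      if (!spender) escalate('warn', `${typed.primaryType} with no readable spender`);
      else if (!known.has(spender)) escalate('block', `${typed.primaryType}: gasless approval to unknown spender ${spender}`);
    }
  }
  return { verdict, reasons };
}

// ---- constructed sample traffic (no real addresses) ----
const padAddr = (a) => a.slice(2).toLowerCase().padStart(64, '0');
const padUint = (n) => n.toString(16).padStart(64, '0');
const TOKEN = '0x' + '11'.repeat(20), ROUTER = '0x' + 'cd'.repeat(20), UNKNOWN = '0x' + 'ab'.repeat(20), OWNER = '0x' + '22'.repeat(20);
const POLICY = { knownSpenders: { 1: [ROUTER] } };  // nothing vetted yet on chain 99999
const tx = (chainId, data) => ({ method: 'eth_sendTransaction', chainId, params: [{ from: OWNER, to: TOKEN, data }] });
const sig = (chainId, typed) => ({ method: 'eth_signTypedData_v4', chainId, params: [OWNER, JSON.stringify(typed)] });
const permit = (domainChain, spender) => ({
  domain: { name: 'Token', version: '1', chainId: domainChain, verifyingContract: TOKEN },
  primaryType: 'Permit',
  message: { owner: OWNER, spender, value: MAX_UINT256.toString(), nonce: 0, deadline: 4102444800 },
});
const SAMPLES = {
  unlimitedApprove: tx(1, '0x095ea7b3' + padAddr(UNKNOWN) + padUint(MAX_UINT256)),
  boundedApproveToRouter: tx(1, '0x095ea7b3' + padAddr(ROUTER) + padUint(1000n)),
  routerOnNewChain: tx(99999, '0x095ea7b3' + padAddr(ROUTER) + padUint(1000n)),
  nftOperator: tx(1, '0xa22cb465' + padAddr(UNKNOWN) + padUint(1n)),
  permitToUnknown: sig(1, permit(1, UNKNOWN)),
  permitWrongChain: sig(1, permit(8453, ROUTER)),
};
for (const [name, req] of Object.entries(SAMPLES)) {
  const r = screen(req, POLICY);
  console.log(name.padEnd(24), r.verdict.padEnd(6), r.reasons.join('; '));
}
```

A fresh chain has no vetted spenders, so on launch day every allowance escalates by design; that is the state a wallet is in during the window this report describes, and the routerOnNewChain sample shows the same router address going from allow to warn purely because the chain ID changed. The example deliberately ignores plain transfers and native value, which are a different risk class that needs address intelligence rather than calldata semantics, and it judges only whether a spender is known, not whether it is malicious.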

The Hype-to-Exploit Pipeline

EVM compatibility is necessary, though it is not enough on its own. Two chains can both be EVM-compatible L1s and still see their criminal outcomes diverge dramatically. In one case, a high-hype EVM launch drew four distinct drainer operations and a surge of malicious activity, while another EVM chain that launched on quieter, more technical footing drew almost none.

The differentiator is hype intensity and the presence of exploitable user behavior. Chains that generate airdrop speculation attract large speculative communities and promise token distributions. That combination creates the conditions drainer operations require, with users actively connecting wallets to unfamiliar interfaces, signing transactions with elevated approvals, and interacting with new contracts that carry no established security reputation. Chains that launch as technically focused events, without that token rush or mass onboarding, do not produce the same wallet-connecting behavior, and criminal interest stays low even when the chain is fully EVM-compatible.

Speed of Criminal Response

The data reveals notable timing patterns in criminal adoption.

Criminals pre-position ahead of mainnet. In one case, a threat group distributed malicious dApps themed around an upcoming chain more than three weeks before its mainnet went live, and another chain saw malicious dApps appear at its public sale over three months before launch. Malicious deployment then surges during launch week, when the largest pool of users is actively connecting wallets, with peak dApp and token deployment for several chains landing precisely on launch day. Drainer-as-a-service announcements follow within days rather than weeks. Across the chains that drew the strongest response, operators announced support anywhere from 4 to 17 days after mainnet, a cadence consistent with low-effort configuration changes rather than development projects. And once a chain enters the criminal targeting set, it stays there indefinitely, carried forward in operator chain lists long after launch.


Key Learnings: What We Can Learn From the Past

  1. EVM compatibility is the primary enabler of rapid criminal exploitation. Drainer tooling is overwhelmingly built for EVM chains, so a new EVM chain can be targeted almost immediately using kits that already exist. Non-EVM chains are harder to attack because doing so requires building new tooling from scratch, which gives them a real, though not absolute, security advantage. It is a head start, not immunity, since a determined attacker can still target them when the payoff is high enough.
  2. Airdrop and token generation events are the primary accelerant. Chains that combine EVM compatibility with high-profile token distributions face the steepest criminal targeting, while chains with multiple capital-inflow events but lower DeFi depth attract sustained phishing activity even without dedicated drainer engagement. The combination creates both the technical attack surface and the behavioral vulnerability, as users rush to claim tokens through unfamiliar interfaces. Chain migrations and infrastructure upgrades that introduce no new token, airdrop, or fresh user onboarding do not trigger criminal activity spikes, even when the underlying chain is EVM-compatible and already supported.
  3. Infrastructure and niche chains are structurally safer. Chains built for network infrastructure or for narrow utility such as stablecoin transfers lack the application-and-wallet interaction patterns that drainers exploit.
  4. Privacy-preserving architectures create meaningful friction. The minimal criminal engagement around zero-knowledge chains, despite EVM compatibility, suggests these architectures may resist the approval-based attack patterns that define current drainer tooling. Treat this as a hypothesis rather than a finding: a zkEVM exposes the same approve and permit surface as any other EVM chain, so the quieter, more technical launches these chains tend to have (the hype factor described above) is at least as plausible an explanation as the architecture itself.
  5. Criminal operations are predictable and can be anticipated. The 3 to 23 day window between chain announcements and active drainer support means security teams for new chains should have monitoring and protection in place well before mainnet day, not after.

Key Threat Actors: Wallet Drainer Tooling

Quark Lab is the most prolific drainer operation observed in this dataset. Operating across Telegram and cybercrime forums, Quark offers a comprehensive criminal toolkit including cross-platform infostealers for Windows and macOS, drainers covering more than 70 blockchains and 480 wallets, and ready-made phishing templates such as airdrop landing pages built to impersonate new chain launches. Quark's ability to support EVM, Solana, TON, and Tron chains demonstrates significant engineering capability.

AngelFerno is a top-tier drainer-as-a-service operation targeting EVM, Tron, Solana, and XRPL, and was the first to announce Berachain support, listing it using standard ERC-20 notation. A known impersonator of AngelFerno also claimed Monad support, and while impersonator claims are unreliable, the practice of impersonators copying official materials suggests the original operation likely added Monad support as well.

The dataset captures several smaller or newer actors. Eleven is a recently emerged drainer positioning itself as a sophisticated player; it announced Monad support alongside Lisk, Hashkey, and Gravity. After 2.0 operates an affiliate model claiming support for more than 100 chains. Anthill offers a turnkey affiliate program that advertises EIP-7702 bypass capabilities. Noir operates a similar model, allegedly supporting more than 22 EVM networks. Together these actors show that the barrier to entry for multi-chain drainer development keeps dropping, particularly for EVM-compatible chains.


Why Existing Onchain Security Tools Miss This

The defining feature of this threat is timing. Criminal infrastructure is live before most users have any reason to be cautious, often before the chain itself is live. That is exactly the condition that conventional, list-based defenses handle worst.

A blocklist needs a domain or contract to be known and reported before it is flagged, and by then the launch-week surge has already happened. Post-hoc monitoring has the same problem in a different form: it tells you what was lost after the fact rather than stopping the transaction at the moment of intent. And because the same chain is targeted by many independent operators using different kits, there is no single actor to track and block. The technique itself has spread across the ecosystem, which means the only reliable defense is one that evaluates every connection and transaction in real time, regardless of who is behind it.


How Blockaid’s End User Protection Stops Attacks in Real Time

The pattern in this report points to a clear conclusion. Criminal targeting of new chains is predictable, fast, and largely automated, which means protection has to be in place before the targeting begins rather than assembled in response to it.

Blockaid's End User Protection addresses this at the moment it matters, when a user attempts to connect a wallet or sign a transaction, before anything executes.

  • dApp Scanning: detects malicious dApps in real time, surfacing a warning in the wallet UI before a user connects to a malicious site. Blockaid's web crawler continuously analyzes DNS records, certificate transparency logs, and live web data to detect newly registered or compromised domains within minutes of appearing, which is what catches the impersonation infrastructure criminals pre-position around a launch.
  • Token Scanning: detects the malicious and impersonation tokens that cluster around launch events, flagging harmful tokens and warning users before they interact.
  • Address Scanning: checks every address involved in a transaction against Blockaid's threat intelligence database, which tracks addresses tied to drainer campaigns and known malicious infrastructure across chains, and warns the user before funds or approvals route to one of them.
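The dApp Scanning bullet above turns on catching impersonation domains within minutes of issuance. As an added example (not Blockaid's crawler), here is the triage step such a pipeline runs over a certificate-transparency feed: each new hostname is scored against the brand of a launching chain and a list of lure words, so that a "claim" or "airdrop" domain carrying the chain's name surfaces for review before anyone clicks it. The brand (examplechain), its official domains, the weights and thresholds, and the feed lines are all constructed for the example.

```javascript
// Added example (not Blockaid's crawler): triage of hostnames seen in a
// certificate-transparency feed for impersonation of a launching chain.
// The brand, official domains, weights and feed lines are all constructed.

const BRANDS = ['examplechain'];  // hypothetical launching chain
const OFFICIAL = new Set(['examplechain.org', 'docs.examplechain.org', 'app.examplechain.org']);
const LURE_WORDS = ['airdrop', 'claim', 'mainnet', 'bridge', 'eligib', 'reward', 'mint', 'connect'];
const WEIGHT = { exactBrand: 4, brandInSld: 3, nearBrand: 3, brandInSub: 3, lure: 1 };
const THRESHOLD = { review: 4, watch: 3 };

// Single-row Levenshtein distance, used to catch typo-squats of the brand.
function levenshtein(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0];
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j];
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1, diag + (a[i - 1] === b[j - 1] ? 0 : 1));
      diag = tmp;
    }
  }
  return prev[b.length];
}

// Score one hostname. Splitting on the last two labels is deliberately naive:
// a production scanner uses the public-suffix list (co.uk and friends).
function scoreHostname(raw) {
  const host = raw.toLowerCase().replace(/^\*\./, '');  // wildcard certs: drop the "*."
  if (OFFICIAL.has(host)) return { host, score: 0, verdict: 'ignore', reasons: ['official domain'] };
  const parts = host.split('.');
  if (parts.length < 2) return { host, score: 0, verdict: 'ignore', reasons: ['not a hostname'] };
  const registrable = parts.slice(-2).join('.');
  const sld = parts[parts.length - 2];
  const sub = parts.slice(0, -2);
  const reasons = [];
  let score = 0;
  for (const brand of BRANDS) {
    if (sld === brand) {
      score += WEIGHT.exactBrand; reasons.push(`brand registered under another TLD (${registrable})`);
    } else if (sld.includes(brand)) {
      score += WEIGHT.brandInSld; reasons.push(`brand embedded in registrable name "${sld}"`);
    } else if (brand.length >= 6) {  // edit distance only means something for longer brands
      const d = levenshtein(sld, brand);
      if (d > 0 && d <= 2) { score += WEIGHT.nearBrand; reasons.push(`"${sld}" is ${d} edit(s) from brand`); }
    }
    if (sub.some((label) => label.includes(brand))) {
      score += WEIGHT.brandInSub; reasons.push(`brand used as subdomain of unrelated domain "${registrable}"`);
    }
  }
  const lures = LURE_WORDS.filter((w) => host.includes(w));
  if (lures.length) { score += Math.min(lures.length, 2) * WEIGHT.lure; reasons.push(`lure words: ${lures.join(', ')}`); }
  const verdict = score >= THRESHOLD.review ? 'review' : score >= THRESHOLD.watch ? 'watch' : 'ignore';
  return { host, score, verdict, reasons };
}

// Feed lines: one JSON object per line, as a CT log poller might emit them.
// Each entry is reduced to its highest-scoring SAN; malformed lines are skipped.
function triageFeed(lines) {
  const out = [];
  for (const line of lines) {
    let entry;
    try { entry = JSON.parse(line); } catch { continue; }
    const names = Array.isArray(entry.sans) ? entry.sans : [];
    const best = names.map(scoreHostname).sort((a, b) => b.score - a.score)[0];
    if (best) out.push({ seen: entry.seen, issuer: entry.issuer, ...best });
  }
  return out.sort((a, b) => b.score - a.score);
}

// Constructed feed: hostnames, issuer and timestamps are made up for the example.
const SAMPLE_FEED = [
  '{"seen":"2025-11-02T09:14:00Z","issuer":"Example CA","sans":["docs.examplechain.org"]}',
  '{"seen":"2025-11-02T09:20:00Z","issuer":"Example CA","sans":["claim-examplechain.com","www.claim-examplechain.com"]}',
  '{"seen":"2025-11-02T09:31:00Z","issuer":"Example CA","sans":["examp1echain.com"]}',
  '{"seen":"2025-11-02T09:45:00Z","issuer":"Example CA","sans":["examplechain.airdrop-portal.net"]}',
  '{"seen":"2025-11-02T10:02:00Z","issuer":"Example CA","sans":["*.mainnet-examplechain.xyz"]}',
  '{"seen":"2025-11-02T10:10:00Z","issuer":"Example CA","sans":["unrelated-shop.com"]}',
  'not json at all',
];

for (const r of triageFeed(SAMPLE_FEED)) {
  console.log(String(r.score).padStart(2), r.verdict.padEnd(7), r.host.padEnd(36), r.reasons.join('; '));
}
```

A high score here is a reason to look, not proof of malice: the "review" bucket is what gets handed to live-page analysis (does the site ask for a wallet connection, does it load a known drainer script). A production scanner also normalizes IDN hostnames for homoglyphs, which this example does not attempt.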

Blockchains preparing to launch should pre-engage wallet security providers, coordinate with threat intelligence sources for pre-launch monitoring, and put transaction-level protection in place from day one rather than after the first wave of users arrives. Any user on a Blockaid-enabled wallet, including MetaMask, Coinbase, Rainbow, Ledger, and Zerion, is warned in real time before connecting to the malicious infrastructure these launches attract.


Conclusion

The recent chain launch cycle shows that criminal behavior around new chains is neither random nor reactive. It follows conditions that can be identified in advance, from EVM compatibility that makes exploitation cheap, to token events that draw exploitable user behavior, to a launch timeline that criminals track as closely as the teams building the chains. The 3 to 23 day window between a chain's announcement and active drainer support means the chains that prepare early are the ones that deny criminals the easy, automated opportunity these launches usually provide.

Blockaid's End User Protection screens the dApps, tokens, and transactions that cluster around new chain launches in real time, warning users before they connect to a malicious site or sign a draining transaction. Because the criminal timeline is predictable, teams operating chains and the wallets and exchanges serving their users can have that protection in place before the first wave of targeting begins rather than after. Any user on a Blockaid-integrated wallet is warned the moment a connection or transaction is malicious, across the 50+ chains Blockaid supports.


About Blockaid

Blockaid is the onchain security platform trusted by the largest companies operating in Web3. Built by veterans of elite intelligence and cybersecurity units, Blockaid provides end-to-end protection for financial institutions, protocols, and end users, combining direct wallet and dApp integrations with real-time monitoring, detection, and response across smart contracts, infrastructure, and externally owned accounts. Since 2025, Blockaid has scanned over 6.3 billion transactions and blocked 585 million attacks. Blockaid is the security infrastructure behind Coinbase, MetaMask, Uniswap, Safe, and dozens of the most widely used platforms in the industry.

Learn more at blockaid.io, and follow us on Twitter and LinkedIn.

