How Wallet Drainers Use Fake Revoke Sites and Twitter Phishing to Exploit Victims
Introduction
The past several weeks have seen an unprecedented wave of hacks sweep across the crypto ecosystem. April 2026 is already the worst month for crypto theft on record, with over $629 million drained across more than 20 incidents, led by the $292M KelpDAO breach and the $285M Drift Protocol exploit. Each incident sends shockwaves through the community, with users, investors, and protocol teams alike glued to their feeds, watching events unfold in real time and waiting anxiously for guidance on what to do next.
Crypto drainers have learned to weaponize that panic. As exploits unfold and official communications tell users to revoke approvals or migrate assets, drainer operations move in parallel, registering lookalike domains and flooding social media with posts that mimic legitimate guidance. Users who are doing exactly what they should be doing, following security advice and acting quickly, end up on fake sites that drain their wallets instead of protecting them.
In recent weeks, Blockaid's threat intelligence team has watched this pattern play out across five separate high-profile exploits. Each time the playbook was identical, and each time real users were put at risk. Here is what we found, what it tells us about how drainer operations are evolving, and how Blockaid's real-time protection stops users from falling victim before they ever connect to a malicious site.
How the Fake Revoke Phishing Attack Works
When a DeFi protocol is exploited, the immediate response from security teams, including Blockaid, is to alert users and advise them to revoke approvals or avoid interacting with affected contracts. This guidance creates a predictable window of behavior: users flooded with fear, asking where and how to protect their wallets before more damage is done.
Drainer operations monitor this in real time. The moment a major exploit hits, they register lookalike domains, often variations of the affected protocol's name paired with words like "revoke" or "claim," and spin up convincing replica sites within hours. Rather than impersonating the protocol directly, they more often work through fake community members, ordinary-looking accounts on X posting helpful-seeming links into active threads, blending into the noise of a community scrambling for answers.
The trap is simple: the user arrives at a site that looks exactly right, connects their wallet expecting to revoke permissions, and instead signs a transaction that hands the drainer everything.
The Pattern Across Five Recent Incidents
Across five separate incidents in April 2026, Blockaid's threat intelligence team observed the same pattern repeat. Each time a major exploit hit, drainer operators were ready within hours, with fake domains live and social posts circulating before most users even understood what had happened. Notably, these campaigns were not all run by the same actor: different kits, different infrastructure, and different operators were all exploiting the same window of panic. This is not a coordinated group running a single campaign. It is a technique that has been widely adopted across the drainer ecosystem.
Drift Protocol - On April 1, 2026, Drift Protocol, Solana's largest perpetuals DEX, was drained of approximately $285M through a sophisticated governance-layer attack targeting its Security Council multisig. Within hours of Drift's public acknowledgment, drainer-linked accounts on X were flooding reply threads under legitimate security posts with links to revokes-drift[.]trade, a lookalike domain registered to intercept high-alert users who had just read the breach announcement and were ready to act.
Read the report: $285M Gone: How Blockaid's Cosigner Could Have Protected Drift Protocol →

KelpDAO - On April 18, KelpDAO's rsETH bridge was exploited for $292M via a compromised LayerZero DVN, the largest DeFi exploit of 2026. Drainer operators registered revoke-kernelsdao[.]com the same day, deploying a phishing campaign across X directing rsETH holders to migrate their tokens to a new contract. Blockaid's team identified a burst of nine coordinated retweets from repurposed accounts within a six-minute window, timed precisely to the moment community anxiety was at its peak.
Read the report: How a Single LayerZero DVN Compromise Drained $292M from KelpDAO →

ZetaChain - On April 27, 2026, ZetaChain's cross-chain exploit saw approximately $334K drained across nine transactions on five chains. As the community scrambled for guidance and security teams advised users to revoke approvals on all EVM chains, drainer operators were already moving. revoke-zetachain[.]com appeared shortly after the incident went public, with posts showing up in direct reply threads to Blockaid's own community alert, pointing users toward the malicious site under the guise of helping them take protective action.

Aftermath Finance - On April 29, 2026, Aftermath Finance, a DEX on Sui, was exploited for approximately $1.1M through a fee accounting flaw in its perpetuals system. As Aftermath paused the protocol and its official account posted recovery updates, a fake account replied directly under those posts, including the one that specifically thanked Blockaid for its rapid response, pushing users to aftermathfi[.]xyz/migrate. The message warned of a second vulnerability and threatened that users who did not migrate immediately would not be reimbursed.

Wasabi Protocol - On April 30, 2026, Wasabi Protocol was exploited for approximately $5M across Ethereum and Base via a compromised admin key used to upgrade and drain multiple vault contracts. Within hours, a fake account on X impersonating Wasabi pushed users toward exploit-wasabi[.]com/migrate, a lookalike site telling users their funds were at risk and urging them to migrate their positions immediately. The account posted directly into reply threads under Wasabi's official incident communications, borrowing the credibility of the real announcement to reach panicked users.
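As an added, defender-side illustration (not Blockaid's code), the following Python applies the naming heuristic described above, a lure word such as "revoke" or "migrate" paired with the name of a protocol that is mid-incident, to the five defanged indicators listed in this section. The brand list, lure list and allowlist are constructed for this example; a production scanner would also consult certificate transparency logs, registration age and the public suffix list.

```python
import re
from difflib import SequenceMatcher

# Protocols under active incident response in April 2026 (named in the post).
INCIDENT_BRANDS = ("drift", "kelpdao", "zetachain", "aftermath", "wasabi")
# Action words the observed drainer domains paired with a brand name.
LURE_WORDS = ("revoke", "revokes", "claim", "migrate", "exploit")
# Known-good approval tools that legitimately carry a lure word in their name.
# revoke.cash is a real tool; the allowlist itself is constructed for this example.
ALLOWLIST = ("revoke.cash",)

def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'revoke-x[.]com/migrate' back into a URL."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")

def _brand_hit(token: str):
    """Return the incident brand a label token contains or closely resembles."""
    for brand in INCIDENT_BRANDS:
        if brand in token or SequenceMatcher(None, brand, token).ratio() >= 0.8:
            return brand
    return None

def classify(indicator: str) -> dict:
    """Score a URL the way a connection-time dApp check might: lure word + brand."""
    url = re.sub(r"^https?://", "", refang(indicator).lower())
    host, _, path = url.partition("/")
    labels = host.split(".")
    # Assumption: two-label registrable domain; a real scanner would use the PSL.
    if ".".join(labels[-2:]) in ALLOWLIST:
        return {"verdict": "allow", "reasons": ["allowlisted"]}
    # Tokenise every label except the TLD plus the path, since lures appear there too.
    tokens = [t for t in re.split(r"[-._/]+", ".".join(labels[:-1]) + "/" + path) if t]
    lures = sorted({t for t in tokens if t in LURE_WORDS})
    brands = sorted({b for b in map(_brand_hit, tokens) if b})
    if brands and lures:
        verdict = "block"        # brand + action word during an incident window
    elif lures or brands:
        verdict = "suspicious"   # a single signal, e.g. a lure word with an unknown brand
    else:
        verdict = "allow"
    reasons = ["lure:" + w for w in lures] + ["brand:" + b for b in brands]
    return {"verdict": verdict, "reasons": reasons or ["no signal"]}
```

Note that revoke-kernelsdao[.]com only scores "suspicious" here: its brand token does not fuzzy-match any protocol on the list, so the lure word is the only signal, which is exactly why domain heuristics alone are not enough and the page's address-level and code-level checks still matter.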

Why Existing Security Tools Miss This
When users fall for these attacks, it is not because they ignored security best practices. They are responding to a real crisis the way any reasonable person would, following guidance, acting fast, and trusting sources that look legitimate. Drainer operators build their campaigns around that predictability, and it works because the sites look real, the social posts blend into genuine community conversations, and the domains are brand new with no history for anyone to flag.
That is the core problem with how most security tools approach this. Static blocklists are reactive by nature: a domain has to be known and reported before it gets flagged, and by then the damage is done. Most wallet-level defenses do not evaluate what a site is actually doing at the moment a user tries to connect, what they are being asked to sign, where funds would go, and whether the contracts involved are linked to known malicious activity. The fact that these five campaigns were run by different actors using different drainer kits makes the problem worse, because there is no single threat actor to track and block. The technique itself is what has spread, and that means the only reliable defense is one that evaluates every connection in real time regardless of who is behind it.
Without that real-time check happening at the moment a user connects their wallet, they are effectively on their own during the window when they are most at risk.
How Blockaid's End User Protection Prevents This in Real Time
Blockaid's End User Protection addresses this threat at the exact moment it matters: when a user attempts to connect their wallet to a site, before anything is signed.
- dApp Scanning - Blockaid's advanced web crawler continuously analyzes DNS records, certificate transparency logs, and real-time web crawling to detect newly registered or compromised domains within minutes of appearing. When a user attempts to connect their wallet, Blockaid scans the site for malicious code signatures, JavaScript drainer kits, and infrastructure tied to known threat actors, returning a verdict before the user signs anything. The fake revoke sites tied to Drift, KelpDAO, and ZetaChain were flagged through this layer, with integrated wallets surfacing warnings and blocking the connection before any funds were at risk.
- Address Scanning - Every address involved in a transaction is checked in real time against Blockaid's threat intelligence database, which tracks addresses linked to drainer campaigns, phishing operations, and known malicious infrastructure across chains. This includes evaluating transaction history, cluster associations, token approvals, and behavioral patterns that indicate an address is operating as part of a drainer operation. If a user is about to sign a transaction that routes funds or approvals to one of these addresses, the wallet surfaces a warning before execution.
Both dApp Scanning and Address Scanning are part of Blockaid's End User Protection suite, which screens every surface a user encounters and returns actionable security verdicts before harm can occur. Any user on a Blockaid-integrated wallet, including MetaMask, Coinbase, Rainbow, Ledger, and Zerion, would have been warned in real time that these sites were malicious before ever connecting.
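The check described above, evaluating what the user is actually being asked to sign, can be illustrated with an added example (not Blockaid's code) that decodes the calldata of an approval-style transaction and compares it with the user's stated intent to revoke. The function selectors are the standard ERC-20 and ERC-721 ones; the spender address and the flagged-address set are constructed placeholders.

```python
# Selectors are the first 4 bytes of keccak256 over the canonical signature.
SELECTORS = {
    "095ea7b3": "approve(address,uint256)",
    "a22cb465": "setApprovalForAll(address,bool)",
    "39509351": "increaseAllowance(address,uint256)",
}
MAX_UINT256 = 2**256 - 1

def encode_approval(selector: str, spender: str, value: int) -> str:
    """Build ABI calldata for a two-argument (address, uint256/bool) call.
    Used here only to construct sample inputs for the checks below."""
    return "0x" + selector + spender[2:].lower().rjust(64, "0") + format(value, "064x")

def decode_calldata(data: str) -> dict:
    """Decode the selector and the (address, uint) pair of an approval call."""
    data = data.lower()
    if data.startswith("0x"):
        data = data[2:]
    sel, args = data[:8], data[8:]
    name = SELECTORS.get(sel)
    if name is None:
        return {"function": None, "selector": sel}
    if len(args) != 128:
        raise ValueError("malformed ABI encoding for %s" % name)
    # An address is right-aligned in its 32-byte word: skip 12 bytes of padding.
    return {"function": name, "spender": "0x" + args[24:64], "value": int(args[64:], 16)}

def assess_revoke_intent(data: str, flagged_spenders: set) -> dict:
    """The user believes they are revoking. Report anything in the calldata that
    contradicts that, plus any spender already present in threat intelligence."""
    d = decode_calldata(data)
    if d["function"] is None:
        return {"verdict": "warn",
                "reasons": ["selector %s is not an approval call; cannot confirm a revoke" % d["selector"]]}
    reasons = []
    fn, value = d["function"], d["value"]
    if fn.startswith("approve") and value == MAX_UINT256:
        reasons.append("unlimited allowance")
    elif fn.startswith("approve") and value != 0:
        reasons.append("non-zero allowance")
    elif fn.startswith("setApprovalForAll") and value != 0:
        reasons.append("grants operator rights over every token of the collection")
    elif fn.startswith("increaseAllowance"):
        reasons.append("increases an allowance instead of clearing one")
    # Constructed threat-intel lookup: addresses are compared lowercased.
    if d["spender"] in {a.lower() for a in flagged_spenders}:
        reasons.append("spender is a flagged drainer address")
    return {"verdict": "block" if reasons else "allow", "reasons": reasons, **d}
```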
Learn more about Blockaid's End User Protection →
Conclusion
Drainer operations are no longer waiting for users to stumble onto a fake airdrop. They are watching the same news feeds, responding to the same alerts, and registering domains within hours of an exploit going public. The attack does not look like a scam because it is built on top of a real crisis, borrowing legitimacy from the very guidance users are trying to follow.
Static defenses and after-the-fact blocklists cannot keep pace with a threat that is live before most people have finished reading the breach announcement. The protection has to be real-time, embedded at the point of wallet connection, and informed by continuous threat intelligence. That is what Blockaid's End User Protection delivers for users on Blockaid-integrated wallets across the ecosystem.
About Blockaid
Blockaid is the onchain security platform trusted by the largest companies operating in Web3. Built by veterans of elite intelligence and cybersecurity units, Blockaid provides end-to-end protection for financial institutions, protocols, and end users, combining direct wallet and dApp integrations with real-time monitoring, detection, and response across smart contracts, infrastructure, and externally owned accounts. Since 2025, Blockaid has scanned more than 6.3 billion transactions and blocked more than 585 million attacks. Blockaid is the security infrastructure behind Coinbase, MetaMask, Uniswap, Safe, and dozens of the most widely used platforms in the industry.
Learn more at blockaid.io, and follow us on Twitter and LinkedIn.