Phishing Drainer & Malicious Approval — Trace the Setup Transaction

Zero-value native txs, fake mint sites, and malicious ERC-20 or SPL approvals that precede a drain: how to decode the setup tx, revoke the permissions it granted, and document the evidence.

Drains often start before assets leave

Victims focus on the sweep tx, but the damage was often done earlier: a malicious approval, Permit2 signature, or SPL delegate that let a drainer contract move tokens later without further prompts.

Warning signs you may have signed a drainer setup

  • Zero-value ETH or SOL transfers from unknown addresses (address poisoning).
  • Unexpected “Claim airdrop” or “Verify wallet” sites linked from X or Discord.
  • Approval txs to unknown contracts days before the sweep.
  • WalletConnect session to a site you do not recognize.

Immediate response

  • Revoke EVM approvals at revoke.cash — or run a $10 Tracefunds approval audit for a ranked list.
  • On Solana, review SPL token-account delegates in Phantom or Solscan.
  • Copy the approval/setup tx hash and decode it with the $5 single_tx mode before paying for a full wallet index.
  • Do not interact further with the phishing site.

Decode the setup transaction ($5)

Paste the suspicious hash into tracefunds.app/analyze?mode=single_tx. You will see which contract received approval, which tokens were affected, and labeled counterparties when public data matches — scoped to that hash only.
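As an added example (not Tracefunds code and not what single_tx runs), the decoder below shows what "which contract received approval" means at the calldata level: given an EVM tx's to-address and raw input, it recognises the two approval calls a drainer setup typically uses, extracts the spender, and flags unlimited grants to spenders you do not recognise. All addresses and calldata are constructed.

```python
from dataclasses import dataclass
from typing import Optional
MAX_UINT256 = (1 << 256) - 1

# 4-byte selectors = first 4 bytes of keccak256(signature); hard-coded since stdlib lacks keccak256.
SELECTORS = {
    "095ea7b3": "approve(address,uint256)",         # ERC-20 amount / ERC-721 single token
    "a22cb465": "setApprovalForAll(address,bool)",  # ERC-721 / ERC-1155 operator rights
}

@dataclass
class Approval:
    function: str    # decoded signature
    token: str       # contract the tx was sent to (the token or collection)
    spender: str     # address that gained permission to move the tokens
    amount: int      # raw uint256 (approve) or 0/1 (setApprovalForAll)
    unlimited: bool  # max-uint256 allowance or collection-wide operator grant

def _word(calldata: bytes, i: int) -> bytes:
    """Return the i-th 32-byte ABI word after the 4-byte selector."""
    return calldata[4 + 32 * i : 4 + 32 * (i + 1)]

def decode_setup_tx(to: str, input_hex: str) -> Optional[Approval]:
    """Decode an EVM tx's input; return the approval it grants, or None for other calls."""
    data = bytes.fromhex(input_hex[2:] if input_hex.startswith("0x") else input_hex)
    if len(data) < 4 + 2 * 32:  # selector + two ABI words
        return None
    sig = SELECTORS.get(data[:4].hex())
    if sig is None:
        return None
    # An address occupies the low 20 bytes of its 32-byte word.
    spender = "0x" + _word(data, 0)[12:].hex()
    value = int.from_bytes(_word(data, 1), "big")
    if sig.startswith("approve"):
        return Approval(sig, to.lower(), spender, value, value == MAX_UINT256)
    return Approval(sig, to.lower(), spender, value, value != 0)

def is_suspect(a: Approval, trusted_spenders: set[str]) -> bool:
    """Flag a grant worth revoking: non-zero and given to a spender you do not recognise."""
    return a.amount != 0 and a.spender.lower() not in {s.lower() for s in trusted_spenders}

# Constructed sample: unlimited ERC-20 approve() to an unknown spender (not a real tx).
SAMPLE_TOKEN = "0x" + "aa" * 20
SAMPLE_SPENDER = "0x" + "bb" * 20
SAMPLE_INPUT = "0x095ea7b3" + "00" * 12 + "bb" * 20 + "ff" * 32

if __name__ == "__main__":
    grant = decode_setup_tx(SAMPLE_TOKEN, SAMPLE_INPUT)
    print(grant, "SUSPECT" if grant and is_suspect(grant, set()) else "ok")
```

Permit2 and EIP-2612 permits are signed off-chain and only appear on-chain inside the drainer's own call, so they need a separate decoder; this block covers the on-chain approval txs the guide refers to.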

After the sweep

  • Run the $20 incident report on the victim wallet for the full outbound fund-flow graph.
  • Include both the approval tx and the sweep txs in exchange abuse tickets.
  • See the seed phrase guide if you typed your recovery phrase on the phishing site.

Prevention

  • Use a burner wallet for experimental mints and airdrops.
  • Read transaction simulation warnings in MetaMask / Phantom before signing.
  • Run periodic approval audits even if you have not been drained.
