
Pink Drainer

avoid.net/pink-drainer · 0/100 · 90% conf.
[AI-DRAFTED · AWAITING VERIFICATION][src:zachxbt]

Summary

Pink Drainer was a phishing-as-a-service (drainer-as-a-service) criminal toolkit active from approximately April 2023 through May 2024, during which it facilitated the theft of an estimated $75–85 million in cryptocurrency and NFTs from more than 21,000 victims. Operated by a pseudonymous developer known as 'Pink' (previously 'Blockdev'), the service sold access to a wallet-draining toolkit to phishing affiliates who ran attack campaigns via compromised Discord servers, hijacked social media accounts, and fake airdrop and NFT-claim websites. The operators announced a self-described 'retirement' on May 17, 2024, though associated wallet addresses have continued to hold and move funds post-shutdown, and copycat operations and successor drainer services have continued the attack model.


What Is Pink Drainer

Pink Drainer is a phishing-as-a-service (also described as drainer-as-a-service, or DaaS) criminal operation that sells a pre-built software toolkit which paying affiliates use to steal cryptocurrency and NFTs from user wallets. Unlike malware that steals private keys, the drainer kit works by socially engineering victims into connecting their wallets to malicious websites and signing transactions or off-chain messages that grant an attacker-controlled address permission to transfer all eligible assets; the victim's keys are never exposed, only their authority to approve transfers is abused. The service was first identified by Web3 anti-scam firm ScamSniffer in mid-2023 after on-chain analysis traced a series of phishing incidents to an address linked to the Ethereum Name Service name 'pink-drainer.eth'; the operation takes its name from that ENS handle. The toolkit was built and maintained by a pseudonymous individual known as 'Pink,' who previously operated under the handle 'Blockdev' and ran an X (Twitter) account, @ChainThreats, where they posed as a legitimate blockchain security researcher before pivoting to developing criminal tooling. According to reporting by Cointelegraph Magazine, the operator claimed prior experience as a security researcher and expressed no remorse for victims, referring to them as 'participants' and stating, 'I don't phish anyone, I just code.'

Business Model and Fee Structure

Pink Drainer operated on a drainer-as-a-service model. The operator (Pink / Blockdev) developed and maintained the draining toolkit and sold access to it to criminal affiliates, the phishing teams who ran the actual attack campaigns. In keeping with the broader drainer-as-a-service industry standard, the arrangement involved an upfront access fee plus a revenue-share cut of between 20% and 30% of all funds stolen by the affiliate, depending on the tier of service purchased. The operator could also build phishing websites for clients who lacked the technical skills to do so independently, charging accordingly. The operator stored earnings primarily in DAI and sDAI stablecoins rather than converting to fiat, a tactic that simultaneously preserves asset value against crypto volatility and delays KYC-triggering fiat off-ramps. By early 2024, PeckShield and SlowMist identified Pink Drainer-affiliated addresses depositing approximately 12–18.1 million DAI into Spark, MakerDAO's sDAI savings vault, which paid roughly 10% APY at the time, making Pink Drainer one of the largest individual sDAI holders. The operator commanded roughly 28% market share of the drainer-as-a-service sector at the peak of operations in early 2024.

Attack Methods and Technical Infrastructure

Pink Drainer affiliates employed a multi-stage attack chain that combines social engineering with abuse of the standard token-approval mechanisms of Ethereum-compatible chains; no smart contract vulnerability is exploited, and the victim's private key is never exposed. Victims are directed to a malicious website that, through an ordinary wallet prompt, asks them to sign either an on-chain transaction or an off-chain message. The on-chain variants are a call to the token's approve() function that grants an attacker-controlled spender an unlimited (or greatly inflated) allowance, an increaseApproval()/increaseAllowance() call (rendered by wallets as 'Increase Approval', the form used in the $4.4 million LINK theft), or a setApprovalForAll() call on an ERC-721 or ERC-1155 collection that makes the attacker an operator for every NFT the victim holds in it. The off-chain variant is an EIP-2612 permit: the victim signs EIP-712 typed data that the attacker later submits to the token's permit() function, which sets the allowance without the victim ever sending a transaction or paying gas. Permit requests are particularly dangerous because, at the time, many wallets rendered them as a generic 'sign message' prompt rather than as an approval, so the usual approval warnings never appeared. Advanced campaigns also abused Uniswap's Permit2 contract, whose PermitSingle and PermitBatch signatures can cover several tokens in one signature for any token the victim has already approved to Permit2. Once an allowance or operator grant is in place, the attacker's contract immediately calls transferFrom() (or the ERC-721/1155 equivalent) to move every accessible asset to a collection wallet. The primary delivery vectors were: (1) Social engineering via journalist impersonation: attackers posed as journalists from Cointelegraph and Decrypt, conducted a fake 'interview' with a crypto project's administrators over one to three days, then steered the target into a bogus KYC step built on a fake Carl-bot verification flow that asked them to drag a 'verify' bookmark onto the browser's bookmark bar and click it while logged in to Discord. The bookmark was a javascript: bookmarklet; executed in the Discord web client's page context, it read the logged-in account's authentication token and exfiltrated it to the attacker. Because that token is a post-login session credential, the attacker could take over the account without knowing the password and without having to defeat MFA. (2) Compromised social media accounts: once Discord admin accounts or high-profile X accounts were captured, attackers posted links to fake airdrop or NFT mint pages to the project's entire community. (3) Fake airdrop and mint sites: purpose-built phishing pages mimicking legitimate protocols, usually promoted via the compromised accounts.
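The request shapes described above are what a wallet-side preflight has to recognise. The following is an added example written for this page, not code from Pink Drainer, ScamSniffer or any wallet vendor: it decodes the calldata of an eth_sendTransaction request and the primaryType/message of an eth_signTypedData_v4 request and flags unlimited allowances, operator grants and permit signatures. It runs on plain Node.js with no ethers/web3 dependency; the token, NFT and attacker addresses in the samples are constructed placeholders, and the function selectors are the standard keccak256 prefixes of the signatures named in the comments.

```javascript
// Added example, not code from Pink Drainer, ScamSniffer or any wallet vendor.
// A wallet-side preflight that classifies what a dapp is asking the user to
// sign and flags the request shapes drainers rely on. Plain Node.js only.

const MAX_UINT256 = (1n << 256n) - 1n;
const MAX_UINT160 = (1n << 160n) - 1n; // Permit2 stores amounts as uint160

// 4-byte selectors = first 4 bytes of keccak256(signature).
const SELECTORS = {
  "095ea7b3": "approve(address,uint256)",            // ERC-20 allowance
  "39509351": "increaseAllowance(address,uint256)",  // OpenZeppelin ERC-20
  "d73dd623": "increaseApproval(address,uint256)",   // older OpenZeppelin name, shown as "Increase Approval"
  "a22cb465": "setApprovalForAll(address,bool)",     // ERC-721 / ERC-1155 operator grant
  "d505accf": "permit(address,address,uint256,uint256,uint8,bytes32,bytes32)", // EIP-2612, submitted by the attacker
};
const ALLOWANCE_CALLS = new Set(["095ea7b3", "39509351", "d73dd623"]);

// ABI decoding helpers: arguments are 32-byte words after the 4-byte selector.
const word = (hex, i) => hex.slice(8 + i * 64, 8 + (i + 1) * 64);
const addrOf = (w) => "0x" + w.slice(24);      // address = low 20 bytes of the word
const uintOf = (w) => BigInt("0x" + w);

// eth_sendTransaction: inspect the calldata.
function classifyTransaction(tx) {
  const data = (tx.data || "0x").toLowerCase().replace(/^0x/, "");
  const selector = data.slice(0, 8);
  const signature = SELECTORS[selector] || null;
  const findings = [];
  if (ALLOWANCE_CALLS.has(selector)) {
    const spender = addrOf(word(data, 0));
    const amount = uintOf(word(data, 1));
    if (amount === MAX_UINT256) findings.push(`unlimited allowance on ${tx.to} for spender ${spender}`);
    else if (amount > 0n) findings.push(`allowance of ${amount} on ${tx.to} for spender ${spender}`);
    if (selector !== "095ea7b3") findings.push("increase* call: adds to whatever allowance already exists");
  } else if (selector === "a22cb465" && uintOf(word(data, 1)) === 1n) {
    findings.push(`operator ${addrOf(word(data, 0))} gets control of every token you hold in ${tx.to}`);
  }
  return { signature, findings };
}

// eth_signTypedData_v4: inspect the EIP-712 primaryType and message fields.
// These are the primary types used by EIP-2612 tokens and Uniswap Permit2.
const PERMIT_TYPES = new Set(["Permit", "PermitSingle", "PermitBatch", "PermitTransferFrom", "PermitBatchTransferFrom"]);

function classifyTypedData(typedData, nowSeconds) {
  const { primaryType, message } = typedData;
  const findings = [];
  if (!PERMIT_TYPES.has(primaryType)) return { primaryType, findings };
  findings.push(`${primaryType}: this signature lets ${message.spender} set an allowance without any transaction from you`);
  // EIP-2612 Permit carries value/deadline; Permit2 PermitSingle nests amount/expiration under details.
  const amount = BigInt(message.value ?? message.details?.amount ?? 0);
  const expiry = BigInt(message.deadline ?? message.details?.expiration ?? 0);
  if (amount === MAX_UINT256 || amount === MAX_UINT160) findings.push("amount is unlimited");
  if (expiry > BigInt(nowSeconds) + 365n * 86400n) findings.push(`expiry ${expiry} is more than a year away`);
  return { primaryType, findings };
}

// Constructed sample requests; every address below is a placeholder, not a real contract.
const TOKEN = "0x1111111111111111111111111111111111111111";
const NFT = "0x2222222222222222222222222222222222222222";
const OWNER = "0x" + "a".repeat(40);
const ATTACKER = "0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef";
const pad32 = (hex) => hex.replace(/^0x/, "").padStart(64, "0");

const SAMPLES = {
  drainerApprove: { to: TOKEN, data: "0x095ea7b3" + pad32(ATTACKER) + "f".repeat(64) },
  drainerSetApprovalForAll: { to: NFT, data: "0xa22cb465" + pad32(ATTACKER) + pad32("1") },
  plainTransfer: { to: TOKEN, data: "0xa9059cbb" + pad32(ATTACKER) + pad32("64") }, // transfer(address,uint256): not an approval
  drainerPermit: {
    primaryType: "Permit",
    message: { owner: OWNER, spender: ATTACKER, value: MAX_UINT256.toString(), nonce: 0, deadline: "1893456000" },
  },
  permit2Single: {
    primaryType: "PermitSingle",
    message: {
      details: { token: TOKEN, amount: MAX_UINT160.toString(), expiration: "281474976710655", nonce: 0 },
      spender: ATTACKER,
      sigDeadline: "1700000600",
    },
  },
};

for (const [name, req] of Object.entries(SAMPLES)) {
  const verdict = req.primaryType ? classifyTypedData(req, 1700000000) : classifyTransaction(req);
  console.log(name, verdict);
}
```

A real wallet hook would also resolve `tx.to` and the spender against a label database so that an unlimited allowance to a well-known router and one to a freshly deployed contract are treated differently; the decoder above deliberately flags both, because the drainer's spender is by definition unknown.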

Scale of Theft and Victim Count

According to ScamSniffer's Dune Analytics dashboard tracking on-chain data, Pink Drainer stole approximately $75–85 million in cryptocurrency and NFTs from an estimated 19,810 to 21,100 victims between its emergence in spring 2023 and the May 2024 shutdown. The spread in reported totals reflects snapshots of the dashboard taken at different times; later snapshots converged on the higher figure of about $85 million from roughly 21,000 victims, which is also the figure the operators cited in their retirement message. In calendar year 2023 alone, Pink Drainer was responsible for approximately $18.7 million stolen from 9,068 victims. The single largest known individual theft attributed to the operation was $4.4 million (275,700 LINK tokens) drained from one victim in December 2023 via a fake 'Increase Approval' transaction, that is, a signed call to the token's increase-allowance function (increaseApproval() on older OpenZeppelin-derived tokens, increaseAllowance() on newer ones) that raised an attacker's allowance instead of interacting with the protocol the victim believed they were using. At its operational peak, Pink Drainer held approximately 28% of the entire drainer-as-a-service market by stolen value. For scale, ScamSniffer's annual report put total wallet-drainer phishing losses across the industry at approximately $494 million in 2024.

Notable Attacks and High-Profile Targets

Pink Drainer affiliates were linked to a significant number of high-profile phishing campaigns. In the initial campaign identified by ScamSniffer between May 8 and June 2, 2023, attacks targeted the Discord servers and social media accounts of Evmos, Starknet ID, LiFi, Cherry Network, Pika Protocol, Orbiter Finance, Flare Network, and the personal X account of OpenAI CTO Mira Murati, collectively stealing approximately $3 million from 1,932 victims. On May 26, 2023, the X account of DJ and NFT collector Steve Aoki was compromised and used to post a phishing link that led to approximately $170,000 in losses. In September 2023, Ethereum co-founder Vitalik Buterin's X account was hijacked via a T-Mobile SIM swap; the attacker used it to promote a fake commemorative NFT mint built on Pink Drainer infrastructure, resulting in approximately $700,000 in stolen cryptocurrency and NFTs. On February 26, 2024, MicroStrategy's X account was compromised and used to advertise a fake Ethereum-based MSTR token airdrop; ZachXBT and ScamSniffer confirmed that over $440,000 was stolen, with funds flowing to wallets associated with Pink Drainer. The largest single-victim loss, the $4.4 million in LINK drained in December 2023 via a fake 'Increase Approval' transaction, is described above.

The 'Retirement' Announcement (May 2024)

On May 17, 2024, Pink Drainer announced its retirement via a private Telegram message that was subsequently shared publicly by blockchain investigator ZachXBT. The announcement stated: 'We have reached our goal and now, according to plan, it's time for us to retire.' The message urged affiliates to 'take a step back from the grind and enjoy what this world has to offer,' and assured clients that all operational data would be 'wiped and securely destroyed.' The operators predicted their exit would have 'no major impact on the scene' and warned of potential impersonators. No remorse was expressed toward victims. SlowMist founder Yu Xian commented publicly that retirement may prove difficult given the existence of law enforcement records and expressed anticipation for eventual apprehension. Skepticism about the finality of the shutdown is historically well founded: Monkey Drainer and Inferno Drainer both announced retirements before Pink Drainer did, and Inferno Drainer later re-emerged. Post-announcement, wallets associated with Pink Drainer continued to hold substantial sDAI and other assets. As of March 2026, the wallet labeled 'Pink Drainer: Wallet 2' (0x9fa7bb759641fcd37fe4ae41f725e0f653f2c726) on Etherscan still held several million dollars in assets, and a $117,000 transfer from a Pink Drainer-associated wallet was reported, indicating some level of continued fund management after the announced retirement.

On-Chain Tracking and Fund Flows

Several Ethereum wallet addresses have been publicly labeled as Pink Drainer by on-chain analytics platforms and security researchers. The two primary addresses labeled on Etherscan are Wallet 1 at 0x63605e53d422c4f1ac0e01390ac59aaf84c44a51 and Wallet 2 at 0x9fa7bb759641fcd37fe4ae41f725e0f653f2c726. The original attribution address used by ScamSniffer was 0xf529127107c91bbf6c141304718491a437fb2f5f, connected to the ENS name 'pink-drainer.eth.' PeckShield identified that Pink Drainer-affiliated addresses deposited approximately 12–18 million DAI into Spark, MakerDAO's sDAI savings vault, earning roughly 10% annual yield during the period of peak DeFi rates and making them one of the largest individual sDAI holders at the time; SlowMist described this as gradually leveraging MakerDAO to launder illicit gains while earning yield. Fund flows reportedly passed through decentralized exchanges, cross-chain bridges and in some cases mixing services to obscure the trail before reaching centralized exchanges, while the bulk of earnings stayed in DAI rather than being converted to fiat, partly to avoid KYC-triggering off-ramps. In an ironic incident documented in July 2024, a wallet associated with Pink Drainer itself fell victim to an address poisoning attack, losing 10 ETH (approximately $30,000) by sending funds to an attacker-generated vanity address whose leading and trailing characters matched those of a counterparty it had transacted with before, the same truncated-display weakness that poisoning attacks exploit against ordinary users.
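The poisoning incident above turns on the way wallets and explorers truncate addresses to a few leading and trailing characters. The following added example (written for this page; not code from any wallet, explorer or from the investigation) shows the two checks that defeat it: build the trusted-recipient set only from addresses the user has actually sent to, never from senders of inbound dust, and compare candidate recipients against that set on the full 20 bytes, reporting a prefix/suffix-only match as a lookalike. The transaction history and all addresses in it are constructed placeholders.

```javascript
// Added example, not code from any wallet or from the investigation.
// Address poisoning works because UIs show "0x1234...abcd"-style truncations,
// so an attacker grinds a vanity address with the same visible characters as a
// real counterparty and sends dust from it to pollute the victim's history.

const norm = (a) => a.toLowerCase().replace(/^0x/, "");

// Verdicts: "exact" (full 20-byte match with a trusted address), "lookalike"
// (matches a trusted address only on the characters a UI would display),
// "unknown" (no relation to anything trusted) or "invalid" (not an address).
// prefixLen/suffixLen should mirror what the wallet's UI truncates to.
function checkRecipient(candidate, trusted, prefixLen = 4, suffixLen = 4) {
  const c = norm(candidate);
  if (c.length !== 40 || /[^0-9a-f]/.test(c)) return { verdict: "invalid" };
  for (const t of trusted) {
    const n = norm(t);
    if (n === c) return { verdict: "exact", matches: "0x" + n };
    if (n.slice(0, prefixLen) === c.slice(0, prefixLen) && n.slice(-suffixLen) === c.slice(-suffixLen)) {
      return { verdict: "lookalike", matches: "0x" + n };
    }
  }
  return { verdict: "unknown" };
}

// The trusted set is built from outbound transfers only. A poisoning address
// appears in history as the *sender* of a dust or zero-value transfer, and a
// UI that offers "recent addresses" without this filter is what the attacker
// is counting on.
function trustedFromHistory(txs, me) {
  const mine = norm(me);
  return [...new Set(txs.filter((t) => norm(t.from) === mine).map((t) => "0x" + norm(t.to)))];
}

// Constructed history (placeholder addresses): one genuine outbound payment,
// then a poisoning transfer from an address sharing its first and last 4 chars.
const ME = "0x" + "a".repeat(40);
const COUNTERPARTY = "0x1234" + "c".repeat(32) + "abcd";
const POISONER = "0x1234" + "d".repeat(32) + "abcd";

const SAMPLE_TXS = [
  { from: ME, to: COUNTERPARTY, value: "10 ETH" },
  { from: POISONER, to: ME, value: "0 ETH" }, // the poisoning transaction
];

const TRUSTED = trustedFromHistory(SAMPLE_TXS, ME);
console.log("trusted:", TRUSTED);
console.log("poisoner:", checkRecipient(POISONER, TRUSTED));
```

A sending flow built on this refuses "lookalike" outright and requires an explicit, full-address confirmation for "unknown"; the 4+4 default matches the shortest truncation in common use, and widening it only makes the lookalike net tighter, never looser.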

Relationship to the Broader Drainer Ecosystem

Pink Drainer emerged as part of a second wave of drainer-as-a-service operations following the March 2023 shutdown of Monkey Drainer, which had operated since August 2022 and stolen approximately $16.5 million from over 18,000 victims before retiring after being exposed by ZachXBT. Within a month of Monkey Drainer's closure, at least four successor operations emerged: Inferno Drainer, MS Drainer, Pink Drainer, and Angel Drainer. Venom Drainer, active in the same period, disappeared around April 2023. According to reporting, the operator known as Pink (previously Blockdev) had earlier researched and conducted DDoS and competitive hacking attacks against Monkey Drainer, suggesting detailed insider knowledge of the drainer ecosystem before building a competing service. Inferno Drainer, which claimed to be Monkey Drainer's successor, operated until November 2023 and stole approximately $80–81 million from 134,000 victims before its first announced retirement; it re-emerged in mid-2024 after Pink Drainer's shutdown, absorbing much of Pink's former client base. Angel Drainer shut down in early 2024 after alleged de-anonymization of its members. Security researchers have noted a historical pattern in which the departure of one drainer service is quickly followed by successor operations inheriting its client base, suggesting rebranding, resource transfer, or simply market replacement within the same criminal ecosystem. As of 2025-2026, the drainer-as-a-service space has continued with new entrants, though overall phishing losses fell to approximately $84 million in 2025, down 83% from the 2024 peak.

Law Enforcement and Attribution Challenges

As of the time of this investigation, no public arrests, charges, or prosecutions have been reported in connection with Pink Drainer's operators or affiliates. The operation was run entirely pseudonymously, with the primary operator known only by the handle 'Pink' and formerly 'Blockdev.' Attribution in drainer-as-a-service cases is complicated by the separation between the toolkit developer and the phishing affiliates who actually execute attacks, creating layers of plausible deniability. Blockchain analytics firms SlowMist, PeckShield, and ScamSniffer have tracked on-chain fund flows and labeled wallet addresses, and ZachXBT documented the retirement announcement publicly. SlowMist founder Yu Xian stated at the time of shutdown that it 'may not be easy for the gang to retire as there are numerous law enforcement records,' suggesting active investigative interest without confirming any specific proceedings. The decision to park stolen funds in DAI and sDAI rather than cash out to fiat also slows asset recovery: unlike USDC and USDT, whose issuers can freeze balances at the token contract on law enforcement request, DAI has no issuer-level blacklist, so the funds cannot be frozen in place and can only be seized from the keys that control them, and anything that never reaches a regulated exchange never passes a KYC checkpoint. The decentralized, pseudonymous, and cross-jurisdictional nature of the operation, combined with the use of non-custodial wallets, DeFi protocols, and cross-chain bridges, presents substantial barriers to conventional law enforcement asset recovery and prosecution.

Prevention and Defense

Several tools and practices reduce exposure to Pink Drainer-style attacks. ScamSniffer (scamsniffer.io) is a browser extension and Web3 anti-scam solution that provides real-time malicious website detection, dangerous signature request warnings and token approval monitoring, backed by blocklists of known drainer infrastructure and phishing pages. Revoke.cash and similar approval-management tools let users audit and revoke previously granted ERC-20 allowances, ERC-721/1155 setApprovalForAll grants and Permit2 allowances; revoking standing approvals after each DeFi interaction is a critical mitigation, with the caveat that each revocation is an on-chain transaction that costs gas and that it cannot recover assets already moved with transferFrom(). Hardware wallets add a layer of protection by requiring physical confirmation of each transaction, but they only protect against what they can display: a permit or other EIP-712 payload the device cannot decode is shown as an opaque hash under 'blind signing', and a user who confirms it without reading is drained just the same. Key user-level defenses include: (1) never connecting a wallet to an airdrop or claim site promoted via a social media post, even from a previously trusted account, since that account may be compromised; (2) treating any request to sign a 'permit' message or approve an unlimited token allowance with extreme suspicion and, where an allowance is genuinely needed, granting only the amount the interaction requires; (3) verifying all transaction details in the wallet interface before signing, particularly the 'to' address, the function being called and the spender or operator argument; (4) using a separate wallet with limited funds for interacting with unfamiliar DeFi protocols; and (5) removing phone numbers from social media accounts such as X and using non-SMS MFA to reduce SIM swap attack surface, the vector used in the Vitalik Buterin incident.
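What an approval-management tool does under the hood is rebuild the allowances still in force from the token contracts' own event logs and then send the transactions that zero them. The following is an added example written for this page, not Revoke.cash's or ScamSniffer's code: it takes logs in the shape returned by eth_getLogs, keeps only the latest Approval or ApprovalForAll event per (token, spender) pair in chain order, drops the ones that were already revoked, and emits the approve(spender, 0) / setApprovalForAll(operator, false) calldata for the rest. The sample logs and every address in them are constructed placeholders; the event topic hashes are the standard keccak256 values for the two signatures named in the comments.

```javascript
// Added example, not Revoke.cash's or ScamSniffer's code. Rebuilds the
// allowances an address still has outstanding from Approval / ApprovalForAll
// event logs (what eth_getLogs returns) and emits the calldata that revokes them.

const TOPIC_APPROVAL = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"; // Approval(address,address,uint256)
const TOPIC_APPROVAL_FOR_ALL = "0x17307eab39ab6107e8899845ad3d59bd9653f200f220920489ca2b5937696c31"; // ApprovalForAll(address,address,bool)
const UNLIMITED = (1n << 256n) - 1n;

const topicAddr = (topic) => "0x" + topic.slice(26); // address = low 20 bytes of the 32-byte topic
const pad32 = (hex) => hex.replace(/^0x/, "").padStart(64, "0");

// Returns the non-zero approvals still in force for `owner`, one per
// (token, spender) pair. A later event overrides an earlier one for the same
// pair, so logs are processed in chain order whatever order the node returned.
function outstandingApprovals(logs, owner) {
  const me = owner.toLowerCase();
  const inOrder = [...logs].sort((a, b) => a.blockNumber - b.blockNumber || a.logIndex - b.logIndex);
  const latest = new Map();
  for (const log of inOrder) {
    const [topic0, ownerTopic, spenderTopic] = log.topics;
    if (topicAddr(ownerTopic) !== me) continue;
    const kind = topic0 === TOPIC_APPROVAL ? "erc20" : topic0 === TOPIC_APPROVAL_FOR_ALL ? "operator" : null;
    if (!kind) continue;
    const token = log.address.toLowerCase();
    const spender = topicAddr(spenderTopic);
    latest.set(`${token}|${spender}`, { kind, token, spender, value: BigInt(log.data) });
  }
  return [...latest.values()]
    .filter((a) => a.value !== 0n)
    .map((a) => ({ ...a, unlimited: a.kind === "erc20" && a.value === UNLIMITED }));
}

// Calldata that undoes one approval: approve(spender, 0) or setApprovalForAll(operator, false).
function revokeCalldata(approval) {
  const selector = approval.kind === "erc20" ? "0x095ea7b3" : "0xa22cb465";
  return { to: approval.token, data: selector + pad32(approval.spender) + pad32("0") };
}

function auditReport(logs, owner) {
  return outstandingApprovals(logs, owner).map((a) => ({ ...a, revoke: revokeCalldata(a) }));
}

// Constructed sample (placeholder addresses): a router allowance that was later
// revoked, an unlimited allowance to a drainer, an NFT operator grant, and one
// log belonging to a different owner. Deliberately not in chain order.
const OWNER = "0x" + "a".repeat(40);
const ROUTER = "0x" + "b".repeat(40);
const DRAINER = "0x" + "d".repeat(40);
const TOKEN = "0x" + "1".repeat(40);
const NFT = "0x" + "2".repeat(40);
const topic = (addr) => "0x" + pad32(addr);

const SAMPLE_LOGS = [
  { address: TOKEN, blockNumber: 300, logIndex: 1, topics: [TOPIC_APPROVAL, topic(OWNER), topic(ROUTER)], data: "0x" + pad32("0") },
  { address: TOKEN, blockNumber: 100, logIndex: 0, topics: [TOPIC_APPROVAL, topic(OWNER), topic(ROUTER)], data: "0x" + pad32("3e8") },
  { address: TOKEN, blockNumber: 200, logIndex: 7, topics: [TOPIC_APPROVAL, topic(OWNER), topic(DRAINER)], data: "0x" + "f".repeat(64) },
  { address: NFT, blockNumber: 250, logIndex: 2, topics: [TOPIC_APPROVAL_FOR_ALL, topic(OWNER), topic(DRAINER)], data: "0x" + pad32("1") },
  { address: TOKEN, blockNumber: 260, logIndex: 0, topics: [TOPIC_APPROVAL, topic("0x" + "e".repeat(40)), topic(DRAINER)], data: "0x" + "f".repeat(64) },
];

for (const a of auditReport(SAMPLE_LOGS, OWNER)) {
  console.log(`${a.kind} ${a.token} -> ${a.spender}${a.unlimited ? " (UNLIMITED)" : ""} revoke: ${a.revoke.data}`);
}
```

Two caveats a practitioner should keep in mind: an EIP-2612 permit() call emits the token's Approval event, so it does show up in this audit, but Permit2 allowances are recorded by the Permit2 contract's own events rather than the token's and need a separate query against that contract; and the audit only reflects logs the node actually returned, so a block range that is too narrow silently hides older approvals.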

Red Flags and Indicators of a Pink Drainer Campaign

Pink Drainer-style attacks share a consistent set of indicators. Users and project administrators should treat the following as high-risk signals: (1) A Discord or X account of a known project or influencer posts an unexpected airdrop, NFT mint, or token claim with an urgent deadline, particularly if the account has recently shown unusual activity or had been quiet. (2) An inbound contact claiming to be a journalist from a named publication (Cointelegraph, Decrypt, or similar) seeks an interview, then later asks for KYC verification involving Discord. (3) A 'Drag Me' or similar drag-to-bookmark-bar button appears on any website during a verification or interview process; this is a common delivery mechanism for Discord token theft bookmarklets. (4) A website prompts a wallet connection and immediately requests a Permit or Permit2 signature, or an approve() transaction for an unlimited amount or for tokens unrelated to the interaction's stated purpose. (5) An airdrop site URL does not match the official project domain exactly, or uses a lookalike domain (e.g., orbiter-finance.io instead of orbiter.finance). (6) The site shows urgency indicators ('Claim expires in 10:00') or inflated reward promises. (7) Any transaction containing a setApprovalForAll call, unless it is a fully understood NFT marketplace interaction. (8) Social media posts promoting a claim site appear in the replies of a hacked account rather than as original posts.

Timeline

2023-03-01

Monkey Drainer, a predecessor drainer-as-a-service operation, announces shutdown after exposure by ZachXBT, having stolen approximately $16.5M. Within weeks, multiple successor operations emerge including Pink Drainer.

2023-04-01

Pink Drainer first emerges and quickly executes an initial 156 ETH heist, establishing the operation.

2023-05-08

Pink Drainer affiliates begin a systematic campaign against crypto projects, targeting Discord servers of Evmos, Starknet ID, LiFi, Cherry Network, Pika Protocol, Orbiter Finance, and Flare Network via journalist impersonation.

2023-05-26

DJ Steve Aoki's X account is compromised and used to post a Pink Drainer phishing link, resulting in approximately $170,000 in losses.

2023-06-02

ScamSniffer publishes analysis linking attacks on OpenAI CTO Mira Murati's account and multiple DeFi project Discords to 'pink-drainer.eth,' publicly naming the operation. Total at this point: approximately $3M from 1,932 victims.

2023-06-12

The Register and Bleeping Computer report on Pink Drainer's journalist impersonation technique, raising broader public awareness.

2023-09-09

Vitalik Buterin's X account is hijacked via a T-Mobile SIM swap attack; the attacker deploys Pink Drainer infrastructure to drain approximately $700,000 in crypto and NFTs from followers who clicked a fake NFT mint link.

2023-12-30

Pink Drainer affiliates steal $4.4 million (275,700 LINK tokens) from a single victim via a fake Increase Approval transaction — the single largest known individual theft linked to the operation.

2024-02-26

MicroStrategy's X account is hacked and used to promote a fake MSTR airdrop; ZachXBT and ScamSniffer confirm over $440,000 stolen, with funds flowing to Pink Drainer-associated wallets.

2024-03-27

PeckShield reports that Pink Drainer-affiliated addresses have staked approximately 12 million DAI into the Spark protocol, becoming one of the largest sDAI holders, as a fund-management and alleged laundering strategy.

2024-05-17

Pink Drainer announces retirement via a private Telegram message shared publicly by ZachXBT, claiming to have reached its 'goal' and citing $85M+ stolen from 21,000+ victims. The announcement warns of impersonators and states all data will be destroyed.

2024-07-08

In an ironic incident, a wallet associated with Pink Drainer falls victim to an address poisoning attack, losing 10 ETH (approximately $30,000) by sending funds to a lookalike wallet address.

2026-03-01

Reports emerge that a Pink Drainer-labeled wallet (Wallet 2: 0x9fa7bb...) moved approximately $117,000, suggesting continued fund management or liquidation activity years after the announced retirement.

Research Gaps

5 open · agent-resolvable

Heuristic next-actions surfaced for researchers and worker agents. Resolving these strengthens the page's evidence base and trust score.

  • [high]
    no addresses

    No on-chain addresses cited. Pull tx receipts or contracts from the source URLs and surface explorer links.

  • [high]
    no regulatory

    No regulatory or sanctions cross-check. Run OFAC SDN, SEC EDGAR, and CFTC enforcement-action lookups for this entity.

  • [med]
    single source

    Only one source has reported on this entity. Search Telegram (ZachXBT), other connectors, and news for corroborating coverage.

  • [med]
    unarchived sources

    Cited sources are not Wayback-archived. Run the archiver to pin their content before they rot.

  • [low]
    weak evidence

    Page has thin evidence. Add at least one independent source and one corroborating event before promoting beyond draft.

Provenance

This investigation is cryptographically anchored to the Solana blockchain and source URLs are archived via the Internet Archive.

model: claude-code-investigator

generated: 5/4/2026, 4:05:04 PM

last updated: 5/7/2026, 3:15:54 PM

avoid.net — verified advice for a post-truth world