Domain Security Reports

Search our database of flagged domains. Check if a website is a scam, phishing, or legitimate.

0
Total Tracked
0
Detected
0
Content Alive
0
Content Dead
0
VT Pending
Angel Drainer
CRITICAL THREAT

Angel Drainer Threats: A Deep Dive into Crypto Phishing Scams

Angel Drainer is a notorious crypto phishing toolkit targeting Web3 users, draining wallets through malicious smart contracts. PhishDestroy has tracked 4,385 domains associated with this threat, with 431 currently active as of our latest scans. This critical threat exploits trust in popular platforms, often using domains mimicking legitimate services like OpenSea or Vercel.

4,381
Domains Detected
CRITICAL
Threat Level

How This Attack Works

Angel Drainer operates by luring victims into interacting with malicious websites that appear legitimate. The attack unfolds in a series of deceptive steps designed to steal cryptocurrency assets.

STEP 1
Baiting with Fake Offers
Attackers create phishing sites mimicking trusted platforms like NFT marketplaces or DeFi protocols, often using domains like opensea.com.offer-proposal.com to appear authentic. Victims are enticed with fake airdrops, giveaways, or urgent account verification prompts.
STEP 2
Wallet Connection Request
Once on the site, users are prompted to connect their crypto wallets (e.g., MetaMask) to 'claim' rewards or 'verify' their accounts. This step often bypasses user suspicion by mimicking standard Web3 interactions.
STEP 3
Malicious Smart Contract Execution
Upon connection, the site triggers a malicious smart contract that requests sweeping permissions, allowing attackers to drain funds or NFTs from the wallet. Victims often don’t realize they’ve approved a transaction that compromises their assets.
STEP 4
Asset Drainage and Laundering
Stolen funds are quickly transferred to attacker-controlled wallets and laundered through mixers like Tornado Cash or cross-chain bridges, making recovery nearly impossible.

Technical Analysis

Angel Drainer is a sophisticated phishing-as-a-service (PhaaS) toolkit that emerged in late 2022, primarily targeting cryptocurrency users. It leverages malicious JavaScript embedded in phishing websites to interact with victims’ wallets. The core mechanism involves tricking users into signing transactions that call functions like 'approve()' or 'transferFrom()' on ERC-20 tokens or NFTs, granting attackers full control over assets. These scripts are often obfuscated to evade detection by antivirus software or browser security extensions. Infrastructure-wise, attackers rely on cheap or compromised domain registrars—PhishDestroy data shows NICENIC INTERNATIONAL GROUP CO., LIMITED (1,173 domains) and Cloudflare, Inc. (434 domains) as top choices for hosting these threats. Common TLDs include .com (1,212 domains), .xyz (712), and .app (290), often paired with free hosting on platforms like Vercel, as seen in examples like mysteryclaims6345-live.vercel.app.



The toolkit also employs advanced evasion techniques, such as IP-based redirects to show benign content to bots or security researchers while serving malicious payloads to real users. Angel Drainer campaigns frequently clone legitimate Web3 interfaces, using typosquatting or subdomain tricks (e.g., opensea.com.offer-proposal.com) to deceive users. On the blockchain side, stolen assets are often routed through intermediary wallets before being mixed, with on-chain analysis revealing connections to known money laundering services. This combination of social engineering and technical exploitation makes Angel Drainer a persistent and evolving threat in the Web3 ecosystem.



Additionally, attackers customize their campaigns based on trending topics in the crypto space, such as new token launches or NFT drops, to maximize victim engagement. The use of decentralized hosting and domain privacy services further complicates takedown efforts, as seen with the 431 active domains still operational in PhishDestroy’s database. This infrastructure resilience, paired with the toolkit’s low barrier to entry for cybercriminals, underscores why Angel Drainer remains a critical risk.

Real Cases

ParaSpace NFT Exploit (2023)
$5 million stolen
In March 2023, attackers used Angel Drainer to target users of the ParaSpace NFT lending platform, tricking them into signing malicious transactions via a fake update prompt, resulting in $5 million in stolen assets.
Fake OpenSea Campaign (2023)
$1.7 million stolen
A widespread phishing campaign in late 2023 mimicked OpenSea’s interface, using domains similar to opensea.com.offer-proposal.com, draining $1.7 million in NFTs and tokens from unsuspecting users.
Blur Marketplace Scam (2024)
$2.3 million stolen
Early 2024 saw Angel Drainer used in a fake Blur marketplace airdrop scam, where users connected wallets to claim 'free tokens,' losing $2.3 million in assets to malicious smart contracts.

How to Detect

Unsolicited offers or urgent prompts for wallet connection on websites mimicking platforms like OpenSea or Vercel, often using domains tracked by PhishDestroy such as mysteryclaims6345-live.vercel.app.
Suspicious domain structures, especially subdomains or unusual TLDs like .xyz or .app, which account for a significant portion of the 4,385 domains in our database.
Transaction requests that ask for broad permissions or unlimited token approvals when connecting a wallet to a site.
Lack of HTTPS or mixed content warnings on supposed Web3 platforms, often a sign of hastily deployed phishing pages.
Unexpected wallet activity or pop-ups prompting signature approvals without clear explanations of the transaction purpose.

How to Protect Yourself

1 Always verify the URL of Web3 platforms before connecting your wallet—avoid clicking links from unsolicited emails or social media, as PhishDestroy has identified 4,385 Angel Drainer-related domains.
2 Use hardware wallets or wallet extensions with transaction simulation features to preview smart contract interactions before signing.
3 Enable two-factor authentication (2FA) and set spending limits on your crypto wallets to minimize potential losses.
4 Regularly monitor your wallet for unauthorized transactions using blockchain explorers and revoke permissions for unused dApps.
5 Leverage PhishDestroy’s threat database to check suspicious domains or report potential Angel Drainer phishing sites for community protection.

Frequently Asked Questions

What is Angel Drainer?
Angel Drainer is a phishing toolkit used by cybercriminals to steal cryptocurrency and NFTs by tricking users into connecting their wallets to malicious websites. It exploits trust in Web3 platforms through fake offers or urgent prompts, executing harmful smart contracts to drain assets. PhishDestroy has identified 4,385 domains linked to this threat.
How much money has been stolen through Angel Drainer?
Angel Drainer has facilitated significant financial losses, with documented cases like the 2023 ParaSpace exploit ($5 million), the 2023 fake OpenSea campaign ($1.7 million), and the 2024 Blur marketplace scam ($2.3 million). Total losses tracked across various incidents exceed $9 million in stolen assets.
How do I protect myself from Angel Drainer?
Protect yourself by verifying URLs before connecting your wallet, avoiding unsolicited links, and using hardware wallets with transaction previews. Monitor wallet activity, revoke unnecessary dApp permissions, and check suspicious domains against PhishDestroy’s database of 4,385 tracked Angel Drainer threats.
What should I do if I'm a victim of Angel Drainer?
If you’re a victim, immediately disconnect your wallet from the malicious site and revoke all permissions via a blockchain explorer or wallet interface. Report the incident to authorities, file a report on PhishDestroy.io to alert the community, and contact your wallet provider for assistance. Unfortunately, recovering stolen crypto is often difficult due to the nature of blockchain transactions.
Data sourced from PhishDestroy threat intelligence database — 4,381 domains tracked for this threat type
Angel Drainer — Threat Intelligence Smart Contract High Threat
4,381
Domains
1,973
Alive
2,286
Taken Down
6.8
Avg VT
45%
Alive Rate
96.1%
Detected
Since Jul 2025 2,530 domains with VT ≥ 5
Angel Drainer 4,381 domains
deep.airdropsalert.sbs
15 VTUnknowninstagram
dolomite.live
15 VTLivearbitrum
drop-defichain.live
15 VTLiveacross
eigencloud.app
15 VTLiveEigenLayer
exclusive-mints02.vercel.app
15 VTUnknownOpenSea
exclusive-mints03.vercel.app
15 VTUnknownOpenSea
exclusive-mints10.vercel.app
15 VTUnknownOpenSea
fix-trustwallet.com
15 VTLiveTrustWallet
gaibfoundation.help
15 VTLivediscord
haedal.airdropalert.sbs
15 VTUnknownbinance
hbar.airdrpsalerts.click
15 VTUnknowncoinbase
hyperliquid-traces.xyz
15 VTUnknownethereum
jupiair.xyz
15 VTUnknownjupiter
jupiterofficial-ag.com
15 VTUnknownJupiter
kilergf.xyz
15 VTLiveAirdrop Scam
kite.claims
15 VTLivebitget
l2dydx.top
15 VTUnknowndYdX
ledger-wallet.pro
15 VTLiveLedger
lido.fi-edge-wallets-api-online.cloud
15 VTUnknownLido
lineamainnet-hub.xyz
15 VTUnknownLinea
magmareward.info
15 VTUnknowncompound
marketplace.opensea-team.help
15 VTUnknownOpenSea
megaeht.click
15 VTLivemetamask
monad-signup.net
15 VTLivediscord
monero-chan.info
15 VTUnknownacross
myofficialdecentralized.top
15 VTLivebinance
opensea-login.app
15 VTUnknownOpenSea
padre-pump.fun
15 VTLivecoinbase
paijkcakeswap.com
15 VTUnknownbnb chain
paikecakeswap.com
15 VTUnknownbnb chain
panitcakeswep.com
15 VTUnknownbnb chain
plume.airdropsalert.sbs
15 VTUnknownbinance
plume.airdrpsalerts.click
15 VTUnknownbinance
prophexchain.com
15 VTUnknownacross
proposal-aethircloud.net
15 VTUnknown
pswap.flnanceconnect.app
15 VTUnknownacross
pumpstake.fun
15 VTUnknownsolana
pyth.airdrpsalerts.sbs
15 VTUnknowninstagram
rewards-binance.app
15 VTUnknownBinance
rexas-token.xyz
15 VTLiveacross
s.airdropsalert.bar
15 VTUnknownbinance
saferevokhelp.com
15 VTLive1inch
sca.airdrpsalerts.click
15 VTUnknownbinance
smartpooliq.xyz
15 VTLive
spaceandtime.airdrpsalerts.click
15 VTUnknownbinance
spendafrica.com
15 VTLivesolana
streamprotocol.app.multiupdate.live
15 VTLivemetamask
suilendfinonce.org
15 VTLivecompound
syembiesis.com
15 VTUnknown
testdomain1928.com
15 VTLiveacross
tornado-cash.cc
15 VTCF Banned
turtleclaimpad.uno
15 VTLivegoogle
turtlefranklin.com
15 VTUnknowndexscreener
turtlefrankline.fun
15 VTUnknowndexscreener
umbraprivacy.io
15 VTLivesolana
uni-distribution.com
15 VTUnknownUniswap
vote-chainlink.com
15 VTLiveaave
w.airdrpsalerts.click
15 VTLivebinance
whop-web3.netlify.app
15 VTLivediscord
wlfi-unlock-box.com
15 VTLivelinkedin
wollrdllberteyflnanclale.info
15 VTLivebinance
worldliberltyfinancial.com
15 VTUnknownlinkedin
wrhyper.com
15 VTLive
www-cakev3pool.com
15 VTUnknownbinance
www-launchcake.com
15 VTUnknownbinance
www-uniswaps.vote
15 VTUnknownUniswap
www.streamprotocol.app.multiupdate.live
15 VTLivemetamask
www.unswp.org
15 VTCF BannedUniswap
xn--moonhot-gpb.com
15 VTUnknownceler
xwg-rewards.games
15 VTUnknownbnb chain
yield.airdrpsalerts.click
15 VTUnknownbinance
yieldblasis.com
15 VTLive
1inch.app-airdropalert.sbs
14 VTUnknown1inch
1ittlepepe.com
14 VTUnknown
67to67billions.com
14 VTUnknownPhantom
aawe.finance
14 VTUnknownbnb chain
ai-trade.live
14 VTLivegemini
airdrop-espresso.bet
14 VTUnknownfoundation
airdrop-gaib.com
14 VTUnknowndiscord
airdrop-onbasebrian.com
14 VTUnknownAirdrop Scam
airdrop-troll.io
14 VTUnknownacross
airdropalert.you
14 VTUnknownAirdrop Scam
allocation-phantom.live
14 VTUnknownPhantom
anniversary-ethereum.com
14 VTUnknownEthereum
app-bullishdegen.com
14 VTLive
app-cowswap-launch.com
14 VTLiveethereum
app-cowswap-v7.com
14 VTLiveethereum
app-giggle.xyz
14 VTLivecoinbase
app-hyper.com
14 VTUnknownaave
app.fulul.xyz
14 VTLivemetamask
appether.fi
14 VTUnknownapple
arbitrum-drip.com
14 VTLiveArbitrum
asterdex-transfer.app
14 VTUnknownbnb chain
asterdex.com-stake.app
14 VTUnknown
asuredefi.com
14 VTUnknownaave
blockchainfx.org
14 VTLiveBlockchain.com
blockchaln.xyz
14 VTLiveethereum
bob.portal-drops.dev
14 VTUnknownbinance
buidlpad.site
14 VTLivediscord
camp-network.com
14 VTUnknown
« Prev 1 2 3 4 5 6 Next » Page 3 of 44