Phishing and wallet drainer attacks stole $83.85 million from 106,106 crypto users in 2025, an 83% drop from nearly $494 million the prior year, even as broader crypto scam losses climbed to $17 billion with impersonation tactics growing 1,400% year over year, according to Scam Sniffer’s 2025 annual report and recent Chainalysis figures. The reversal sits alongside a sharp jump in average scam payment and a new Ethereum-native attack vector that did not exist twelve months ago.

Crypto phishing attacks tied to wallet drainers fell to $83.85 million in 2025, down 83% year over year from nearly $494 million in 2024. Chainalysis estimates $17 billion was stolen through crypto scams and fraud in 2025, with impersonation tactics growing 1,400% year over year. The 2024 victim pool did not disappear; it shifted attack rails.

Key Takeaways

Wallet-drainer losses fell to $83.85 million in 2025 (down 83% year over year), with the victim count dropping to 106,106 (down 68%).
Average per-victim loss dropped to $790 in 2025, suggesting a shift toward broader retail-focused campaigns instead of isolated high-profile thefts.
The Inferno Drainer kit victimized more than 30,000 wallets for at least $9 million in losses during the six months ending March 2025, despite a publicly announced shutdown in late 2023.
Phishing-resistant multifactor authentication helps stop over 99% of identity attacks even when the attacker has the correct username and password, per the Microsoft Digital Defense Report 2025.
Address poisoning attempts surged from 628,000 in November 2025 to 3.4 million in January 2026, a 5.5x increase, with Blockaid flagging over 65.4 million poisoning transactions since January 2025.
The FBI IC3 logged roughly 150,000 cryptocurrency-related complaints in 2024, totaling $9.3 billion in losses, a 66% increase from the previous year.
Phishing was the most common cause of breaches at 16% of incidents, with an average cost of $4.8 million and a detection-and-containment window of 254 days, per IBM’s 2025 Cost of a Data Breach.

Editor’s Choice

$83.85 million in total wallet-drainer losses in 2025.
3.8 million phishing attacks tracked by APWG in 2025.
$17 billion stolen via crypto scams and fraud in 2025.
158,000 individual wallet compromises affected roughly 80,000 unique victims in 2025, with $713 million stolen.
Over 65.4 million address-poisoning transactions have been flagged by Blockaid since January 2025.
5 billion emails are scanned daily by Microsoft for malware and phishing threats.
$50 million lost in a single address-poisoning incident in December 2025.

Recent Developments

January 2026: Blockaid recorded 3.4 million address-poisoning attempts in a single month, a 5.5x rise from November 2025.
Q4 2025: APWG observed 853,244 phishing attacks, a 4% decrease from Q3’s 892,494.
Q3 2025: Phishing-related wallet-drainer losses hit $31 million during Ethereum’s strongest rally of the year.
2025: Shortly after Ethereum’s Pectra upgrade, scammers began abusing EIP-7702 in active phishing campaigns.
2025: Check Point Research published its Inferno Drainer “reloaded analysis, documenting active drainer infrastructure despite the kit’s 2023 shutdown announcement.
December 2025: A single victim lost $50 million in USDT to address poisoning 26 minutes after sending a test transaction.

Wallet Drainer Losses by Year

Victims lost close to $500 million from wallet-drainer attacks in 2024, a 67% annual increase from 2023, per Group-IB.
The $494 million lost to wallet drainers in 2024 came from 332,000 wallet addresses, up just 3.7% from 2023 figures.
Total 2025 losses dropped to $83.85 million, with victims falling to 106,106, an 83% decline in dollar losses and a 68% decline in victim count.
The largest single 2025 theft was $6.5 million, down 88.3% from $55.48 million the prior year.
Large cases exceeding $1 million declined 63.3% to 11 incidents in 2025 from 30 the prior year.
The third quarter of 2025 recorded the highest phishing losses at $31 million, with August and September accounting for nearly 29% of annual losses.

Period	Drainer Losses	Victims	Largest Single Theft
2023	~$295 million	~320,000	data not disclosed
2024	$494 million	332,000	$55.48 million
2025	$83.85 million	106,106	$6.5 million
Q3 2025 alone	$31 million	included in annual	included in annual

Source: Scam Sniffer 2025 Annual Crypto Phishing Report; Group-IB Wallet Drainer Knowledge Hub.

By the numbers: Per Scam Sniffer’s 2025 annual report, wallet drainers stole $83.85 million from 106,106 victims, with the largest single theft dropping to $6.5 million from 2024’s $55.48 million. The $1 million+ loss tier shrank from 30 incidents to 11, a structural shift away from whale-targeted thefts toward retail mass campaigns.

Crypto Phishing Victims and Average Loss

Average loss per victim fell to $790 in 2025, signaling a shift toward broader retail-focused campaigns instead of isolated high-profile thefts.
Personal-wallet phishing accounted for $713 million stolen across 158,000 individual incidents in 2025, affecting roughly 80,000 unique victims, per Chainalysis’s stolen-funds analysis.
Average per-victim loss on personal-wallet compromises was about $8,900 in 2025.
The average crypto-scam payment grew from $782 in 2024 to $2,764 in 2025, a 253% year-over-year increase.
AI-enabled scams were 4.5 times more profitable than traditional scams in 2025.

Year	Avg Loss / Victim (drainers)	Avg Scam Payment	Wallet Compromises	Compromise Loss
2024	~$1,486	$782	(baseline)	(baseline)
2025	$790	$2,764	158,000	$713 million

Source: Scam Sniffer 2025 Annual Crypto Phishing Report; Chainalysis 2026 Crypto Crime Report; Chainalysis 2026 Stolen Funds Report.

The data on cryptocurrency wallet adoption growth puts the per-victim figures in context. Wallet ownership has continued expanding even as drainer-specific dollar losses contracted, which dilutes the per-user denominator and helps explain the lower average ticket size.

How much money was stolen in phishing and wallet drainer attacks?

Wallet-drainer phishing losses totaled $83.85 million across 106,106 victims in 2025, while broader crypto scam revenue reached $17 billion the same year. Personal-wallet compromises specifically accounted for $713 million across 158,000 incidents. The drainer-specific drop is real, but the wider scam-and-fraud surface kept expanding.

Inferno Drainer and the Drainer-as-a-Service Market

Inferno Drainer remained fully operational after its publicly announced 2023 shutdown, with smart contracts deployed in 2023 still being used into 2025.
More than 30,000 wallets were victimized by Inferno Drainer in the six months ending March 2025, resulting in at least $9 million in losses.
Inferno Drainer dominated 2024 as the leading kit, holding a market share ranging from 40 to 45% of all crypto drainer hits.
Pink Drainer retired in May 2024 after amassing about $85 million from more than 21,000 victims.
Angel Drainer required a $40,000 deposit from its “customers” plus a 20% fee for use of its phishing service.
Drainer kits typically claim a 20-30% cut of the phishing proceeds in exchange for the turnkey infrastructure.
Check Point Research observed Inferno operators redirecting victims from a legitimate Web3 site to a fake Collab. Land bot, then to a phishing site running the Inferno script directly.

Kit	2024 Market Share	Lifetime Take	Status (2025)
Inferno Drainer	40-45%	$9 million+ (Sept 2024-Mar 2025)	Operational
Pink Drainer	data not disclosed	~$85 million	Retired May 2024
Angel Drainer	data not disclosed	$40,000 entry + 20% fee	Operational

Source: Group-IB Wallet Drainer Knowledge Hub; Check Point Research, May 2025.

What is Inferno Drainer?

Inferno Drainer is a crypto wallet phishing kit using short-lived smart contracts, on-chain encrypted configurations, and proxy-based communication to bypass wallet security mechanisms and anti-phishing blacklists. It operates on a drainer-as-a-service model, claiming a 20-30% cut of phishing proceeds.

The kit’s affiliates frequently impersonate household names, including Microsoft and other widely-trusted enterprise vendors.

EIP-7702 Phishing Attacks After Ethereum’s Pectra Upgrade

Ethereum‘s Pectra upgrade in 2025 introduced EIP-7702, which allows multiple actions to be bundled into one signature.
Within weeks of the upgrade, scammers began abusing EIP-7702, with several campaigns causing millions in losses.
Permit and Permit2 approvals remained the most effective tools for attackers in 2025, accounting for 38% of losses in cases exceeding $1 million.
A single approved EIP-7702 signature now grants what previously required several discrete authorizations.
The drainer ecosystem remains active, with new kits emerging to fill gaps left by retired operators.

Event	Date	Loss Profile
Pectra upgrade activates EIP-7702	May 2025	n/a
First EIP-7702 drainer campaigns observed	Within weeks of Pectra	Several million combined
Permit/Permit2 share of losses exceeding $1 million	Full-year 2025	38%

Source: Scam Sniffer 2025 Annual Crypto Phishing Report.

Key data point: Per Scam Sniffer, 38% of losses in cases exceeding $1 million came through Permit and Permit2 approvals in 2025. EIP-7702 added a second consolidated-signing rail; its full annual impact will only become visible in the 2026 data, since the mechanism did not exist before May 2025.

What is EIP-7702, and why is it being exploited?

EIP-7702 is an Ethereum proposal activated in the 2025 Pectra upgrade that allows multiple actions to be bundled into a single signature. The convenience of one-click batched authorizations has a flip side: a single signed transaction can now grant broad delegation that previously required several discrete approvals. Scam Sniffer documented campaigns abusing this mechanism within weeks of activation, with several causing millions in losses. Protocol-level upgrades that aggregate signing power compress the attacker’s window of opportunity into a single click.

Address Poisoning Attack Volume and Single-Victim Losses

Poisoning attempts surged from 628,000 in November 2025 to 3.4 million in January 2026, a 5.5x increase, per Blockaid.
Blockaid flagged over 65.4 million address-poisoning transactions since January 2025, averaging more than 160,000 per day.
A single address-poisoning attack in December 2025 resulted in $50 million in USDT losses when a victim copied a spoofed address just 26 minutes after a test transaction.
In May 2025, one trader lost $2.6 million to address poisoning using zero-value transfers that require no private-key signatures.
Zero-value-transfer poisoning techniques have secured over $83 million in confirmed losses across the Ethereum and BNB blockchains.
Carnegie Mellon CyLab researchers identified 270 million address-poisoning attempts targeting 17 million victims between July 2022 and June 2024, with confirmed losses of $83.8 million.

Blockchain Address Poisoning Attempt Trends

Key finding: Per Blockaid’s telemetry, the December 2025 $50 million address-poisoning incident triggered just 26 minutes after the victim sent a test transaction, attackers are now monitoring the mempool for the exact security practice users are taught to follow, then planting poisoned addresses in real time.

The on-chain footprint of this vector overlaps heavily with ETH mainnet activity, where the dominant share of high-value transactions makes mempool monitoring economically viable for attackers.

What is address poisoning?

Address poisoning is a wallet-targeting phishing technique in which attackers monitor mempool activity and send small or zero-value transactions to victims’ wallets to plant a spoofed address that may later be reused. Carnegie Mellon researchers identified 270 million attempts targeting 17 million victims between July 2022 and June 2024. The mechanism exploits a UX shortcut, copying addresses from history rather than re-pasting them, that wallet interfaces actively encourage, which is why the technique scales so well.

Permit and Permit2 Approval Attacks

Permit and Permit2 approvals remained the most effective tools for attackers in 2025, accounting for 38% of losses in cases exceeding $1 million.
The shift in attacker tactics tracked market cycles, with losses rising during periods of higher on-chain activity and easing as markets cooled.
Q3 2025 phishing losses reached $31 million, coinciding with Ethereum’s strongest rally of the year.

Crypto Approval Mechanisms And Loss Distribution

The takeaway: Permit-style signatures remain attacker-friendly because they grant durable spending rights without an obvious on-chain transaction, the malicious approval can sit dormant in a victim’s wallet for weeks before being exercised, making detection-and-revoke playbooks structurally reactive.

APWG Phishing Volume by Quarter

APWG observed 853,244 phishing attacks in Q4 2025, a 4% decrease from Q3 2025’s 892,494.
Q2 2025 saw 1,130,393 attacks, the largest quarterly total since Q2 2023.
APWG tracked 3.8 million phishing attacks during 2025, up slightly from 3.76 million in 2024.
SMS phishing volume rose during Q4 2025, while QR-code phishing decreased by 9%.
Social media platforms accounted for 30.5% of all phishing activity in 2025.

Phishing Attacks by Targeted Sector

Social media and SaaS/webmail were each among the sectors most attacked by phishing in Q4 2025, each suffering 20.3% of all phishing attacks.
The finance sector was the primary target 35.5% of the time, followed by retail at 17.7% and the federal sector at 15.7%.
Social media threats in 2025 were predominantly scams and impersonation, which together accounted for 86% of all confirmed threats.

Phishing Attack Share By Industry Sector

By the numbers: Per APWG’s Q4 2025 trends report, social media and SaaS/webmail tied at 20.3% of total phishing attacks each, while inside the social-media surface, 86% of confirmed threats were scams and impersonation, the same impersonation surge Chainalysis tracked at 1,400% YoY.

Business Email Compromise BEC Volume and Wire-Transfer Sizes

Fortra identified a 136% increase in wire-transfer attempts in BEC attacks during Q4 2025, with the average request amount rising to $50,297.
The Scripted Sparrow threat group sends as many as 6 million targeted BEC emails each month, making it the most prolific BEC actor worldwide.

Metric	Q4 2025
BEC wire-transfer attempts (YoY change)	+136%
Average wire-transfer request	$50,297
Scripted Sparrow monthly email volume	6 million

Source: APWG Phishing Activity Trends Report Q4 2025; Fortra BEC analysis embedded in APWG report.

FBI IC3 Cryptocurrency Fraud Complaints

Total US cybercrime complaints reached 859,532 in 2024 with losses of $16.6 billion, a 33% increase from 2023, per the FBI Internet Crime Complaint Center.
Nearly 150,000 complaints involved digital assets, amounting to $9.3 billion in losses, a 66% increase from the previous year.
Cryptocurrency investment fraud, often called pig butchering, accounted for $5.8 billion in damages across 41,557 complaints.
Phishing remained the most reported cybercrime category in 2024, with 193,407 complaints, and the reported financial impact jumped to $70 million, nearly quadrupling year over year.
California, Texas, and Florida produced the most complaints in 2024, according to the 2024 IC3 report.

Metric	2024	YoY Change
Total IC3 complaints	859,532	up
Total reported losses	$16.6 billion	+33%
Crypto-related complaints	~150,000	up
Crypto-related losses	$9.3 billion	+66%
Crypto investment fraud (pig butchering)	$5.8 billion / 41,557 complaints	up
Phishing complaints	193,407	down in volume
Phishing-reported losses	$70 million	~4x increase

Source: FBI Internet Crime Complaint Center, 2024 Annual Internet Crime Report.

Why it matters: Per the FBI IC3, crypto-investment fraud losses of $5.8 billion across 41,557 complaints average roughly $140,000 per filed complaint, an order of magnitude higher than typical phishing-only losses, reflecting how pig-butchering schemes drain accumulated savings rather than single-session balances.

The downstream offramps for funds drained through these channels concentrate on regulated venues, which is why analyzing cryptocurrency exchanges and their KYC postures has become central to tracking recovery rates and chokepoint regulation.

IBM Cost of a Phishing Breach

Phishing was the most common cause of breaches at 16% of incidents, with an average cost of $4.8 million, per the IBM 2025 Cost of a Data Breach report.
Phishing breaches take an average of 254 days to detect and contain.
Generative AI cut the time to write a convincing phishing email from as long as 16 hours to just 5 minutes.
1 in 6 breaches involved attackers using AI, most commonly for phishing (37%) and deepfake impersonation (35%).
The global average cost of a data breach fell 9%, from $4.88 million in 2024 to $4.44 million in 2025.
The US average cost of a breach hit $10.22 million, driven by regulatory fines and slower detection times.

Metric	2024	2025
Phishing share of all breaches	(baseline)	16%
Avg cost of phishing breach	(baseline)	$4.8 million
Detection-and-containment time	(baseline)	254 days
Global avg breach cost	$4.88 million	$4.44 million
US avg breach cost	(baseline)	$10.22 million
AI-assisted breaches	(baseline)	1 in 6

Source: IBM Cost of a Data Breach Report 2025 (Ponemon Institute methodology, 600 organizations).

Key finding: Per IBM’s 2025 study, generative AI compressed phishing email drafting from 16 hours to 5 minutes, and 1 in 6 breaches now involves AI on the attacker side, with phishing (37%) and deepfake impersonation (35%) as the dominant use cases. Our breach cost tracking reveals a gap that keeps widening: breach costs climb roughly 10% annually while security budgets grow at about half that rate.

Adopting cyber insurance has become a complementary financial control for enterprises that have absorbed multiple phishing-triggered breaches, since policy economics now price phishing exposure as a default class.

Microsoft Digital Defense Identity Attack Volume

More than 97% of identity attacks are password attacks, and identity-based attacks surged by 32% in the first half of 2025, per the Microsoft Digital Defense Report 2025.
97% of identity attacks are password-spray attacks.
Microsoft scans 5 billion emails for malware and phishing threats daily.
Phishing-resistant multifactor authentication helps stop over 99% of identity attacks even when the attacker has the correct username and password.
over 52% of cyberattacks with known motivations are driven by extortion and ransomware, while espionage accounts for just 4%.
In 80% of incidents, attackers aimed to steal data.

Metric	Value
Identity attacks (% password-based)	97%
Identity attacks H1 2025 YoY change	+32%
Daily emails scanned (Microsoft)	5 billion
Phishing-resistant MFA stop rate	over 99%
Cyberattacks driven by extortion/ransomware	52%+
Espionage share	4%
Data-theft motivation	80% of incidents

Source: Microsoft Digital Defense Report 2025.

The human element was a factor in approximately 60% of breaches, encompassing social engineering, user error, and privilege misuse, per the Verizon 2025 DBIR.
22% of breaches began with credential abuse, and 16% began with phishing.
88% of Basic Web Application attacks involved stolen credentials.
The 2025 DBIR analyzed over 22,000 security incidents, of which more than 12,000 were confirmed data breaches.
Breaches involving external partners doubled year over year to 30% of all breaches, up from 15% in 2024.
Weak MFA using one-time codes, number-matching, and push notifications is being bypassed at scale, with the DBIR documenting prompt bombing, token theft, MFA interrupt, and adversary-in-the-middle attacks.

Cyber Breach Initial Access Vector Analysis

Is MFA enough to stop crypto phishing?

Phishing-resistant MFA helps stop over 99% of identity attacks even with correct credentials in hand, per Microsoft, but weak MFA using one-time codes and push notifications is being bypassed at scale through prompt bombing, token theft, and adversary-in-the-middle attacks, per the Verizon DBIR. The implementation matters as much as the label. SMS-based or push-only MFA leaves measurable residual risk, while hardware-key or passkey-based factors close most of the gap.

Top Impersonated Brands in Crypto Phishing

Social media and SaaS/webmail tied at 20.3% of all phishing attacks each in Q4 2025.
Microsoft scanned 5 billion emails daily for phishing in 2025. Its consumer and enterprise brands sit among the most-impersonated targets observed in industry reporting.
Threats on social media in 2025 were predominantly scams and impersonation, together accounting for 86% of all confirmed threats.

Impersonated Sector	Q4 2025 Phishing Share
Social media	20.3%
SaaS / webmail	20.3%
Finance	35.5% (primary-target metric)
Retail	17.7%
Federal	15.7%

Source: APWG Phishing Activity Trends Report Q4 2025; Microsoft Digital Defense Report 2025.

Beyond the SaaS-and-social cluster, phishing campaigns increasingly weaponize brand familiarity around payment rails, productivity suites, and crypto-native interfaces like MetaMask, where a single misclicked update prompt can launch a drainer signing flow.

Where Drained Crypto Funds Offramp

Chainalysis estimates illicit crypto addresses received at least $154 billion in 2025, a 162% year-over-year increase.
A widespread “E-ZPass” phishing campaign targeted millions of Americans using the electronic road-toll system in 2025, with operators loading stolen credit cards onto mobile wallets.
Gary Warner, Director of Intelligence at DarkTower, is tracking eight major Chinese-language “Crime-as-a-Service” groups on Telegram, each offering iMessage and RCS phishing services.
The goal of these Telegram-coordinated phishing campaigns is to load credit cards onto mobile wallets, then deploy to a network of shoppers who facilitate trade-based money laundering.

Offramp Channel	2025 Indicator
Illicit-address inflow (Chainalysis)	$154 billion (+162% YoY)
CaaS Telegram groups (DarkTower)	8 major Chinese-language operators tracked
Dominant secondary use	Mobile-wallet card-load + reshipper laundering

Source: Chainalysis 2026 Crypto Crime Report; Chainalysis 2026 Crypto Scams chapter.

Key data point: Per Chainalysis, illicit crypto addresses received at least $154 billion in 2025, a 162% rise from 2024 that captures the full laundering surface, of which wallet-drainer proceeds are a small fraction. Drained funds typically pass through chain-hopping, mixers, or non-KYC venues before settling, with the offramp profile heavily influenced by the dark web marketplaces that intermediate cash-out.

AI-Generated Phishing and Voice-Cloning Volume

Generative AI cut phishing email drafting from 16 hours to 5 minutes, dramatically increasing both scale and personalization, per IBM.
1 in 6 breaches involved attackers using AI, with phishing (37%) and deepfake impersonation (35%) as the leading use cases.
Threat actors are turning to AI to scale phishing and automate intrusions, according to the Microsoft Digital Defense Report 2025.
AI-enabled scams were 4.5 times more profitable than traditional scams in 2025.

AI Phishing Indicator	Value	Source
Email drafting time (pre-AI -> AI)	16 hours -> 5 minutes	IBM 2025
Breaches involving attacker AI	1 in 6	IBM 2025
AI use within attacker AI breaches: phishing	37%	IBM 2025
AI use within attacker AI breaches: deepfake impersonation	35%	IBM 2025
AI-enabled scam profitability vs traditional	4.5x	Chainalysis 2026

Source: IBM Cost of a Data Breach Report 2025; Microsoft Digital Defense Report 2025; Chainalysis 2026 Crypto Crime Report.

The attacker’s marginal cost per personalized lure approaches zero while the defender’s per-incident response cost stays flat. The deepfake side of this equation deserves its own treatment; see our Deepfakes data for the synthetic-media surface that increasingly accompanies AI-assisted phishing.

Common Questions

Which countries are most affected by crypto phishing?

Within the United States, the FBI IC3 received the most cybercrime complaints in 2024 from California, Texas, and Florida, and the US alone reported $9.3 billion in cryptocurrency-related losses across roughly 150,000 complaints that year. Gary Warner, Director of Intelligence at DarkTower, tracks eight major Chinese-language Crime-as-a-Service groups on Telegram that operate iMessage and RCS phishing infrastructure targeting users globally, per Chainalysis. Country-level distribution skews toward jurisdictions with the highest crypto adoption and the most accessible electronic-payment rails.

How can I protect my crypto wallet from a drainer attack?

Adopting phishing-resistant multifactor authentication helps stop over 99% of identity attacks even when the attacker has the correct credentials, per Microsoft. Standard SMS-based or push-notification MFA is being bypassed at scale through prompt bombing, token theft, and adversary-in-the-middle attacks, per the Verizon DBIR. Permit and Permit2 approvals drove 38% of losses in cases exceeding $1 million in 2025, so periodically revoking unused token approvals materially reduces a wallet’s standing exposure. Hardware wallets, transaction-warning browser extensions, and revoking dormant approvals after each campaign cycle form the practical baseline; nothing eliminates the risk, but each layer compresses it.

Conclusion

The 2025 data tells two stories at once. Wallet-drainer losses fell sharply to $83.85 million from nearly $494 million the year before, victim counts dropped to 106,106, and the largest single theft shrank from $55.48 million to $6.5 million, a reset on the whale-targeting era. At the same time, broader crypto scams reached $17 billion, impersonation tactics grew 1,400% year over year, and address-poisoning attempts surged to 3.4 million per month by January 2026. The attacker economy did not contract; it diversified.

For the year ahead, three forces will shape the trajectory: the adoption rate of phishing-resistant MFA, which Microsoft reports stops over 99% of identity attacks even when attackers hold correct credentials though the stop figure only translates into protection when the control is actually deployed, how wallet providers respond to EIP-7702 abuse following Ethereum’s Pectra upgrade, and whether Web3 transaction-warning tools, including Blockaid, Pocket Universe, and Wallet Guard, can keep pace with mempool-aware poisoning techniques like the one behind December 2025’s $50 million single-victim incident. The volume side of the curve, not the dollar side, is where the next twelve months will be measured.