Daily Vecsignal - StepDrainer: The Multichain Malware Emptying Crypto Wallets Worldwide
May 01, 2026 | VECS News
Cybersecurity researchers have identified a rapidly evolving threat sweeping through the cryptocurrency ecosystem. A malware-as-a-service platform called StepDrainer is actively draining wallets across more than 20 blockchain networks, including Ethereum, BNB Chain, Arbitrum, Polygon, and at least 17 other chains. The operation has already stolen over $800,000 from more than 500 Ethereum wallets in just the past 24 hours, according to on-chain data compiled by Cryptopolitan.
StepDrainer operates as a sophisticated drainer kit sold on underground marketplaces. The tool uses fake but highly realistic Web3 wallet pop-ups that mimic legitimate interfaces such as Web3Modal wallet connections. When unsuspecting users connect their wallets, believing they are interacting with a trusted platform, StepDrainer immediately scans for the most valuable tokens and automatically transfers them to attacker-controlled addresses. The malware prioritizes high-value assets first, ensuring maximum financial damage before victims realize what has happened.
What makes StepDrainer particularly dangerous is its abuse of legitimate smart contract tools. The malware misuses established protocols, including Seaport and Permit v2, to generate wallet approval pop-ups that appear completely normal to the average user. However, the transaction details shown in these pop-ups are entirely fabricated. In one documented case, researchers found that victims saw a fake message claiming they were receiving +500 USDT, which made the approval request seem harmless, when in fact they were granting unlimited spending permissions to the attacker.
The technical sophistication of StepDrainer represents a significant evolution in crypto theft. The malware loads its harmful code through dynamically changing scripts rather than static files that can easily be scanned. It retrieves its operational configuration from decentralized on-chain accounts, meaning the malicious code is not stored in any single fixed location. This distributed architecture helps the attackers evade traditional signature-based security tools, because there is no consistent file or pattern for antivirus software to recognize and block.
A particularly alarming pattern has emerged from the on-chain analysis. Researchers using the handle Wazz discovered that many of the drained wallets had been inactive for over seven years. These long-dormant wallets likely belonged to early adopters who had forgotten about their holdings or lost access. The attackers systematically targeted these forgotten assets and, after draining them, converted the stolen funds via ThorChain, a cross-chain decentralized exchange that offers its users anonymity. This technique makes tracking the stolen money significantly more difficult for law enforcement and blockchain analysts.
The threat landscape is shifting dramatically through what researchers call a progressive convergence. According to a LevelBlue SpiderLabs report, traditional malware infrastructure once dedicated to credential theft is being repurposed to host wallet-phishing content. Actors traditionally associated with commodity malware operations have begun incorporating drainer tooling as an additional revenue stream. This means that even users who never visit crypto-specific websites can still be compromised if their computer is infected by any form of malware that now includes crypto-draining capabilities as part of its standard toolkit.
StepDrainer is not operating alone. Researchers have identified another threat called EtherRAT, which represents a different but equally dangerous attack vector. EtherRAT is Windows-based malware that targets users through a trojanized version of the legitimate Tftpd64 network administration tool. Users who unknowingly download the fake installer receive a bundle containing hidden Node.js components alongside the legitimate software. EtherRAT establishes persistence through Windows registry keys, ensuring it runs automatically whenever the victim logs in. Once active, it performs quiet system reconnaissance using PowerShell to collect information about antivirus products, system settings, domain details and hardware before initiating crypto theft.
Security professionals warn that the separation between traditional cybercrime and crypto-focused attacks has effectively eroded over the past two years. The LevelBlue report explains that infrastructure once dedicated exclusively to credential theft is now routinely repurposed to host wallet-phishing content. This convergence means that any compromised workstation or browser extension, regardless of whether the organization maintains a corporate crypto footprint, can serve as a foothold for broader intrusion. Crypto drainers are no longer a niche Web3 problem. They represent a broad threat category with meaningful implications for enterprise security.
For cryptocurrency investors, the implications are direct and severe. The malware-as-a-service model means that technical skill is no longer a barrier to entry for aspiring crypto thieves. Ready-made drainer kits are sold on underground marketplaces, allowing attackers with minimal technical knowledge to launch sophisticated multichain theft operations. This democratization of hacking tools has dramatically increased the volume and frequency of wallet-draining attacks. Investors must assume that any website requesting a wallet connection could be malicious and that any approval signed without careful review could result in total loss of funds.
Security experts have issued clear guidance for protecting against StepDrainer and similar threats. Users should always verify the domain name of any website before connecting their wallet, paying close attention to subtle misspellings or unusual top-level domains. Before signing any transaction, users must read the transaction details carefully and never rely solely on the visual appearance of wallet pop-ups. Most importantly, users should regularly review and revoke unlimited token approvals using tools such as Etherscan's token approval checker or similar services for other blockchains. Removing unused approvals eliminates a common attack vector that drainers actively exploit.
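The advice above to read the transaction details rather than the pop-up, and the earlier "+500 USDT" case in which the bytes actually granted an unlimited approval, come down to one habit: decode what is being signed and compare it with what the screen claims. The following is an added, illustrative example, not code from the article or from any wallet vendor. It decodes the ABI calldata of the two standard on-chain approval calls (ERC-20 `approve`, ERC-721/ERC-1155 `setApprovalForAll`) and inspects the fields of a Uniswap Permit2 `PermitSingle` typed-data message (the article's "Permit v2"), flagging unlimited amounts, unknown spenders and far-off expirations. The selectors `095ea7b3` and `a22cb465` are the real ones for those signatures; every address, prompt string and calldata value is constructed for the demonstration, and the "trusted spenders" allowlist is a hypothetical input the user or wallet would maintain.

```python
# Added example (not from the article or any vendor): a pre-signature audit that
# decodes approval calldata and inspects a Permit2 typed-data message, flagging
# the unlimited or over-broad grants the article describes. All addresses,
# calldata and prompt text below are constructed for illustration.

MAX_UINT256 = 2**256 - 1
MAX_UINT160 = 2**160 - 1          # Permit2 allowance amounts are uint160

# First 4 bytes of keccak256(function signature), as wallets show in raw calldata.
SELECTORS = {
    "095ea7b3": "approve(address,uint256)",          # ERC-20 allowance
    "a22cb465": "setApprovalForAll(address,bool)",   # ERC-721 / ERC-1155 operator
}


def decode_approval(calldata: str) -> dict:
    """Decode an approval transaction's calldata into the grant it really makes."""
    data = bytes.fromhex(calldata.removeprefix("0x"))
    selector = data[:4].hex()
    signature = SELECTORS.get(selector)
    if signature is None:
        return {"kind": "other", "selector": selector}
    if len(data) != 4 + 2 * 32:
        raise ValueError("malformed ABI encoding: expected two 32-byte words")
    # ABI-encoded address: 12 zero bytes of padding followed by the 20 address bytes.
    target = "0x" + data[4 + 12:36].hex()
    word2 = int.from_bytes(data[36:68], "big")
    if signature.startswith("approve("):
        return {"kind": "erc20_approve", "spender": target,
                "amount": word2, "unlimited": word2 == MAX_UINT256}
    return {"kind": "set_approval_for_all", "operator": target,
            "approved": word2 == 1}


def audit_calldata_against_prompt(prompt_text: str, calldata: str,
                                  trusted: set[str]) -> list[str]:
    """Compare what the pop-up claims with what the bytes actually do."""
    findings = []
    grant = decode_approval(calldata)
    if grant["kind"] == "other":
        return findings
    # A prompt advertising an incoming transfer cannot be satisfied by an approval.
    claims_receipt = "+" in prompt_text or "receiv" in prompt_text.lower()
    if claims_receipt:
        findings.append("prompt describes an incoming transfer, but calldata is an approval")
    target = grant.get("spender") or grant.get("operator")
    if target.lower() not in trusted:
        findings.append(f"approval target {target} is not a known contract")
    if grant.get("unlimited"):
        findings.append("ERC-20 allowance is unlimited (2**256-1)")
    if grant.get("approved"):
        findings.append("setApprovalForAll grants the operator every token in the collection")
    return findings


def audit_permit2(typed_data: dict, trusted: set[str], now: int) -> list[str]:
    """Inspect the EIP-712 message of a Permit2 PermitSingle before signing it.
    Field names follow Permit2's PermitSingle / PermitDetails structs."""
    findings = []
    msg = typed_data["message"]
    details = msg["details"]
    if msg["spender"].lower() not in trusted:
        findings.append(f"Permit2 spender {msg['spender']} is not a known contract")
    if int(details["amount"]) == MAX_UINT160:
        findings.append("Permit2 amount is the uint160 maximum (unlimited)")
    if int(details["expiration"]) > now + 30 * 24 * 3600:
        findings.append("Permit2 expiration is more than 30 days away")
    if int(msg["sigDeadline"]) > now + 3600:
        findings.append("sigDeadline leaves the signature submittable for over an hour")
    return findings


# --- constructed sample inputs (illustrative placeholders, not real addresses) ---
ATTACKER = "0x" + "11" * 20
TRUSTED_SPENDERS = {"0x" + "22" * 20}
# approve(ATTACKER, 2**256-1): selector + left-padded address + all-0xff amount
UNLIMITED_APPROVE = "0x095ea7b3" + "00" * 12 + "11" * 20 + "ff" * 32
FAKE_PROMPT = "You are receiving +500 USDT"

PERMIT2_MESSAGE = {
    "primaryType": "PermitSingle",
    "message": {
        "details": {"token": "0x" + "33" * 20, "amount": str(MAX_UINT160),
                    "expiration": str(2**48 - 1), "nonce": "0"},
        "spender": ATTACKER,
        "sigDeadline": str(2**48 - 1),
    },
}

if __name__ == "__main__":
    for f in audit_calldata_against_prompt(FAKE_PROMPT, UNLIMITED_APPROVE, TRUSTED_SPENDERS):
        print("calldata:", f)
    for f in audit_permit2(PERMIT2_MESSAGE, TRUSTED_SPENDERS, now=1_777_600_000):
        print("permit2:", f)
```

The two checks cover different signing paths. Calldata inspection catches on-chain `approve` and `setApprovalForAll` transactions, which is what Etherscan-style approval checkers later show you as standing allowances. Permit2 and Seaport prompts are often off-chain EIP-712 signatures that never appear as a transaction from your wallet, so the typed-data fields (spender, amount, expiration, deadline) have to be read directly, which is why the second function exists. Running such an audit before signing, and revoking what it flags afterwards, is the practical form of the "read the details, not the pop-up" guidance.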
The bottom line for the crypto industry is sobering. StepDrainer demonstrates that the threat landscape has fundamentally transformed. Attackers now combine traditional malware distribution with blockchain-native theft techniques, creating hybrid attacks that can compromise users through multiple vectors simultaneously. The convergence of Web2 and Web3 threats means that security can no longer be siloed. Investors need to protect not only their on-chain practices but also their general computing hygiene. A single malware infection on a desktop computer can now lead to the complete loss of crypto assets stored in hardware wallets if the malware can intercept and modify transaction details before they are signed. The age of hybrid crypto threats has arrived.