StepDrainer and EtherRAT Drain Crypto Wallets Across 20+ Networks, Stealing $800K+
Crypto thieves are getting more organized, more automated, and a whole lot uglier. New research shows StepDrainer drains crypto wallets across 20+ networks, while EtherRAT is quietly infecting Windows machines through a fake installer and turning them into crypto targets.
- StepDrainer hits Ethereum, BNB Chain, Arbitrum, Polygon, and 17+ other networks
- Fake Web3 prompts and malicious approvals are used to trick victims
- EtherRAT disguises itself as a legitimate Windows tool and hides Node.js inside
- 500+ Ethereum wallets were reportedly drained in 24 hours
- More than $800,000 was stolen and routed through ThorChain
According to cybersecurity researchers at LevelBlue, StepDrainer is a malware-as-a-service crypto wallet drainer, which is exactly as grim as it sounds: a ready-made theft kit sold in the underground market so scammers can launch attacks without building the machinery themselves. It uses fake Web3 wallet pop-ups and manipulated approval screens to convince users to sign away control of their tokens. Once a wallet is connected, it goes straight for the most valuable assets first and automatically sends them to attacker-controlled wallets. Efficient? Sure. Shameless? Obviously.
For readers less deep in the weeds, a wallet drainer is malware or scam infrastructure designed to trick someone into approving a transfer or giving away permissions that let an attacker move funds later. In crypto, that approval can be every bit as dangerous as handing over the keys.
The reach is broad. StepDrainer targets wallets across Ethereum, BNB Chain, Arbitrum, Polygon, and at least 17 other networks. That makes this more than a one-chain nuisance; it is a cross-chain theft system built to exploit one of crypto’s biggest weak points: trust in wallet prompts. Some of the fake screens even imitate Web3Modal connection prompts, which many users will recognize as the standard front door to a dApp. In these attacks, the front door is just painted onto a wall.
“A crypto-stealing tool called StepDrainer is draining money from wallets across Ethereum, BNB Chain, Arbitrum, Polygon, and at least 17 other networks.”
What makes the campaign especially nasty is how normal the malicious approvals can look. StepDrainer abuses legitimate smart contract tools like Seaport and Permit v2 to make the wallet approval pop-ups seem routine. Seaport is a widely used marketplace protocol, especially tied to NFT trading, and Permit v2 is a token approval mechanism that lets apps request permissions more efficiently. In the hands of a thief, both become costume pieces in a very expensive con.
“StepDrainer misuses real smart contract tools like Seaport and Permit v2 to show wallet approval pop-ups that look normal.”
In one case, researchers found victims were shown a fake message saying they were receiving “+500 USDT,” which made the approval appear harmless. That is the sort of bait scammers love: a tidy little reward prompt that nudges people into clicking before they think. A fake gain is still a theft attempt wearing a party hat.
“In one case, cybersecurity researchers found that victims saw a fake message saying they were receiving ‘+500 USDT,’ making the approval look safe.”
LevelBlue says the payload is delivered through changing scripts and decentralized on-chain accounts, making it harder to block than the usual single-domain phishing page. That matters because defenders can blacklist a website; it is much harder to stop a scheme that keeps shifting its skin and leans on decentralized infrastructure. Researchers also noted there is a mature underground market for ready-made drainer kits, which means low-skill criminals can buy their way into high-skill theft. Crime-as-a-service: the worst subscription model on the internet.
“Researchers said there is a developed underground market selling ready-made drainer kits.”
StepDrainer is only part of the mess. Researchers also identified EtherRAT, a separate malware strain with a different delivery method but the same goal: compromise a machine, stay hidden, and steal crypto. EtherRAT targets Windows users using a fake version of Tftpd64, a network admin tool, and hides Node.js inside a fake installer. It persists through the Windows registry and uses PowerShell to inspect the system, which gives it the kind of persistence that makes cleanup annoying and infection quiet.
“EtherRAT hides Node.js inside a fake installer, makes sure it stays on the computer through the Windows registry, and uses PowerShell to check the system.”
EtherRAT originally targeted Linux and has now expanded to Windows. That shift matters. It suggests the operators are broadening their attack surface and going after the huge pool of users who still download tools, plug-ins, or installers without checking whether the file came from a legitimate source. Windows users, in particular, remain prime prey if they treat every installer like a harmless utility instead of a potential payload delivery system.
The wider loss figures show how quickly these tactics can scale. According to a recent Cryptopolitan report, over 500 Ethereum wallets were drained in the past 24 hours, with more than $800,000 siphoned out and then swapped via ThorChain. ThorChain is a cross-chain liquidity protocol, which is useful for legitimate asset movement but also handy for criminals who want to shuffle stolen funds across networks fast. Decentralized rails do not care whether the user is a trader or a thief; the chain just settles the transaction and moves on.
“According to a recent Cryptopolitan report, over 500 Ethereum wallets have been drained in the past 24 hours.”
“The attacker siphoned more than $800K in crypto assets and then swapped the funds via ThorChain.”
On-chain researcher Wazz noted that many of the drained wallets had been inactive for more than seven years. That detail is important. Dormant wallets are often assumed to be low-risk, but old approvals, forgotten browser wallets, stale permissions, and long-lost seed phrases can turn them into easy targets. An inactive wallet is not a protected wallet; it is often just an unattended one.
There is also a bigger lesson here about how crypto security actually fails. Most thefts do not require breaking the blockchain. They exploit the human layer around it: fake prompts, misleading interface design, rushed clicks, and users who do not understand what they are signing. That is why “self-custody” is powerful but unforgiving. The chain is secure; your wallet habits may not be.
That does not mean crypto is broken. It means the attack surface is real, and pretending otherwise is just marketing fluff with a lower IQ. Open systems let anyone transact permissionlessly, which is the point. They also let attackers build convincing traps around that freedom. The upside is financial sovereignty. The downside is that one sloppy signature can become a very expensive lesson.
Users trying to stay safe should follow the boring advice that keeps proving useful: verify site domains, inspect every transaction detail before signing, and revoke unlimited token approvals whenever possible. Unlimited approvals are convenient, but they also hand a contract broad access to your tokens if something goes wrong. Convenient is not the same as safe, and in crypto that distinction can cost real money.
- What is StepDrainer?
  A crypto wallet drainer sold as malware-as-a-service that uses fake wallet prompts and malicious approvals to steal tokens across multiple blockchains.
- How does StepDrainer trick victims?
  It mimics legitimate Web3 wallet pop-ups and smart contract approval flows, sometimes even showing fake rewards like “+500 USDT” to make a malicious action seem safe.
- What is EtherRAT?
  A separate malware strain that targets Windows users, hides inside a fake installer, and uses registry persistence plus PowerShell to remain active.
- Why are fake approvals so dangerous?
  Because signing a transaction can grant permissions to move tokens later, not just approve one harmless action. That permission can be abused to drain a wallet.
- How were the stolen funds moved?
  The stolen crypto was swapped through ThorChain, a cross-chain liquidity protocol that can help move assets between networks quickly.
- Why are old wallets being targeted?
  Inactive wallets may still carry old approvals or forgotten access paths, making them easy targets if the owner is not watching closely.
- What should users do to protect themselves?
  Check the domain, read every transaction before signing, avoid unlimited approvals where possible, and revoke permissions you no longer need.
Industrialized crypto crime is not a theory anymore; it is a business model. The good news is that the industry is getting better at spotting these schemes. The bad news is that scammers are also getting better, and they have zero shame, zero ethics, and apparently no shortage of reinvested stolen funds.