Sanctuary Research

Old phishing asked for a seed phrase. Newer draining often never needs one. The user signs an approval, visits a hijacked frontend, opens a fake revoke page, or installs a fake wallet app. The transaction looks like interaction, not theft, until the assets move.
Blockaid has documented fake revoke pages and frontend hijacking. Kaspersky found fake crypto wallet apps in Apple's App Store. Hacken's 2026 reporting keeps showing the same lesson: the attack surface is no longer only the smart contract.
A drain victim can become a tainted-funds sender without understanding what happened. The stolen assets may pass through routers, bridges, and fresh wallets before touching a venue. If your team only looks for old scam labels, you miss the first wave.
Wallet screening needs to treat recent drain patterns, fresh approval abuse, and known drainer infrastructure as live signals. The goal is to catch the address before the funds become someone else's deposit problem.
When a customer says "I was hacked", do not treat it as a support anecdote. Capture the wallet, time, transaction, token, destination, and any site or app involved. Those details are evidence. They can protect later counterparties and explain why an address became risky.
The crypto front door is now web2 plus web3. DNS, app stores, social ads, wallet approvals, and contracts all sit in the same incident path.
Blockaid, fake revoke sites and Twitter phishing: https://blockaid.io/blog/how-wallet-drainers-use-fake-revoke-sites-and-twitter-phishing-to-exploit-victims
Blockaid, frontend hijacking: https://www.blockaid.io/blog/frontend-hijacking-and-the-web2-attack-surface-threatening-web3-protocols
Kaspersky, fake crypto wallet apps in App Store: https://www.kaspersky.com/about/press-releases/kaspersky-finds-26-fake-crypto-wallet-apps-on-apples-app-store-that-can-drain-digital-assets
Hacken, Q1 2026 security report: https://hacken.io/insights/q1-2026-security-report/
Scam alerts, new sanctions, and investigation techniques. One email per week. Unsubscribe anytime.