Angel Drainer
A wallet-drainer-as-a-service operation (≈85/15 affiliate/developer split) specialized in EVM chains. Most notably, Angel Drainer malware was used in the December 2023 Ledger Connect Kit supply-chain attack, which drained roughly $500K–$600K from DeFi users in a few hours.
Also known as: Angel Drainer, Angel X Drainer
Overview
Angel Drainer was a "malware-as-a-service" wallet drainer focused on EVM chains. Like other drainer crews it gave affiliates ready-made infrastructure — on-demand smart contracts and tailored malicious transactions designed to sweep funds when a victim signs an approval, "permit," or fake "claim." Per Ledger's incident report, proceeds were split roughly 85% to the affiliate and 15% to Angel Drainer. [1][2]
Ledger Connect Kit attack
Angel Drainer is best known for the December 14, 2023 supply-chain compromise of Ledger's "Connect Kit," a JavaScript library used by hundreds of dApps. A phishing attack on a former Ledger employee's npm credentials let attackers publish malicious versions (1.1.5–1.1.7) carrying the Angel Drainer payload; because many sites loaded the library from a CDN, the malicious code executed widely and automatically. The active draining lasted about two hours and stole roughly $500,000–$600,000 before Ledger pushed a clean version. [1][2]
Bracketed numbers refer to the numbered sources listed below.
Linked scams & cases
- Ledger Connect Kit hackDrainer used in the attackProjectsA December 2023 software supply-chain attack: a phished former Ledger employee's npm key let attackers publish malicious versions of Ledger's widely used 'Connect Kit' library, injecting the Angel Drainer into many dApps. About $500K–$600K was drained in a few hours before a fix shipped.
- Inferno DrainerRelatedOrganizations & groupsA 'drainer-as-a-service' operation that rented phishing/wallet-draining software to affiliates for a ~20% cut. Group-IB and Scam Sniffer say it stole roughly $80M+ from ~137,000 victims (Nov 2022–Nov 2023) by spoofing 100+ Web3 brands; it later resumed activity.
Sources (2)
See also
- Monkey DrainerOrganizations & groupsAn early, prolific wallet-drainer-as-a-service crew (active into early 2023) that focused on high-value NFTs and is estimated to have facilitated roughly $13–16.5M in theft before announcing it was 'shutting down' and pointing affiliates to rival drainers.
- Ledger Connect Kit hackProjectsA December 2023 software supply-chain attack: a phished former Ledger employee's npm key let attackers publish malicious versions of Ledger's widely used 'Connect Kit' library, injecting the Angel Drainer into many dApps. About $500K–$600K was drained in a few hours before a fix shipped.
- Platypus FinanceProjects
This page was last updated on Jun 8, 2026. View revision history.