Forensic Standards: Chain-of-custody · Verifiable on-chain trail · Regulator-ready packets
12 cases under review
1852 wallets traced this month
Data sources: Etherscan · SlowMist · CertiK

One Signature, Then Silence: What We Recovered After a Wallet-Drainer

She never typed her seed phrase into anything. She clicked “Sign” on what looked like a login for an airdrop. Ninety seconds later her tokens and two NFTs were gone. This is one of the hard ones — and we told her so on day one.

Forensic Notes · Recovery story · 5 min read

How a signature becomes a key

The message she signed was not a login. It was a token-approval and permit that handed transfer rights for her assets to a spender she had never heard of. A sweeper bot watching the approval drained the wallet almost instantly. There is no transaction to reverse here — she authorized the movement cryptographically.
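
A defender-side check for the kind of request described above, as an added example that is not from the original post or the firm's tooling: it inspects an `eth_signTypedData_v4` payload and flags the ERC-20 permit forms (EIP-2612 `Permit` and the Permit2 types) that hand a spender transfer rights. The function name, the 24-hour deadline threshold and all sample payloads are assumptions constructed for illustration.

```javascript
// Added example: triage an eth_signTypedData_v4 payload before approving it.
const MAX_UINT256 = (1n << 256n) - 1n;
const MAX_UINT160 = (1n << 160n) - 1n; // Permit2 amounts are uint160
const ONE_DAY = 86400n;                // assumed threshold for a "long" deadline
const PERMIT_TYPES = new Set(["Permit", "PermitSingle", "PermitBatch", "PermitTransferFrom"]);

// typedData: JSON string or object from the signing request.
// nowSec: current Unix time, passed in so the result is deterministic.
function triageTypedData(typedData, nowSec) {
  const td = typeof typedData === "string" ? JSON.parse(typedData) : typedData;
  const msg = td.message || {};
  const out = { primaryType: td.primaryType, grantsSpending: false, spender: null, findings: [] };
  if (!PERMIT_TYPES.has(td.primaryType)) return out;

  out.grantsSpending = true;
  out.spender = msg.spender || null;
  out.findings.push("grants token transfer rights to spender; not a login");

  // EIP-2612 has a top-level value; Permit2 nests amounts under details/permitted.
  const nested = [].concat(msg.details || msg.permitted || []);
  const amounts = nested.length ? nested.map((d) => d.amount) : [msg.value];
  if (amounts.some((a) => a !== undefined && [MAX_UINT256, MAX_UINT160].includes(BigInt(a))))
    out.findings.push("unlimited allowance");

  const deadline = msg.deadline ?? msg.sigDeadline;
  if (deadline !== undefined && BigInt(deadline) - BigInt(nowSec) > ONE_DAY)
    out.findings.push("deadline more than 24h away");
  return out;
}

// Constructed samples (addresses and domain values are placeholders).
const SAMPLE_NOW = 1700000000;
const SAMPLE_SPENDER = "0x000000000000000000000000000000000000dEaD";
const SAMPLE_PERMIT = {
  primaryType: "Permit",
  domain: { name: "ExampleToken", chainId: 1 },
  message: { owner: "0x0000000000000000000000000000000000000001", spender: SAMPLE_SPENDER,
             value: MAX_UINT256.toString(), nonce: "0", deadline: "1731536000" },
};
const SAMPLE_LOGIN = {
  primaryType: "Login", // hypothetical benign type that carries no spender or amount
  domain: { name: "ExampleSite", chainId: 1 },
  message: { statement: "Sign in to ExampleSite", nonce: "8f3a" },
};

console.log(triageTypedData(SAMPLE_PERMIT, SAMPLE_NOW).findings);
console.log(triageTypedData(JSON.stringify(SAMPLE_LOGIN), SAMPLE_NOW).findings);
```

Matching on the primary type name is a heuristic: a request whose type is named differently but still carries spender and amount fields is not caught by this check.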

What we could still do

We decoded the malicious signature, matched the drainer-as-a-service contract to a known kit, and clustered the sweeper wallets. Most fungible tokens were swapped and bridged within minutes. The two NFTs, however, were identifiable — and both were re-listed on a marketplace, which gave us a freeze point.

The honest outcome

About 19% recovered — one NFT through a marketplace freeze plus a small residual the sweeper missed. We could have padded the expectation; instead we set it honestly and still got something back rather than nothing.

The lesson

“Sign to verify” or “sign to log in” is a red flag — a signature is not a login and can be a blanket approval. Never sign a request you did not initiate, and revoke old token approvals regularly.

Think your loss might be traceable?

Send us the platform, the transactions, and the timeline. We’ll tell you honestly whether a recovery path exists — no upfront fees, no guarantees we can’t keep.