Token approvals and wallet drains: the one crypto scam professionals should warn clients about

Many wallet drains don't need seed phrases. Token approvals create standing permissions. Learn how drains happen and how to reduce risk safely.

Introduction

Most clients believe wallet theft requires a seed phrase. That used to be the dominant fear. Today, many high-impact losses happen through a quieter mechanism: token approvals. A token approval is permission that allows a contract or address to move a token on a user's behalf. Approvals can be legitimate. The risk is that approvals are often set to unlimited and forgotten. Professionals who serve HNW clients should include this in their standard warning set because it is simple, common, and preventable.

How the scam typically plays out

1. A client is urged to connect a wallet to a site (airdrop claim, 'support', exclusive mint, urgent verification)
2. The site requests an approval
3. The approval grants broad permission
4. Tokens are drained later — sometimes minutes, sometimes days

The client insists: 'I never shared my seed phrase.' That can be true.

Why approvals are so effective for attackers

Approvals exploit normal user behaviour:

• users click 'confirm' quickly
• wallets display technical prompts that feel routine
• approvals do not always trigger immediate loss
• unlimited approvals create a standing door, not a one-time event
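The "standing door" point is easiest to see in code. The following is an added example, not code from the article or from Bitzo: a minimal in-memory model of the ERC-20 allowance mechanism (approve, allowance, transferFrom) with constructed account names and balances. It compares an unlimited approval, a bounded approval, and a revoked approval, and shows that the spender needs no further signature from the client once the approval exists.

```python
# Added example (not from the article): toy model of ERC-20 allowance semantics.
# Account names and balances are constructed for illustration.
from dataclasses import dataclass, field

UINT256_MAX = 2**256 - 1  # the value most dapps request when they ask for "unlimited"


@dataclass
class Token:
    """Toy ERC-20: balances plus (owner, spender) -> approved amount."""
    balances: dict = field(default_factory=dict)
    allowances: dict = field(default_factory=dict)

    def mint(self, to: str, amount: int) -> None:
        self.balances[to] = self.balances.get(to, 0) + amount

    def approve(self, owner: str, spender: str, amount: int) -> None:
        # approve() overwrites the previous value; approving 0 is the revocation
        self.allowances[(owner, spender)] = amount

    def allowance(self, owner: str, spender: str) -> int:
        return self.allowances.get((owner, spender), 0)

    def transfer_from(self, spender: str, owner: str, to: str, amount: int) -> None:
        """Called by the spender; the owner signs nothing at this point."""
        allowed = self.allowance(owner, spender)
        if allowed < amount:
            raise PermissionError("insufficient allowance")
        if self.balances.get(owner, 0) < amount:
            raise ValueError("insufficient balance")
        # Common implementations (e.g. OpenZeppelin) do not decrement an
        # unlimited allowance, so it never runs out on its own.
        if allowed != UINT256_MAX:
            self.allowances[(owner, spender)] = allowed - amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount


def drain(token: Token, spender: str, owner: str) -> int:
    """Pull everything the spender is still allowed to take; return the amount taken."""
    taken = 0
    while True:
        amount = min(token.balances.get(owner, 0), token.allowance(owner, spender))
        if amount == 0:
            return taken
        token.transfer_from(spender, owner, spender, amount)
        taken += amount


def run_scenario() -> dict:
    """Compare unlimited, bounded and revoked approvals for the same client wallet."""
    client, dapp = "client", "malicious_dapp"
    results = {}

    # 1) Unlimited approval: the first drain empties the wallet, and a deposit
    #    made days later is drained too, with no new prompt to the client.
    t = Token(); t.mint(client, 100)
    t.approve(client, dapp, UINT256_MAX)
    first = drain(t, dapp, client)
    t.mint(client, 50)  # client tops up later
    results["unlimited_drained"] = first + drain(t, dapp, client)

    # 2) Bounded approval: the loss is capped at the approved amount.
    t = Token(); t.mint(client, 100)
    t.approve(client, dapp, 100)
    first = drain(t, dapp, client)
    t.mint(client, 50)
    results["bounded_drained"] = first + drain(t, dapp, client)

    # 3) Revocation: approve(spender, 0) closes the standing door.
    t = Token(); t.mint(client, 100)
    t.approve(client, dapp, UINT256_MAX)
    t.approve(client, dapp, 0)
    try:
        t.transfer_from(dapp, client, dapp, 1)
        results["after_revoke_blocked"] = False
    except PermissionError:
        results["after_revoke_blocked"] = True
    return results


if __name__ == "__main__":
    print(run_scenario())
```

The point for client conversations is the first scenario: the top-up made after the approval is lost without any further interaction, which is why "I never shared my seed phrase" and "my wallet was drained" are both true.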

The professional explanation that clients understand

Use this analogy: Approvals are like giving a third party a standing permission to move money from a specific account. If you grant unlimited permission, you may not notice it until it is abused.

The mitigation framework that fits professional boundaries

1) Separate 'hold' and 'use' wallets

For clients with meaningful sums:

• a holdings wallet that rarely connects anywhere
• a smaller interaction wallet for DeFi, NFTs, and claims

This reduces 'blast radius'.

2) Use the 'approve only what you need' rule

Where possible, clients should avoid unlimited approvals and approve smaller amounts. If a platform only offers unlimited, treat that as a risk signal.

3) Build a revocation routine

After any meaningful interaction:

• revoke approvals
• review connected sites
• update device security hygiene

This can be scheduled as part of a 4–6 month crypto review.

4) Make phishing discipline non-negotiable

HNW clients are targeted. Your firm should actively recommend:

• bookmarks for important sites
• no 'support' links from DMs
• domain checking and cautious behaviour around urgent prompts
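Steps 2 and 3 above (approve only what you need, then revoke on a routine) can be supported by a simple review script. The following is an added example, not code from the article or from Bitzo: it reads ERC-20 Approval events for one wallet, works out the latest approved amount per token and spender, flags unlimited or oversized allowances, and produces the ABI-encoded calldata for the revoking approve(spender, 0) call. The wallet, token and spender addresses and the log records are constructed; the event topic and the function selector are the standard ERC-20 values.

```python
# Added example (not from the article): triage of ERC-20 Approval events and
# generation of approve(spender, 0) revocation calldata. Addresses and log
# records below are constructed; the topic and selector are standard ERC-20.

# keccak256("Approval(address,address,uint256)")
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
# first four bytes of keccak256("approve(address,uint256)")
APPROVE_SELECTOR = "0x095ea7b3"
UINT256_MAX = 2**256 - 1

OWNER = "0x" + "11" * 20       # constructed client wallet
SPENDER_A = "0x" + "aa" * 20   # constructed spender contracts
SPENDER_B = "0x" + "bb" * 20
TOKEN_1 = "0x" + "22" * 20     # constructed token contracts
TOKEN_2 = "0x" + "33" * 20


def pad32(hex_value: str) -> str:
    """Left-pad a 0x-prefixed hex string to one 32-byte ABI word (prefix dropped)."""
    return hex_value[2:].lower().rjust(64, "0")


def approval_log(token, owner, spender, value, block, log_index=0):
    """Shape a receipt log the way a JSON-RPC client returns it."""
    return {"address": token, "blockNumber": block, "logIndex": log_index,
            "topics": [APPROVAL_TOPIC, "0x" + pad32(owner), "0x" + pad32(spender)],
            "data": "0x" + pad32(hex(value))}


SAMPLE_LOGS = [  # constructed history for OWNER
    approval_log(TOKEN_1, OWNER, SPENDER_A, UINT256_MAX, 100),  # unlimited
    approval_log(TOKEN_1, OWNER, SPENDER_B, 50 * 10**18, 101),  # bounded
    approval_log(TOKEN_2, OWNER, SPENDER_A, UINT256_MAX, 102),  # unlimited ...
    approval_log(TOKEN_2, OWNER, SPENDER_A, 0, 103),            # ... already revoked
]


def decode_approval(log):
    """Return (token, owner, spender, value, block) or None if not an Approval event."""
    if log["topics"][0] != APPROVAL_TOPIC or len(log["topics"]) != 3:
        return None
    owner = "0x" + log["topics"][1][-40:]
    spender = "0x" + log["topics"][2][-40:]
    return log["address"], owner, spender, int(log["data"], 16), log["blockNumber"]


def current_allowances(logs, owner):
    """Latest approved value per (token, spender); later approvals overwrite earlier ones."""
    latest = {}
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l.get("logIndex", 0))):
        rec = decode_approval(log)
        if rec and rec[1].lower() == owner.lower():
            token, _, spender, value, _ = rec
            latest[(token, spender)] = value
    return latest


def revoke_calldata(spender):
    """ABI-encode approve(spender, 0): selector, padded address, zero amount."""
    return APPROVE_SELECTOR + pad32(spender) + "0" * 64


def plan_revocations(logs, owner, large_threshold=100 * 10**18):
    """Return the approve(spender, 0) transactions worth sending for this owner."""
    txs = []
    for (token, spender), value in current_allowances(logs, owner).items():
        if value == UINT256_MAX or value >= large_threshold:
            txs.append({"to": token, "value": 0, "data": revoke_calldata(spender),
                        "reason": "unlimited" if value == UINT256_MAX else "large"})
    return txs


if __name__ == "__main__":
    for tx in plan_revocations(SAMPLE_LOGS, OWNER):
        print(tx)
```

Event history is a heuristic, not the source of truth: some implementations adjust allowances without emitting an Approval event, so a practitioner confirms each flagged entry with the token's allowance(owner, spender) view call before sending the revocation. The threshold for "large" is an assumed policy value and should be set per token and per client.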

How to discuss this without becoming technical support

Professionals should not be walking clients through live transactions. The safer approach is:

• educate on the risk
• provide a checklist
• signpost tools and best practices
• document that you warned the client and offered a review cadence

Learn more about our security approach and how Bitzo helps clients maintain security hygiene without custody.

Frequently Asked Questions

Does revoking approvals break things?

It can stop a platform from accessing tokens until you approve again. That is the intended protection.

Is this relevant to Bitcoin?

Token approvals are mainly a smart-contract token issue. Bitcoin has different primary risks (loss of keys, device compromise, address mistakes).

What is the biggest professional win here?

A two-minute warning plus a simple routine can prevent a large, reputation-damaging loss.
