⚠ Threat Intelligence

The attacks that drain wallets.
How Intentra stops them.

Plain-language breakdowns of the real techniques attackers use — and exactly what happens when Intentra is active.

$494M stolen via EVM phishing (2024)
56.7% via Permit signatures
10 vectors covered by Intentra

When you use a DeFi app for the first time, it asks you to "approve" it to spend your tokens. Legitimate apps request exactly what they need.

Drainer apps request the maximum possible amount — every token you'll ever have, forever. Once approved, the attacker can drain your wallet anytime, even while you sleep.

1. A fake DeFi app asks you to approve tokens to "start using" the platform.
2. The approval is for MAX_UINT256 — the largest number possible in Ethereum.
3. The attacker calls transferFrom() on your wallet at any future time, draining everything.
Real impact: Permit and approval drains accounted for 56.7% of all EVM phishing losses in 2024 — $494M total. Once approved, no further action is needed from the victim.

Intentra inspects every approval transaction before it reaches your wallet. If the amount equals MAX_UINT256 (or any equivalent maximum), it flags it as UNLIMITED_APPROVAL.

This is a hard rule — it cannot be bypassed by changing security mode. No configuration disables it.

Blocked automatically
All modes → DENY · No override possible

The transaction is rejected before your wallet even sees it. No popup to accidentally approve. The attacker never gets the permission they need.
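A concrete version of the MAX_UINT256 rule, as an added example rather than Intentra's own code: it decodes ERC-20 approve(address,uint256) calldata and returns the verdict. The UNLIMITED_FLOOR heuristic for "any equivalent maximum" and the placeholder addresses are assumptions, not values from the page.

```javascript
// Added example (not Intentra's code): decode ERC-20 approve() calldata and
// apply the hard rule: amount == MAX_UINT256 -> UNLIMITED_APPROVAL -> DENY.
const MAX_UINT256 = (1n << 256n) - 1n;
// Assumption for "any equivalent maximum": anything >= 2^128 tokens is treated
// as unlimited too (real balances never get anywhere near this).
const UNLIMITED_FLOOR = 1n << 128n;
// First 4 bytes of keccak256("approve(address,uint256)"), the ERC-20 selector
const APPROVE_SELECTOR = "095ea7b3";

// ABI-encode approve(spender, amount); used here only to build sample calldata
function encodeApprove(spender, amount) {
  const word = (v) => v.toString(16).padStart(64, "0");
  return "0x" + APPROVE_SELECTOR + word(BigInt(spender)) + word(amount);
}

// Returns { spender, amount } or null when the calldata is not an approve() call
function decodeApprove(data) {
  const hex = (data || "").toLowerCase().replace(/^0x/, "");
  if (!hex.startsWith(APPROVE_SELECTOR)) return null;
  if (hex.length !== 8 + 64 * 2) return null;        // selector + two 32-byte words
  const spender = "0x" + hex.slice(8 + 24, 8 + 64);  // low 20 bytes of word 0
  const amount = BigInt("0x" + hex.slice(8 + 64));   // word 1
  return { spender, amount };
}

// Policy check applied before the transaction reaches the wallet. The mode is
// reported but never consulted: no mode can downgrade this rule.
function checkApproval(tx, mode = "balanced") {
  const call = decodeApprove(tx.data);
  if (!call) return { verdict: "ALLOW", flags: [], mode };
  if (call.amount === MAX_UINT256 || call.amount >= UNLIMITED_FLOOR) {
    return { verdict: "DENY", flags: ["UNLIMITED_APPROVAL"], mode, ...call };
  }
  return { verdict: "ALLOW", flags: [], mode, ...call };
}

// Constructed sample: a drainer's "start using the platform" approval
const DRAINER_TX = {
  to: "0x1111111111111111111111111111111111111111",   // placeholder token address
  data: encodeApprove("0x2222222222222222222222222222222222222222", MAX_UINT256),
};
```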

A newer, more dangerous version of the approval attack. Instead of a transaction, the site asks you to "sign a message" — which feels harmless, like logging in.

That signature is a Permit: a cryptographically valid authorization that lets the attacker drain your tokens with no further action from you. No gas. No second confirmation.

1. The site shows a "sign to continue" prompt. It looks like a standard login.
2. The signature is actually a Permit for unlimited tokens, valid for 30 days.
3. The attacker submits the signature to the blockchain. No second interaction is needed from you.
Real impact: Permit-type signatures were the #1 drain method in both 2024 (56.7% of EVM losses) and 2025. The largest single Permit drain of 2025 took $6.5M in a single transaction.

Intentra intercepts signature requests, not just transactions. When a site requests a typed signature (eth_signTypedData), Intentra decodes the hidden contents and checks for Permit structures.

If the permit value is MAX_UINT256 or the expiry deadline is excessively long, the request is blocked before you can sign.

Blocked automatically
Unlimited value → DENY · Excessive TTL → REVIEW

Intentra reads the hidden contents of the signature request and rejects it before it reaches your wallet screen. The attacker never gets a valid signature.
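How a typed-data interceptor can tell a Permit from a harmless login signature, as an added example (not Intentra's code): it reads the eth_signTypedData_v4 payload, recognizes EIP-2612 Permit and Permit2 PermitSingle shapes, and applies the unlimited-value and long-deadline rules. The 7-day TTL threshold, the sample addresses and the token name are assumptions.

```javascript
// Added example (not Intentra's code): inspect an eth_signTypedData_v4 payload
// for EIP-2612 Permit and Permit2 PermitSingle structures, then apply the rule
// from the page: unlimited value -> DENY, excessive deadline -> REVIEW.
const MAX_UINT256 = (1n << 256n) - 1n;
const MAX_UINT160 = (1n << 160n) - 1n;      // Permit2 amounts are uint160
const MAX_TTL_SECONDS = 7 * 24 * 3600;       // assumed "excessive" threshold: 7 days

// Pull value/deadline out of the two permit shapes; null for anything else
function extractPermit(typedData) {
  const { primaryType, message } = typedData;
  if (primaryType === "Permit" && message?.value !== undefined) {
    return { kind: "Permit", value: BigInt(message.value),
             deadline: Number(message.deadline), max: MAX_UINT256 };
  }
  if (primaryType === "PermitSingle" && message?.details) {
    return { kind: "Permit2", value: BigInt(message.details.amount),
             deadline: Number(message.details.expiration), max: MAX_UINT160 };
  }
  return null;
}

function checkTypedData(typedData, nowSeconds) {
  const permit = extractPermit(typedData);
  if (!permit) return { verdict: "ALLOW", flags: [] };
  const flags = [];
  if (permit.value >= permit.max) flags.push("PERMIT_UNLIMITED");
  if (permit.deadline - nowSeconds > MAX_TTL_SECONDS) flags.push("PERMIT_EXCESSIVE_TTL");
  const verdict = flags.includes("PERMIT_UNLIMITED") ? "DENY"
                : flags.length > 0 ? "REVIEW" : "ALLOW";
  return { verdict, flags, kind: permit.kind, value: permit.value };
}

// Constructed sample: a "sign to continue" prompt that is really an unlimited
// Permit valid for 30 days (addresses and token name are placeholders)
const NOW = 1_750_000_000;
const SAMPLE_PERMIT = {
  domain: { name: "ExampleToken", version: "1", chainId: 1,
            verifyingContract: "0x1111111111111111111111111111111111111111" },
  primaryType: "Permit",
  types: { Permit: [
    { name: "owner", type: "address" }, { name: "spender", type: "address" },
    { name: "value", type: "uint256" }, { name: "nonce", type: "uint256" },
    { name: "deadline", type: "uint256" } ] },
  message: { owner: "0x3333333333333333333333333333333333333333",
             spender: "0x2222222222222222222222222222222222222222",
             value: MAX_UINT256.toString(), nonce: "0",
             deadline: String(NOW + 30 * 24 * 3600) },
};
```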

Once a malicious site has partial wallet access, an automated script fires multiple transactions in rapid succession — trying to move assets before you can react.

The speed is intentional: human reaction time is ~500ms. Scripts operate in milliseconds. By the time you see anything happen, it may be over.

1. A malicious site gains partial wallet interaction.
2. A script fires 10+ transactions per minute, each moving a portion of your assets.
3. Your wallet is empty before you can process what's happening.

Intentra tracks transactions per minute in real time. When the rate exceeds your configured threshold (default: 5 TX/min), it automatically activates the emergency kill switch.

The kill switch blocks all further transactions until you manually reset it. The UI turns orange to alert you immediately. This is the very first check Intentra runs — before any other rule.

Auto-blocked + kill switch
All modes → DENY · Session locked until manual reset

Velocity protection is the first check Intentra runs on every transaction. No drain script can get past this without first disabling Intentra entirely.

Many DeFi protocols use upgradeable proxy contracts — the address you approve stays the same, but the underlying logic can be silently replaced. You approved a safe contract. The attacker upgrades it to malicious code. Your existing approval now grants access to logic you never reviewed — and never had a chance to reject.

1. You approve a token spend to a legitimate-looking upgradeable proxy contract.
2. The contract owner (or an attacker who compromised the owner key) upgrades the implementation to malicious logic.
3. The new implementation uses your existing approval to drain your wallet — no second interaction needed from you.
Real impact: Multiple DeFi protocols have suffered governance or key compromise attacks enabling malicious upgrades — including Tornado Cash (2023) and several Compound forks. Existing approvals became instant drain vectors with no further action needed from victims.

Intentra checks every contract interaction against known proxy patterns. When the destination contract's bytecode contains a delegatecall structure, or the contract matches a known upgradeable proxy standard (EIP-1967, EIP-897), the transaction is flagged for review before it reaches your wallet.

Flagged for review
Balanced + Paranoid → REVIEW · Permissive → allowed

Intentra surfaces the proxy structure before you sign, giving you the context to decide — not just a silent pass-through.
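Two of the proxy signals named above, worked through as an added example that is not Intentra's code: the EIP-1967 implementation and beacon storage slots, and a scan for a real DELEGATECALL opcode that skips PUSH immediates so data bytes are not mistaken for opcodes. The slot values are assumed to have been fetched with eth_getStorageAt by the caller; the sample bytecodes and addresses are constructed.

```javascript
// Added example (not Intentra's code): two proxy signals the page names.
// (1) EIP-1967 storage slots: non-zero implementation/beacon slot values
//     (the caller fetches them with eth_getStorageAt; stubbed here).
// (2) A real DELEGATECALL (0xf4) opcode in the bytecode, found by walking
//     opcodes and skipping PUSH immediates so data bytes are not misread.
const EIP1967_SLOTS = {
  implementation: "0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc",
  beacon: "0xa3f0ad74e5423aebfd80d3ef4346578335a9a72aeaee59ff6cb3582b35133d50",
};

function hasDelegatecall(bytecode) {
  const hex = bytecode.replace(/^0x/, "");
  for (let i = 0; i < hex.length / 2; i++) {
    const op = parseInt(hex.slice(i * 2, i * 2 + 2), 16);
    if (op === 0xf4) return true;
    if (op >= 0x60 && op <= 0x7f) i += op - 0x5f;   // PUSH1..PUSH32: skip immediates
  }
  return false;
}

const isNonZeroWord = (v) => typeof v === "string" && /[1-9a-f]/i.test(v.replace(/^0x/, ""));

// slots: { implementation, beacon } as returned by eth_getStorageAt for EIP1967_SLOTS
function checkProxy(bytecode, slots, mode = "balanced") {
  const flags = [];
  if (isNonZeroWord(slots.implementation)) flags.push("EIP1967_IMPLEMENTATION_SLOT");
  if (isNonZeroWord(slots.beacon)) flags.push("EIP1967_BEACON_SLOT");
  if (hasDelegatecall(bytecode)) flags.push("DELEGATECALL_IN_BYTECODE");
  // Page: Balanced + Paranoid -> REVIEW, Permissive -> allowed
  const verdict = flags.length === 0 || mode === "permissive" ? "ALLOW" : "REVIEW";
  return { verdict, flags };
}

// Constructed samples: an EIP-1167 minimal proxy (real DELEGATECALL) and a
// decoy whose 0xf4 byte is only PUSH1 data; slot words use placeholder addresses
const MINIMAL_PROXY = "0x363d3d373d3d3d363d73" + "11".repeat(20) + "5af43d82803e903d91602b57fd5bf3";
const DECOY = "0x60f400";
const ZERO_WORD = "0x" + "0".repeat(64);
const IMPL_WORD = "0x" + "0".repeat(24) + "22".repeat(20);
```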

Attackers create artificial urgency — "claim your airdrop in 60 seconds," "your position is being liquidated" — to make you send large ETH amounts without reading carefully.

This also covers honest mistakes: mistyping an amount, approving the wrong field, or clicking confirm while distracted.

1. The site creates urgency: a countdown timer, a fake liquidation warning, an exclusive offer.
2. You confirm quickly without checking the exact ETH amount.
3. The transaction sends 2–10x more ETH than intended to an attacker address.

Any native ETH transfer above your configured threshold (default: 0.5 ETH) triggers the overlay with a clear breakdown: destination address, exact amount, and a warning that this exceeds your limit.

The overlay interrupts the urgency — giving you the seconds needed to actually read what you're signing.

Flagged for review
Balanced + Paranoid → REVIEW · You make the final call

Intentra doesn't block the transfer — you might legitimately be sending a large amount. Instead, it forces a deliberate pause and shows you exactly what you're about to sign.

Multiple small transactions that individually look harmless can add up to significant losses in a single session. Attackers exploit this by spacing transactions just far enough apart to avoid velocity detection.

Without a daily cap, a session starting with a legitimate 0.5 ETH swap could end with 8 ETH moved to attacker addresses across 6 separate transactions.

1. A legitimate transaction goes through. Intentra allows it.
2. The attacker triggers additional transactions spaced 2+ minutes apart.
3. Each amount looks reasonable. The daily total does not.

Intentra tracks the total ETH moved since midnight. When a new transaction would push that total above your configured daily hard cap (default: 10 ETH), it is denied automatically.

Even if you approve each individual transaction, the daily cap cannot be exceeded without manually adjusting your settings.

Blocked automatically
All modes → DENY when cap exceeded · Configurable

The daily hard cap is your circuit breaker. No matter how many individual transactions you approve, your total daily exposure is capped at the limit you set.
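The velocity rule and the daily hard cap described above, combined in one session guard as an added example (not Intentra's code): velocity runs first, trips a kill switch that stays latched until a manual reset, and the daily total is checked against the cap. Assumptions: midnight is taken in UTC, denied attempts still count toward velocity, and ETH is added to the daily total when a transaction is allowed rather than when it is mined.

```javascript
// Added example (not Intentra's code): a session guard combining the velocity
// rule (tx/min above threshold trips a kill switch that stays on until manual
// reset) with the daily hard cap on native ETH moved since midnight (UTC here).
// Assumptions: denied attempts still count toward velocity; ETH is counted
// toward the daily total when a transaction is allowed, not when it is mined.
const ETH = 10n ** 18n;

class SessionGuard {
  constructor({ maxTxPerMinute = 5, dailyCapWei = 10n * ETH } = {}) {
    this.maxTxPerMinute = maxTxPerMinute;
    this.dailyCapWei = dailyCapWei;
    this.timestamps = [];      // ms timestamps of recent attempts
    this.killSwitch = false;
    this.dayKey = null;        // UTC date the running total belongs to
    this.movedTodayWei = 0n;
  }

  resetKillSwitch() { this.killSwitch = false; this.timestamps = []; }

  rollDay(nowMs) {
    const key = new Date(nowMs).toISOString().slice(0, 10);
    if (key !== this.dayKey) { this.dayKey = key; this.movedTodayWei = 0n; }
  }

  // Velocity runs first, before any other rule, as the page describes
  check(tx, nowMs) {
    if (this.killSwitch) return { verdict: "DENY", flags: ["KILL_SWITCH_ACTIVE"] };
    this.timestamps.push(nowMs);
    this.timestamps = this.timestamps.filter((t) => nowMs - t < 60_000);
    if (this.timestamps.length > this.maxTxPerMinute) {
      this.killSwitch = true;  // latched until resetKillSwitch()
      return { verdict: "DENY", flags: ["VELOCITY_EXCEEDED", "KILL_SWITCH_ACTIVE"] };
    }
    this.rollDay(nowMs);
    const value = BigInt(tx.value ?? 0);
    if (this.movedTodayWei + value > this.dailyCapWei) {
      return { verdict: "DENY", flags: ["DAILY_CAP_EXCEEDED"],
               movedTodayWei: this.movedTodayWei };
    }
    this.movedTodayWei += value;
    return { verdict: "ALLOW", flags: [], movedTodayWei: this.movedTodayWei };
  }
}
```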

Most crypto losses happen on the first interaction with a contract. The user has no history with it — and attackers know this is the moment of maximum vulnerability.

Phishing sites, rug pulls, and fake token claims all rely on getting you to sign one transaction with a contract you've never touched before.

1. You visit a new DeFi site, NFT mint, or "claim" page.
2. The site asks you to interact with a contract you've never used.
3. Without checking, you approve — and the contract drains your wallet.

Intentra maintains a history of every contract you've successfully interacted with. Any contract not in your history and not on the trusted seed whitelist triggers an overlay showing the address and a first-use warning.

Once you interact with a contract safely, it joins your trusted list — future interactions pass without friction.

Flagged for review
Balanced → REVIEW on first use · Paranoid → REVIEW always

Every first-time contract interaction gets a moment of deliberate review. You see the exact address, can verify it, and decide whether to proceed.

The most dangerous combination: a large ETH amount sent to a contract you've never interacted with. This is the signature of fake investment platforms, bridge scams, and "guaranteed yield" traps.

Legitimate protocols rarely ask for significant ETH on your first interaction. Scams almost always do.

1. A fake yield platform promises 30% APY. "Deposit at least 1 ETH to activate."
2. You've never interacted with this contract before.
3. The transaction sends ETH directly to the attacker's wallet. There is no yield platform.

When both conditions are true — ETH value above your contract call threshold AND the destination is not in your trusted list — Intentra flags it as HIGH_VALUE_CONTRACT_CALL.

The overlay shows the exact ETH amount, the unknown contract address, and a clear warning about the combination of risk factors present.

Flagged for review
Balanced + Paranoid → REVIEW · Threshold: 0.5 ETH

You might have a legitimate reason to send ETH to a new contract. Intentra doesn't assume otherwise — it just makes sure you're deciding consciously, not by accident.

For users managing significant holdings, even trusted contracts can be compromised. A protocol you've used 50 times safely might have its contract upgraded to a malicious version overnight.

In high-stakes situations, every transaction deserves a deliberate human review — regardless of history.

1. You've used a protocol 20 times. It's in your trusted history.
2. The protocol's contract was upgraded to a malicious implementation overnight.
3. Balanced mode lets it pass as trusted. Paranoid mode flags it for review.

In Paranoid mode, CONTRACT_CALL_PARANOID is added to every single contract interaction — known or unknown, high or low value. No interaction passes silently.

Every transaction gets the overlay. You confirm every action deliberately. Nothing moves without your eyes on it.

Flagged for review
Paranoid mode → REVIEW on every contract call, no exceptions

Paranoid mode trades convenience for maximum control. Every contract interaction gets your explicit approval — no exceptions, no history bypass.

A newer Ethereum feature (EIP-7702) allows wallets to delegate their behavior to a smart contract. This enables powerful features — but also a dangerous new attack vector.

An attacker tricks you into delegating your wallet to a malicious contract. Once delegated, every transaction you make passes through attacker-controlled logic that can redirect funds without your knowledge.

1. A phishing site gets you to sign a delegation. It looks like a normal "connect wallet" step.
2. Your wallet is now delegated to a malicious contract: its account code is an EIP-7702 delegation designator starting with the 0xef0100 prefix.
3. Every future transaction passes through attacker logic that silently redirects funds.
Emerging threat: EIP-7702 activated on Ethereum mainnet with the Pectra upgrade in May 2025. Drain exploits using this vector are actively being developed and deployed in the wild.

Before every native ETH transfer, Intentra checks the destination address's bytecode via eth_getCode. If it starts with 0xef0100 — the EIP-7702 delegation prefix — the transaction is flagged immediately and routed to mandatory review before you can sign.

Full SET_CODE transaction interception — blocking the delegation at the moment it's created — is in active development for V2.

Flagged for review
Delegated account detected → REVIEW

Intentra is one of the few wallet protection tools with active EIP-7702 detection. This attack vector is new and growing — coverage is built in from day one.
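The eth_getCode check described above, as an added example that is not Intentra's code: it classifies the destination's code, extracts the delegate address from an EIP-7702 designator, and routes delegated accounts to review. The caller is assumed to have fetched the code with eth_getCode(to, "latest"); the sample addresses and code are constructed.

```javascript
// Added example (not Intentra's code): classify the eth_getCode result for a
// transfer destination and apply the page's rule: an EIP-7702 delegation
// designator (0xef0100 followed by the 20-byte delegate address) -> REVIEW.
// The caller fetches `code` with eth_getCode(to, "latest"); samples are stubbed.
const DELEGATION_PREFIX = "ef0100";

function classifyCode(code) {
  const hex = (code || "0x").toLowerCase().replace(/^0x/, "");
  if (hex.length === 0) return { kind: "EOA" };
  if (hex.startsWith(DELEGATION_PREFIX)) {
    // A valid designator is exactly 23 bytes; anything else is malformed but
    // still treated as delegated rather than silently allowed
    if (hex.length !== 46) return { kind: "DELEGATED_MALFORMED" };
    return { kind: "DELEGATED", delegate: "0x" + hex.slice(6) };
  }
  return { kind: "CONTRACT" };
}

// Runs before every native ETH transfer; `code` is the destination's bytecode
function checkNativeTransfer(tx, code) {
  const info = classifyCode(code);
  if (info.kind.startsWith("DELEGATED")) {
    return { verdict: "REVIEW", flags: ["EIP7702_DELEGATED_ACCOUNT"], to: tx.to, ...info };
  }
  return { verdict: "ALLOW", flags: [], to: tx.to, ...info };
}

// Constructed stand-in for eth_getCode responses (placeholder addresses)
const SAMPLE_CODE = {
  "0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": "0x",                          // plain EOA
  "0xbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": "0xef0100" + "cc".repeat(20),  // delegated
  "0xdddddddddddddddddddddddddddddddddddddddd": "0x6080604052",                // contract
};
const sampleGetCode = (addr) => SAMPLE_CODE[addr.toLowerCase()] ?? "0x";
```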

Protection that runs before you can make a mistake.

Intentra sits between every transaction and your wallet — invisible when everything is fine, active when it matters.

$494M Stolen via EVM Phishing in 2024
Scam Sniffer tracked $494M stolen via wallet drainer phishing across EVM-compatible chains in 2024 — a 67% increase over 2023. Over 332,000 wallet addresses were affected. 85.3% of large-case losses occurred on Ethereum Mainnet.

This figure covers phishing-based wallet drains only — not exchange hacks or protocol exploits. Both stats on this page come from EVM-only data, matching Intentra's coverage scope.
Sources:
→ Scam Sniffer Crypto Phishing Report 2024
→ Scam Sniffer 2025 Annual Report
Permit Signatures — #1 Drain Vector, 2 Years Running
In 2024, 56.7% of all EVM wallet drains used a Permit-type signature (EIP-2612 / EIP-712), which authorizes token spending without an on-chain approve() transaction.

In 2025, Permit and Permit2 remained the dominant vector, accounting for 38% of losses in cases exceeding $1M. The largest single theft of 2025 ($6.5M, September) was executed via Permit signature.

Intentra intercepts and decodes Permit signatures before the signing prompt, evaluating them against your active policy before the request reaches your wallet.
Emerging vector: EIP-7702 malicious signatures appeared after Ethereum's Pectra upgrade (2025). Intentra V2 roadmap includes EIP-7702 SET_CODE transaction interception.
Sources:
→ Scam Sniffer Crypto Phishing Report 2024
→ Scam Sniffer 2025 Annual Report