Fake MetaMask / Phantom / Coinbase Wallet / Rainbow / Trust Wallet signature-drainer lure — "pending transaction / airdrop claim / approve permit, connect wallet to sign within 24 hours" targeting self-custody Web3 wallet users; malicious setApprovalForAll or permit signature = complete + IRREVERSIBLE wallet drain (Chainalysis 2024: $500M+ lost to drainers, typical victim $5-50K, NFT whales $1-10M)
fake-web3-wallet-drainer-signature-lure
What this tier means
High-confidence threat indicator — phishing, impersonation, BEC, or scam pattern. Strong contributor to the trash decision.
How Gorganizer detects this
Fake "your MetaMask / Coinbase Wallet / Phantom / Rainbow / Trust Wallet received a pending transaction — connect to review and sign within 24 hours" email targeting Web3 wallet users. Distinct from the centralized-exchange phish class (`fake-coinbase-exchange-alert-lure`) because this targets **self-custody wallets where a malicious signature is immediate, irreversible, and unrecoverable**.
Attack shape: the email urges the user to connect their wallet at a fake dApp; the user signs what looks like a benign "review pending transaction" prompt; the call actually signed is `setApprovalForAll` or `permit`, giving the attacker unlimited allowance on ALL the user's tokens/NFTs; the attacker drains the wallet within minutes.
Post-compromise: full ERC-20 token balance drained via `permit`/`approve`; all NFTs transferred via `setApprovalForAll`; wallet-connected dApp positions (DEX, staking, etc.) compromised. No recourse: signatures on immutable blockchains cannot be reversed, and there is no insurance and no chargeback.
2024 Chainalysis data: wallet-drainer attacks cost users $500M+ in 2024 alone; the typical victim loses $5-50K; high-NFT whales lose $1-10M.
The lure converts because Web3 users ARE expected to sign transactions frequently, real wallet notifications look nearly identical, and fear of missing an airdrop or NFT claim overrides caution.
Fires when the body references MetaMask / Phantom / Coinbase Wallet / Rainbow / Trust Wallet / WalletConnect / self-custody / seed phrase / `setApprovalForAll` / `permit` / signature request / Web3 wallet AND contains connect-wallet / sign-transaction / pending-approval / airdrop-claim / approve-permit urgency. Excludes metamask.io, consensys.io, coinbase.com, phantom.app, rainbow.me, trustwallet.com, walletconnect.com, ledger.com, trezor.io. Auto-classified as danger via the `-lure` suffix.
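
The firing rule above (wallet reference AND urgency phrase, minus excluded domains) can be sketched as follows. This is an added example, not Gorganizer's own code: the regex forms, the choice to apply the exclusion list to the From domain, and the subdomain handling are assumptions.

```python
import re
from email.utils import parseaddr

# Term lists come from the rule description; the regex forms are assumptions.
WALLET_TERMS = re.compile(
    r"metamask|phantom|coinbase wallet|rainbow|trust wallet|walletconnect|"
    r"self-custody|seed phrase|setapprovalforall|\bpermit\b|"
    r"signature request|web3 wallet", re.I)
URGENCY_TERMS = re.compile(
    r"connect (your )?wallet|sign (the |this )?transaction|"
    r"pending (approval|transaction)|airdrop claim|claim (your )?airdrop|"
    r"approve (the )?permit", re.I)
EXCLUDED_DOMAINS = {
    "metamask.io", "consensys.io", "coinbase.com", "phantom.app", "rainbow.me",
    "trustwallet.com", "walletconnect.com", "ledger.com", "trezor.io",
}

def sender_domain(from_header: str) -> str:
    """Domain of the From address, lowercased; the display name is ignored."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower().rstrip(".")

def is_excluded(domain: str) -> bool:
    """Exact match or subdomain on a label boundary, so lookalikes such as
    'metamask.io.example.net' and 'notmetamask.io' are NOT excluded."""
    return any(domain == d or domain.endswith("." + d) for d in EXCLUDED_DOMAINS)

def signal_fires(from_header: str, body: str) -> bool:
    """True when both term groups match and the sender is not excluded."""
    if is_excluded(sender_domain(from_header)):
        return False
    return bool(WALLET_TERMS.search(body) and URGENCY_TERMS.search(body))

# Constructed sample messages (not real mail).
SAMPLES = [
    ("MetaMask Support <alerts@metamask.io.example.net>",
     "Your MetaMask has a pending transaction. Connect wallet to sign within 24 hours."),
    ("MetaMask <no-reply@metamask.io>",
     "Your MetaMask has a pending transaction. Connect wallet to review."),
    ("Newsletter <news@example.org>",
     "This week: how Phantom and Rainbow handle signature requests."),
]

if __name__ == "__main__":
    for frm, body in SAMPLES:
        print(signal_fires(frm, body), "|", frm)
```

The first sample fires because the brand name appears only as a leading label of an unrelated domain; the third does not, because a wallet reference without an urgency phrase is not enough.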
False-positive guard
Every signal in Gorganizer feeds a multi-module score — never a sole verdict. This is a threat-tier signal — it adds a strong contribution to the trash score. The full pipeline still requires convergence across multiple modules + a margin over the safety floor before deletion happens, and Gmail's trash (30-day recovery) is always used — never permanent delete.
About the scoring engine
Gorganizer's scoring engine emits over 1,800 signals across six modules — headers, sender, subject, body, attachments, and structural metadata. Every email is scored by every module independently; the final verdict requires multiple modules to agree and the trash score to beat the safety floor by a margin.
Sacred safety guards — never delete starred emails, replies, calendar invites, receipts/invoices, or attachments — apply unconditionally regardless of any signal.