How can a hardware wallet still get drained?

A hardware wallet protects the private key. It does not protect you from approving a malicious transaction. The most common ways hardware wallets get drained:

• Blind signing: a complex transaction the device can't parse shows up as raw hex, and the user approves it.
• Address poisoning: the user copies a familiar-looking address from their own transaction history that was inserted by the attacker.
• Compromised companion app or browser extension asking for an innocent-looking signature that actually grants token approvals.
• Physical compromise + weak PIN.

Mitigations: enable blind-signing only when strictly necessary, verify the receive address on the device screen (not the computer screen), and use a separate hardware wallet for DeFi interactions vs long-term holdings. For larger holdings, set up a 2-of-3 multisig — a single compromised device can't move funds alone.