Crypto Drainers are ready to raid investor wallets
It’s a trendy new way to scam cryptocurrency investors out of the contents of their wallets, no blockchain knowledge required.
Threat actors sell ready-made fake crypto websites to serve as phishing lures, loaded with “crypto drainer” scripts. A drainer does not break any cryptography: it prompts the victim’s connected wallet to sign transactions that hand the balance to the attacker, and the wallet is empty within minutes.
As an example, according to researchers at Recorded Future, a cybercrime group offers a ready-to-use phishing page on a “top-tier Dark Web forum” that, when published, purports to mint non-fungible tokens (NFTs). Instead, it deploys a crypto drainer that empties the unsuspecting victim’s connected cryptocurrency wallet. Adding insult to injury, “once crypto wallets are compromised, there are no safeguards in place to prevent the theft of crypto assets,” the researchers warned.
The gambit is easy to fall for. The phishing lures are convincing, according to the researchers, and spoof a variety of entities, including cryptocurrency exchanges and NFT marketplaces. The decoys often increase their credibility, as in the campaign above, by integrating commonly used third-party services and browser extensions from the cryptocurrency space, such as MetaMask, the team said.
“Using legitimate services on phishing sites with crypto drainers can increase the likelihood that the phishing site will pass an otherwise experienced user’s ‘fraud litmus test,’” according to the report.
Crypto drainer scams were first observed in 2022, and Recorded Future sounded the alarm in a report this week that they are becoming increasingly popular. So popular, in fact, that Recorded Future recently found 100 phishing sites in the wild loaded with crypto-drainer malware.
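The wallet-side view of the attack described above, as an added example (not code from the article, Recorded Future, or any drainer kit): the phishing page cannot move funds on its own, so the usual drainer pattern is to ask the connected wallet to sign an unlimited ERC-20 `approve()` or an ERC-721/1155 `setApprovalForAll(true)` to an attacker-controlled address, after which the attacker’s backend calls `transferFrom` at leisure. The script below encodes those calldata payloads the way a drainer would, then decodes and triages them the way a cautious wallet or browser extension could before showing the signing prompt. The selectors are the real standard ones; the addresses, the allow-list and the `triage` function are constructed for the demo.

```javascript
// Added example: encode the approval calldata a crypto drainer asks a victim
// to sign, and triage such requests from the wallet's point of view.
// Token/NFT/attacker addresses below are constructed placeholders.

const SELECTORS = {
  // First 4 bytes of keccak256 of the canonical function signature.
  '0x095ea7b3': 'approve(address,uint256)',
  '0xa22cb465': 'setApprovalForAll(address,bool)',
  '0xa9059cbb': 'transfer(address,uint256)',
  '0x23b872dd': 'transferFrom(address,address,uint256)',
};
const UINT256_MAX = (1n << 256n) - 1n;

// Left-pad an address (0x + 40 hex chars) or a bigint into one 32-byte ABI word.
function word(value) {
  const hex = typeof value === 'bigint' ? value.toString(16) : value.slice(2);
  return hex.padStart(64, '0');
}

// What a drainer asks the victim's wallet to sign.
function encodeApprove(spender, amount = UINT256_MAX) {
  return '0x095ea7b3' + word(spender.toLowerCase()) + word(amount);
}
function encodeSetApprovalForAll(operator, approved = true) {
  return '0xa22cb465' + word(operator.toLowerCase()) + word(approved ? 1n : 0n);
}

// Decode a 4-byte selector followed by fixed-size 32-byte words.
function decodeCalldata(data) {
  const selector = data.slice(0, 10).toLowerCase();
  const body = data.slice(10);
  const words = [];
  for (let i = 0; i + 64 <= body.length; i += 64) words.push(body.slice(i, i + 64));
  return { selector, signature: SELECTORS[selector] || null, words };
}
const asAddress = (w) => '0x' + w.slice(24);
const asUint = (w) => BigInt('0x' + w);

// Triage a transaction request before the user signs it. `trusted` is a
// constructed allow-list of spender/recipient addresses the user has vetted.
function triage(tx, trusted = new Set()) {
  const { signature, words } = decodeCalldata(tx.data || '0x');
  const warnings = [];
  if (signature === 'approve(address,uint256)') {
    const spender = asAddress(words[0]);
    if (!trusted.has(spender)) {
      warnings.push(asUint(words[1]) === UINT256_MAX
        ? `unlimited ERC-20 approval to ${spender}`
        : `ERC-20 approval to unvetted spender ${spender}`);
    }
  } else if (signature === 'setApprovalForAll(address,bool)') {
    const operator = asAddress(words[0]);
    if (asUint(words[1]) === 1n && !trusted.has(operator)) {
      warnings.push(`setApprovalForAll(true): ${operator} may move every NFT in the collection`);
    }
  } else if (signature === 'transfer(address,uint256)' ||
             signature === 'transferFrom(address,address,uint256)') {
    warnings.push(`direct token transfer via ${signature}`);
  }
  // Native-coin value to an unvetted recipient is the other drainer staple.
  if (tx.value && BigInt(tx.value) > 0n && !trusted.has((tx.to || '').toLowerCase())) {
    warnings.push(`sends ${BigInt(tx.value)} wei of native coin to unvetted ${tx.to}`);
  }
  return { risk: warnings.length ? 'high' : 'low', warnings };
}

// Constructed demo: a fake "mint your NFT" page that really requests approvals.
const TOKEN = '0x00000000000000000000000000000000000000aa';
const NFT = '0x00000000000000000000000000000000000000bb';
const ATTACKER = '0x000000000000000000000000000000000000bad1';
const DEX_ROUTER = '0x00000000000000000000000000000000000000dd';

function demo() {
  const trusted = new Set([DEX_ROUTER]);
  return [
    { to: TOKEN, data: encodeApprove(ATTACKER) },                 // drainer
    { to: NFT, data: encodeSetApprovalForAll(ATTACKER) },         // drainer
    { to: ATTACKER, value: '0xde0b6b3a7640000' },                 // "mint fee" of 1 ETH
    { to: TOKEN, data: encodeApprove(DEX_ROUTER, 1000n) },        // legitimate, bounded
  ].map((tx) => triage(tx, trusted));
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const r of demo()) console.log(r.risk, r.warnings);
}
```

The practical lesson for a user is the same one the triage encodes: an NFT mint or exchange page that asks for an unlimited `approve`, a `setApprovalForAll(true)`, or a native-coin transfer to an address you have never dealt with is asking for the keys, not a mint fee.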
“We have observed that Dark Web threat actors are very interested in this tool,” Ilya Volovik, threat intelligence analyst at Recorded Future, tells Dark Reading.
The interest is largely due to the fact that the scripts are easy to distribute and cheap to acquire (the company said crypto drainers can cost anywhere from $300 to $500). Sometimes they are even free, as was the case with the NFT-minting spoof discovered by Recorded Future, though in that case there was a catch: a double-cross.
“Remarkably, the threat actor who posted this phishing template for the crypto drainer did not charge other threat actors who wanted to use their tool,” explains Volovik. “This was no act of charity – the crypto drainer was likely designed to defraud other cybercriminals of a share of their illegal earnings.”
In the right social engineering hands, crypto drainers are a potent threat, according to Volovik, who adds that they help usher in a new business model for phishers.
“Designing crypto drainers requires coding skills that phishing specialists may lack,” says Volovik. “As a result, many cybercriminals are developing crypto drainers to sell or rent as components of ready-made phishing packages; this is likely part of a larger trend towards phishing-as-a-service (PhaaS).” And that, he warns, means sophisticated phishing campaigns can scale very quickly.
As cryptocurrency markets mature, it is up to individual services and platforms to keep crypto investors aware of the latest phishing expeditions.
“Exchange platforms/cryptomarkets should probably educate their users about these crypto drainers and how cybercriminals use them,” adds Volovik. “We want to educate the general population to never send payments to unknown entities (a Nigerian prince or otherwise).”
Cryptocurrency cybercrime is booming
Cryptocurrency investors continue to be a major source of income for cybercriminals, with a record $3.8 billion stolen from crypto businesses in 2022 alone, according to new research from Chainalysis.
October 2022 was the biggest month ever for crypto cyberattacks, according to the research firm, with 32 separate attacks and losses totaling $775.7 million.
Much of the crypto-cybercrime boom can be attributed to cyberattacks by North Korean state-sponsored actors, and targets include crypto wallets, token protocols, decentralized finance (DeFi) protocols and other centralized cryptocurrency services.
DeFi platforms accounted for the bulk of the losses, the report found, suffering 82% of cryptocurrency theft for the year. These are protocols that let users trade, lend and borrow cryptocurrencies such as Bitcoin, Ethereum, Solana and others directly through smart contracts, outside of a traditional banking structure. Because DeFi code runs on public blockchains, anyone can inspect it and interact with it; a flaw in a contract can therefore be exploited by anyone who finds it, and the funds it moves are not reversible. That gives cybercriminals access to vast sums that, in the traditional financial system, would sit behind an institution’s controls.
The now-infamous FTX exchange said it was the victim of a cyberattack in November, just hours after filing for bankruptcy, costing it $370 million on top of its already mounting losses. In September, crypto market maker Wintermute lost $160 million from its DeFi operations to an attack it said stemmed from a flaw in a third party’s code. And cybercrime group TA4563 was found last July using the Evilnum backdoor in a campaign targeting DeFi organizations.
Cryptocurrency cybersecurity
Erin Plante, Chainalysis’ vice president of investigations, agrees with Volovik that defending cryptocurrency infrastructure and investors against cybercrime will require a commitment to user education, but she adds that the DeFi platforms and other crypto services also need better internal cybersecurity.
“Cryptocurrency services should invest in security measures and training,” says Plante. “For example, particularly with North Korean-affiliated hackers, sophisticated social engineering tactics that exploit the trust and carelessness of human nature to gain access to corporate networks have long been a favored attack vector.”
Going forward, DeFi platforms should model their cybersecurity efforts on the traditional financial system, the Chainalysis report advised. That means robust code auditing, simulated attacks, monitoring for suspicious activity, and transaction failsafes embedded in the contracts themselves that slow or halt execution when suspicious activity is observed.
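A plain-JavaScript model of the “transaction failsafe” idea in the paragraph above, as an added example (not from the Chainalysis report or any real protocol; in practice this logic lives in the protocol’s smart contract and its off-chain monitoring). It combines three controls that a withdrawal path can apply before moving funds: a per-transaction cap above which a withdrawal is queued behind a delay instead of executing immediately, a rolling-window volume limit, and a circuit breaker that pauses all withdrawals once that limit is exceeded until operators investigate and resume. All thresholds and timestamps are constructed for the demo.

```javascript
// Added example: a withdrawal guard modelling the failsafes the report
// recommends (per-transaction cap with delay, rolling volume limit, and a
// circuit breaker). Not a real contract; thresholds are constructed.

class WithdrawalGuard {
  constructor({ windowMs, maxPerWindow, maxSingle, delayMs }) {
    Object.assign(this, { windowMs, maxPerWindow, maxSingle, delayMs });
    this.ledger = [];     // { at, amount } for withdrawals that were executed or queued
    this.paused = false;  // circuit breaker state
  }

  // Sum of withdrawals accepted inside the sliding window ending at `now`.
  volumeInWindow(now) {
    this.ledger = this.ledger.filter((e) => now - e.at < this.windowMs);
    return this.ledger.reduce((sum, e) => sum + e.amount, 0);
  }

  // Decide what happens to a withdrawal request at time `now` (ms).
  request({ to, amount }, now) {
    if (this.paused) {
      return { status: 'rejected', reason: 'circuit breaker open; awaiting operator review' };
    }
    if (this.volumeInWindow(now) + amount > this.maxPerWindow) {
      // Suspicious burst of outflow: trip the breaker rather than let it through.
      this.paused = true;
      return { status: 'paused', reason: 'rolling withdrawal volume exceeded' };
    }
    this.ledger.push({ at: now, amount });
    if (amount > this.maxSingle) {
      // Large single withdrawal: slow it down so monitoring has time to react.
      return { status: 'queued', to, amount, executeAfter: now + this.delayMs };
    }
    return { status: 'executed', to, amount };
  }

  // Operators call this after investigating what tripped the breaker.
  resume() { this.paused = false; }
}

// Constructed scenario: normal activity, one large withdrawal, then a burst
// that looks like an exploit draining the contract.
function scenario() {
  const guard = new WithdrawalGuard({
    windowMs: 60 * 60 * 1000,  // one hour
    maxPerWindow: 1000,        // units of the protocol's asset
    maxSingle: 300,
    delayMs: 10 * 60 * 1000,   // ten-minute delay for large withdrawals
  });
  const t0 = 1_700_000_000_000;
  const log = [];
  log.push(guard.request({ to: 'user-1', amount: 100 }, t0));
  log.push(guard.request({ to: 'user-2', amount: 400 }, t0 + 1000));
  log.push(guard.request({ to: 'attacker', amount: 900 }, t0 + 2000));
  log.push(guard.request({ to: 'user-3', amount: 10 }, t0 + 3000));
  guard.resume();  // after operators confirm the 900-unit request was an attack
  log.push(guard.request({ to: 'user-3', amount: 10 }, t0 + 4000));
  return log;
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const entry of scenario()) console.log(entry);
}
```

The point of the delay on large withdrawals is not that it stops an exploit by itself, but that it turns an instantaneous loss into a window in which monitoring, an operator, or a governance vote can intervene; the breaker then bounds the damage when the monitoring is too slow.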