There’s a trendy new way to con cryptocurrency investors out of the contents of their wallets, no blockchain know-how required.
Threat actors are selling ready-made, spoofed crypto webpages to be served up as phishing lures, loaded with “crypto drainer” scripts that crack wallets and steal the balances in a snap.
In one instance, on a “top-tier Dark Web forum,” according to researchers at Recorded Future, cybercrime group iSeeYou was offering a ready-to-use phishing page that when made live, purports to mint nonfungible tokens (NFTs). Instead, it deploys a crypto drainer that empties an unsuspecting victim’s connected virtual currency wallet. And adding insult to injury, “once crypto wallets are compromised, no safeguards exist to prevent the theft of crypto assets,” the researchers warned.
The gambit is easy to fall for: The phishing lures are certainly convincing, according to the researchers, who added that they convincingly spoof a range of entities, including cryptocurrency exchanges and NFT outlets. The lures often boost their credibility, as was the case in the the iSeeYou campaign, by including access to commonly used third-party services and extensions in the cryptocurrency space, the team said, such as MetaMask.
“The use of legitimate services on crypto drainer phishing pages may increase the likelihood that the phishing page will pass an otherwise savvy user’s ‘scam litmus test,'” according to the report.
The crypto drainer scams were observed in 2022, and Recorded Future raised the alarm in a report this week that they are becoming increasingly popular — so popular, in fact, that Recorded Future recently found 100 phishing pages lurking in the wild, loaded with crypto drainer malware.
“We have observed that Dark Web threat actors are highly interested in this tool,” Ilya Volovik, threat intelligence analyst at Recorded Future, tells Dark Reading.
The interest is largely because the scripts are easy to deploy and cheap to acquire (the firm said crypto drainers can cost anywhere from $300 to $500). Sometimes they’re even free, as was the case with iSeeYou — but there was a double-crossing catch in that case.
“Remarkably, the threat actor who posted this crypto drainer phishing template did not charge other threat actors who wished to make use of their tool,” Volovik explains. “Unremarkably, this was no act of charity — the crypto drainer was likely designed to defraud other cybercriminals of a portion of their illicit earnings.”
In the right social engineering hands, crypto drainers are a potent threat, according to Volovik, who adds that they’re helping to usher in a new business model for phishers.
“Designing crypto drainers requires coding skills that phishing specialists may lack,” Volovik says. “As a result, many cybercriminals develop crypto drainers to sell or rent out as components in ready-to-go phishing packages; this is likely part of a greater trend toward phishing-as-a-service (PhaaS).” And that, he warns, means that advanced phishing campaigns can scale very quickly.
As cryptocurrency markets mature, it’s up to individual services and platforms to keep crypto investors aware of the latest phishing expeditions.
“Exchange platforms/crypto markets should probably provide education to their users about these crypto drainers and how cybercriminals use them,” Volovik adds. “We want to educate the general populace to never send payments to unknown entities (a Nigerian prince or otherwise).”
Cryptocurrency Cybercrime Is Booming
Cryptocurrency investors continue to be a prime source of revenue for cybercriminals, with a record-breaking $3.8 billion stolen from crypto businesses in 2022 alone, according to new research from Chainalysis.
During the month of October, the biggest month ever for crypto cyberattacks according to the research firm, there were 32 separate cryptocurrency attacks, with losses totaling $775.7 million.
Much of the crypto cybercrime boom can be attributed to cyberattacks from North Korean state-backed actors, and the targets include crypto wallets, token protocols, decentralized finance (DeFi) protocols, and other centralized cryptocurrency services.
DeFi platforms are the loss leader, the report found, experiencing 82% of cryptocurrency theft for the year. These are platforms that allow cryptocurrency and government-backed fiat currency investors to make trades. Critically, DeFi platforms support a number of different cryptocurrencies like Bitcoin, Ethereum, Solana, and others, and operate outside of a traditional banking structure. Because DeFi platforms are built on the blockchain, an open source protocol, they present a unique opportunity for cybercriminals to get their hands on vast sums of money that would otherwise be protected by those traditional financial institutions.
The now-notorious FTX claimed it was the victim of a cyberattack in November, just hours after filing bankruptcy, which cost the DeFi platform $370 million on top of its already mounting losses. In September, DeFi platform Wintermute lost $160 million to a cyberattack it said was the result of a partner’s bad code. And cybercrime group TA4563 was found using an Evilnum backdoor last July that allowed it to drain cryptocurrency out of DeFi platforms automatically.
Cybersecurity for Cryptocurrency
Erin Plante, Chainalysis’ vice president of investigations, agrees with Volovik that defending cryptocurrency infrastructure, and investors, against cybercrime will require a commitment to user training, but she adds that the DeFi platforms and other crypto services need better in-house cybersecurity too.
“Cryptocurrency services should invest in security measures and training,” Plante says. “For example, with North Korean-linked hackers in particular, sophisticated social engineering tactics that take advantage of the trusting and carelessness of human nature to gain access to corporate networks has long been a favored attack vector.”
Moving forward, DeFi platforms should model cybersecurity efforts off the traditional finance system, the Chainalysis report advised, adding that robust code auditing practices, simulated attacks, monitoring for suspicious activity, and building in transaction fail-safes to slow down contract execution if suspicious activity is observed.
