Check Point Email Security | Blog

The Rise of Phishing Attacks with Crypto Drainers

Written by Jeremy Fuchs | January 3, 2024

A new report by Check Point Research illustrates a concerning rise in advanced phishing attacks that target blockchain networks by using wallet-draining techniques. 

The cryptocurrency community has been alerted to a concerning rise in advanced phishing attacks, as highlighted in a comprehensive report by Check Point Research. These attacks are not limited to a specific blockchain network; instead, they are widespread across various platforms such as Ethereum, Binance Smart Chain, Polygon, and Avalanche.

Unmasking the Angel Drainer: During the investigation, a persistent address associated with the infamous "Angel Drainer" group was revealed. Despite the dismantling of similar groups, Angel Drainer continues in its operations, offering a range of tools and services for illicitly acquiring cryptocurrencies.

The Mechanics of Crypto Drainers: These crypto drainers employ deceptive tactics such as luring victims with fake airdrop campaigns and redirecting them to fraudulent websites that closely resemble legitimate platforms. When users connect their wallets, they inadvertently provide access to their funds, resulting in theft without any further interaction required.

Here’s a more in-depth explanation:

  1. Deceptive Campaigns and Fake Websites: The attackers begin by running fake airdrop campaigns or phishing schemes, spread through social media or email. These campaigns promise free tokens or other incentives and are crafted to look authentic and compelling.
  2. Mimicking Legitimate Websites: Users who take the bait are sent to fraudulent websites designed to resemble genuine token-distribution platforms or wallet interfaces, which makes it very hard to tell the fake site from the real one.
  3. Wallet Connection Requests: On these sites, users are prompted to connect their digital wallets. Presented as identity verification or account authentication needed to claim the tokens, this seemingly harmless step is the foundation for the theft that follows.
  4. Interaction with Malicious Smart Contracts: The decisive moment comes when users are induced to interact with a malicious smart contract, presented as a required step to claim the promised airdrop or reward. Hidden functionality in that contract, once executed, manipulates the security settings of the user's wallet or initiates unauthorized transactions.
  5. Exploiting the ‘Permit’ Function in ERC-20 Tokens: A further technique is abuse of the ‘Permit’ function in ERC-20 tokens. This function lets a token holder authorize a spender, such as a smart contract, to transfer tokens on their behalf. The attackers trick users into signing an off-chain message with their private key, which unknowingly grants the attacker’s address permission to access their tokens. What makes this technique especially insidious is that no on-chain transaction is needed for each approval, so the malicious activity is harder to detect.
  6. Stealthy Asset Transfer and Obfuscation: Once they have access to the wallet, the attackers move the assets out quickly, using cryptocurrency mixers or chains of multiple transfers to obscure the trail and make tracking and recovery difficult.
  7. No Blockchain Trace in Some Cases: Where off-chain signing is involved, as with the ‘Permit’ function, there is no direct trace on the blockchain, which adds a further layer of difficulty to detecting and tracing the fraudulent activity.
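Because a ‘Permit’ signature leaves no on-chain trace, the signing prompt is the one place where a wallet, a browser extension or a cautious user can still catch the request before any tokens move. The following is an added example, not code from the Check Point report or from any wallet vendor: a JavaScript check that inspects the EIP-712 typed-data payload of an `eth_signTypedData_v4` request (the format EIP-2612 Permit uses) and lists the properties that characterize the drainer pattern described in the steps above: an unknown spender, an unlimited allowance, a deadline that never expires, and an owner that is not the connected account. The spender allowlist, the token name, all addresses and the timestamp are constructed sample values.

```javascript
// Added example, not code from the Check Point report: a pre-signature
// inspection of an EIP-712 typed-data request before it is shown to the
// user for signing. Every address, token name and timestamp below is a
// constructed sample value; KNOWN_SPENDERS is a hypothetical allowlist.

const UINT256_MAX = (1n << 256n) - 1n;
const ONE_YEAR_SECONDS = 365n * 24n * 60n * 60n;

// Hypothetical allowlist of spender contracts the user has knowingly
// interacted with before (for example a DEX router). Anything else is flagged.
const KNOWN_SPENDERS = new Set([
  "0x1111111111111111111111111111111111111111",
]);

function normalizeAddress(addr) {
  return String(addr).toLowerCase();
}

// Inspect a typed-data signing request. Returns:
//   isPermit  - true when primaryType is "Permit"
//   findings  - human-readable risk findings (empty array means nothing flagged)
//   allowance - token amount the signature would authorize, as a BigInt
function inspectPermitRequest(typedData, connectedAccount, nowSeconds) {
  const data = typeof typedData === "string" ? JSON.parse(typedData) : typedData;
  const findings = [];

  if (data.primaryType !== "Permit") {
    return { isPermit: false, findings, allowance: 0n };
  }

  const msg = data.message || {};
  const owner = normalizeAddress(msg.owner);
  const spender = normalizeAddress(msg.spender);
  const allowance = BigInt(msg.value);
  const deadline = BigInt(msg.deadline);

  // A Permit is only valid when signed by the token holder named as owner;
  // a mismatch means the site is asking this account to sign for another one.
  if (owner !== normalizeAddress(connectedAccount)) {
    findings.push("owner field does not match the connected account");
  }

  // The spender is the address that gets to move the tokens.
  if (!KNOWN_SPENDERS.has(spender)) {
    findings.push(`spender ${msg.spender} is not a previously used contract`);
  }

  // An allowance of uint256 max lets one signature cover the whole balance.
  if (allowance === UINT256_MAX) {
    findings.push("unlimited allowance (uint256 max)");
  }

  // A very distant deadline keeps the signature usable indefinitely.
  if (deadline === UINT256_MAX || deadline > BigInt(nowSeconds) + ONE_YEAR_SECONDS) {
    findings.push("deadline is more than a year away or never expires");
  }

  // Without verifyingContract the domain does not bind the signature to a token.
  if (!data.domain || !data.domain.verifyingContract) {
    findings.push("domain has no verifyingContract");
  }

  return { isPermit: true, findings, allowance };
}

// Constructed sample: the kind of request a draining site would present.
const SAMPLE_DRAINER_REQUEST = {
  types: {
    EIP712Domain: [
      { name: "name", type: "string" }, { name: "version", type: "string" },
      { name: "chainId", type: "uint256" }, { name: "verifyingContract", type: "address" },
    ],
    Permit: [
      { name: "owner", type: "address" }, { name: "spender", type: "address" },
      { name: "value", type: "uint256" }, { name: "nonce", type: "uint256" },
      { name: "deadline", type: "uint256" },
    ],
  },
  primaryType: "Permit",
  domain: { name: "SampleToken", version: "1", chainId: 1,
            verifyingContract: "0x2222222222222222222222222222222222222222" },
  message: {
    owner: "0xAAAAaaaaAAAAaaaaAAAAaaaaAAAAaaaaAAAAaaaa",
    spender: "0x3333333333333333333333333333333333333333",
    value: UINT256_MAX.toString(),
    nonce: "0",
    deadline: UINT256_MAX.toString(),
  },
};

const SAMPLE_NOW = 1704240000; // constructed timestamp, 3 January 2024 UTC
const CONNECTED = "0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";

// Constructed sample: a bounded permit, 1 token (18 decimals), 30-minute deadline.
const SAMPLE_BENIGN_REQUEST = {
  ...SAMPLE_DRAINER_REQUEST,
  message: {
    ...SAMPLE_DRAINER_REQUEST.message,
    spender: "0x1111111111111111111111111111111111111111",
    value: "1000000000000000000",
    deadline: String(SAMPLE_NOW + 1800),
  },
};

for (const [label, req] of [["drainer", SAMPLE_DRAINER_REQUEST], ["benign", SAMPLE_BENIGN_REQUEST]]) {
  const result = inspectPermitRequest(req, CONNECTED, SAMPLE_NOW);
  console.log(label, result.findings.length ? result.findings : "no findings");
}
```

The check deliberately reads only the typed data, not the website, because the site is designed to look legitimate; the message fields are the one thing the attacker cannot disguise, since they are exactly what the token contract will later enforce. A wallet that surfaces these findings in its signing dialog turns the step the drainer relies on into the step where the user is most likely to refuse.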


Conclusion: The threat of phishing attacks in the cryptocurrency domain is significant and ever-evolving. The report urges the community to stay informed and cautious, emphasizing the need for collective efforts towards building a secure environment for digital assets.