Hackers Stole $59 Million Via Malicious Google and X Ads

Wallet or cryptocurrency drainers have become a significant threat to users. These malicious programs illegally transfer cryptocurrency out of victims’ wallets through a multi-stage playbook: launching a campaign, setting up deceptive websites, prompting wallet connections, interacting with smart contracts, transferring the assets, and obscuring the trail.

For your information, a crypto drainer or cryptocurrency stealer is a type of malicious program designed to steal cryptocurrency from your wallet. They work by tricking you into approving transactions that allow the attacker to transfer your funds away, often without your knowledge or consent.

Anti-scam solutions provider Scam Sniffer has discovered a series of crypto drainer malware attacks stealing approximately $59 million from 63,210 victims by embedding a wallet drainer dubbed MS Drainer in Google search and X (formerly Twitter) ads. The attack campaign leverages malicious ads on Google and X to redirect users to phishing pages.

Unsuspecting users click on the ads linked to common keywords from the DeFi world. These ads can bypass ad audits and use redirect deception, targeting specific regions. Thousands of phishing sites were found using drainers between March 2023 and today, with spikes in activity in May, June, and November.

These sites were promoted in Google Search by exploiting Google’s tracking template. Ads on X were more prevalent, promoting NFT airdrops and new token launches on sites with drainers that steal funds from users’ wallets.

Researchers monitored 10,072 phishing websites and found that 60% of ads on X directed users to malware designed to steal cryptocurrency. MS Drainer is available on a Dark Web forum, and unlike other malware where developers charge a 20% fee, its source code is sold directly to customers.

On December 22, Check Point Research (CPR) published research highlighting an alarming increase in sophisticated phishing attacks targeting various blockchain networks using crypto wallet-draining techniques, targeting Ethereum, Binance Smart Chain, Polygon, Avalanche, and almost 20 other networks.

CPR linked the attacks to Angel Drainer, a group known for its involvement in cyberattacks in the cryptocurrency space. Despite the shutdown of similar groups like Inferno Drainer, which helped steal over $80 million in cryptocurrency, Angel Drainer continues to operate. Attackers create fake airdrops or phishing campaigns, offering free tokens to lure users. They redirect users to a fraudulent website, requiring wallet connections.

Users are lured into interacting with smart contracts designed to steal tokens; without realizing it, they grant the attackers access to their funds, enabling the theft. Attackers then liquidate the stolen assets using mixers or chains of transfers. The Permit extension to ERC-20 tokens lets a token holder approve a spender by signing a message off-chain rather than sending an approval transaction. If a user is tricked into signing such a message, the attacker can obtain the allowance and move the funds without the user ever submitting a transaction to the blockchain.
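The following is an added example, not code from the article or from the researchers it cites, showing the defensive counterpart of the Permit abuse described above: a wallet-side screen for EIP-712 typed-data signing requests of the kind a drainer page sends (a `Permit` message for an ERC-20 token). The function flags the properties a practitioner would check before letting a user sign: a spender the user has never approved before, an unlimited allowance, and a deadline so far in the future that the permit never expires. All addresses, the `KNOWN_SPENDERS` allowlist, and the sample requests are constructed for the example and are not taken from the page.

```javascript
// Added example: screen an eth_signTypedData_v4 request for a risky ERC-20 Permit.
// Assumes the standard EIP-2612 message layout (owner, spender, value, nonce, deadline).

const MAX_UINT256 = (1n << 256n) - 1n;
const THIRTY_DAYS = 30n * 86400n;

// Constructed allowlist: spenders this user has knowingly approved before (hypothetical).
const KNOWN_SPENDERS = new Set([
  "0x1111111111111111111111111111111111111111", // e.g. a DEX router the user already uses
]);

// Returns { isPermit, token, spender, value, findings, risk } for a typed-data request.
// opts.nowSeconds lets callers (and tests) pin the clock.
function screenPermitRequest(typedData, opts = {}) {
  const now = BigInt(opts.nowSeconds ?? Math.floor(Date.now() / 1000));
  const findings = [];
  if (typedData.primaryType !== "Permit") {
    return { isPermit: false, findings, risk: "n/a" };
  }
  const msg = typedData.message;
  const token = typedData.domain && typedData.domain.verifyingContract;
  const spender = String(msg.spender).toLowerCase();
  const value = BigInt(msg.value);
  const deadline = BigInt(msg.deadline);

  // The token being approved is the domain's verifyingContract, which a dapp UI
  // rarely shows; a missing domain means the wallet cannot tell what is approved.
  if (!token) findings.push("no verifyingContract in EIP-712 domain");
  if (!KNOWN_SPENDERS.has(spender)) findings.push("spender is not a previously approved contract");
  if (value === MAX_UINT256) findings.push("unlimited allowance requested");
  if (deadline === MAX_UINT256 || deadline > now + THIRTY_DAYS) {
    findings.push("deadline more than 30 days away; permit effectively never expires");
  }

  const risk = findings.length === 0 ? "low" : findings.length === 1 ? "medium" : "high";
  return { isPermit: true, token, spender, value: value.toString(), findings, risk };
}

const PERMIT_TYPES = {
  EIP712Domain: [
    { name: "name", type: "string" }, { name: "version", type: "string" },
    { name: "chainId", type: "uint256" }, { name: "verifyingContract", type: "address" },
  ],
  Permit: [
    { name: "owner", type: "address" }, { name: "spender", type: "address" },
    { name: "value", type: "uint256" }, { name: "nonce", type: "uint256" },
    { name: "deadline", type: "uint256" },
  ],
};

// Constructed sample of what a drainer-style page would ask the wallet to sign:
// unknown spender, unlimited value, deadline = max uint256.
const SAMPLE_DRAINER_PERMIT = {
  types: PERMIT_TYPES,
  primaryType: "Permit",
  domain: { name: "Example Token", version: "1", chainId: 1,
            verifyingContract: "0x2222222222222222222222222222222222222222" },
  message: {
    owner: "0x3333333333333333333333333333333333333333",
    spender: "0x4444444444444444444444444444444444444444",
    value: MAX_UINT256.toString(),
    nonce: 0,
    deadline: MAX_UINT256.toString(),
  },
};

// Constructed benign sample: known spender, bounded amount, 20-minute deadline.
const SAMPLE_BENIGN_PERMIT = {
  types: PERMIT_TYPES,
  primaryType: "Permit",
  domain: { name: "Example Token", version: "1", chainId: 1,
            verifyingContract: "0x2222222222222222222222222222222222222222" },
  message: {
    owner: "0x3333333333333333333333333333333333333333",
    spender: "0x1111111111111111111111111111111111111111",
    value: (1000n * 10n ** 6n).toString(),
    nonce: 0,
    deadline: String(1700000000 + 1200),
  },
};

for (const req of [SAMPLE_DRAINER_PERMIT, SAMPLE_BENIGN_PERMIT]) {
  const r = screenPermitRequest(req, { nowSeconds: 1700000000 });
  console.log(r.risk, r.findings);
}
```

A wallet that runs this check can refuse to sign, or present a clear warning, instead of the generic "sign message" prompt that makes a Permit look harmless. The same findings are useful on the detection side: an alert on every signed Permit with an unlimited value and a far-future deadline to a spender never seen before is a compact signature for the drainer pattern the article describes.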

CPR and Scam Sniffer recommend that the advertising industry prevent malicious ads from reaching innocent users and urge consumers and users to exercise caution when opening links in online ads.

“Ad platforms need to enhance their verification processes to prevent malicious actors from exploiting their services,” Scam Sniffer noted.