Navigating the Perilous Waters of Crypto Phishing Attacks

By Oded Vanunu, Dikla Barda, Roman Zaikin

Key Highlights:

· Check Point Research Unveils Rise in Sophisticated Crypto Phishing: An investigation reveals an alarming increase in advanced phishing schemes targeting a variety of blockchain networks, employing wallet-draining techniques.

· Persistence of Threat Groups: Despite the takedown of groups like Inferno Drainer, groups like Angel Drainer continue their activities, offering scam-as-a-service for wallet draining.

· Critical Importance of User Vigilance and Security Measures: The report emphasizes the need for robust security protocols and user awareness to prevent wallet thefts in the crypto space.

The Rising Threat of Phishing Attacks with Crypto Drainers

In a detailed report by Check Point Research, the cryptocurrency community is warned about a growing trend in sophisticated phishing attacks. These attacks are not confined to a single blockchain network; they are prevalent across numerous platforms including Ethereum, Binance Smart Chain, Polygon, and Avalanche.

Unmasking the Angel Drainer: The investigation uncovers a recurring address linked to the notorious “Angel Drainer” group. Despite the shutdown of similar groups, Angel Drainer continues to thrive, providing tools and services for cryptocurrency theft.

The Mechanics of Crypto Drainers: These drainers operate through deceptive tactics like fake airdrop campaigns, directing victims to counterfeit websites that mimic genuine platforms. Once users connect their wallets, they unknowingly grant access to their funds, leading to theft without further interaction.

The mechanics of crypto drainers, as detailed in the Check Point Research report, involve a sophisticated and multi-layered approach to illicitly transfer cryptocurrency from victims’ wallets.

Here’s a more in-depth explanation:

1. Deceptive Campaigns and Fake Websites: The process often begins with malicious actors creating fake airdrop campaigns or phishing schemes. These are usually promoted on social media or via email, offering free tokens or other incentives to lure users. The attackers design these campaigns to appear legitimate and convincing.

2. Mimicking Legitimate Websites: Users who respond to these campaigns are directed to fraudulent websites. These websites are carefully crafted to mimic genuine token distribution platforms or wallet interfaces, making it difficult for users to distinguish them from the real ones.

3. Wallet Connection Requests: Once on these deceptive sites, users are prompted to connect their digital wallets. This step is crucial for the attackers, as it lays the groundwork for the subsequent theft. The connection request appears harmless, often under the guise of verifying the user’s identity or account to proceed with the token claim.

6. Interaction with Malicious Smart Contracts: The most critical phase involves the user being induced to interact with a malicious smart contract. This interaction is often disguised as part of the process to claim the promised airdrop or benefit. The smart contract contains hidden functions that, when executed, alter the security settings of the user’s wallet or directly initiate unauthorized transactions.
7. Exploiting the ‘Permit’ Function in ERC-20 Tokens: A specific method used by these drainers is the manipulation of the ‘Permit’ function in ERC-20 tokens. This function allows token holders to approve a spender (like a smart contract) to transfer tokens on their behalf. The attackers trick users into signing a message off-chain with their private key, setting up the allowance for the attacker’s address. This technique is insidious because it doesn’t require an on-chain transaction for each approval, making the malicious activity less noticeable.
8. Stealthy Asset Transfer and Obfuscation: After gaining access, the attackers then transfer assets out of the user’s wallet. They employ techniques like using cryptocurrency mixers or initiating multiple transfers to obscure the trail of the stolen assets, making it challenging to trace and recover them.

7. No Blockchain Trace in Some Cases: In the case of off-chain signing, like with the ‘Permit’ function, there is no direct trace left on the blockchain, as the approval and transaction initiation happens off-chain. This makes it even more challenging to detect and trace the fraudulent activities.

Understanding these mechanics is crucial for users and platforms in the cryptocurrency space to develop and implement effective security measures. It highlights the importance of being cautious with wallet connections, verifying smart contract details, and being skeptical of too-good-to-be-true offers, especially those requiring wallet interactions or approvals.

Safeguarding Your Assets: The report stresses the importance of user vigilance and technological safeguards. It advises skepticism towards unsolicited airdrop claims, understanding the implications of approving transactions, verifying smart contracts, and employing hardware wallets for enhanced security.

Conclusion: The threat of phishing attacks in the cryptocurrency domain is significant and ever-evolving. The report urges the community to stay informed and cautious, emphasizing the need for collective efforts towards building a secure environment for digital assets.

The Threat Intel Blockchain system, developed by Check Point, continues to accumulate valuable information on emerging threats, and this intelligence will be shared in the future. In this collaborative effort, we aim to empower investors with the knowledge needed to navigate the crypto space securely and protect themselves from potential pitfalls. For more information contact us at: blockchain@checkpoint.com

Read the full research at the CP<R> blog