Written by: BlockSec
Drainer: Phishing methods have been upgraded, and five popular projects have become new targets of attack
Recently, more and more hackers have begun using Drainer toolkits for Web3 phishing. Their phishing websites automatically prompt visitors to connect a wallet, read the wallet's valuable token holdings, and generate phishing transactions for the victim to sign. At first, hackers spread these phishing websites directly on social media platforms; as Web3 users became more vigilant, that approach stopped paying off, so hackers turned to compromising popular projects and exploiting their traffic and the trust users place in them. By taking over the Discord servers, Twitter accounts, official websites, software supply chains, and email databases of well-known projects, they have caused many users significant losses.
To increase understanding of the tactics used by hackers, we have summarized several Drainer-related hacking incidents in the table below:
Hackers attack Discord server
On May 31, 2023, Pika Protocol's Discord server was hacked. Pink Drainer posted a phishing website containing malicious JavaScript snippets in the project's official Discord group. The page induced Discord server administrators to open it and complete actions such as clicking buttons or adding bookmarks, which executed the malicious code and stole the administrators' Discord tokens. During the same period, several other popular Web3 projects suffered similar attacks.
For case details, please see 🔗: https://www.secureblink.com/cyber-security-news/3-million-crypto-stolen-by-pink-drainer-exploiting-discord-and-twitter
Hackers hack Twitter accounts
On May 26, 2023, Steve Aoki's Twitter account was hacked, resulting in a loss of $170,000 for cryptocurrency investors. An investigation of the transactions related to the phishing account found that the losses from the Twitter account hack were tied to Pink Drainer and that the takeover was carried out through a SIM swap attack. In a SIM swap attack, hackers use social engineering (usually armed with the victim's personal information) to trick the telecommunications company into transferring the victim's phone number to a SIM card the hacker controls. Once that succeeds, the hacker can take control of the victim's Twitter account. Similar incidents have also occurred on the Twitter accounts of OpenAI CTO Slingshot and Vitalik Buterin, and both are closely related to Pink Drainer.
For case details, please see: https://www.bitdefender.com/blog/hotforsecurity/hacked-djs-twitter-account-costs-cryptocurrency-investors-170-000/
Hackers attack official website
On October 6, 2023, Galxe's official website was redirected to a phishing website, causing victims losses of $270,000. According to the official explanation, an unidentified hacker posing as a Galxe representative reset the login credentials by providing false documents to the domain name service provider, bypassed Galxe's security procedures, and gained unauthorized access to the domain name account. The transaction records of the victims' accounts show that the initiator of this incident was Angel Drainer. Balancer and Frax Finance have also been hit by similar attacks from Angel Drainer.
For case details, please see 🔗: https://www.secureblink.com/cyber-security-news/3-million-crypto-stolen-by-pink-drainer-exploiting-discord-and-twitter
Hackers attack software supply chains
On December 14, 2023, Ledger Connect Kit, a JavaScript library that websites use to connect to wallets, was found to have been tampered with. The compromise began when a former Ledger employee was targeted by a phishing website, which allowed hackers to upload malicious files to Ledger's package on the NPMJS repository. From there, the hackers were able to inject malicious scripts into the popular cryptocurrency websites that load the library, and visitors to those sites were prompted to sign phishing transactions that sent funds to the phishing accounts. At the time of writing, users had lost more than $600,000 across various cryptocurrency platforms, including SushiSwap and Revoke.cash. The transaction records of the phishing account show that the initiator of this incident was again Angel Drainer.
For case details, please see: https://www.ledger.com/blog/a-letter-from-ledger-chairman-ceo-pascal-gauthier-regarding-ledger-connect-kit-exploit
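The Ledger Connect Kit case above turns on a single malicious release reaching sites automatically. The following is an added example (not code from BlockSec or Ledger) showing the two npm settings a defender can audit so that a tampered release cannot arrive silently: floating version ranges in package.json, and lockfile entries without a `resolved` URL and `integrity` hash. The package names, registry URLs and hashes are constructed placeholders, not real packages.

```javascript
// Added example, not code from BlockSec or Ledger: audit an npm manifest and
// lockfile for the two settings that let a compromised library release
// arrive silently. Package names, URLs and hashes below are constructed.
//
//  1. package.json: a range such as "^1.1.0" or "latest" lets the next
//     `npm install` pull a newer release; an exact version does not.
//  2. package-lock.json (lockfileVersion 2/3): each entry should carry a
//     `resolved` URL and an `integrity` hash, so `npm ci` rejects a tarball
//     whose bytes differ from what was reviewed.

const EXACT_VERSION = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

function auditManifest(pkg) {
  const findings = [];
  for (const section of ['dependencies', 'devDependencies']) {
    for (const [name, spec] of Object.entries(pkg[section] || {})) {
      if (!EXACT_VERSION.test(spec)) {
        findings.push({ name, problem: `not pinned: "${spec}" in ${section}` });
      }
    }
  }
  return findings;
}

function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // root project entry, no tarball to verify
    const name = path.replace(/^.*node_modules\//, '');
    if (!entry.resolved) findings.push({ name, problem: 'no resolved URL' });
    if (!entry.integrity) findings.push({ name, problem: 'no integrity hash' });
  }
  return findings;
}

function audit(pkg, lock) {
  return [...auditManifest(pkg), ...auditLockfile(lock)];
}

// Weak setup (constructed): floating range plus a lock entry without a hash.
const weakPackageJson = {
  name: 'dapp-frontend',
  dependencies: {
    '@example/wallet-connect-kit': '^1.1.0', // any 1.x.y satisfies this
    ethers: '5.7.2',
  },
};
const weakLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'dapp-frontend' },
    'node_modules/@example/wallet-connect-kit': {
      version: '1.1.0',
      resolved: 'https://registry.example.test/wallet-connect-kit-1.1.0.tgz',
      // integrity deliberately absent
    },
    'node_modules/ethers': {
      version: '5.7.2',
      resolved: 'https://registry.example.test/ethers-5.7.2.tgz',
      integrity: 'sha512-PLACEHOLDER_HASH==',
    },
  },
};

// Hardened setup (constructed): exact version and a complete lock entry.
const hardenedPackageJson = {
  name: 'dapp-frontend',
  dependencies: { '@example/wallet-connect-kit': '1.1.0', ethers: '5.7.2' },
};
const hardenedLock = {
  lockfileVersion: 3,
  packages: {
    ...weakLock.packages,
    'node_modules/@example/wallet-connect-kit': {
      ...weakLock.packages['node_modules/@example/wallet-connect-kit'],
      integrity: 'sha512-PLACEHOLDER_HASH==',
    },
  },
};

console.log('weak:', audit(weakPackageJson, weakLock));
console.log('hardened:', audit(hardenedPackageJson, hardenedLock));
```

Pinning and integrity hashes only help if the build uses the lockfile as the source of truth, so run `npm ci` rather than `npm install` in CI, and treat any change to a lock entry's `integrity` as a diff that needs review.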
Hacker attacks Email database
On January 23, 2024, the email marketing service MailerLite was hacked in a social engineering attack, resulting in a large number of emails containing malicious links supplied by Pink Drainer being sent from the official accounts of WalletConnect, Token Terminal, and De.Fi. The attack began when a team member clicked on an image that linked to a fake Google login page, giving the hacker access to MailerLite's internal management panel. The hacker then used the panel to reset the password of a specific user, leaking that customer's email database and allowing the phishing email to be spread widely.
For case details, please see:
🔗 https://cointelegraph.com/news/mailerlite-confirms-hack-crypto-phishing-email-3m-attacks
Summary: Understand the Drainer playbook and deal effectively with Web3 phishing risks
Drainer developers keep designing new ways to break into well-known projects and use those projects' traffic to spread phishing websites. We will remain vigilant against these routines and continue to monitor the phishing accounts and transactions related to them. At the same time, users must carefully check the details of every transaction before signing or performing any operation!
This article aims to help users understand how hackers attack projects, so as to effectively deal with Web3-related phishing risks and avoid being harmed by Drainer phishing transactions.
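The summary above asks users to check transaction details before signing. The following is an added example (not BlockSec's code) of what such a check can look like in code: it decodes the calldata of a pending transaction and flags the shapes a phishing transaction commonly relies on, namely token approvals to an address the user has never dealt with, unlimited ERC-20 allowances, blanket ERC-721/ERC-1155 approvals, and outright transfers. That these are the patterns worth flagging is the example's own assumption, not a claim from the article. The four selectors are the standard ERC-20/ERC-721 ones; all addresses and calldata are constructed placeholders.

```javascript
// Added example, not BlockSec's code: review a transaction a wallet is about
// to sign and flag the calldata shapes a phishing transaction usually relies
// on. Selectors are the first four bytes of keccak256 of the signature and
// are the standard ERC-20/ERC-721 ones; addresses and calldata are constructed.

const SELECTORS = {
  '0x095ea7b3': 'approve(address,uint256)',
  '0xa22cb465': 'setApprovalForAll(address,bool)',
  '0xa9059cbb': 'transfer(address,uint256)',
  '0x23b872dd': 'transferFrom(address,address,uint256)',
};
const MAX_UINT256 = (1n << 256n) - 1n;

// ABI-encoded arguments are consecutive 32-byte words after the 4-byte selector.
const word = (data, i) => data.slice(10 + 64 * i, 10 + 64 * (i + 1));
const asAddress = (w) => '0x' + w.slice(24);
const asUint = (w) => BigInt('0x' + w);

function reviewTransaction(tx, trustedSpenders = []) {
  const trusted = new Set(trustedSpenders.map((a) => a.toLowerCase()));
  const data = (tx.data || '0x').toLowerCase();
  const warnings = [];

  if (BigInt(tx.value || 0) > 0n) {
    warnings.push({ kind: 'native-transfer', detail: `${tx.value} wei to ${tx.to}` });
  }
  if (data.length < 10) return warnings; // plain value transfer or empty call

  const selector = data.slice(0, 10);
  const sig = SELECTORS[selector];
  if (!sig) {
    warnings.push({ kind: 'unknown-call', detail: `selector ${selector} on ${tx.to}` });
    return warnings;
  }

  switch (sig) {
    case 'approve(address,uint256)': {
      const spender = asAddress(word(data, 0));
      const amount = asUint(word(data, 1));
      if (amount === MAX_UINT256) warnings.push({ kind: 'unlimited-allowance', detail: spender });
      if (!trusted.has(spender)) warnings.push({ kind: 'untrusted-spender', detail: spender });
      break;
    }
    case 'setApprovalForAll(address,bool)': {
      const operator = asAddress(word(data, 0));
      const approved = asUint(word(data, 1)) !== 0n;
      if (approved && !trusted.has(operator)) {
        warnings.push({ kind: 'blanket-nft-approval', detail: operator });
      }
      break;
    }
    case 'transfer(address,uint256)':
      warnings.push({ kind: 'token-transfer', detail: `${asUint(word(data, 1))} units to ${asAddress(word(data, 0))}` });
      break;
    case 'transferFrom(address,address,uint256)':
      warnings.push({ kind: 'token-transfer', detail: `${asUint(word(data, 2))} units from ${asAddress(word(data, 0))} to ${asAddress(word(data, 1))}` });
      break;
  }
  return warnings;
}

// Constructed sample: a drainer-style request for an unlimited allowance to an
// address the user has never interacted with, beside a limited approval to a
// spender the user already trusts.
const pad = (hex) => hex.replace(/^0x/, '').padStart(64, '0');
const TOKEN = '0x' + 'aa'.repeat(20);   // placeholder token contract
const ROUTER = '0x' + 'bb'.repeat(20);  // placeholder spender the user trusts
const UNKNOWN = '0x' + 'cc'.repeat(20); // placeholder phishing address

const phishingTx = {
  to: TOKEN,
  value: '0',
  data: '0x095ea7b3' + pad(UNKNOWN) + pad(MAX_UINT256.toString(16)),
};
const benignTx = {
  to: TOKEN,
  value: '0',
  data: '0x095ea7b3' + pad(ROUTER) + pad((1000n * 10n ** 18n).toString(16)),
};

console.log('phishing:', reviewTransaction(phishingTx, [ROUTER]));
console.log('benign:', reviewTransaction(benignTx, [ROUTER]));
```

The trusted-spender list is the part a user or wallet has to maintain; everything else is mechanical decoding, which is why a warning on an unknown spender combined with an unlimited amount is a strong signal even without knowing anything about the website that produced the request.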