At PIVOTcon, joint research by Validin and SentinelLABS exposed FreeDrain, an industrial-scale cryptocurrency phishing operation that has been stealthily siphoning digital assets for years.
This sophisticated campaign leverages search engine optimization (SEO) manipulation, free-tier web services, and intricate redirection techniques to target unsuspecting users of cryptocurrency wallets such as Trezor, MetaMask, and Ledger.
Sophisticated Cryptocurrency Phishing Exposed
By exploiting the trust associated with platforms like gitbook.io, webflow.io, and github.io, FreeDrain orchestrates a sprawling network of over 38,000 subdomains hosting lure pages that funnel victims into phishing sites designed to steal sensitive seed phrases.
These phishing pages, often hosted on robust cloud infrastructures like Amazon S3 and Azure Web Apps, mimic legitimate wallet interfaces with alarming precision, making it nearly impossible for users to discern the fraud until their funds are irreversibly drained.
The operational workflow of FreeDrain is deceptively simple yet brutally effective.
Victims typically begin by searching for wallet-related queries on major search engines like Google, Bing, or DuckDuckGo, where malicious results, boosted through SEO tactics like spamdexing and AI-generated content, appear prominently.

Persistent Threat Landscape
Upon clicking these results, users land on lure pages featuring static screenshots of legitimate wallet interfaces, often hosted on trusted free platforms.
These pages redirect victims through a chain of intermediary domains (sometimes up to five hops) before arriving at a phishing site that prompts the entry of seed phrases.

The stolen data is then transmitted via unobfuscated JavaScript POST requests to attacker-controlled endpoints, with funds siphoned off and laundered through cryptocurrency mixers within minutes.
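The lure, redirect chain and POST exfiltration workflow described above, as an added detection example that is not part of the Validin/SentinelLABS research or this article: a Python sketch that walks per-client proxy-log sessions and flags one that starts on a free-tier lure host and reaches a POST to a cloud-hosted phishing host within the observed hop count. The log format, client addresses and hostnames are constructed placeholders, not indicators from the report.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse
# Hosting the report ties to FreeDrain: free-tier lure hosts and cloud phishing hosts.
LURE_SUFFIXES = ("gitbook.io", "webflow.io", "github.io")
PHISH_SUFFIXES = ("azurewebsites.net", "amazonaws.com")  # Azure Web Apps, Amazon S3
MAX_HOPS = 5  # the report observed redirect chains of up to five hops

# Constructed proxy-log lines in a hypothetical "<client> <METHOD> <url>" format; hostnames are placeholders.
SAMPLE_LOG = """\
10.0.0.5 GET https://lure-placeholder.gitbook.io/us
10.0.0.5 GET https://redirect-a.example/r
10.0.0.5 GET https://redirect-b.example/go
10.0.0.5 GET https://wallet-placeholder.azurewebsites.net/
10.0.0.5 POST https://wallet-placeholder.azurewebsites.net/api/submit
10.0.0.9 GET https://docs-placeholder.github.io/
10.0.0.9 POST https://api.example.com/login
"""
LOG_RE = re.compile(r"^(?P<src>\S+) (?P<method>GET|POST) (?P<url>\S+)$")

def on_any(host, suffixes):
    return any(host == s or host.endswith("." + s) for s in suffixes)

def sessions_from(log_text):
    """Group (method, url) per client, in log order."""
    sessions = defaultdict(list)
    for line in log_text.splitlines():
        if m := LOG_RE.match(line.strip()):
            sessions[m["src"]].append((m["method"], m["url"]))
    return sessions

def score_session(events):
    """Alert when a lure host is followed, within MAX_HOPS intermediaries, by a POST to a cloud phishing host."""
    hosts = [(urlparse(u).hostname or "").lower() for _, u in events]
    lure = next((i for i, h in enumerate(hosts) if on_any(h, LURE_SUFFIXES)), None)
    if lure is None:
        return None
    for j in range(lure + 1, len(events)):
        if events[j][0] == "POST" and on_any(hosts[j], PHISH_SUFFIXES):
            chain = [hosts[lure]]  # collapse consecutive requests to the same host
            for h in hosts[lure + 1:j + 1]:
                if h != chain[-1]:
                    chain.append(h)
            hops = len(chain) - 2  # intermediary hosts between lure and phishing page
            if hops <= MAX_HOPS:
                return {"chain": chain, "hops": hops, "exfil_url": events[j][1]}
    return None

def detect(log_text):
    return {src: a for src, ev in sessions_from(log_text).items() if (a := score_session(ev))}
```

Only the 10.0.0.5 session is flagged; the 10.0.0.9 session visits a github.io page but never POSTs to a cloud phishing host, so it is left alone.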
Intriguingly, metadata from GitHub repositories and Webflow publish timestamps strongly indicate that FreeDrain operators are based in the UTC+05:30 timezone (likely India), adhering to a standard 9-to-5 weekday schedule.
Despite documented activity since 2022 and an acceleration in 2024, systemic weaknesses in abuse detection and reporting mechanisms across free-tier platforms have allowed FreeDrain to persist.
According to the SentinelOne report, this operation underscores a critical need for enhanced platform-level defenses, proactive monitoring, and user education to combat such financially motivated cyber threats.
The abuse of legitimate services not only facilitates fraud but also erodes trust, posing reputational and operational risks to these platforms.
Indicators of Compromise (IOCs)
| Category | Sample URLs/Domains |
|---|---|
| Lure Pages | https://metamaskchromextan.gitbook\.io/us, https://auth-ledger-com-cdn.webflow\.io/ |
| Redirect Domains | affanytougees[.]com, causesconighty[.]com |
| Phishing URLs | https://atomicwallet.azurewebsites[.]net/, https://ledger-start-api.azurewebsites[.]net/ |