Threat actors targeting crypto wallets for illicit transactions have been in practice for quite some time.
Threat actors have been using Wallet Drainers for such cybercrime activities, which have seen great success in recent years.Â
Several techniques were used for draining, which include phishing ads, supply chain attacks, Airdrop phishing, DNS attacks, and many others. These attacks result in much loss for victims due to crypto wallet stealing.Â
However, one wallet drainer has been used predominantly in over 60% of the phishing ads used by threat actors.
Google Search & Twitter (X) Ad Phishing
According to the reports shared with Cyber Security News, 10,072 phishing sites account for $58.98 million in crypto wallets draining from 63,210 victims. This particular wallet drainer was first detected in March and again at the end of April.
As for Google Ad phishing, many campaigns were spotted that were related to Zapper, Lido, Stargate, Defillama, Orbiter Finance, and Radiant. As of Twitter, the phishing ads were called “Ordinal Bubbles,” and all of them were using the same drainer.
Ad Audit Bypass
To bypass the ad audits of these campaigns, threat actors have been using many methods, such as targeting specific regions, which will display the phishing page only to people from a specific region.
The page that can be seen when opening the link directly will be different from the one that is opened from the ad link.
In addition, redirect deception was also used in which the ad appears to be from the official domain, but the final redirected site is the phishing site.
The biggest victim of these phishing campaigns was a wallet address 0x13e382dfe53207e9ce2eeeab330f69da2794179e, which lost $24 million in September.
Drainer Analysis
The drainer, used in 60% of the phishing campaigns, was sold in a forum and is fully managed with a charge fee of 20%.
The sellers of this drainer share the source code and additional value-added modules to the drainer.
Several features, such as adding a malicious signature for blur for phishing, will cost more and must be purchased from them. The developer of this drainer has been changed from pakulichev to Phishlab.
Furthermore, a complete report about these phishing campaigns and wallet drainers has been published, providing detailed information about the threat actors, the wallet drainers, and others.
It is recommended that users be extra cautious when viewing ads and be vigilant before entering their wallet details on a website.
