A large-scale global phishing campaign targeting cryptocurrency wallets, dubbed FreeDrain, has been exposed by cybersecurity researchers. The operation has been stealing digital assets for years, using various tactics such as SEO manipulation and free-tier web services. Researchers found over 38,000 sub-domains hosting malicious lure pages that mimic legitimate cryptocurrency wallet interfaces. These pages, hosted on platforms like Amazon S3 and Azure Web Apps, trick users into entering their wallet seed phrases, leading to funds being drained within minutes.
FreeDrain’s attackers take advantage of search engine results by manipulating wallet-related queries to direct users to phishing pages. Once users click on malicious ads or results, they are either redirected to fake websites or phishing pages that request seed phrases. The use of familiar visual elements and platform trust on the decoy pages deceives victims into believing they are interacting with legitimate sites.
The attack process is frictionless, combining SEO manipulation with automated infrastructure to quickly drain stolen funds after users submit their seed phrases.
Additionally, FreeDrain’s campaign relies on generative AI tools like OpenAI GPT-4 to produce textual content for its phishing pages. These tactics demonstrate how threat actors have evolved and adapted their strategies by utilizing advanced technology like spamdexing to increase the visibility of their lure pages. The reliance on free-tier platforms for hosting phishing sites makes it challenging to track and dismantle the operation. Despite takedowns, FreeDrain’s infrastructure can quickly rebuild, making it a highly resilient and scalable phishing operation.
In a related development, another phishing operation known as Inferno Drainer has been targeting cryptocurrency users on Discord.
This operation uses Drainer-as-a-Service tools to lure victims into malicious servers and steal funds. Researchers have also uncovered a malvertising campaign on Facebook that impersonates trusted cryptocurrency exchanges, like Binance and Bybit. These multifaceted campaigns reflect a growing trend in cybercrime, where attackers employ increasingly sophisticated and evasive techniques to target cryptocurrency investors.
Reference:
