Crypto Phishing Scams Drain $300 Million from 320,000 Users
Author: Scam Sniffer
Introduction
Wallet Drainers, a type of malware aimed at cryptocurrency users, have achieved significant “success” over the past year. This software is deployed on phishing websites to trick users into signing malicious transactions, thereby stealing assets from their cryptocurrency wallets. These phishing campaigns continue to target ordinary users in various forms, causing significant financial losses for the many who unwittingly sign malicious transactions.
Theft Statistics
In the past year, Scam Sniffer has monitored these Wallet Drainers stealing nearly 295 million US dollars in assets from about 324,000 victims.
Theft Trends
It is worth mentioning that almost $7 million was stolen on March 11 alone. Most of it was due to fluctuations in USDC rates, as victims encountered phishing websites impersonating Circle. There was also a significant spike in thefts around March 24, when Arbitrum’s Discord was hacked; their airdrop date was also close to that time.
Each peak in theft is associated with group-related events. These could be airdrops or hacking incidents.
Notable Wallet Drainers
Following ZachXBT’s exposure of Monkey Drainer, they announced their departure after being active for 6 months. Venom then took over most of their clientele. Subsequently, MS, Inferno, Angel, and Pink all appeared around March. When Venom stopped its services around April, most phishing gangs switched to other services.
The scale and speed have escalated alarmingly. For instance, Monkey drained $16 million over a span of 6 months, while Inferno Drainer outpaced this significantly, looting $81 million in just 9 months.
Based on a 20% Drainer fee, they profited at least $47 million from selling wallet drainer services.
Wallet Drainers Trends
Analyzing the trends, it is evident that phishing activity has grown continuously. Moreover, whenever a Drainer exits, a new one replaces it; for example, Angel appears to be the replacement after Inferno announced its exit.
How do they initiate phishing activities?
These phishing sites mainly get traffic through several methods:
Hacking Attacks
Official project Discord and Twitter accounts hacked
Attacks on official project frontends or libraries used
Organic Traffic
Airdrops of NFTs or Tokens
Expired Discord links being taken over
Spam mentions and comments on Twitter
Paid Traffic
Google search ads
Twitter ads
Although hacking attacks have a broad impact, the community often reacts promptly, typically within 10-50 minutes. However, airdrops, organic traffic, paid advertising, and taken-over Discord links are much less noticeable.
In addition, there is also more targeted phishing via personal private messages.
Common Phishing Signatures
Different types of assets are targeted with different phishing signature methods; the assets held in the victim’s wallet determine which kind of malicious signature request is initiated. Here are some common phishing signature methods.
From the case of stealing Reward LP tokens using GMX’s signalTransfer, it is clear that they have a very refined approach to exploiting specific assets.
The 13 Most Severe Theft Victims
The above are the victims who have suffered the most from theft, with cumulative losses of $50 million. It can be seen that the main cause is phishing signatures such as Permit, Permit2, Approve, Increase Allowance, etc.
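As an added example (not Scam Sniffer’s code), the following checker flags the approval-style signature requests named above before a wallet signs them: EIP-712 Permit (EIP-2612) and Permit2 PermitSingle typed data, plus approve/increaseAllowance calldata. The allowlist and the sample requests are constructed for illustration; the 30-day deadline threshold is an assumed policy.

```python
# Added example, not the page's or Scam Sniffer's own code: flag risky
# token-approval signature requests (Permit, Permit2, approve, increaseAllowance).
import time

UINT256_MAX = 2**256 - 1
UINT160_MAX = 2**160 - 1          # Permit2 amounts are uint160
# Standard ERC-20 function selectors (first 4 bytes of keccak256 of the signature)
SELECTORS = {"095ea7b3": "approve", "39509351": "increaseAllowance"}
MAX_DEADLINE_SECONDS = 30 * 86400  # assumed policy: flag deadlines > 30 days out


def _risk(spender, amount, unlimited, deadline, allowlist, now):
    findings = []
    if spender.lower() not in {a.lower() for a in allowlist}:
        findings.append("spender not on allowlist")
    if amount >= unlimited:
        findings.append("unlimited allowance")
    if deadline is not None and deadline - now > MAX_DEADLINE_SECONDS:
        findings.append("deadline more than 30 days out")
    return findings


def check_typed_data(typed, allowlist, now=None):
    """Inspect an EIP-712 request: EIP-2612 Permit or Permit2 PermitSingle."""
    now = now if now is not None else int(time.time())
    msg, ptype = typed["message"], typed["primaryType"]
    if ptype == "Permit":  # fields: owner, spender, value, nonce, deadline
        return _risk(msg["spender"], int(msg["value"]), UINT256_MAX,
                     int(msg["deadline"]), allowlist, now)
    if ptype == "PermitSingle":  # fields: details{token,amount,expiration,nonce}, spender
        d = msg["details"]
        return _risk(msg["spender"], int(d["amount"]), UINT160_MAX,
                     int(d["expiration"]), allowlist, now)
    return ["unknown primary type: " + ptype]


def check_calldata(data, allowlist):
    """Inspect transaction calldata for approve(address,uint256) / increaseAllowance."""
    data = data[2:] if data.startswith("0x") else data
    name = SELECTORS.get(data[:8])
    if name is None or len(data) < 8 + 64 + 64:
        return []
    spender = "0x" + data[8 + 24:8 + 64]   # address is right-aligned in a 32-byte word
    amount = int(data[72:136], 16)
    return [name + ": " + f for f in _risk(spender, amount, UINT256_MAX, None, allowlist, 0)]
```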
More Use of Smart Contracts
Multicall
Starting with Inferno, drainers also began to make more use of smart contracts. For example, splitting fees previously required two transactions. This might not be fast enough, leaving the possibility that the victim revokes the authorization before the second transfer. To increase efficiency, they use multicall for a more efficient asset transfer.
CREATE2 & CREATE
Similarly, to bypass some wallet security checks, they also use the create2 or create functions to dynamically generate temporary addresses. This renders the wallet’s blacklist ineffective, and it also complicates phishing research, because the destination of the asset transfer is unknown until you sign, and temporary addresses carry no analytical significance.
This is a significant change from last year.
Phishing Websites
By analyzing the trend in the number of phishing websites, it is evident that phishing activities are gradually increasing every month. This is closely related to the profitable and stable Wallet Drainer services.
The above are the main domain registrars used by these phishing websites. By analyzing the server addresses, it can also be found that most of them utilize services like Cloudflare to hide their actual server addresses.
What Has Scam Sniffer Done?
In the past year, Scam Sniffer has scanned nearly 12 million URLs and discovered almost 145,000 malicious URLs. Scam Sniffer’s open-source blacklist currently contains nearly 100,000 malicious domains, and we continue to push these malicious website domains to platforms like Chainabuse.
Scam Sniffer has also continuously reported on multiple well-known Wallet Drainers and has consistently shared information about significant theft cases on social media platforms to raise awareness and enhance the public’s understanding of phishing threats.
Currently, Scam Sniffer has assisted some well-known platforms in protecting their users and is committed to making web3 secure for the next billion users.
As you can see, crypto phishing involves multiple parties, both crypto and non-crypto platforms. Security requires a collective effort. If you wish to enhance your product’s capabilities in this area, please contact us at b2b@scamsniffer.io.
Finally, thanks to all the supporters of Scam Sniffer! Your support is the motivation that keeps us going.