“Crypto Drainer” Template Facilitates Tens of Millions of Dollars in Theft

Our previous blog provided an overview of Web3 phishing techniques and tactics, all of which continue to be relevant despite a recent economic downturn in the crypto markets. Today, we offer a deeper dive into a specific category of Web3 phishing pages called “Crypto Drainers” and one of the more prolific actors behind them. We will see how one Crypto Drainer template was responsible for over 2,000 ETH in losses in a short period of time.

Crypto Drainers are phishing pages that lure victims into signing malicious transactions that allow the attacker to siphon their crypto and NFTs. Typically these websites piggyback off of well known or emerging NFT projects. The websites themselves are primarily promoted via spam campaigns on social networks and Discord.

The way most crypto drainers work is relatively straight forward:

• Fake NFT minting pages with an artificial countdown to create urgency.
• Victim connects their wallet to “mint”.
• Check if the victim address owns any valuable NFTs.
• Victim signs transaction(s) to transfer ownership of NFTs.
• Victim sends a transaction to the attacker for the cost of the fake “mint”, but this transaction is not a contract interaction.
• Rinse & repeat.

Let’s dig into a real example:

Here’s the real website for comparison:

When we look at the code under the hood of the malicious site, we find that the whole thing is templated and includes deployment instructions, but more on that later. For now, let’s take a peak at how this thing works.

First we have settings.js which acts as a config file. The comments are not ours, but part of the Crypto Drainer template.

And then we have index.js which includes the code responsible for the actual draining:

We won’t go over the code line by line, but it’s worth highlighting two sections in particular. First, there is this snippet from the spurious mint function, which just sends ETH from the victim to the attacker:

web3.eth.sendTransaction({
            from: walletAddress,
            to: address,
            value: web3.utils.toWei(amount, "ether"),
        })

Remember, minting an NFT is almost always a smart contract interaction, and requires invoking at least one function call. It typically requires additional orchestration beyond transfer of value to invoke a smart contract method, which is completely absent from the code above.

The second snippet we want to highlight is the askNfts() function in the code above:

Looks fishy doesn’t it? We can see how the attackers leverage the Moralis API in order to pull a record of the victim’s NFT ownership and cycle through them one at a time to siphon them off to a smart contract. Not to mention that pretty damning comment:

//this is a SMART CONTRACT address, don't replace or NFTs won't come :)

The role of the smart contract address here is not entirely clear as the source code is not verified and the bytecode analysis is outside of the scope of this post, furthermore this particular page hasn’t claimed any victims so there are no transactions to trace, but it’s noteworthy nonetheless seeing as we have examples of the same exact template moving NFTs to the attacker’s address directly and not an intermediate proxy contract.

In a few moments, we’ll see that we can’t take everything at face value in the world of Crypto Drainers, but for now we continue our investigation by trying out some OSINT searches to see what comes up. It’s clear as day that this is a recycled template that is likely being circulated around, so maybe we can find additional instances of it with a search on GitHub.

We do a search for askMint and come up with a treasure trove of hits:

We see that the same codebase has been employed by several dozen GitHub users and hosted on GitHub Pages:

Each instance targets a different NFT project as well. For example, the GitHub Page above is a fake METAKAMI mint:

Things start heating up as we continue digging through the search results and land on what looks to be the original repo:

Eureka!

But remember when we said that everything is not as it seems in the world of Crypto Drainers? Here’s where things get interesting:

Looks like the old adage “There’s no honor among thieves” holds true especially for cybercrime as we find a GitHub user calling out the first author we found above as a thief that sells backdoored Crypto Drainers!

We follow the link to a Crypto Drainers group on Telegram:

Here we find vendors selling these Crypto Drainer templates as a full service, with full support in English and French:

There’s a demo on YouTube by the way:

And an e-commerce link where you can buy these hosted templates with white-glove service:

Now anyone can be an NFT & crypto thief for the low cost of €1499.99!

Impact & Scope

So how prevalent and how effective are these Crypto Drainers really? Well it depends, as it’s up to the attackers to promote these malicious websites effectively, but considering that this is the template we see used the most in these phishing attacks, it’s safe to say these folks generally do quite well.

While we have many examples of Crypto Drainer websites that appear to have never robbed a single victim, we also have plenty that have resulted in very lucrative hauls for the perpetrators.

For example, we can look at the ETH address associated with mint-moonlanders[.]com which as of this writing has produced over $85k in revenue for the attacker in a 10 day span:

While it’s quite difficult to grasp the full impact of these attacks due to the way stolen ETH and NFT tokens are passed around, we can begin to formulate an educated guess by adding up all the inbound transactions coming into the attackers’ addresses.

For our analysis, we looked at 227 addresses that we collected over the course of the last few weeks.

Here’s what we found:

• The average Crypto Drainer sees 33 inbound transactions between ETH & NFTs.
• Total observable inbound ETH value transferred to these attacker addresses is 695 ETH or approximately $12.5MM at the time of this writing.
• 29.5% of all Crypto Drainers have not claimed a single victim.

And with regards to drained NFTs:

• The average Crypto Drainer has stolen 9 NFTs, but the top 10 most prolific drainers are responsible for 69% of all NFT thefts.
• 61% of Crypto Drainer wallets have not had a single inbound NFT transfer.
• Based on current floor prices, we estimate the value of the stolen NFTs to be 1517 ETH or approximately $27.5MM at the time of this writing.
• The most commonly stolen NFTs are ENS names, which makes sense given that most folks in the NFT space use ENS.
• Among the stolen NFTs we have tracked, 8 are Bored Ape Yacht Club NFTs.

Caveats & Considerations

We want to be explicitly clear that due to the large number of IOCs to sort through for this research, our findings in the section above should be treated as estimates.

Our methodology begins with the detection of this specific template and we parse out the ETH address specified as the payment address by the attacker only at the time of discovery. Because of this, there are a few thoughts worthy of careful consideration:

• It’s possible that the ETH address is a place holder if observed when the template is first deployed.
• Some attackers rotate the ETH address frequently during the course of their spam campaigns to promote these websites, so our view into any particular drainer’s success might be partial.

Furthermore, the addresses we have observed have participated in thousands of blockchain transactions, which required us to develop automation to parse out the data to calculate our estimates. Due to the broad scope, it’s impossible to reconcile all of these transactions manually and in some cases transactions that are unrelated to theft might have been a part of the mix. While it’s unlikely that most seasoned criminals will use the same address for personal transactions and for collecting the proceeds of a Crypto Drainer, we have observed that some of the perpetrators do exactly that. However, we are not able to explicitly exclude this type of activity.

Finally, seeing as this template is largely open source, we can’t in good faith suggest that all of these instances were deployed by the actor behind the Crypto Drainer marketplace that we mentioned above.

Appendix A — Malicious Domains

Appendix B — Ethereum Addresses