  • Crypto drainer steals $59 million from 63k people in Twitter ad push

    Karlston

    • 1 comment
    • 539 views
    • 3 minutes

    Google and Twitter ads are promoting sites containing a cryptocurrency drainer named 'MS Drainer' that has already stolen $59 million from 63,210 victims over the past nine months.

     

    Blockchain threat analysts at ScamSniffer say they discovered over ten thousand phishing websites using the drainer from March 2023 to today, with spikes in activity observed in May, June, and November.

     

    A drainer is a malicious smart contract or, in this case, a complete phishing suite designed to drain funds from a user's cryptocurrency wallet without their consent.

     

    Users are taken to a legitimate-appearing phishing website and tricked into approving malicious contracts, allowing the drainer to automatically perform unauthorized transactions and transfer the victim's money to the attacker's wallet address.
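
A wallet-side check for the approval step described above, as an added example that is not from the article or from ScamSniffer. It assumes the approval is a standard ERC-20 `approve` or `setApprovalForAll` call, which the article does not specify; `inspect_calldata`, `encode` and the addresses are hypothetical, constructed names and values.

```python
# Added example: pre-signing check for token-approval calldata (defensive use).
APPROVE = "095ea7b3"               # selector of ERC-20 approve(address,uint256)
SET_APPROVAL_FOR_ALL = "a22cb465"  # selector of setApprovalForAll(address,bool)
MAX_UINT256 = 2**256 - 1

def inspect_calldata(calldata_hex, trusted_spenders):
    """Return warnings for one transaction's calldata; [] means no approval risk found.

    trusted_spenders is a set of lowercase 0x-prefixed addresses the user already trusts.
    """
    data = calldata_hex.lower()
    if data.startswith("0x"):
        data = data[2:]
    selector, args = data[:8], data[8:]
    if selector not in (APPROVE, SET_APPROVAL_FOR_ALL):
        return []                                # not an approval call
    if len(args) != 128:                         # expect exactly two 32-byte words
        return ["malformed approval calldata"]
    try:
        word1, word2 = int(args[:64], 16), int(args[64:], 16)
    except ValueError:
        return ["malformed approval calldata"]
    if word2 == 0:
        return []                                # allowance 0 / approved=false revokes access
    # The address occupies the low 20 bytes of the first word.
    spender = "0x" + format(word1 & (2**160 - 1), "040x")
    warnings = []
    if spender not in trusted_spenders:
        warnings.append("spender %s is not on the allowlist" % spender)
    if selector == SET_APPROVAL_FOR_ALL:
        warnings.append("grants operator rights over every token in the collection")
    elif word2 == MAX_UINT256:
        warnings.append("unlimited allowance requested")
    return warnings

def encode(selector, spender, value):
    """Build constructed sample calldata for the demo below."""
    return "0x" + selector + spender[2:].rjust(64, "0") + format(value, "064x")

KNOWN = "0x" + "11" * 20     # constructed allowlist entry
UNKNOWN = "0x" + "ab" * 20   # constructed, unlisted spender
TRUSTED = {KNOWN}

if __name__ == "__main__":
    for tx in (encode(APPROVE, UNKNOWN, MAX_UINT256),
               encode(APPROVE, KNOWN, 5000),
               encode(SET_APPROVAL_FOR_ALL, UNKNOWN, 1)):
        print(inspect_calldata(tx, TRUSTED))
```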

     

    The source code for MS Drainer is sold to cybercriminals for $1,500 by a user named 'Pakulichev' or 'PhishLab,' who also charges a 20% fee on any funds stolen with the toolkit. PhishLab also sells extra modules that add new features to the malware, costing between $500 and $1,000.

     


    Post promoting MS Drainer to cybercriminals (ScamSniffer)

     

    According to blockchain data on MS Drainer's activity, one of its Ethereum-chain victims lost $24 million worth of cryptocurrency, while other notable cases involve victims losing between $440,000 and $1.2 million.

    Fraudulent ads on Google and X

    In Google Search, MS Drainer is promoted via malicious ads that are shown for keywords related to DeFi platforms like Zapper, Lido, Stargate, Defillama, Orbiter Finance, and Radiant.

     

    Many of those ads exploit Google Ads' tracking template loophole to make the URL appear as belonging to the spoofed project's official domain. A redirection, though, takes those who click to a phishing site.

     


    Example of the malicious ads on Google Search (ScamSniffer)

     

    On X, better known as Twitter, advertisements for MS Drainer are so abundant that ScamSniffer reports they account for six out of nine phishing ads on their feed.

     

    Notably, many of the scam ads on X are posted from legitimate "verified" accounts that carried the blue tick badge when the ad was shown.

     

    Security researcher MalwareHunterTeam, who has been tracking similar ads, told BleepingComputer they believe the Twitter account holders may have been infected with malware that stole their authentication cookies or passwords, allowing the threat actors to create advertisements from the hacked accounts.

     

    Strangely, the researcher spoke to the owner of an X account advertising a cryptocurrency scam and was told that there was no trace of the ads in their advertising accounts.

     

    On X, the cybercriminals used multiple themes for their ads, including one called "Ordinals Bubbles," which promoted a supposedly limited-edition NFT (non-fungible token) collection featuring various characters encased in bubbles.

     


    'Ordinals Bubbles' ads on X (ScamSniffer)

     

    The ads also promoted NFT airdrops and new token launches on sites that contain the drainer.

     


    Other ads promoting MS Drainer on X (ScamSniffer)

     

    ScamSniffer says one detection bypass method employed by these ads is geofencing, which only targets users from pre-defined regions and redirects the rest to legitimate/innocuous websites.

     


    Landing page changes depending on the visitor's location (ScamSniffer)
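
One way an ad-review or brand-protection team could check for both the display-URL redirect and the geofenced landing page described above, as an added example that is not from the article or from ScamSniffer. It assumes redirect chains were already recorded by the team's own crawler from several vantage regions; `site`, `audit_ad` and all URLs are hypothetical, constructed names and data.

```python
from urllib.parse import urlsplit

def site(url):
    """Last two host labels. Simplification: production code should use the Public Suffix List."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return ".".join(host.split(".")[-2:])

def audit_ad(display_url, chains_by_region):
    """Compare where an ad claims to go with where each vantage point actually landed.

    chains_by_region maps a region label to the ordered list of URLs seen after the click.
    Regions with an empty chain (no observation) are skipped.
    """
    shown = site(display_url)
    landed = {r: site(c[-1]) for r, c in chains_by_region.items() if c}
    return {
        # Regions whose final landing site is not the site shown in the ad.
        "display_mismatch": {r: s for r, s in landed.items() if s != shown},
        # Every distinct landing site seen across regions.
        "landing_sites": sorted(set(landed.values())),
        # True when the same ad lands on different sites depending on region.
        "geo_divergence": len(set(landed.values())) > 1,
    }

# Constructed observations using reserved .example names, not real campaign data.
SAMPLE_DISPLAY = "https://app.defi-project.example/"
SAMPLE_CHAINS = {
    "region-a": ["https://ads.tracker.example/c?id=1",
                 "https://claim.defi-pr0ject.example/airdrop"],
    "region-b": ["https://ads.tracker.example/c?id=1",
                 "https://www.defi-project.example/"],
    "region-c": [],  # crawler got no response from this vantage point
}

if __name__ == "__main__":
    print(audit_ad(SAMPLE_DISPLAY, SAMPLE_CHAINS))
```

An ad that lands on the displayed site from one region and on a different site from another is worth manual review even when the reviewer's own location sees only the innocuous page.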

     

    Cryptocurrency scams have always performed well on X, but with trustworthy, hacked accounts now displaying advertisements promoting malicious sites, we should expect to see these types of attacks become even more successful.

     

    Users should be very cautious when seeing cryptocurrency-related ads and perform due diligence before signing up to new platforms, let alone connecting their wallets.

     
