A “wallet drainer” has been linked to extensive crypto theft, totaling $58 million stolen from over 63,210 victims over the past nine months. The phishing kit was first detected in March 2023 and has shown up repeatedly in phishing ads on Google search and X ads using clever tactics to bypass ad platform safeguards.
- Wallet drainer used in phishing ads on Google and X.
- Drainer has stolen $58 million from 63K+ victims since March.
- Tactics like regional targeting are used to bypass ad audits.
The wallet drainer was first spotted by the research team Scam Sniffer in Google search ads in March, and was then shared with Scam Sniffer by the blockchain security firm SlowMist Team in April. At the end of April, the drainer reappeared in fake “Radiant” Google search ads.
In late June, crypto investigator ZachXBT shared details on a cluster of X phishing ads called “Ordinals Bubbles,” all of which used the same wallet drainer code. Additionally, Scam Sniffer recently conducted a test of phishing ads in X advertisement feeds and found that over 60% of them contained the wallet drainer.
The Drainer Used Advanced Tactics to Bypass Protections
According to Scam Sniffer’s analysis, the phishing ads used advanced tactics to bypass ad platform protections and vetting processes. Regional targeting ensured that users in non-targeted locations, including ad reviewers, would see a legitimate site, complicating security reviews.
The ads also used redirect deception to make the final phishing site appear to be an official domain rather than a fake clone. Page-switching was also observed: the page reached by a normal click on the link differed from the one shown to the phishing victim.
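The three tactics above can be checked for by fetching the advertised link from several vantage points (different regions, with and without the ad click) and comparing what each one receives. This is an added Python example, not code from Scam Sniffer or the article; it runs on constructed fetch records (a hypothetical `Observation` type) rather than live requests, and all domain names are placeholders.

```python
import hashlib
from dataclasses import dataclass
from urllib.parse import urlparse

@dataclass(frozen=True)
class Observation:
    """One fetch of an advertised link from one vantage point (hypothetical record format)."""
    region: str     # country of the vantage point that made the request
    referrer: str   # "ad" = followed the ad click, "direct" = opened the link normally
    final_url: str  # URL reached after all redirects
    body: bytes     # response body as received

def registrable_domain(url: str) -> str:
    """Crude eTLD+1: keeps the last two labels of the host (sufficient for this check)."""
    labels = (urlparse(url).hostname or "").lower().split(".")
    return ".".join(labels[-2:])

def cloaking_findings(observations, claimed_domain):
    """Compare fetches across regions and referrers; return (indicator, detail) pairs."""
    findings = []
    # 1. Regional targeting: the ad click lands on different sites depending on region.
    ad_landing = {o.region: registrable_domain(o.final_url) for o in observations if o.referrer == "ad"}
    if len(set(ad_landing.values())) > 1:
        findings.append(("regional_targeting", ad_landing))
    # 2. Page switching: within one region, the ad click and a direct visit show different pages.
    for region in sorted({o.region for o in observations}):
        digests = {o.referrer: hashlib.sha256(o.body).hexdigest() for o in observations if o.region == region}
        if "ad" in digests and "direct" in digests and digests["ad"] != digests["direct"]:
            findings.append(("page_switching", region))
    # 3. Redirect deception: the final hop is not on the domain the ad claims to represent.
    for o in observations:
        landed = registrable_domain(o.final_url)
        if landed != claimed_domain:
            findings.append(("redirect_deception", f"{o.region}/{o.referrer} -> {landed}"))
    return findings

# Constructed sample: a reviewer in US sees the real site; a targeted user in DE is
# redirected to a lookalike host whose leading labels mimic the claimed domain.
SAMPLE = [
    Observation("US", "ad", "https://official.example/app", b"<html>real app</html>"),
    Observation("DE", "ad", "https://official.example.connect-wallet.test/claim", b"<html>connect wallet</html>"),
    Observation("DE", "direct", "https://official.example/app", b"<html>real app</html>"),
]

if __name__ == "__main__":
    for indicator, detail in cloaking_findings(SAMPLE, "official.example"):
        print(indicator, detail)
```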
Between March and December, Scam Sniffer tracked over 10,072 phishing websites linked to the wallet drainer addresses. Peaks in activity occurred in May, June, and November 2023.
A review of the drainer wallet addresses shows that around $58.98 million has been stolen from 63,210 victims so far. This makes it one of the most successful phishing campaigns targeting Web3 users uncovered to date.
The continued threat underscores the increasing sophistication of phishing kit developers targeting crypto owners. Ad platforms and wallet developers need to keep improving their safeguards and vetting to counter malicious actors exploiting these channels.