Overview
In the past month, Scam Sniffer has continued to track a large number of phishing websites targeting Solana users. Our data analysis shows that two main wallet drainers have between them stolen nearly $4.17 million in assets from about 3947 victims.
Rainbow Drainer
Scam Sniffer first became aware of them when a victim reported an airdrop phishing incident to @evilcos. The victim, a holder of ZERO tokens, opened a phishing website linked from an airdropped NFT and lost their assets after signing a malicious transaction.
In a message on the 29th, they referenced our analysis tweet about the address where the stolen funds were consolidated.
Airdrop Phishing
To target ZERO token holders, phishing NFTs were minted with the phishing site placed in the NFT's Name and External Link fields.
The targeted users, holders of ZERO tokens, were airdropped the phishing NFTs.
Curiosity led users to open the phishing website, and even when the wallet showed a message that transaction simulation had failed, they confirmed the transaction anyway. Because the transaction details were hidden, signing it resulted in the theft of their assets.
Theft Statistics
So far, about $2.14 million has been lost, with approximately 2189 victims. The stolen assets include Bonk, ZERO, ANALOS, and others.
Read more: https://dune.com/scam-sniffer/solana-rainbow-drainer
Switching to a New Phishing Campaign
In our most recent review, we also discovered that the name and link of CDUDxighKA88nx1wRmWidvJ4h8MmKZih9PbFuWghqZDx have been updated for a phishing campaign targeting MEMEDROP.
This means they can continue running phishing campaigns without deploying new NFTs: perhaps because the Solana ecosystem currently has no blacklist to suppress the display of such NFTs, an existing NFT can simply be re-pointed at the next campaign, eliminating the need for new deployments.
Self-Hosted Matomo
We have also noticed that they self-host a Matomo analytics instance and track each step of the victim's journey; they are collecting this data to improve conversion rates.
Node Drainer
This drainer also appeared in the Christmas phishing campaign targeting Bonk holders; using the transaction ID posted in their channel, we linked it to the associated on-chain data.
Mandiant’s Twitter Hacked
Node Drainer also appeared in the phishing link used in the Mandiant Twitter account hijacking.
Theft Statistics
They were active for less than two weeks, and so far, about $2.02 million has been lost, with approximately 1759 victims. The main stolen assets include ANALOS, Bonk, SILLY, MOBILE, and others.
Read more: https://dune.com/scam-sniffer/solana-node-drainer
Main Profiteer
One of the main profiteers has already taken over $1 million, mostly bridged to Ethereum via AllBridge.
0x409fea77e184add514d0c49406b239115d2100cf – the USDC was swapped for ETH and transferred onward.
Phishing Signatures
Unlike most thefts on Ethereum, which stem from malicious token approvals, the majority of phishing signatures on Solana are direct transfers. Although Solana supports transaction simulation, we also see anti-simulation techniques and faked simulation results used to confuse users and increase the likelihood that a malicious transaction gets signed.
Is direct transfer the only vector? No: token approval is also part of the SPL Token-2022 standard. Learn more: A Very Necessary Guide to Protection against Phishing on Solana
Conclusion
As you can see, the phenomenon of wallet drainers is continually expanding, and the blockchain is like a dark forest. With just one signature confirmation, you could lose everything, as these scammers are constantly refining their methods of reaching and deceiving victims at every step.
You must stay alert to ensure that you do not become the next victim.
Finally, thanks to @andrewhong5297 and @hildobby_ for their support, as this is the first time we have used Dune to analyze stolen-asset data on Solana.