From Google to X Ads: Tracing the Crypto Wallet Drainer’s $58 Million Trail

Overview

Wallet Drainers have seen tremendous success over the past year. Phishing scammers have used these Drainers through various means such as phishing ads, supply chain attacks, Discord phishing, Twitter spam comments and mentions, Airdrop Phishing, SimSwap attacks, DNS attacks, email phishing, etc., to continuously target ordinary users with phishing attacks, causing a significant loss of assets.

MS Drainer in particular has been used extensively in phishing ads. Scam Sniffer first discovered it in Google search ad phishing; later, it turned up in a set of X phishing ads shared by ZachXBT.

In a recent sampling test of ads in X’s feeds, nearly 60% of the phishing ads were found to be using them.

From March to now, Scam Sniffer has monitored about 10,072 phishing websites using it. By analyzing the on-chain data associated with their phishing addresses, we found that they have stolen nearly $58.98 million from about 63,210 victims over the past nine months.

Google Search Ad Phishing

Scam Sniffer first detected them in March, and the SlowMist team shared their trails with us in early April. Then at the end of April, we spotted them again in Google search ad phishing:

After several friends around us clicked on search ads by mistake and were phished, Scam Sniffer analyzed the situation of malicious Google search ads and found that a fake Radiant ad was using them.

Read more: $4 Million Stolen Due to Google Search Ad Phishing

X Ads

At the end of June, ZachXBT shared with us a group of X phishing ads called “Ordinals Bubbles.”

After analysis, they were all found to be using the same Drainer.

Still There

Recently, Scam Sniffer conducted a simple sampling test of the ads in X’s feeds.

In the test, we found that almost all the ads in our feed were phishing ads.

Out of nine phishing ads, six were found to use the Drainer, accounting for over 60%.

Bypassing Ad Audits

By analyzing these malicious ads, we found that they also used a series of methods to bypass ad audits.

They targeted specific regions, so a visitor from another region might see a benign website when opening the link.

Likewise, the page served when the link is opened directly can differ from the page served when it is reached through the ad link.

All these make the ad audit process much more difficult!

Redirect Deception

At the same time, these phishing ads used redirect deception to make themselves more credible: the ad appears to point at an official domain, but the final destination after the redirect chain is a phishing site.

For example: You might think you clicked on an ad for the official StarkNet website, but you actually entered a phishing site.
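The display-domain check a defender would apply to the StarkNet case above, written as an added example (not Scam Sniffer's code): it walks a captured redirect chain and flags an ad whose final landing host is not the domain the ad displayed, and separately notes when the official-looking domain appears mid-chain as a redirector. Hostnames and hops are constructed placeholders, and the two-label eTLD+1 rule is a simplifying assumption.

```python
from urllib.parse import urlparse

# Constructed sample ads: (domain shown in the ad, redirect hops ending at the
# landing page). All hostnames are placeholders, not real indicators.
SAMPLE_ADS = {
    "ad-1": ("starknet.example", [
        "https://ads-redirect.example/c/CLICK_ID_PLACEHOLDER",
        "https://starknet.example/redirect?to=https://starknet-claim.example",
        "https://starknet-claim.example/airdrop",
    ]),
    "ad-2": ("starknet.example", [
        "https://ads-redirect.example/c/CLICK_ID_PLACEHOLDER",
        "https://starknet.example/",
    ]),
}


def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels). Assumption: a real deployment should
    use the public suffix list so co.uk-style suffixes are handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def trace_ad(displayed: str, hops: list[str]) -> dict:
    """Compare the displayed domain against the final hop of the chain."""
    hosts = [urlparse(h).hostname or "" for h in hops]
    final_host = hosts[-1]
    mismatch = registrable_domain(final_host) != registrable_domain(displayed)
    # The displayed domain showing up before the last hop but not at the end
    # is the open-redirect pattern described in the post.
    official_mid_chain = any(
        registrable_domain(h) == registrable_domain(displayed) for h in hosts[:-1]
    )
    return {
        "displayed": displayed,
        "final_host": final_host,
        "mismatch": mismatch,
        "official_domain_used_as_redirector": mismatch and official_mid_chain,
    }


def suspicious_ads(ads: dict = SAMPLE_ADS) -> list[str]:
    """Names of ads whose landing domain differs from the displayed domain."""
    return [name for name, (shown, hops) in ads.items()
            if trace_ad(shown, hops)["mismatch"]]
```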

Phishing Sites

In the past 9 months, Scam Sniffer has monitored a total of 10,072 phishing sites related to this Drainer.

Looking at the trend, there were several significant peaks in May, June, and November.

Theft Overview

By analyzing the on-chain data of addresses associated with the Drainer, they have stolen approximately $58.98 million from 63,210 victims over the past 9 months.


Top victims:

| Victim | Chain | Total Stolen |
|---|---|---|
| 0x13e382dfe53207e9ce2eeeab330f69da2794179e | ethereum | $24,055,508 |
| 0x5197da90fb01040a1896a92616ecdfb5765b1134 | ethereum | $1,192,307 |
| 0x856cb5c3cbbe9e2e21293a644aa1f9363cee11e8 | arbitrum | $644,720 |
| 0x704f59ccb0b9399b600b462f974aa5cff76ca3ed | ethereum | $549,056 |
| 0xb32659fe74a4ceabadeee1b58ef334d499b8ba26 | ethereum | $444,966 |

The Biggest Victim

This includes the victim 0x13e382dfe53207e9ce2eeeab330f69da2794179e who lost $24 million in September, as Scam Sniffer reported.

About the Drainer

Scam Sniffer found their sales information on a forum. Unlike other Wallet Drainers, which are fully managed and charge a 20% fee, they sell the source code along with additional value-added modules. For example, adding malicious Blur signatures for phishing requires paying extra for that module.

Recently, Scam Sniffer noticed that the developer’s name has changed from pakulichev to Phishlab.

Conclusion

As can be seen, advertising has become an important means for phishing scammers to reach their victims. By targeting specific audiences through Google search terms and the follower base on X, they can select specific targets and run continuous phishing campaigns at very low cost.

Combined with domain spoofing and ad-review bypasses, this leaves users facing a continuous phishing threat. Ad platforms need to strengthen their verification processes to prevent malicious actors from exploiting their services.

As users, we should be extra cautious when seeing advertisements, always be skeptical before signing anything, and always verify whether we might be in the middle of a phishing attempt. Stay safe!

About Scam Sniffer

Scam Sniffer is an anti-scam platform that combines off-chain and on-chain monitoring data to provide real-time anti-scam protection for web3 users.

We’ve helped well-known platforms protect their users and are committed to making web3 secure for the next billion users.
