Pink Drainer steals $3M from multiple hack events including OpenAI CTO, Orbiter Finance


Recently, there have been a large number of Discord and Twitter hacked events, including Evomos, Pika Protocol, OpenAI CTO, and Orbiter Finance.

Hackers send phishing links through Discord accounts they’ve gained access to. Many users have opened malicious websites in error and signed malicious signatures, resulting in the loss of their assets.

ScamSniffer has discovered that all of these hacking incidents are related to a group called Pink Drainer. Through deeper analysis, we found that almost all of the Discord hacks in the past month have been linked to them.

Through the analysis of stolen data on Mainnet, Arbitrum, BNB, Polygon, Optimism, and other chains, we found that the gang has stolen about $3 million in assets and has almost 1,932 victims!

Related Hacks

By analyzing the malicious websites created by Pink Drainer in the past month, we found that many Discord hacks are related to them. For example, Evomos, Starknet ID, LiFi, Cherry Network, Pika Protocol, Orbiter Finance, Flare Network, OpenAI CTO, etc.

EvmosMay 8evmos-claim.orgView
Starknet IDMay 11starknet.pmView
LiFiMay 17lifi.pmView
eth_ben quote tweetMay 26a0k1verse.clubView
Cherry NetworkMay 26cherry.pmView
Pika ProtocolMay 31pikaprotocol.pmView
Orbiter FinanceJune 1orbiter.pmView
Flare NetworkJune 1flarenetwork.netView
OpenAI CTOJune 2chatgpt.buildView

Social Engineering Attacks

How did they manage to gain access to so many projects? Yes, it was through social engineering attacks. Based on interviews with some victims of Discord hacks, they were mostly caused by carefully crafted social engineering attacks that led to Discord token theft.

By impersonating journalists from well-known media outlets such as Decrypto and Cointelegraph and interviewing them. This process usually lasted for 1-3 days but ultimately required KYC authentication, which embedded phishing related to Discord in the final process.

For example, by guiding Discord administrators to open a malicious Carl verification bot and guiding them to add bookmarks containing malicious code.

“Drag Me” actually contains malicious JS code that can steal the user’s Discord Token.

If you follow these steps, the relevant Discord token will be stolen.

For more technical details, please refer to: How Scammer Used Malicious Bookmark to Gain Access to Discords of NFT Projects by SlowMist.

Lasting Longer

After successfully obtaining permissions, hackers will also take a series of measures to make the entire attack process last longer.

  • Remove other administrators
  • Set the malicious account as an administrator
  • The main account conducts violations that lead to being blocked by Discord

And those steps will make it hard to delete these phishing messages from Discord Server and bring a larger impact.

Stolen Stats

By analyzing related data on multiple chains, a total of $3 million has been stolen so far, with about 1,932 victims.

There are $2.43 million on the Mainnet and $350k on Arbitrum.

Learn More:

Pink Drainer

Pink Drainer was first discovered by Taylor Monahan in ScamSniffer’s on-chain monitor bot.

The victim 0xf529127107c91bbf6c141304718491a437fb2f5f lost nearly $320,000 in NFTs such as Otherside Koda x 8, BoredApeYachtClub x 1, MutantApeYachtClub x 1, and Otherdeed x 11.

The address that transferred the victim’s assets was resolved pink-drainer.eth a few hours later, which is why we called Pink Drainer

About Scam Sniffer

Scam Sniffer is an anti-scam platform that combined off-chain and on-chain monitoring data to provide real-time anti-scam protection for web3 users.

We’ve helped well-known platforms protect their users and are committed to making web3 secure for the next billion users.

Recent Articles

Related Stories