Scam Sniffer 2023: Crypto Phishing Scams Drain $300 Million from 320,000 Users

Over the past year, phishing activity has increased steadily month over month, with phishing scammers employing more sophisticated tactics to evade security measures. Scam Sniffer's findings on “Wallet Drainers” warrant the industry's full attention.

Introduction

Wallet Drainers, a type of malware targeting cryptocurrency users, have achieved significant “success” over the past year. This software is deployed on phishing websites to trick users into signing malicious transactions, thereby stealing assets from their cryptocurrency wallets. These phishing campaigns continue to attack ordinary users in various forms, leading to significant financial losses for many who unwittingly sign malicious transactions.

Theft Statistics

In the past year, Scam Sniffer has monitored these Wallet Drainers stealing nearly 295 million US dollars in assets from about 324,000 victims.

Theft Trends

It is worth mentioning that almost $7 million was stolen on March 11 alone. Most of it was due to fluctuations in the USDC rate, as victims encountered phishing websites impersonating Circle. There were also significant thefts around March 24, when Arbitrum's Discord was hacked; Arbitrum's airdrop date was also close to that time.

Each peak in theft coincides with a large-scale community event, such as an airdrop or a hacking incident.

Notable Wallet Drainers

| Drainer         | Total Stolen | Victims | Start Date    |
|-----------------|--------------|---------|---------------|
| Inferno Drainer | $81 million  | 134k    | March 2023    |
| MS Drainer      | $59 million  | 63k     | March 2023    |
| Angel Drainer   | $20 million  | 30k     | March 2023    |
| Monkey Drainer  | $16 million  | 18k     | August 2022   |
| Venom Drainer   | $27 million  | 15k     | January 2023  |
| Pink Drainer    | $18 million  | 9k      | March 2023    |
| Pussy Drainer   | $15 million  | 4k      | January 2023  |

Following ZachXBT’s exposure of Monkey Drainer, they announced their departure after being active for 6 months. Venom then took over most of their clientele. Subsequently, MS, Inferno, Angel, and Pink all appeared around March. As Venom stopped services around April, most phishing gangs turned to using other services.

The scale and speed have escalated alarmingly. For instance, Monkey Drainer drained $16 million over a span of 6 months, while Inferno Drainer outpaced this significantly, looting $81 million in just 9 months.

Based on a 20% Drainer fee, the Drainer operators profited at least $47 million from selling wallet drainer services.

Wallet Drainers Trends

Analyzing the trends, it is evident that phishing activity has been growing continuously. Moreover, whenever a Drainer exits, a new one replaces it; for example, Angel appears to be the replacement after Inferno announced its exit.

How do they initiate phishing activities?

These phishing sites mainly get traffic through several methods:

  • Hacking Attacks
    • Official project Discord and Twitter accounts hacked
    • Attacks on official project frontends or libraries used
  • Organic Traffic
    • Airdrops of NFTs or Tokens
    • Expired Discord links being taken over
    • Spam mentions and comments on Twitter
  • Paid Traffic
    • Google search ads
    • Twitter ads

Although hacking attacks have a broad impact, the community often reacts promptly, typically within 10-50 minutes. However, airdrops, organic traffic, paid advertising, and taken-over Discord links are much less noticeable.

In addition, there is more targeted phishing via personal private messages.

Common Phishing Signatures

Different types of assets are targeted with different phishing signature methods: the assets held in the victim's wallet determine which malicious signature the phishing site requests. Here are some common phishing signature methods.

From the case of stealing Reward LP tokens using GMX's signalTransfer, it is clear that they have a very refined approach to exploiting specific assets.

The 13 Most Severe Theft Victims

| Victim                                     | Total Stolen | Phishing Signature    |
|--------------------------------------------|--------------|-----------------------|
| 0x13e382dfe53207e9ce2eeeab330f69da2794179e | $24.05m      | Increase Allowance    |
| 0xea69653e6dd19789ac15ce5752547a94da8dd4cf | $4.47m       | Increase Approval     |
| 0x82287cdda3d1b5d26d49ce03280d07b86d54fe54 | $4.08m       | ERC20 Permit          |
| 0xf6b6f07862a02c85628b3a9688beae07fea9c863 | $3.83m       | Approve               |
| 0x1963ad313f41044a9a48397f31d21bc6a3b4c643 | $3.22m       | Approve               |
| 0x36b793f774aa4657109e11a2b47f758dabee7b42 | $2.29m       | ERC20 Permit          |
| 0xfab576ff46bd27b095a4eee4a293ecb0c41d5a85 | $2.25m       | Approve               |
| 0xdbecdbd53ff10183a0f9ddfb4eab1e52e806a4b3 | $1.49m       | ERC20 Permit, Approve |
| 0xc0819e1e01204bcb9cb5a0a3be826afedad6edef | $1.28m       | Uniswap Permit2       |
| 0xc53f38ae0b009bea9c96fd32767f4e4cbf10ffb6 | $1.24m       | ERC20 Permit          |
| 0x5197da90fb01040a1896a92616ecdfb5765b1134 | $1.19m       | Approve               |
| 0x5242dc2114bb40ed7482adcfab07384d069408cc | $1.04m       | ERC20 Permit          |
| 0x0e7a6b3b5ee4a1228a0334fa8170347a31538c49 | $1.03m       | ClaimRewards          |

The above are the victims who have suffered the most from theft, with cumulative losses of $50 million. The main causes are phishing signatures such as Permit, Permit2, Approve and Increase Allowance.
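The signature categories in the section above and in the victims list map directly onto what a wallet sees before the user signs. As an added example, not Scam Sniffer's code, here is a wallet-side pre-signature check that classifies a request into those categories and rates it; the risk levels, the `knownSpenders` set and the sample calldata are assumptions constructed for the example, while the selectors are the standard ERC-20/ERC-721 ones.

```javascript
// Added example (not Scam Sniffer's code): a wallet-side pre-signature check that maps
// a signing request onto this report's phishing-signature categories and flags risky ones.
const MAX_UINT256 = (1n << 256n) - 1n; // "unlimited" ERC-20 allowance
const MAX_UINT160 = (1n << 160n) - 1n; // Permit2 amounts are uint160
// Standard ERC-20/ERC-721 selectors (first 4 bytes of keccak256 of the signature).
const APPROVAL_SELECTORS = {
  "0x095ea7b3": "Approve",              // approve(address,uint256)
  "0x39509351": "Increase Allowance",   // increaseAllowance(address,uint256)
  "0xa22cb465": "Set Approval For All", // setApprovalForAll(address,bool)
};
// eth_sendTransaction calldata: spender is the low 20 bytes of ABI word 0,
// amount (or the bool for setApprovalForAll) is ABI word 1.
function classifyTransaction(tx) {
  const data = (tx.data || "").toLowerCase();
  const kind = APPROVAL_SELECTORS[data.slice(0, 10)];
  if (!kind || data.length < 138) return { kind: "other", spender: null, unlimited: false };
  const spender = "0x" + data.slice(34, 74);
  const amount = BigInt("0x" + data.slice(74, 138));
  const unlimited = kind === "Set Approval For All" ? amount === 1n : amount === MAX_UINT256;
  return { kind, spender, unlimited };
}
// eth_signTypedData_v4 requests: EIP-2612 Permit or Uniswap Permit2. These are
// off-chain signatures, so the user never sees a transaction at all.
function classifyTypedData(typed) {
  const m = typed.message;
  switch (typed.primaryType) {
    case "Permit":       // EIP-2612: { owner, spender, value, nonce, deadline }
      return { kind: "ERC20 Permit", spender: m.spender.toLowerCase(),
               unlimited: BigInt(m.value) === MAX_UINT256 };
    case "PermitSingle": // Permit2: { details: { token, amount, expiration, nonce }, spender, sigDeadline }
      return { kind: "Uniswap Permit2", spender: m.spender.toLowerCase(),
               unlimited: BigInt(m.details.amount) === MAX_UINT160 };
    case "PermitBatch":  // Permit2 batch: details is an array of the struct above
      return { kind: "Uniswap Permit2", spender: m.spender.toLowerCase(),
               unlimited: m.details.some((d) => BigInt(d.amount) === MAX_UINT160) };
    default:
      return { kind: "other", spender: null, unlimited: false };
  }
}
// Approval-type signatures to a spender outside the wallet's known-contract set
// are "high"; an unlimited amount to such a spender is "critical" (assumed policy).
function assessRisk(result, knownSpenders) {
  if (result.kind === "other") return "none";
  if (knownSpenders.has(result.spender)) return "low";
  return result.unlimited ? "critical" : "high";
}
// Constructed sample: approve(<unknown spender>, MAX_UINT256), the shape a drainer site requests.
const SAMPLE_APPROVE_TX = { data: "0x095ea7b3" + "0".repeat(24) + "ab".repeat(20) + "f".repeat(64) };
console.log(assessRisk(classifyTransaction(SAMPLE_APPROVE_TX), new Set())); // critical
```

A real wallet would seed `knownSpenders` from a curated contract list and still show the decoded spender and amount, since a finite approval to an unknown address is the pattern behind most entries in the victims list.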

More Use of Smart Contracts

Multicall

Starting with Inferno, drainers also began to make more use of smart contracts. For example, splitting the Drainer fee previously required two transactions. This was not always fast enough, leaving the possibility that the victim revoked the authorization before the second transfer. To increase efficiency, they now use multicall to batch the asset transfers into a single transaction.

CREATE2 & CREATE

Similarly, to bypass some wallet security checks, they also use the create2 or create functions to dynamically generate temporary addresses. This defeats the wallet's blacklist, since the receiving address has never been seen before, and it also complicates phishing research: the asset transfer destination is unknown until you sign, and temporary addresses carry no analytical significance.

This is a significant change from last year.

Read More: Wallet Drainers Starts Using Create2 Bypass Wallet Security Alert

Phishing Websites

By analyzing the trend in the number of phishing websites, it is evident that phishing activities are gradually increasing every month. This is closely related to the profitable and stable Wallet Drainer services.

The above are the main domain registrars used by these phishing websites. By analyzing the server addresses, it can also be found that most of them utilize services like Cloudflare to hide their actual server addresses.

What Has Scam Sniffer Done?

In the past year, Scam Sniffer has scanned nearly 12 million URLs and discovered almost 145,000 malicious URLs. Scam Sniffer’s open-source blacklist currently contains nearly 100,000 malicious domains, and we continue to push these malicious website domains to platforms like Chainabuse.

Scam Sniffer has also continuously reported on multiple well-known Wallet Drainers and has consistently shared information about significant theft cases on social media platforms to raise awareness and enhance the public’s understanding of phishing threats.

Currently, Scam Sniffer has assisted some well-known platforms in protecting their users and is committed to making web3 secure for the next billion users.

Join the Fight Against Phishing

As you can see, crypto phishing involves multiple parties, both crypto and non-crypto platforms. Security requires a collective effort. If you wish to enhance your product's capabilities in this area, please contact us at [email protected].

Finally, thanks to all the supporters of Scam Sniffer! Your support is the motivation that keeps us going.
