Gone Phishing

Phishing is a year-round sport.

But crypto is providing especially bountiful waters lately.

From compromised front-ends to ‘pig butchering’ scams, an eight-figure on-chain blunder to hacked celebrities (both crypto and non-crypto), and even government agencies getting duped... the last few weeks have been filled with news of scammers hitting the jackpot via a number of common vectors.

Phishing for allowances, social engineering, SIM-swapping, wallet drainers, disguised malware, and address poisoning are all strategies which have been running roughshod across the cryptosphere lately.

With all the normies having presumably abandoned crypto for the time being, many still fall into the traps laid by an endless succession of serial scammers.

You’d have thought those of us still around would know better by now…

But when it comes to the experts, it seems nobody is safe.

What lurks in the murky depths?

Going for big game

Phishing attacks can be executed using a variety of social engineering techniques, some more targeted than others.

The Lazarus Group’s never-ending crypto crime spree (most recently involving attacks on Atomic Wallet, AlphaPo, Stake and CoinEx, totalling over $250M) generally focuses on employees of custodial projects, where access to just a few private keys could reel in hundreds of millions.

These ‘spearphishing’ methods are often highly-sophisticated schemes lasting for extended periods, and some examples of attack vectors are discussed in our article from last year.

Harpooning the whales

Just yesterday, a user lost 4.5M USDT through what appears to be a ‘fake mining’ scam; such scams have so far netted over $300M according to Tayvano’s Dune dashboard.

This type of scam, known as ‘pig-butchering’, involves continued contact with the victim, often over long periods. Leverage may be gained via blackmail, romance, or simply building trust, in order to convince the mark to transfer funds, often dressed up as a lucrative investment opportunity.

But just as some scams take time, others are over in the blink of an eye…

Earlier this month, an experienced DeFi user lost $24M just minutes after signing increaseAllowance messages which allowed the hacker to transfer the user’s stETH (worth $15.6M) and rETH (worth $8.6M) directly to their own wallet.

The function, since deprecated, was criticised for its limited (legitimate) usefulness whilst simultaneously presenting risks in its (illegitimate) usefulness for phishing scammers.
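A defender-side illustration of the allowance phish described above, added here and not part of the original article: a minimal pre-signing inspector that decodes ERC-20 calldata, recognises the allowance-granting functions by their well-known 4-byte selectors, and flags an unknown spender or an unlimited amount. The sample calldata and the spender address in it are constructed placeholders.

```python
# Added example: pre-signing inspector for allowance-granting ERC-20 calldata.
# Decodes the 4-byte selector and the two ABI-encoded argument words so that
# an unexpected spender or an unlimited amount is visible before signing.

# Known 4-byte selectors (first 4 bytes of keccak256 of the signature).
SELECTORS = {
    "095ea7b3": "approve(address,uint256)",
    "39509351": "increaseAllowance(address,uint256)",
    "a22cb465": "setApprovalForAll(address,bool)",
}
UNLIMITED = 2**256 - 1


def decode_approval(calldata: str):
    """Return {'function', 'spender', 'amount'} for allowance-granting
    calldata, or None for any other call. Raises on malformed input."""
    data = calldata.lower().removeprefix("0x")
    sig = SELECTORS.get(data[:8])
    if sig is None:
        return None
    args = data[8:]
    if len(args) != 128:  # exactly two 32-byte ABI words expected
        raise ValueError("unexpected argument length")
    spender = "0x" + args[24:64]   # address is right-aligned in word 1
    amount = int(args[64:128], 16)  # uint256 (or bool) in word 2
    return {"function": sig, "spender": spender, "amount": amount}


def assess(calldata: str, trusted_spenders) -> list:
    """List the reasons a human should look twice before signing."""
    info = decode_approval(calldata)
    if info is None:
        return []
    warnings = [f"grants spending rights via {info['function']}"]
    if info["spender"] not in {s.lower() for s in trusted_spenders}:
        warnings.append(f"spender {info['spender']} is not a known contract")
    if info["amount"] == UNLIMITED or info["function"].startswith("setApprovalForAll"):
        warnings.append("allowance is unlimited")
    return warnings


# Constructed sample: increaseAllowance(<placeholder spender>, max uint256).
# The spender below is a made-up placeholder, not a real address.
SAMPLE = "0x39509351" + "000000000000000000000000" + "deadbeef" * 5 + "f" * 64

if __name__ == "__main__":
    for w in assess(SAMPLE, {"0x" + "11" * 20}):
        print("WARNING:", w)
```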

It’s unknown how the payload was delivered to the above user, but distributing links via hacked, or falsified, Twitter accounts has been particularly successful under Elon Musk’s stewardship of the platform…

Casting a wide net

While extra effort may be worth it for high-net-worth individuals, large scale trawling still picks up plenty of small fry.

Less than two weeks ago, Vitalik Buterin’s Twitter was hacked to promote a link to a fake ‘commemorative NFT’ for an upcoming Ethereum upgrade.

In Buterin’s case, access was gained via a SIM-swap of his phone number. Twitter requires a phone number when signing up for Verified status, and controlling that number allows an attacker to bypass 2FA, reset passwords, and take control of an account.

The ploy took in almost $700k for the hacker, plus a 33% cut for the developers of the drainer service used (in this case Pink Drainer).

Last month, ZachXBT’s tally stood at over $13M lost to recent SIM swap attacks on high-profile crypto accounts. Since then, similar attacks have also hit Gitcoin, Ordinals Wallet and Polymarket.

Wallet drainers are a Scam-as-a-Service: malware which can be used by those who carry out social engineering campaigns, without needing technical knowledge. Profits are then shared between the scammers who broadcast the links via hacked Twitter or Discord accounts and the drainer developers.

The tools, first developed for relieving NFT holders of their collections, have expanded to examine a potential victim’s wallet before cherry-picking assets:

Pink's drainer script is sophisticated, and it will target you with any number of attacks depending on which would be the most profitable.

Pink Drainer (with almost $9M stolen so far) is the latest in a long line of ever-evolving, out-of-the-box malware used by crypto scammers. Previous iterations include the original Monkey Drainer ($16.5M, now retired), Venom ($27M, which was recommended by its predecessor) and Inferno ($42M), among others.

Initially focused on less tech-savvy, FOMO-driven NFT bros, drainers have adapted to target ETH and ERC20 tokens as JPEGs have fallen out of favour.

It looks to have been a shrewd move, too: given the SEC’s latest action, PFP collections might be on the way out.

Shooting phish in a barrel

Crypto Twitter is not the only place to cast a lure; going straight to the source can also be a profitable strategy…

On Wednesday, Balancer published a warning to users (the second time in a month) that the protocol’s front-end had been compromised, leading to at least $238k lost.

These attacks, which rely on users’ trust in the transactions served by a project’s official website, also affected Curve last year and Badger DAO (whose users, including Celsius, lost a total of $120M) in 2021.

Hackers use social engineering strategies on domain registrars in order to take control of the protocol’s official UI, inserting code which presents their own (malicious) contracts for users’ approval.

Approvals may be harvested over extended periods (nearly two weeks in Badger’s case) and allow hackers to drain funds directly from users’ wallets.

Specialised tackle

Rather than serving drainers to users directly, be it via Twitter or a project’s front-end, disguising malware as genuine crypto apps can lead to a good catch.

A Metamask clone in an app store might be enough to fool non-crypto-natives, which is what Mark Cuban claims happened to him last weekend.

The loss of almost $900k was not Cuban’s first rodeo in DeFi, however (he got rekt LPing Iron Finance’s ill-fated stablecoin in 2021), and further losses on Polygon were avoided.

There’s no honour amongst degens, either.

SlowMist warns of malicious open-source MEV bot code which funnels funds directly to the hacker’s address when used by wannabe MEVoors. The ploy already looks to have accrued almost 50k in just a couple of days.

Convincing lures

Finally, an on-chain dragnet approach known as address poisoning uses spoofed addresses to snare potential victims.

This one even had the DEA on the hook for over $50k.

The scam relies on using a vanity address tool, such as Profanity (ideally not the original version, which led to a $160M loss for ‘sophisticated actor’ Wintermute last year) to create an address with a beginning and end which matches that of a recent transfer.

Then, this address is inserted into a victim’s transaction log via a spoofed transfer of a fake token, a zero-value token transfer (now hidden by Etherscan) or even, if deemed worth it, a real transfer of small amounts of a genuine token.

The hope is that, when setting up a future transfer, victims will copy-paste the similar looking address from their transaction history, given that usually only the first and last characters are shown.
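The copy-paste trap above can be caught with a simple check over the user’s own transaction history. The following is an added example, not code from the article: it flags counterparties that share the visible head and tail of an address the user has actually paid but only ever show up in incoming (typically zero-value) transfers, and refuses a destination that is not an exact match. The history, token and addresses are constructed.

```python
# Added example: flag address-poisoning candidates in a transaction history
# and gate outgoing transfers on an exact, previously-paid address.
from dataclasses import dataclass


@dataclass
class Transfer:
    counterparty: str   # the other address in the transfer
    token: str
    value: int          # raw token amount; 0 for a zero-value transfer
    outgoing: bool      # True if the user sent it


def same_ends(a: str, b: str, head: int = 6, tail: int = 4) -> bool:
    """True when a and b differ but match on the characters an explorer
    or wallet typically displays (the first `head` and last `tail`)."""
    a, b = a.lower(), b.lower()
    return a != b and a[:head] == b[:head] and a[-tail:] == b[-tail:]


def paid_addresses(history):
    return {t.counterparty.lower() for t in history if t.outgoing and t.value > 0}


def poisoning_candidates(history, head: int = 6, tail: int = 4):
    """Return sorted (suspect, mimicked) pairs: a suspect looks like a
    counterparty the user has paid but appears only in incoming transfers."""
    paid = paid_addresses(history)
    suspects = set()
    for t in history:
        c = t.counterparty.lower()
        if t.outgoing or c in paid:
            continue
        for real in paid:
            if same_ends(c, real, head, tail):
                suspects.add((c, real))
    return sorted(suspects)


def safe_to_send(destination: str, history) -> bool:
    """True only if destination exactly matches a previously paid address
    and is not itself a poisoning suspect."""
    d = destination.lower()
    suspects = {s for s, _ in poisoning_candidates(history)}
    return d in paid_addresses(history) and d not in suspects


# Constructed sample history; both addresses are made up.
REAL = "0x1234abcd" + "00" * 14 + "9876"   # genuine counterparty
FAKE = "0x1234abcd" + "ff" * 14 + "9876"   # same visible head and tail
HISTORY = [
    Transfer(REAL, "USDT", 1_000_000_000, outgoing=True),
    Transfer(FAKE, "USDT", 0, outgoing=False),  # zero-value poisoning transfer
]
```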

Many of the above techniques ultimately relate to the crypto world’s reliance on existing web2 infrastructure.

As well as the innovation, tenacity and sheer manpower of organised scammers, of course.

Botted accounts with thousands of followers, now with added blue checkmarks, appear as top replies under every crypto-related tweet, however jarringly irrelevant.

While these bots may have always been there, previously buried by genuine interactions, the added visibility of (the now laughably named) ‘Verified’ status, makes them all but impossible to ignore, and more difficult to remove when reported.

The ease of SIM swapping, which is all but impossible to prevent even when aware it is happening, threatens the areas of the crypto industry which must still rely on the legacy web’s way of doing things.

And it sounds like there’s plenty more to come:

This is T-Mobile's 8th breach since 2018

This is the 3rd breach this year

If regulators truly want to protect the public from the risks associated with crypto, tightening up accountability for providers would be an easy win, surely welcomed by crypto-natives and crypto-sceptics alike.

However, the problem doesn’t stop with social media accounts…

Registrars hand over control of front-ends, Google ads disguise phishing links as official URLs, and endless customer data leaks (especially recent examples from the likes of Nansen and Kroll, FTX’s bankruptcy claims agent) provide a pre-filtered list of individuals who can be targeted in crypto scams.

Each of these errors provides scammers with the tools they need to ensure a good haul.

Crypto is a stormy sea.

Although many retail users have left the market, ruthless organised scamfarms (as well as bored teens on summer break) are doubling down on extracting value, even in a bear market.

The dream of getting rich quick, which has gradually drifted away since the days of bull market euphoria, has given way to paranoia.

Reading stories of intricate spear-phishing campaigns designed for a specific individual over an extended period, we may begin to wonder if we would even notice it happening to us…

But, more dangerous for most are the various wider-net approaches which take advantage of users’ greed, FOMO, lack of technical knowledge, or simple human error.

Will you get reeled in, anon?

Or will you stay off the hook?
