| Category | Industry | Motivation | Region | Source* |
| --- | --- | --- | --- | --- |
| Adversary Intelligence | Finance & Banking | Financial | Global | C3 |
- CloudSEK’s contextual AI digital risk platform XVigil discovered a threat actor advertising a private drainer for MetaMask, which can transfer the cryptocurrency from the victim’s wallet to the attacker's wallet.
- The threat actor was offering the drainer service for USD 1,500.
- The following services are offered for sale:
  - Drainer file
  - Software to write off (transfer out) tokens/NFTs
  - Sending logs to Telegram
  - Installation support for the drainer
- The script checks wallets on the following three networks:
  - Ethereum mainnet (ERC)
  - Binance Smart Chain mainnet (BSC)
  - Polygon mainnet (Polygon)
- MetaMask is a software cryptocurrency wallet used to interact with the Ethereum blockchain.
- It allows users to access their Ethereum wallet through a browser extension or mobile app, which can then be used to interact with decentralized applications.
- MetaMask supports both regular (fungible) tokens and NFTs (non-fungible tokens).
- The victim is directed to a phishing site that asks them to connect their MetaMask wallet.
- The script then checks the value of everything held in the wallet (coins, tokens, NFTs) across the three networks (ERC, BSC, Polygon).
- The script prompts the victim to sign an approval (granting a spender access to their tokens or NFTs) or to send coins. Once the victim confirms, separate software transfers out whatever the approval covered.
- The private drainer transfers the cryptocurrency from the victim's wallet to the attacker's wallet.
- The drainer sends all activity logs to the attacker via Telegram, including notifications about the tokens found and the transactions approved.
- Once the approval has been granted, the drainer needs no further signature from the victim to move the assets, whereas an ordinary transfer of tokens, NFTs, or coins would require the victim to sign each transaction.
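The approval step above is what gives the drainer its reach: a single signed `approve` or `setApprovalForAll` lets a spender contract move tokens later without the victim signing again. The check below, written for this advisory as an added example (it is not CloudSEK's or MetaMask's code), decodes the calldata of such a transaction the way a wallet confirmation screen or a browser-extension guard should, and ranks it by how much it grants and whether the spender is one the user already trusts. The function selectors are the standard ERC-20/ERC-721/ERC-1155 values; the spender addresses and the trusted-spender allowlist are constructed placeholders, not real contracts.

```python
"""Decode token-approval calldata and rank the grants a drainer relies on.
Added example, not CloudSEK's or MetaMask's code. Spender addresses and the
allowlist are constructed placeholders."""
from dataclasses import dataclass
from typing import Optional

# First 4 bytes of keccak256(signature) for the standard functions.
SELECTORS = {
    "095ea7b3": "approve",            # approve(address,uint256): ERC-20 and ERC-721
    "a22cb465": "setApprovalForAll",  # setApprovalForAll(address,bool): ERC-721/1155
    "a9059cbb": "transfer",           # transfer(address,uint256): ERC-20, no approval involved
}
UINT256_MAX = 2**256 - 1


@dataclass
class ApprovalFinding:
    function: str
    spender: str
    amount: Optional[int]   # None for setApprovalForAll, which is all-or-nothing
    unlimited: bool
    severity: str           # "high", "medium", "low" or "info"
    reason: str


def _arg(data: bytes, index: int) -> bytes:
    """Return the 32-byte ABI word for argument `index` (after the selector)."""
    start = 4 + 32 * index
    word = data[start:start + 32]
    if len(word) != 32:
        raise ValueError(f"calldata too short for argument {index}")
    return word


def decode_approval(calldata_hex: str, trusted_spenders=frozenset()) -> Optional[ApprovalFinding]:
    """Return a finding for approve/setApprovalForAll calls that grant access; None otherwise."""
    data = bytes.fromhex(calldata_hex.removeprefix("0x"))
    if len(data) < 4:
        raise ValueError("calldata shorter than a 4-byte selector")
    function = SELECTORS.get(data[:4].hex())
    if function not in ("approve", "setApprovalForAll"):
        return None                       # plain transfer or an unknown function
    spender = "0x" + _arg(data, 0)[12:].hex()   # address = low 20 bytes of its ABI word
    value = int.from_bytes(_arg(data, 1), "big")
    if value == 0:
        return None                       # a revocation, not a grant
    if function == "setApprovalForAll":
        amount, unlimited = None, True    # operator may move every token in the collection
    else:
        amount, unlimited = value, value == UINT256_MAX
    trusted = spender.lower() in {s.lower() for s in trusted_spenders}
    if unlimited and not trusted:
        severity, reason = "high", "unlimited approval to an unknown spender"
    elif not trusted:
        severity, reason = "medium", "approval to an unknown spender"
    elif unlimited:
        severity, reason = "low", "unlimited approval to a trusted spender"
    else:
        severity, reason = "info", "bounded approval to a trusted spender"
    return ApprovalFinding(function, spender, amount, unlimited, severity, reason)


def triage(calldatas, trusted_spenders=frozenset()):
    """Decode a batch of transactions and keep only the approvals that grant access."""
    findings = [decode_approval(c, trusted_spenders) for c in calldatas]
    return [f for f in findings if f is not None]


# --- constructed samples (addresses are placeholders, not real contracts) ---
def _encode(selector: str, address: str, value: int) -> str:
    """ABI-encode an (address, uint256) call; used only to build the samples."""
    addr = address.removeprefix("0x").lower().rjust(64, "0")
    return "0x" + selector + addr + value.to_bytes(32, "big").hex()


ROUTER = "0x" + "aa" * 20    # constructed: stands in for a dapp the user already uses
UNKNOWN = "0x" + "11" * 20   # constructed: stands in for the drainer's spender contract
SAMPLES = [
    _encode("095ea7b3", UNKNOWN, UINT256_MAX),     # unlimited approval, as a drainer requests
    _encode("a22cb465", "0x" + "22" * 20, 1),      # NFT operator approval for a whole collection
    _encode("095ea7b3", ROUTER, 1000 * 10**18),    # bounded approval to a known router
    _encode("a9059cbb", UNKNOWN, 5 * 10**18),      # ordinary transfer, needs its own signature
    _encode("095ea7b3", UNKNOWN, 0),               # revocation, nothing granted
]

if __name__ == "__main__":
    for f in triage(SAMPLES, frozenset({ROUTER})):
        print(f"{f.severity:6} {f.function:18} spender={f.spender} amount={f.amount} ({f.reason})")
```

The ranking is deliberately simple: an exact `2**256 - 1` allowance or a `setApprovalForAll(..., true)` to a spender the user has never interacted with is the pattern the drainer depends on, and it is the one case a wallet guard should block or escalate rather than merely show. Some legitimate dapps also request unlimited allowances, which is why the spender allowlist, not the amount alone, decides the severity.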
- The actor shared a sample video demonstrating the transfer of a token from the victim's wallet to the attacker's wallet.
- The video also disclosed the wallet addresses of both the actor and the victim.
- It is possible that the associated wallet addresses were dummy wallets used by the threat actor.
- Several threat actors were observed offering similar scripting services to steal tokens from wallets.
- The following kinds of token drainers were advertised for MetaMask:
  - Drainer with one signature
  - Drainer with signature and auto-transfer
  - Drainer to write off (transfer out) all crypto
- CloudSEK researchers have observed various phishing campaigns targeting MetaMask customers and users under the guise of completing KYC or wallet verification.
- The threat actors use emails to lure victims to phishing sites that embed the scripts and drainers.
- A Chinese-origin threat actor named "SeaFlower" was also observed using a cloned MetaMask website to lure victims into downloading a trojanized version of MetaMask that steals the wallet's balance and tokens.
| Threat Actor Profiling | |
| --- | --- |
| Active since | September 2022 |
| Reputation | Low (multiple complaints and concerns on the forum) |
| History | Dealing in a private drainer for MetaMask |
| Rating | C3 (C: Fairly reliable; 3: Possibly true) |
- *Intelligence source and information reliability - Wikipedia
- Traffic Light Protocol - Wikipedia
- MetaMask - Wikipedia