Private Drainer for MetaMask Crypto Wallets

We discovered a private drainer for MetaMask that is capable of transferring cryptocurrency from the victim's wallet to the attacker's wallet.
Published on September 30, 2022
Updated on April 19, 2023
5 minute read
Category: Adversary Intelligence | Industry: Finance & Banking | Motivation: Financial | Region: Global | Source rating: C3

Executive Summary

Threat
  • Private drainer for MetaMask capable of transferring cryptocurrency from the victim's wallet to the attacker's wallet.
Impact
  • Loss of funds, tokens and cryptocurrency.
  • Loss of reputation and trust in the MetaMask brand.
Mitigation
  • Do not share your secret recovery phrase.
  • Do not log in to or connect your wallet on untrusted websites.

Analysis and Attribution

Information from the Post

  • CloudSEK's contextual AI digital risk platform XVigil discovered a threat actor advertising a private drainer for MetaMask that can transfer cryptocurrency from the victim's wallet to the attacker's wallet.
  • The threat actor was offering the drainer for USD 1,500.
  • The following are included in the sale:
    • Drainer file
    • Software to "write off" (transfer out) tokens/NFTs
    • Sending of logs to Telegram
    • Installation support for the drainer
  • The script checks the victim's balances on the following three networks:
    • Ethereum mainnet (ERC)
    • Binance Smart Chain mainnet (BSC)
    • Polygon mainnet (Polygon)
Figure: Threat actor's advertisement

Information about MetaMask

  • MetaMask is a software cryptocurrency wallet used to interact with the Ethereum blockchain and with EVM-compatible networks such as BSC and Polygon.
  • It allows users to access their wallet through a browser extension or mobile app, which can then be used to sign transactions and interact with decentralized applications.
  • MetaMask supports both fungible tokens (such as ERC-20 tokens) and non-fungible tokens (NFTs).
Figure: MetaMask logo

Information about the Drainer

  • The victim is redirected to a phishing site where they are asked to connect their MetaMask wallet.
  • The script then enumerates everything the connected address holds (native coins, tokens and NFTs) on the three networks (ERC, BSC, Polygon) and calculates its value.
  • The phishing page prompts the victim to confirm either an approval (granting an attacker-controlled address an allowance over the victim's tokens or NFTs) or an outright transfer. Once the victim confirms the approval in MetaMask, a separate piece of software run by the attacker uses that allowance to transfer out whatever was approved.
  • In this way the private drainer moves the cryptocurrency from the victim's wallet to the attacker's wallet.
  • The drainer sends activity logs to the attacker via Telegram, notifying them of the tokens found and of the approvals and transactions that were confirmed.
  • Once an approval has been granted, draining the approved assets requires no further signature from the victim: the attacker's own address calls the transfer as the approved spender, whereas a normal transfer of tokens, NFTs or coins would require the owner to sign each transaction. This is why a single confirmed approval is enough.
Figure: Pictorial representation of the stealing process
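One concrete check a user or wallet integrator can make at the approval step described above, as an added example that is not CloudSEK's code and not the drainer's: decode the raw calldata behind the "approve" prompt and flag an unlimited ERC-20 allowance or an NFT operator approval, which is exactly what lets the attacker's separate tool move assets later without another signature. The block also builds the calldata that revokes such an approval. The function selectors are the standard ERC-20/ERC-721/ERC-1155 ones; the spender address 0x1111… and the calldata strings are constructed placeholders, not values from the report.

```javascript
// Added example, not code from CloudSEK or from the drainer described on the page.
// Decodes the calldata a wallet shows in its confirmation dialog and flags the
// calls a drainer needs the victim to confirm: an ERC-20/ERC-721 approve() with an
// unlimited amount, or an ERC-721/ERC-1155 setApprovalForAll(). It also builds the
// calldata that revokes such an approval. Selectors are the first 4 bytes of
// keccak256 of the standard method signatures.

const SELECTORS = {
  "095ea7b3": "approve(address,uint256)",
  "a22cb465": "setApprovalForAll(address,bool)",
  "a9059cbb": "transfer(address,uint256)",
  "23b872dd": "transferFrom(address,address,uint256)",
};
const UINT256_MAX = (1n << 256n) - 1n;

// i-th 32-byte ABI word after the 4-byte selector, as a 64-char hex string
function word(hex, i) {
  const start = 8 + i * 64;
  if (hex.length < start + 64) throw new Error("calldata too short for argument " + i);
  return hex.slice(start, start + 64);
}
const toAddress = (w) => "0x" + w.slice(24);                                   // last 20 bytes
const padAddress = (a) => a.replace(/^0x/, "").toLowerCase().padStart(64, "0");

function decodeCalldata(data) {
  const hex = data.replace(/^0x/, "").toLowerCase();
  const selector = hex.slice(0, 8);
  const signature = SELECTORS[selector] || null;
  switch (selector) {
    case "095ea7b3": {
      const spender = toAddress(word(hex, 0));
      const amount = BigInt("0x" + word(hex, 1));
      const risk = amount === 0n ? "revoke" : amount === UINT256_MAX ? "high" : "medium";
      return { signature, spender, amount, unlimited: amount === UINT256_MAX, risk };
    }
    case "a22cb465": {
      const operator = toAddress(word(hex, 0));
      const approved = BigInt("0x" + word(hex, 1)) !== 0n;
      // true = operator may move every NFT in the collection with no further signatures
      return { signature, operator, approved, risk: approved ? "high" : "revoke" };
    }
    case "a9059cbb": {
      // direct transfer: the victim signs it, so the wallet shows the destination
      return { signature, to: toAddress(word(hex, 0)), amount: BigInt("0x" + word(hex, 1)), risk: "medium" };
    }
    case "23b872dd": {
      // the call the attacker's backend makes later as the approved spender; the
      // owner's wallet never sees it, listed only so the flow is complete
      return { signature, from: toAddress(word(hex, 0)), to: toAddress(word(hex, 1)),
               amount: BigInt("0x" + word(hex, 2)), risk: "info" };
    }
    default:
      return { signature, selector, risk: "unknown" };
  }
}

// Calldata that cancels an approval: approve(spender, 0) for ERC-20/ERC-721 and
// setApprovalForAll(operator, false) for operator approvals.
function revokeCalldata(decoded) {
  if (decoded.signature === "approve(address,uint256)")
    return "0x095ea7b3" + padAddress(decoded.spender) + "0".repeat(64);
  if (decoded.signature === "setApprovalForAll(address,bool)")
    return "0xa22cb465" + padAddress(decoded.operator) + "0".repeat(64);
  throw new Error("nothing to revoke for " + decoded.signature);
}

// Usage with constructed calldata (placeholder spender 0x1111…, not a real address)
const SPENDER = "0x" + "1".repeat(40);
const unlimitedApprove = "0x095ea7b3" + padAddress(SPENDER) + "f".repeat(64);
const decoded = decodeCalldata(unlimitedApprove);
console.log(decoded.signature, decoded.risk, decoded.unlimited); // approve(address,uint256) high true
console.log(revokeCalldata(decoded));
```

The "high" result is the one to refuse: a legitimate dApp rarely needs an allowance of 2^256-1, and an operator approval hands over an entire collection. If an approval has already been confirmed, sending the revocation calldata to the token contract from the owner's address is what closes the window, since the drainer's backend can otherwise keep calling transferFrom at any later time.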

Information from a Sensitive Source

A sensitive source in contact with the threat actor has ascertained that:
  • The actor shared a video sample which demonstrated the process of transfer of a token from the victim’s wallet to the attacker’s wallet.
  • The video also disclosed the wallet addresses of both the actor and the victim.
  • It is possible that the associated wallet addresses were dummy wallets used by the threat actor.

Information from Cybercrime Forums

  • Several threat actors were observed offering similar scripts and services for stealing tokens from wallets.
  • The following kinds of token drainers were advertised for MetaMask:
    • Drainer with one signature
    • Drainer with signature and auto transfer
    • Drainer to "write off" (transfer out) all crypto

Information from OSINT

  • CloudSEK researchers have observed various phishing campaigns targeting MetaMask users under the guise of completing KYC or verifying the wallet.
  • The threat actors use phishing emails to direct victims to fake sites that host the scripts and drainers.
  • It was also observed that a Chinese-origin threat actor named "SeaFlower" was using a cloned MetaMask website to lure victims into downloading a trojanized version of MetaMask that steals the wallet's balance and tokens.

Threat Actor Activity and Rating

Threat Actor Profiling
  • Active since: September 2022
  • Reputation: Low (multiple complaints and concerns on the forum)
  • Current status: Active
  • History: Dealing in a private drainer for MetaMask
  • Rating: C3 (C: fairly reliable; 3: possibly true)

Impact & Mitigation

Impact
  • Loss of funds, tokens and cryptocurrency.
  • Loss of reputation and trust in the MetaMask brand.
  • Sensitive information such as secret recovery phrases and wallet details can be used by threat actors to gain access to the wallet.
Mitigation
  • Do not share secret recovery phrases.
  • Do not log in to or connect your wallet on untrusted websites.
  • Consider using a hardware wallet.
  • Be vigilant about checking a website's legitimacy before connecting a wallet.

Appendix

Figures:
  • Multiple threat actors advertising MetaMask drainer services on cybercrime forums
  • Fake emails used by actors to lure victims to MetaMask phishing pages
  • Transaction history of the actor's wallet
  • Sample images shared by the threat actor (three images)
  • Sample image shared by the threat actor showing a log
  • Sample image of the script shared by the threat actor
  • Sample image of a fake website shared by the threat actor
  • Transaction history of the threat actor's wallet
