Scammers continue to find new ways to attack the cryptocurrency ecosystem
Over the past nine months, scammers have used a wallet-draining service called “MS Drainer” to steal about $59 million in crypto from victims, according to blockchain security firm Scam Sniffer in a December 21 report on X (formerly Twitter). The criminals used Google Ads to lure victims to bogus versions of several popular crypto sites, including DefiLlama, Lido, Orbiter Finance, Stargate, Radiant and Zapper, the report says.
Wallet-draining software is a blockchain protocol that lets scammers transfer crypto from victims without their permission by manipulating the token approval procedure. Its developers usually demand a percentage of the profits in return for the use of their software, enforcing the fee via smart contracts, which are impossible to bypass.
🚨1/ Alert: A 'Wallet Drainer' has been linked to phishing campaigns on Google search and X ads, draining approximately $58M from over 63K victims in 9 months. pic.twitter.com/ye3ob2uTtz
— Scam Sniffer | Web3 Anti-Scam (@realScamSniffer) December 21, 2023
Scam Sniffer first encountered MS Drainer in March, with the SlowMist security platform team assisting in its investigation. On-chain investigator ZachXBT provided further evidence in June after discovering a phishing scam called “Ordinal Bubbles” that was connected to MS Drainer. ZachXBT exposed nine separate phishing ads on Google, with 60% using the MS Drainer program.
Google typically uses auditing techniques to prevent phishing scam ads. Nevertheless, Scam Sniffer found that the criminals used “regional targeting and page-switching tactics to bypass ad audits, complicating the review process,” which allowed their ads to get past Google’s quality control. They also used web redirects to mislead Google users into believing that the links led to official websites.
Scam Sniffer reported 10,072 fake websites using MS Drainer, which has siphoned $58.98 million in crypto from more than 63,000 victims, according to a tracking dashboard set up by Dune Analytics.