Description

Since January 2024, there has been a notable uptick in cyberattacks targeting Web3 and cryptocurrency assets through a newly identified form of website malware. Detected across several campaigns, this malware uses crypto drainers to steal assets from compromised wallets and redistribute them to third-party wallets. Its tactics are either to inject drainers directly into compromised websites or to redirect site visitors to Web3 phishing sites that host the drainers. The surge is exemplified by crypto drainers such as Angel Drainer, which has been implicated in recent security breaches, including the December incident involving the Ledger Connect Kit. By combining phishing techniques with malicious injections, these attacks exploit the Web3 ecosystem's reliance on direct wallet interactions, posing a substantial threat to website owners and to the security of user assets.

Analysis indicates that in 2023, malicious actors created over 20,000 unique Web3 phishing sites featuring various crypto drainers. Within the first two months of 2024, at least three separate malware campaigns began employing crypto drainers in website infiltrations. Particularly noteworthy is the prevalence of the largest variant, which uses Angel Drainer and has been identified on over 550 sites by our SiteCheck remote website scanner since the start of February. According to data from PublicWWW, this injection is currently present on 432 sites, and Angel Drainer has been detected on 5,751 unique domains in the past four weeks.

The evolution of crypto-related malware mirrors the growth of cryptocurrencies: server-side cryptominers, client-side cryptominers on compromised websites, and infostealers capable of breaching popular crypto wallets on user devices. The emergence of the Web3 ecosystem, with its decentralized applications (Dapps) and decentralized finance (DeFi), has likewise drawn the attention of cybercriminals.

Phishing sites masquerading as legitimate Dapps use drainer scripts to deceive visitors into connecting their wallets, after which the visitors' assets are siphoned to third-party wallets. This wave of attacks underscores the need for heightened vigilance and robust security measures within the Web3 ecosystem.