It's always DNS Drainers
Since discovering the malicious smart contracts scene (AKA "Drainers"), I've been fascinated by everything about it. It feels like a gigantic rig dedicated to every professional aspect of criminal engineering: Solidity and Rust backend programmers paired with skilled frontend developers, working side by side with UX and UI designers, malvertisers and mixer operators, all focused on creating their next counterfeit website to siphon millions from their next victims. It's a cruel and unforgiving industry that pockets millions every month. But from time to time, we have a chance to bring one of them down.
SOLD
It all started after publishing my Malicious Fungible Tokens collection on OpenSea. This collection serves as a proof of concept for one of my talks and has a net worth of zero (and I'm also not willing to sell it at all). However, somehow, I received an email claiming I had just sold it, with a link to get the details of the purchase.
But the only thing this affiliate bought was a problem.
Lie to me
The first step in these operations is always phishing, regardless of the format: malicious advertisements, phony emails, you name it. Once you click on whatever link they shared with you, the next step is, well… more phishing: a website posing as a wallet, project, or even fake initiatives like a "gas fees refund fund"… again, you name it. In this case, they aimed too high by trying to impersonate OpenSea.
It looked pretty convincing, leaving aside the horrible domain name chosen. The next step is… well… even more phishing. Drainer operators will attempt to siphon your funds in two ways:
By asking you to sign a dangerous transaction, or
By asking you for your seed phrase (12 or 24 words) directly.
This case covers both of them. If you click any button on the website, a prompt asking to connect your wallet will appear.
Choosing Trezor or Ledger would trigger a prompt asking for your seed phrase directly:
While choosing Metamask would trigger a transaction on your wallet:
The text says, in Spanish, that this site wants the following permissions:
See your address (hey, that's understandable).
See your account funds (well, I may oppose but…).
See your activity (well, that escalated quickly).
Conduct transactions.
I don't think I'm signing that any time soon. But let's take a look at what's going on behind the scenes…
Flame Thrower Love
…And by taking a look I mean burn everything to the ground.
Analyzing the website interactions, I found two interesting parameters, one called "projectId" and another one called "auth":
When decoded, it would show the following:
It's a token for WalletConnect, a legitimate service that allows DApps to interact with your wallet in a safe way. But it doesn't mean the DApp is safe or well-intended at all… So we report this token along with the rest of the identifying information, like the Project ID.
A quick lookup on WHOIS services shows NameCheap as the registrar; we'll let them know as well…
Some days later, everything vanished: domains, integrations, and spam senders. But that's easier said than done.
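The reporting step above depends on reading the identifiers out of the token before handing them to the provider. The following is an added example, not code from the original post: it base64url-decodes the header and claims of a JWT-style token without trusting its signature (assuming, as WalletConnect's relay auth tokens do, that the `auth` parameter is a three-segment JWT) and collects the fields worth putting in an abuse report. The sample token and project ID are constructed placeholders.

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64url padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_token_unverified(token: str) -> tuple[dict, dict]:
    # Triage only: read header and claims without trusting the signature.
    # We want the identifiers inside the token to hand to the provider,
    # not to accept the token as valid.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-segment JWT")
    header = json.loads(_b64url_decode(parts[0]))
    claims = json.loads(_b64url_decode(parts[1]))
    return header, claims


def report_fields(token: str, project_id: str) -> dict:
    # Collect the identifiers an abuse report to the service provider needs.
    header, claims = decode_token_unverified(token)
    return {
        "project_id": project_id,
        "alg": header.get("alg"),
        "issuer": claims.get("iss"),
        "subject": claims.get("sub"),
        "audience": claims.get("aud"),
        "expires": claims.get("exp"),
    }


# Constructed sample in the shape WalletConnect relay auth tokens use
# (EdDSA, did:key issuer). All values below are placeholders, not real IoCs.
SAMPLE_HEADER = {"alg": "EdDSA", "typ": "JWT"}
SAMPLE_CLAIMS = {"iss": "did:key:z6MkPLACEHOLDER", "sub": "placeholder-subject",
                 "aud": "wss://relay.walletconnect.com", "iat": 1700000000,
                 "exp": 1700086400}
SAMPLE_TOKEN = ".".join([
    _b64url_encode(json.dumps(SAMPLE_HEADER).encode()),
    _b64url_encode(json.dumps(SAMPLE_CLAIMS).encode()),
    _b64url_encode(b"placeholder-signature"),
])
SAMPLE_PROJECT_ID = "PLACEHOLDER_PROJECT_ID"
```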
At the end of the day, it's the small victories that count.
Anyway, we can safely say… Connection declined.
IOCs
Email: graysonclarkfhf1997@outlook.de
URL: hxxps://mielassurance[.]com/lp/.wp-cli/?asd@gmail.com41666086003077862469750951344
Domain: mielassurance[.]com
IP: 23.235.205.99
Domain: 209-182-194-173.cprapid[.]com
URL: hxxps://209-182-194-173.cprapid[.]com/ids/