Thousands Of WordPress Sites Compromised With Crypto Drainer Malware

According to a recently published article on Bleeping Computer, threat actors have compromised at least 2000 WordPress sites to push crypto malware onto unsuspecting visitors to the compromised sites.

The crypto-related malware, often called a crypto drainer, is a type of malware that tricks the user into approving a cryptocurrency transaction, automatically draining their associated cryptocurrency wallets.

Thousands Of WordPress Sites Compromised With Crypto Drainer Malware

The initial campaign to drain victim's crypto wallets was discovered by security firm Sucuri, who subsequently published a report detailing the attack campaign and the malware used.

Security researchers have dubbed the malware Angel Drainer. The attack's core is the threat actor executing scripts that inject malicious code into compromised websites. The malicious code then forces visitors' browsers to brute force passwords by entering thousands of password username combinations for other sites.  

Once compromised, the scripts display misleading messages to convince users to connect their wallets to the site. The scripts steal all the contained assets if the user is convinced to link their crypto wallet.

List of crypto-draining scam websites includes BITCOIN BSC, DappRadar Airdrops, $BCKR PRE-SALE, Nim Rolldrop and many other.

Since the middle of 2023, the distribution of these malicious scripts has steadily increased. Typically, threat actors with threat actors create fake Web3 sites with wallet drainers.

They then hack X accounts, create YouTube videos, or abuse Google and X advertisements to promote the sites and ultimately steal visitors' cryptocurrency.

Results of such an approach appear to be mixed, and some threat actors have since pivoted to turn visitors' web browsers into tools for brute-forcing the admin passwords at other sites via compromised WordPress sites, as has been seen in the most recent campaign.

Bleeping Computer noted,

These attacks involved a cluster of approximately 1,700 brute-forcing sites, including prominent examples like Ecuador's Association of Private Banks website. The goal was to build a large enough pool of sites that they could eventually monetize in a more extensive campaign…According to cybersecurity researcher MalwareHunterTeam, the threat actors have now begun monetizing the pool of sites to display pop-ups promoting fake NFT offers and crypto discounts…While it is unknown how many compromised sites are currently displaying these crypto drainers, an Urlscan search shows that over 2,000 compromised websites have been loading the malicious scripts over the past seven days.

Pop-Ups Lead to Financial Misery

In the latest campaign, the threat actors use pop-ups masquerading as legitimate services to trick users into linking their wallets. This process begins with loading the malicious scripts from the domain dynamic-linx[.]com, the same URL Sucuri saw and documented in their report.

Once loaded, the malicious script will check for a specific cookie called "haw," and if it does not exist, the script injects the malicious code.

The malicious code will then randomly pick created display ads as pop-ups, often urging victims to connect their wallets to mint a promising NFT or to receive a discount on the website.

Bleeping Computer noted that the malicious code contained native support for linking the following popular web-based crypto wallets: the scripts will initially display native support for the MetaMask, Safe Wallet, Coinbase, Ledger, and Trust Wallet wallets.

Threat actors have since included the Wallet Connect service, which greatly broadens the scope of wallets that can be drained of all their contents.

Security researchers warned that the use of Web3-powered malware is increasingly becoming a problem, stating,

From 2022 to 2023, the use of drainers was mainly reserved for phishing and other types of scams targeted directly at people interested in cryptocurrencies and NFTs. The hundreds of fake Web3 sites created every day prove that it’s a profitable niche for cybercriminals…However, the injection of cryptocurrency drainers into random compromised websites signifies the next level of adoption of Web3 technologies. Now hackers consider it worthwhile to attack unsuspecting site visitors completely unrelated to cryptocurrencies and blockchain technologies and expect that they may find victims that can be tricked into connecting their wallets to such websites.

Seeing that threat actors using these techniques have begun to target and compromise WordPress websites, web admins should apply the following mitigation strategies to prevent such sites from being compromised:

  1. Regularly patch and update your website software and CMS, including extensible components like plugins and themes.
  2. Uninstall unused or deprecated plugins and other components.
  3. Use strong and unique passwords for all your accounts.
  4. Keep regular website backups stored in a secure, off-site location.
  5. Place your website behind a web application firewall to help block bad bots, virtually patch known vulnerabilities, and filter malicious traffic.

Security researchers noted that only a tiny piece of injected JavaScript code is malicious to compromise a website. This has been seen with the infamous use of Magecart attacks that targeted popular e-commerce packages, often hosted on WordPress sites. Such a compromise places all those visiting your site at risk and becoming unwilling participants in cybercrime.

▼ Show Discussion

About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over five years working in this branch. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications. Contact Karolis Liucveikis.

PCrisk security portal is brought by a company RCS LT. Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.

Our malware removal guides are free. However, if you want to support us you can send us a donation.

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers. Read more about us.

Malware activity

Global malware activity level today:

Medium threat activity

Increased attack rate of infections detected within the last 24 hours.

Virus and malware removal

This page provides information on how to avoid infections by malware or viruses and is useful if your system suffers from common spyware and malware attacks.

Learn about malware removal