Ethereum Data Breach Exposes 35,000 To Crypto Drainers

On July 2, 2024, Ethereum disclosed that a threat actor compromised Ethereum's mailing list provider and sent to over 35,000 addresses a phishing email with a link to a malicious site running a crypto drainer.


Summarizing the attack, Ethereum noted:

  • The threat actor imported a large email list into the mailing list platform to use for the phishing campaign.
  • The threat actor exported the blog mailing list email addresses, which comprised 35,759 email addresses.
  • When we compared the emails in the email list that the threat actor had imported, we saw that the blog mailing list contained 81 email addresses that the threat actor did not previously know about, and the rest were duplicate addresses.
  • Analyzing on-chain transactions made to the threat actor between the time they sent out the email campaign and the time the malicious domain got blocked appears to show that no victims lost funds during this specific campaign sent by the threat actor.

Ethereum also summarized its response to the attack; the following measures were taken:

  • Prevented the threat actor from sending additional emails.
  • Sent out notifications via Twitter and email to not click the link in question.
  • Closed down the malicious access path the threat actor had used to obtain access to the mailing list provider.
  • Submitted the malicious link to various blacklists, which was then blocked by the majority of web3 wallet providers and Cloudflare.

Ethereum's actions as a response to a security breach are commendable, and many Fortune 500 companies could learn from how they handled the incident. While the incident was handled well, it does highlight the threat crypto drainers pose to those using wallets to store their chosen cryptocurrency.

Crypto drainers can be defined as a type of malware specifically designed to transfer cryptocurrencies from an individual's wallet to an attacker's wallet without the owner's consent. Crypto drainers often exploit security vulnerabilities or use social engineering tactics to carry out their attacks, targeting both individuals and businesses alike.

At PC Risk, we recently detected a fake airdrop deploying a crypto drainer to steal cryptocurrency. An airdrop marketing strategy involves sending coins or tokens to wallet addresses.

Small amounts of the new virtual currency are sent to the wallets of active blockchain community members for free or in return for a small service, such as retweeting a post sent. This exemplifies how social engineering tactics are leveraged to deploy crypto drainers.

In another instance, thousands of WordPress websites were compromised to push malware onto unsuspecting visitors. The malware, dubbed Angel Drainer, executes scripts that inject malicious code into the compromised websites.

The malicious code then forces visitors' browsers to brute-force logins on other sites by submitting thousands of username and password combinations, in order to gain access to web-based crypto wallets.
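From the defender's side, the technique above leaves a distinctive trace in the targeted site's access log: many distinct client addresses, each making only a handful of failed login POSTs within a short window, often carrying a Referer of the page that drove the requests. The following detector is an added example written for this article (it is not code from PCrisk or from any of the campaigns described) and runs over constructed combined-format log lines; the host names, addresses and thresholds are assumptions. It relies on the fact that WordPress answers a successful login with a redirect and a failed one by re-rendering the form with a 200 status.

```python
"""Detect distributed, browser-driven login brute forcing in web access logs.

Added example, not from the PCrisk article. Sample log lines, host names and
thresholds below are constructed for illustration.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Combined log format: ip ident user [ts] "METHOD path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
LOGIN_PATHS = {"/wp-login.php", "/xmlrpc.php"}


def parse_line(line: str):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def failed_login_attempts(lines):
    """POSTs to the login endpoints that did not end in a redirect.

    WordPress redirects (302) on a successful login and re-renders the form
    with a 200 status when the credentials are wrong.
    """
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] in LOGIN_PATHS and rec["status"] != 302:
            yield rec


def detect_distributed_bruteforce(lines, own_host, window=timedelta(minutes=5),
                                  min_sources=5, max_per_source=3):
    """Flag windows where many sources each make only a few failed attempts.

    A single address hammering the login page is the classic brute force and is
    best handled by per-IP rate limiting; the pattern of interest here is the
    opposite: low volume per source, high number of sources, and foreign
    Referer hosts showing which pages drove the requests.
    """
    buckets = defaultdict(list)
    for rec in failed_login_attempts(lines):
        key = int(rec["ts"].timestamp() // window.total_seconds())
        buckets[key].append(rec)

    alerts = []
    for key in sorted(buckets):
        recs = buckets[key]
        per_ip = Counter(r["ip"] for r in recs)
        if len(per_ip) < min_sources or max(per_ip.values()) > max_per_source:
            continue  # too few sources, or a single-source brute force
        hosts = {urlsplit(r["referer"]).hostname for r in recs if r["referer"] != "-"}
        hosts.discard(own_host)
        hosts.discard(None)
        alerts.append({
            "window_start": datetime.fromtimestamp(key * window.total_seconds(), tz=timezone.utc),
            "sources": len(per_ip),
            "attempts": len(recs),
            "referer_hosts": sorted(hosts),
        })
    return alerts


# Constructed sample log (TEST-NET addresses, invented host names). Eight
# different visitors of "compromised-blog.test" each try the login form once
# or twice within five minutes; one legitimate login (302) and one classic
# single-source brute force later in the day are included for contrast.
SAMPLE_LOG = [
    '203.0.113.10 - - [05/Jul/2024:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3210 "https://compromised-blog.test/post/42" "Mozilla/5.0"',
    '203.0.113.11 - - [05/Jul/2024:10:00:41 +0000] "POST /wp-login.php HTTP/1.1" 200 3210 "https://compromised-blog.test/post/42" "Mozilla/5.0"',
    '198.51.100.20 - - [05/Jul/2024:10:01:12 +0000] "POST /wp-login.php HTTP/1.1" 200 3210 "https://compromised-blog.test/" "Mozilla/5.0"',
    '203.0.113.12 - - [05/Jul/2024:10:01:58 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "https://compromised-blog.test/post/42" "Mozilla/5.0"',
    '192.0.2.5 - - [05/Jul/2024:10:02:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "https://example-shop.test/wp-login.php" "Mozilla/5.0"',
    '198.51.100.21 - - [05/Jul/2024:10:02:47 +0000] "POST /wp-login.php HTTP/1.1" 200 3210 "https://compromised-blog.test/post/7" "Mozilla/5.0"',
    '203.0.113.10 - - [05/Jul/2024:10:03:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3210 "https://compromised-blog.test/post/42" "Mozilla/5.0"',
    '198.51.100.22 - - [05/Jul/2024:10:03:19 +0000] "GET /about/ HTTP/1.1" 200 8801 "-" "Mozilla/5.0"',
    '198.51.100.22 - - [05/Jul/2024:10:03:40 +0000] "POST /wp-login.php HTTP/1.1" 200 3210 "https://compromised-blog.test/" "Mozilla/5.0"',
    '203.0.113.13 - - [05/Jul/2024:10:04:15 +0000] "POST /wp-login.php HTTP/1.1" 200 3210 "https://compromised-blog.test/post/42" "Mozilla/5.0"',
    '198.51.100.23 - - [05/Jul/2024:10:04:50 +0000] "POST /wp-login.php HTTP/1.1" 200 3210 "https://compromised-blog.test/post/9" "Mozilla/5.0"',
] + [
    f'192.0.2.77 - - [05/Jul/2024:11:30:{s:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 3210 "-" "curl/8.0"'
    for s in (0, 10, 20, 30, 40, 50)
]

if __name__ == "__main__":
    for alert in detect_distributed_bruteforce(SAMPLE_LOG, own_host="example-shop.test"):
        print(alert)
```

On the sample above the detector raises exactly one alert, for the 10:00 window, with 8 sources, 9 attempts and `compromised-blog.test` as the only foreign Referer host; the 11:30 burst from a single address is deliberately left to ordinary per-IP rate limiting. Referer is a heuristic only: a site's Referrer-Policy can strip it, so the source-count rule carries the detection on its own.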

Automated Theft

Drainers effectively automate the theft process. First, they can help find the approximate value of crypto assets in a wallet and identify the most valuable ones without spending hours investigating specific blockchains.

Second, they can create transactions and smart contracts to siphon off assets quickly and efficiently, often using several nasty tricks to get the victim to sign the smart contract.

Lastly, they obfuscate fraudulent transactions, making them as vague as possible. This is done to make it incredibly difficult for the victim to understand what exactly happens once the transaction is authorized.
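The three steps above all end at the same chokepoint: the victim's wallet must sign something. The check below is an added example, not code from PCrisk, Ethereum or any wallet vendor, showing the kind of pre-signature inspection a wallet or browser extension can perform to counter the obfuscation step. It decodes the calldata of the standard ERC-20 / ERC-721 functions a drainer contract typically asks the victim to call and flags the two patterns that give an attacker lasting control: an unlimited token allowance and a blanket `setApprovalForAll`. The function selectors are the well-known 4-byte values for those standard signatures; the trusted-address list and the sample addresses are constructed. Off-chain `permit` signatures, which drainers also use, are not covered here because they never pass through the transaction path this code inspects.

```python
"""Pre-signature inspection of an Ethereum transaction's calldata.

Added example, not from the PCrisk article or from any wallet project.
Flags the allowance and approval patterns crypto drainers rely on.
"""
from dataclasses import dataclass
from typing import Optional

# 4-byte function selectors (first 4 bytes of keccak256 of the signature) for
# the standard ERC-20 / ERC-721 functions a drainer contract typically asks the
# victim to call.
SELECTORS = {
    "095ea7b3": "approve(address,uint256)",
    "a22cb465": "setApprovalForAll(address,bool)",
    "a9059cbb": "transfer(address,uint256)",
    "23b872dd": "transferFrom(address,address,uint256)",
}
SIGNATURE_TO_SELECTOR = {v: k for k, v in SELECTORS.items()}
UINT256_MAX = (1 << 256) - 1

# Hypothetical allow-list of contracts the user has vetted (constructed value).
TRUSTED_ADDRESSES = {"0x" + "11" * 20}


@dataclass
class Finding:
    severity: str  # "high", "medium", "low" or "info"
    reason: str


def _word(data: bytes, i: int) -> int:
    """i-th 32-byte ABI word after the selector, as an integer."""
    return int.from_bytes(data[4 + 32 * i: 4 + 32 * (i + 1)], "big")


def _addr(data: bytes, i: int) -> str:
    """i-th ABI word read as an address: the low 20 bytes, lowercase hex."""
    return "0x" + data[4 + 32 * i + 12: 4 + 32 * (i + 1)].hex()


def encode_call(signature: str, *args: int) -> str:
    """Build calldata for one of the known functions (addresses and bools as ints)."""
    sel = SIGNATURE_TO_SELECTOR[signature]
    return "0x" + sel + "".join(a.to_bytes(32, "big").hex() for a in args)


def decode_call(calldata_hex: str):
    """Return (signature, arguments) for a known selector, else None."""
    data = bytes.fromhex(calldata_hex.removeprefix("0x"))
    name = SELECTORS.get(data[:4].hex())
    if name is None:
        return None
    if name.startswith("approve("):
        return name, {"spender": _addr(data, 0), "amount": _word(data, 1)}
    if name.startswith("setApprovalForAll("):
        return name, {"operator": _addr(data, 0), "approved": bool(_word(data, 1))}
    if name.startswith("transfer("):
        return name, {"to": _addr(data, 0), "amount": _word(data, 1)}
    return name, {"from": _addr(data, 0), "to": _addr(data, 1), "amount": _word(data, 2)}


def inspect_calldata(calldata_hex: str, token_balance: Optional[int] = None) -> list:
    """Rate a transaction request before it is shown to the user for signing."""
    decoded = decode_call(calldata_hex)
    if decoded is None:
        # An unknown function must be shown raw, not as a friendly summary.
        return [Finding("info", "unrecognised function; display raw calldata")]
    name, args = decoded
    findings = []
    if name.startswith("approve("):
        if args["amount"] == UINT256_MAX:
            findings.append(Finding("high", f"unlimited allowance granted to {args['spender']}"))
        elif token_balance is not None and args["amount"] > token_balance:
            findings.append(Finding("medium", f"allowance {args['amount']} exceeds balance {token_balance}"))
        if args["spender"] not in TRUSTED_ADDRESSES:
            findings.append(Finding("medium", f"spender {args['spender']} is not on the trusted list"))
    elif name.startswith("setApprovalForAll("):
        if args["approved"]:
            findings.append(Finding("high", f"operator {args['operator']} gains control of every token in the collection"))
    elif args["to"] not in TRUSTED_ADDRESSES:
        findings.append(Finding("low", f"transfer of {args['amount']} to unvetted address {args['to']}"))
    return findings


if __name__ == "__main__":
    # Constructed sample: an unlimited approval to an unknown spender 0x...22.
    sample = encode_call("approve(address,uint256)", 0x22, UINT256_MAX)
    for f in inspect_calldata(sample):
        print(f.severity.upper(), f.reason)
```

The design point is that the wallet decides what to display from the decoded arguments, not from whatever label the requesting site supplies, which is exactly what the obfuscation step tries to exploit. A real wallet would also resolve the spender against a contract-reputation source and show token symbols, but the allowance and approval checks above are the ones that catch the bulk of drainer transactions.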

As to the danger posed by such attacks, in an article published by Kaspersky, it was stated,

According to a recent study on crypto drainer scams, more than 320,000 users were affected in 2023, with total damage of just under $300 million. The fraudulent transactions recorded by the researchers included around a dozen — worth more than a million dollars each. The largest value of loot taken in a single transaction amounted to a little over $24 million… Curiously, experienced cryptocurrency users fall prey to scams like this just like newbies. For example, the founder of the startup behind Nest Wallet was recently robbed of $125,000 worth of stETH by scammers who used a fake website promising an airdrop.

Targeting the cryptocurrency infrastructure and its enthusiasts has long been a staple of modern threat actors. Recent research shows that the problem is getting worse, not better. The amount of cryptocurrency stolen in hacks globally more than doubled in the first six months of 2024 from a year earlier, driven by some large attacks and rising crypto prices, according to TRM Labs.

Further, threat actors had stolen more than 1.38 billion USD worth of crypto by June 24, 2024, compared with 657 million USD in the same period in 2023. It is now more critical than ever for those trading and investing in cryptocurrencies to adopt stringent security practices.


About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over five years working in this branch. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications.
