How Crypto Drainers Work
Brian Carter, Senior Intelligence Analyst at Chainalysis, further told Cryptonews that scammers are starting to target newer blockchain networks with crypto drainers because wallets on those networks have fewer security protections.
“There are fewer people monitoring transactions on these wallets,” he said.
As Carter explained, the critical point is that a crypto drainer is a phishing tool: it entices victims into connecting their wallets directly to the drainer.
“Instead of stealing victims’ usernames and passwords, drainer operators often masquerade as Web3 projects to entice victims into connecting their crypto wallets to the drainer,” Carter said. “Once the threat actor has wallet access, they can approve transaction proposals that grant the operator control of the wallet funds.”
According to Carter, drainers can instantly steal users’ funds if these attacks are successful.
While the total amount of crypto stolen by drainers is difficult to track, Chainalysis found that the quarterly growth rate of value stolen by crypto drainers between Q1 2023 and Q1 2024 exceeded that of ransomware.
Chainalysis’ report also notes that after stealing digital assets from a victim’s wallet, cybercriminals operating drainers typically use various crypto services to launder the funds or potentially convert them into cash.
Malicious DApps Double This Year
It’s also important to note that operators of drainer kits like AngelX promote fake Web3 sites on popular platforms such as Discord and Telegram. These sites appear legitimate, prompting crypto users to click on them and connect their wallets.
According to Tamir, the new AngelX system has already deployed 300 malicious decentralized applications (DApps) designed to steal digital assets from unsuspecting crypto users.
“The running weekly average of malicious DApps across all different threat actors has almost doubled from the start of 2024, increasing from an average of 180,000 weekly malicious scam results to almost 350,000 by August,” Tamir said.
Tamir further believes that this trend is tied directly to the recent crypto bull market.
“As more users and money are entering the ecosystem, attackers are increasingly motivated to invest in new, novel attacks,” he said.
Crypto Drainer Attacks Will Continue, But Users Can Protect Themselves
Unfortunately, both Tamir and Carter are certain that harmful phishing attacks will continue to impact the crypto ecosystem.
“Web3 users will continue to encounter both malicious DApps and simple phishing attacks that might ask for recovery phrases,” Carter said. “When interest in a particular Web3 project develops, and the value increases, criminals will begin innovating approaches to steal assets from users who aren’t prepared.”
While this may be true, Carter noted that there are several ways users can protect themselves against wallet drainers.
“One effective method is using Web3 security extensions to identify phishing sites and assess the security of cryptocurrency wallets,” he said.
Tamir added that Blockaid’s threat intel team detects these attacks daily.
“We employ a dedicated team of cybersecurity experts, with a background in catching nation-state attackers, that’s focused on tracking the different drainer developers,” Tamir said. “This allows us to create heuristics that identify malicious patterns in DApps, transactions, and on-chain contracts.”
Tamir explained that the data found is then fed into Blockaid’s detection systems, which proactively scan the internet for newly deployed DApps. This enables Blockaid to catch threats and flag them hours or days before a user ever sees them.
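The transaction-level heuristics Tamir describes, and the wallet-connect-then-approve mechanism Carter outlined earlier, come down to inspecting what a DApp is actually asking the wallet to sign. The following is an added example, not code from Blockaid, Chainalysis or Cryptonews: a pre-signing check that decodes the calldata of an EVM transaction and flags the approval patterns drainers rely on (unlimited ERC-20 approve()/increaseAllowance() to an unknown spender, ERC-721/ERC-1155 setApprovalForAll(operator, true), and transferFrom() of the user's own asset to a third party). The function selectors are the standard 4-byte ABI prefixes; the addresses, the "trusted spender" list and the sample calldata are constructed for the demonstration and are not real contracts.

```python
# Added example: decode EVM calldata a DApp asks the wallet to sign and flag
# the approval patterns drainers rely on. Not Blockaid/Chainalysis code; the
# addresses and calldata are constructed for this demo.
from dataclasses import dataclass

UINT256_MAX = 2**256 - 1

# Standard ABI selectors: first 4 bytes of keccak256(signature).
SELECTORS = {
    "095ea7b3": "approve(address,uint256)",
    "39509351": "increaseAllowance(address,uint256)",
    "a22cb465": "setApprovalForAll(address,bool)",
    "a9059cbb": "transfer(address,uint256)",
    "23b872dd": "transferFrom(address,address,uint256)",
}


@dataclass
class Finding:
    severity: str  # "high", "medium" or "info"
    reason: str


def _words(data: bytes):
    """Split the ABI-encoded arguments (after the selector) into 32-byte words."""
    body = data[4:]
    if len(body) % 32:
        raise ValueError("calldata arguments are not 32-byte aligned")
    return [body[i:i + 32] for i in range(0, len(body), 32)]


def _addr(word: bytes) -> str:
    """An address is the low 20 bytes of a 32-byte ABI word."""
    return "0x" + word[-20:].hex()


def assess_calldata(calldata_hex: str, sender: str, trusted_spenders) -> list:
    """Return findings for one transaction the user is about to sign."""
    data = bytes.fromhex(calldata_hex.removeprefix("0x"))
    if len(data) < 4:
        return [Finding("info", "plain value transfer or empty calldata")]
    sig = SELECTORS.get(data[:4].hex())
    if sig is None:
        return [Finding("medium", f"unknown function selector 0x{data[:4].hex()}")]
    w = _words(data)
    trusted = {a.lower() for a in trusted_spenders}
    findings = []
    if sig.startswith(("approve", "increaseAllowance")):
        spender, amount = _addr(w[0]), int.from_bytes(w[1], "big")
        if spender.lower() not in trusted:
            unlimited = amount == UINT256_MAX
            findings.append(Finding(
                "high" if unlimited else "medium",
                f"{sig.split('(')[0]} to untrusted spender {spender} for "
                f"{'UNLIMITED' if unlimited else amount}"))
    elif sig.startswith("setApprovalForAll"):
        operator, approved = _addr(w[0]), int.from_bytes(w[1], "big") != 0
        if approved and operator.lower() not in trusted:
            findings.append(Finding(
                "high", f"setApprovalForAll grants {operator} control of every token in this collection"))
    elif sig.startswith("transferFrom"):  # checked before the plain transfer prefix
        frm, to = _addr(w[0]), _addr(w[1])
        if frm.lower() == sender.lower() and to.lower() not in trusted:
            findings.append(Finding("high", f"transferFrom moves your asset to {to}"))
    elif sig.startswith("transfer"):
        to = _addr(w[0])
        if to.lower() not in trusted:
            findings.append(Finding("medium", f"transfer to unfamiliar address {to}"))
    return findings or [Finding("info", f"{sig} with no risky pattern")]


def encode(selector_hex: str, *args) -> str:
    """Minimal ABI encoder for the demo: addresses as hex strings, ints/bools as uint256."""
    out = bytes.fromhex(selector_hex)
    for a in args:
        if isinstance(a, str):
            out += bytes.fromhex(a.removeprefix("0x")).rjust(32, b"\0")
        else:
            out += int(a).to_bytes(32, "big")
    return "0x" + out.hex()


# Constructed addresses for the demo (hypothetical, not real contracts).
USER = "0x1111111111111111111111111111111111111111"
DEX_ROUTER = "0x2222222222222222222222222222222222222222"  # the one spender the user trusts
DRAINER = "0xdeaddeaddeaddeaddeaddeaddeaddeaddeaddead"


def demo() -> dict:
    """Run the check over a benign approval and three drainer-style requests."""
    cases = {
        "legit swap approval": encode("095ea7b3", DEX_ROUTER, 10**18),
        "drainer unlimited approval": encode("095ea7b3", DRAINER, UINT256_MAX),
        "drainer nft approval": encode("a22cb465", DRAINER, True),
        "drainer transferFrom": encode("23b872dd", USER, DRAINER, 42),
    }
    return {name: assess_calldata(cd, USER, [DEX_ROUTER]) for name, cd in cases.items()}


if __name__ == "__main__":
    for name, findings in demo().items():
        for f in findings:
            print(f"[{f.severity:6}] {name}: {f.reason}")
```

A wallet extension would run a check like this before showing the signing prompt and refuse, or at least warn loudly, on any "high" finding; note that the trusted-spender list is the weak point, since a drainer that obtains an approval to a legitimate contract it can also call (for example via a phishing-controlled frontend) slips past a purely address-based allowlist.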
Yet not all crypto drainers are detected and caught before they impact users. Given this, Carter explained that crypto users should also store valuable assets in offline wallets and only transfer funds to a hot wallet when necessary.
“This can also reduce exposure to attacks,” he remarked. “Another precaution is using a temporary wallet with no assets when connecting to unfamiliar Web3 sites. This limits the potential risk if the site turns out to be malicious. Additionally, users should be cautious of links shared in chat rooms or on social media, as they may not be from official project accounts.”