An analysis of two Web3 phishing kits by Bernhard Mueller

I came across this article via BlockThreat - Week 14, 2024 (by Peter Kacherginsky), which is by far still the best blockchain security newsletter out there (go subscribe, now!)

Bernhard de-obfuscates and examines two popular crypto wallet drainers (both are, unsurprisingly, Javascript malware):

• A peek inside Inferno Drainer
• A brief analysis of Angel Drainer

Both are well crafted pieces of malware, capable of some clever tricks, for example:

• "Receiver addresses for regular and seaport transactions. Low-value assets are drained to these addresses, while high-value assets are drained to previously unused addresses.
• It is able to intelligently sort tokens and NFTs based on value, prioritizing the most lucrative assets for extraction.
• In most cases, Angel drainer asks the user to send an approval transaction or sign an ERC-2612 permit. If successful, the drainer then notifies its backend to withdraw the victim’s assets. A variety of methods are supported, including:
  • Unstaking and stealing stakes from popular projects like Apes, MAYC, BAYC, Potatoz, and Creepz
  • Trading NFTs on Blur and OpenSea on behalf of the victim, allowing the attackers to liquidate valuable assets
  • Stealing LP position NFTs from decentralized exchanges like PancakeSwap, Sushiswap, TraderJoe, and QuickSwap
  • Withdrawing liquidity from Curve and Aave positions
  • Generically stealing ERC20 tokens and NFTs sorted by value (including looking up valuations on DEXes/NFT exchanges). "

Photo by Simon Hurry on Unsplash