An Analysis Of Two Web3 Phishing Kits by Bernhard Mueller
I came across this article via BlockThreat - Week 14, 2024 (by Peter Kacherginsky), which is by far still the best blockchain security newsletter out there (go subscribe, now!)
Bernhard de-obfuscates and examines two popular crypto wallet drainers (both are, unsurprisingly, Javascript malware):
Both are well crafted pieces of malware, capable of some clever tricks, for example:
- "Receiver addresses for regular and seaport transactions. Low-value assets are drained to these addresses, while high-value assets are drained to previously unused addresses.
- It is able to intelligently sort tokens and NFTs based on value, prioritizing the most lucrative assets for extraction.
- In most cases, Angel drainer asks the user to send an approval transaction or sign an ERC-2612 permit. If successful, the drainer then notifies its backend to withdraw the victim’s assets. A variety of methods are supported, including:
- Unstaking and stealing stakes from popular projects like Apes, MAYC, BAYC, Potatoz, and Creepz
- Trading NFTs on Blur and OpenSea on behalf of the victim, allowing the attackers to liquidate valuable assets
- Stealing LP position NFTs from decentralized exchanges like PancakeSwap, Sushiswap, TraderJoe, and QuickSwap
- Withdrawing liquidity from Curve and Aave positions
- Generically stealing ERC20 tokens and NFTs sorted by value (including looking up valuations on DEXes/NFT exchanges). "
Photo by Simon Hurry on Unsplash