An analysis of two Web3 phishing kits by Bernhard Mueller

(c) Simon Hurry / Unsplash

I came across this article via BlockThreat - Week 14, 2024 (by Peter Kacherginsky), which is by far still the best blockchain security newsletter out there (go subscribe, now!)

Bernhard de-obfuscates and examines two popular crypto wallet drainers (both are, unsurprisingly, JavaScript malware):

Both are well-crafted pieces of malware, capable of some clever tricks, for example:

  • "Receiver addresses for regular and Seaport transactions. Low-value assets are drained to these addresses, while high-value assets are drained to previously unused addresses.
  • It is able to intelligently sort tokens and NFTs based on value, prioritizing the most lucrative assets for extraction.
  • In most cases, Angel drainer asks the user to send an approval transaction or sign an ERC-2612 permit. If successful, the drainer then notifies its backend to withdraw the victim’s assets. A variety of methods are supported, including:
    • Unstaking and stealing stakes from popular projects like Apes, MAYC, BAYC, Potatoz, and Creepz
    • Trading NFTs on Blur and OpenSea on behalf of the victim, allowing the attackers to liquidate valuable assets
    • Stealing LP position NFTs from decentralized exchanges like PancakeSwap, Sushiswap, TraderJoe, and QuickSwap
    • Withdrawing liquidity from Curve and Aave positions
    • Generically stealing ERC20 tokens and NFTs sorted by value (including looking up valuations on DEXes/NFT exchanges)."
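The two requests the quote describes, an ERC-20 approval transaction or an ERC-2612 permit signature, are all the wallet ever sees before the drainer's backend moves anything. As an added example (not code from the original post or from Bernhard's analysis), here is a wallet-side triage in plain JavaScript: it decodes an `approve(address,uint256)` call and inspects an EIP-712 `Permit` request for the signals such a request typically carries, namely a spender that is not a contract the user meant to authorize, an unlimited allowance, and a deadline far in the future. The allowlist, the token name and every address below are constructed placeholders, not real contracts.

```javascript
// Added example, not code from the original post or from the drainer analysis it links.
// Wallet-side triage of the two requests a drainer makes before its backend withdraws
// funds: an ERC-20 approve(spender, value) transaction, or an ERC-2612 Permit signature
// delivered as EIP-712 typed data (eth_signTypedData_v4). Pure JS, no dependencies.

const MAX_UINT256 = (1n << 256n) - 1n;
const APPROVE_SELECTOR = "0x095ea7b3"; // first 4 bytes of keccak256("approve(address,uint256)")
const ONE_YEAR_SEC = 365n * 86400n;

// Constructed allowlist: the spenders the user actually intends to authorize
// (in practice: the router/marketplace contract of the dapp the user is using).
const KNOWN_SPENDERS = new Set(["0x1111111111111111111111111111111111111111"]);

const norm = (addr) => addr.toLowerCase();

// Encode approve(address,uint256) calldata: selector + two 32-byte ABI words.
function encodeApprove(spender, value) {
  const word1 = spender.slice(2).toLowerCase().padStart(64, "0");
  const word2 = value.toString(16).padStart(64, "0");
  return APPROVE_SELECTOR + word1 + word2;
}

// Decode approve() calldata; returns null if the selector or length does not match.
function decodeApprove(data) {
  const hex = data.startsWith("0x") ? data.slice(2) : data;
  if (hex.length !== 8 + 64 + 64) return null;
  if ("0x" + hex.slice(0, 8) !== APPROVE_SELECTOR) return null;
  const spender = "0x" + hex.slice(8 + 24, 8 + 64); // address = low 20 bytes of word 1
  const value = BigInt("0x" + hex.slice(72, 136));
  return { spender: norm(spender), value };
}

// Flags on an approve() transaction the user is asked to send.
function triageApproveTx(tx) {
  const dec = decodeApprove(tx.data || "0x");
  if (!dec) return { kind: "not-approve", findings: [] };
  const findings = [];
  if (!KNOWN_SPENDERS.has(dec.spender)) findings.push("spender-unknown");
  if (dec.value === MAX_UINT256) findings.push("unlimited-allowance");
  return { kind: "approve", token: norm(tx.to), spender: dec.spender, value: dec.value, findings };
}

// ERC-2612 field list, in the order the standard defines it.
const PERMIT_FIELDS = "address owner,address spender,uint256 value,uint256 nonce,uint256 deadline";

// Flags on an EIP-712 Permit request the user is asked to sign. Signing costs the
// victim no gas and leaves no on-chain trace until the drainer's backend submits permit().
function triagePermit(typedData, nowSec) {
  if (typedData.primaryType !== "Permit") return { kind: "not-permit", findings: [] };
  const fields = (typedData.types.Permit || []).map((f) => `${f.type} ${f.name}`).join(",");
  if (fields !== PERMIT_FIELDS) return { kind: "permit-like", findings: ["nonstandard-permit-type"] };
  const m = typedData.message;
  const findings = [];
  if (!KNOWN_SPENDERS.has(norm(m.spender))) findings.push("spender-unknown");
  if (BigInt(m.value) === MAX_UINT256) findings.push("unlimited-allowance");
  if (BigInt(m.deadline) - BigInt(nowSec) > ONE_YEAR_SEC) findings.push("deadline-far-future");
  return { kind: "permit", token: norm(typedData.domain.verifyingContract), spender: norm(m.spender), findings };
}

// Constructed sample of what a drainer page hands the wallet: an unlimited permit on a
// token, to an attacker-controlled spender, valid essentially forever.
const DRAINER_PERMIT_REQUEST = {
  domain: { name: "Example Token", version: "1", chainId: 1,
            verifyingContract: "0x2222222222222222222222222222222222222222" },
  primaryType: "Permit",
  types: {
    EIP712Domain: [
      { name: "name", type: "string" }, { name: "version", type: "string" },
      { name: "chainId", type: "uint256" }, { name: "verifyingContract", type: "address" },
    ],
    Permit: [
      { name: "owner", type: "address" }, { name: "spender", type: "address" },
      { name: "value", type: "uint256" }, { name: "nonce", type: "uint256" },
      { name: "deadline", type: "uint256" },
    ],
  },
  message: {
    owner: "0x3333333333333333333333333333333333333333",   // the victim
    spender: "0x4444444444444444444444444444444444444444", // attacker-controlled
    value: MAX_UINT256.toString(),
    nonce: "0",
    deadline: "99999999999999",
  },
};

// Constructed sample approve() transaction with the same attacker spender.
const DRAINER_APPROVE_TX = {
  to: "0x2222222222222222222222222222222222222222",
  data: encodeApprove("0x4444444444444444444444444444444444444444", MAX_UINT256),
};

const NOW = 1700000000; // fixed clock for the sample
console.log(triagePermit(DRAINER_PERMIT_REQUEST, NOW).findings);
console.log(triageApproveTx(DRAINER_APPROVE_TX).findings);
```

The allowlist is the weak spot of this kind of check (a real wallet would pair it with transaction simulation and contract reputation), but the three signals are cheap to compute and already separate a drainer's request from a normal DEX approval. Note that a signed permit is not an on-chain allowance yet: nothing shows up on the chain, and there is nothing to revoke, until the backend calls `permit()` with the signature, which is why the kit relays it to its server rather than acting in the browser.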
