{"id":22356,"date":"2024-02-06T19:53:53","date_gmt":"2024-02-06T15:53:53","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/?p=22356"},"modified":"2024-02-06T19:53:53","modified_gmt":"2024-02-06T15:53:53","slug":"what-is-a-crypto-wallet-drainer","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/what-is-a-crypto-wallet-drainer\/22356\/","title":{"rendered":"What crypto drainers are, and how to fend them off"},"content":{"rendered":"

A new category of malicious tools has been gaining popularity with crypto scammers lately: crypto wallet drainers. This post will explain what crypto drainers are, how they work, what makes them dangerous\u00a0\u2014 even for experienced users\u00a0\u2014 and how to defend against them.<\/p>\n

What a crypto (wallet) drainer is<\/h2>\n

A crypto drainer \u2014 or crypto wallet drainer \u2014 is a type of malware that\u2019s been targeting crypto owners since it first appeared just over a year ago. A crypto drainer is designed to (quickly) empty crypto wallets automatically by siphoning off either all or just the most valuable assets they contain, and placing them into the drainer operators\u2019 wallets.<\/p>\n

As an example of this kind of theft, let us review the theft of 14 Bored Ape NFTs with a total value of over $1 million<\/a>, which occurred on December 17, 2022. The scammers set up a fake website for the real Los Angeles-based movie studio Forte Pictures, and contacted a certain NFT collector on behalf of the company. They told the collector that they were making a film about NFT. Next, they asked the collector if they wanted to license the intellectual property (IP) rights to one of their Bored Ape NFTs so it could be used in the movie.<\/p>\n

According to the scammers, this required signing a contract on \u201cUnemployd\u201d, ostensibly a blockchain platform for licensing NFT-related intellectual property. However, after the victim approved the transaction, it turned out that all 14 Bored Ape NFTs belonging to them were sent<\/a> to the malicious actor for a paltry 0.00000001 ETH (about US\u00a20.001 at the time).<\/p>\n

\"The<\/a>

What the request to sign the \u201ccontract\u201d looked like (left), and what actually happened after the transaction was approved (right). Source<\/a><\/p><\/div>\n

The scheme relied to a large extent on social engineering: the scammers courted the victim for more than a month with email messages, calls, fake legal documents, and so on. However, the centerpiece of this theft was the transaction that transferred the crypto assets into the scammers\u2019 ownership, which they undertook at an opportune time. Such a transaction is what drainers rely on.<\/p>\n

How crypto drainers work<\/h2>\n

Today\u2019s drainers can automate most of the work of emptying victims\u2019 crypto wallets. First, they can help to find out the approximate value of crypto assets in a wallet and identify the most valuable ones. Second, they can create transactions and smart contracts to siphon off assets quickly and efficiently. And finally, they obfuscate fraudulent transactions, making them as vague as possible, so that it\u2019s difficult to understand what exactly happens once the transaction is authorized.<\/p>\n

Armed with a drainer, malicious actors create fake web pages posing as websites for cryptocurrency projects of some sort. They often register lookalike domain names, taking advantage of the fact that these projects tend to use currently popular domain extensions that resemble one another.<\/p>\n

Then the scammers use a technique to lure the victim to these sites. Frequent pretexts are an airdrop or NFT minting: these models of rewarding user activity are popular in the crypto world, and scammers don\u2019t hesitate to take advantage of that.<\/p>\n

\"These<\/a>

These X (Twitter) ads promoted NFT airdrops and new token launches on sites that contain the drainer. Source<\/a><\/p><\/div>\n

Also commonplace are some totally unlikely schemes: to draw users to a fake website, malicious actors recently used<\/a> a hacked Twitter account that belonged to a\u2026 blockchain security company!<\/p>\n

\"X<\/a>

X (Twitter) ads for a supposedly limited-edition NFT collection on scam websites. Source<\/a><\/p><\/div>\n

Scammers have also been known to place ads on social media and search engines<\/a> to lure victims to their forged websites. In the latter case, it helps them intercept customers of real crypto projects as they search for a link to a website they\u2019re interested in. Without looking too closely, users click on the \u201csponsored\u201d scam link, which is always displayed above organic search results, and end up on the fake website.<\/p>\n

\"Scam<\/a>

Google search ads with links to scam websites containing crypto drainers. Source<\/a><\/p><\/div>\n

Then, the unsuspecting crypto owners are handed a transaction generated by the crypto drainer to sign. This can result in a direct transfer of funds to the scammers\u2019 wallets, or more sophisticated scenarios such as transferring the rights to manage assets in the victim\u2019s wallet to a smart contract. One way or another, once the malicious transaction is approved, all the valuable assets get siphoned off to the scammers\u2019 wallets as quickly as possible.<\/p>\n

How dangerous crypto drainers are<\/h2>\n

The popularity of drainers among crypto scammers is growing rapidly. According to a recent study<\/a> on crypto drainer scams, more than 320,000 users were affected in 2023, with total damage of just under $300 million. The fraudulent transactions recorded by the researchers included around a dozen \u2014 worth more than a million dollars each. The largest value of loot taken in a single transaction amounted to a little over $24 million!<\/p>\n

Curiously, experienced cryptocurrency users fall prey to scams like this just like newbies. For example, the founder of the startup behind Nest Wallet was recently robbed<\/a> of $125,000 worth of stETH by scammers who used a fake website promising an airdrop.<\/p>\n

How to protect against crypto drainers<\/h2>\n