Cybersecurity researchers have uncovered a large-scale, global cryptocurrency phishing campaign called FreeDrain that uses SEO manipulation and legitimate-looking platforms to steal users' seed phrases and drain digital wallets. The operation targets users searching for wallet information and employs techniques such as AI-generated content and abuse of legitimate infrastructure to evade detection and takedown. (Affected: Cryptocurrency wallet users and related online platforms)
Keypoints:
- Researchers have identified over 38,000 sub-domains hosting FreeDrain lure pages that imitate legitimate crypto wallet interfaces.
- Threat actors use SEO manipulation, layered redirection, and free-tier hosting services like GitBook, Webflow, and GitHub Pages to distribute phishing pages.
- Victims searching for wallet-related queries land on lure pages that either forward them to a legitimate website or prompt them to enter a seed phrase, which is then used to drain the wallet.
- Cybercriminals use generative AI tools such as GPT-4 to produce decoy content at scale and employ spamdexing to push lure pages up in search results.
- The attack infrastructure is resilient, utilizing cloud hosting, frequently changing URLs, and abuse of legitimate services to evade takedowns.
- In a separate finding, a phishing campaign built on the Inferno Drainer toolkit targeted over 30,000 wallets between September 2024 and March 2025, with losses exceeding $9 million.
- Other campaigns include phishing delivered through Facebook ads impersonating exchanges and trading platforms, which deploy malware and evade detection using environment checks.
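As an added example (not code from the FreeDrain report or its authors), the following Python triage heuristic combines two of the signals listed above: a redirect chain that hops through free-tier hosting platforms, and a landing page that asks the visitor for a seed or recovery phrase. The hosting apex domains, the sample redirect chain and the sample HTML are constructed assumptions for illustration, not indicators taken from the campaign.

```python
"""Triage heuristic for FreeDrain-style lure pages.

Added example, not part of the FreeDrain report. Scores an ordered redirect
chain (e.g. reconstructed from proxy logs or a crawler following Location
headers) plus the HTML of the final page. Host list and samples are constructed.
"""
import re
from urllib.parse import urlparse

# Apex domains of the free-tier platforms the report names; the exact
# hostnames are an assumption for this example.
FREE_TIER_HOSTS = ("gitbook.io", "webflow.io", "github.io")

# Language a lure page uses when it asks for the wallet secret.
SEED_PHRASE_RE = re.compile(r"\b(seed|recovery|secret|mnemonic)\s+phrase\b", re.I)
WORD_COUNT_RE = re.compile(r"\b(12|24)[\s-]*words?\b", re.I)
# A form field on the same page turns "mentions a seed phrase" into "asks for one".
INPUT_RE = re.compile(r"<(input|textarea)\b", re.I)


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def is_free_tier(host: str) -> bool:
    """True when host is, or is a subdomain of, a listed free-tier platform."""
    return any(host == apex or host.endswith("." + apex) for apex in FREE_TIER_HOSTS)


def analyse_chain(chain: list[str]) -> tuple[int, str]:
    """Return (number of hops on free-tier hosting, final hostname)."""
    hosts = [host_of(u) for u in chain]
    return sum(is_free_tier(h) for h in hosts), hosts[-1]


def page_requests_seed_phrase(html: str) -> bool:
    """True if the page talks about a seed/recovery phrase AND has a form field."""
    mentions = bool(SEED_PHRASE_RE.search(html)) or bool(WORD_COUNT_RE.search(html))
    return mentions and bool(INPUT_RE.search(html))


def triage(chain: list[str], final_html: str) -> tuple[str, list[str]]:
    """Combine the two signals into a verdict: 'lure', 'suspicious' or 'benign'."""
    hops, _final_host = analyse_chain(chain)
    reasons = []
    if hops:
        reasons.append(f"{hops} hop(s) via free-tier hosting")
    if page_requests_seed_phrase(final_html):
        reasons.append("final page asks for a seed phrase")
    if len(reasons) == 2:
        return "lure", reasons
    return ("suspicious" if reasons else "benign"), reasons


# Constructed sample: a docs page on one free-tier host forwards to a second
# free-tier host, which lands on a form asking for the recovery phrase.
SAMPLE_CHAIN = [
    "https://wallet-help-docs.gitbook.io/recover",
    "https://wallet-restore.webflow.io/",
    "https://recover-wallet.example/restore",
]
SAMPLE_LURE_HTML = """
<h1>Restore your wallet</h1>
<p>Enter your 12-word recovery phrase to continue.</p>
<form><textarea name="phrase"></textarea><button>Restore</button></form>
"""

if __name__ == "__main__":
    print(triage(SAMPLE_CHAIN, SAMPLE_LURE_HTML))
```

Treat the verdict as a triage score rather than a blocking decision: a legitimate wallet vendor that hosts its documentation on one of these platforms, or a help page that warns users never to share their 12-word phrase next to a site search box, will score one signal, so only the combination of both should escalate to an analyst.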
Read More: https://thehackernews.com/2025/05/38000-freedrain-subdomains-found.html