Check Point Research (CPR) found a malicious WalletConnect-based crypto drainer app on Google Play that targeted mobile users and used advanced evasion techniques to avoid detection, stealing over $70,000 from more than 150 victims. The operation leveraged the WalletConnect protocol, the MS Drainer toolkit, and deceptive branding to appear legitimate, then stole funds via deep links and malicious smart contracts.
Key points
- Malicious App Discovery: CPR found a crypto drainer app on Google Play targeting mobile users.
- Exploitation of WalletConnect: The app used the WalletConnect protocol to appear legitimate and facilitate unauthorized transactions.
- Social Engineering: Fake reviews and branding helped the app achieve over 10,000 downloads.
- Financial Losses: Victims lost more than $70,000 in cryptocurrency.
- Advanced Evasion: The app employed evasion techniques to avoid detection for nearly five months.
- Mobile Targeting: This is the first documented case of crypto drainers exclusively targeting mobile devices.
- MS Drainer Toolkit: The attacker toolkit supported broad asset theft and automated withdrawal across networks.
MITRE Techniques
- [T1036] Masquerading – The malicious app masqueraded as a legitimate WalletConnect tool. “the app masqueraded as a legitimate WalletConnect tool.”
- [T1566] Phishing – Attackers used social engineering to trick users into downloading the malicious app. “Attackers used social engineering to trick users into downloading the malicious app.”
- [T1132] Data Encoding – Embedded script encoded in BASE64 to load additional code. “embedded script encoded in BASE64.”
- [T1027] Data Encrypted – The malware used encryption to obfuscate its communication with the C&C server. “The malware used encryption to obfuscate its communication with the C&C server.”
- [T1071.001] Application Layer Protocol – The app used HTTP/HTTPS for its communication with the C&C server. “The app used HTTP/HTTPS for its communication with the C&C server.”
- [T1210] Exploitation of Remote Services – The app exploited the WalletConnect protocol to facilitate unauthorized transactions. “The app exploited the WalletConnect protocol to facilitate unauthorized transactions.”
- [T1562.001] Impair Defenses – Anti-debug techniques implemented in the obfuscator. “Anti-debug techniques implemented in the obfuscator.”
Indicators of Compromise
- [Domain] context – mestoxcalculator[.]com, web3protocol[.]online, connectprotocol[.]app, cakeserver[.]online
- [SHA256] context – ea526792150e71402f896ddaf1f04aedcb1356aea3bfebbcaf6c90bcdde7aa0c, bf557e975733c113acc38daa18ca1849a1022b4c30b118899f68210cd3c7f990, and 1 more hash
Read more: https://research.checkpoint.com/2024/walletconnect-scam-a-case-study-in-crypto-drainer-tactics/