FreeDrain is a vast crypto phishing campaign abusing free publishing platforms and SEO manipulation to steal wallet seed phrases. It uses layered redirects, AI-generated content, and live operators primarily in the Indian Standard Time zone to drain victims’ funds. (Affected: Cryptocurrency users, free-tier web platforms)
Key points:
- FreeDrain operates an industrial-scale crypto phishing network targeting wallet seed phrases globally.
- The campaign exploits SEO techniques and comment spam (spamdexing) to rank malicious lure pages high on search engines.
- Over 38,000 unique subdomains host lure pages on free-tier platforms like gitbook.io, webflow.io, github.io, and more.
- Lure pages deceptively mimic legit wallet interfaces and redirect victims through multi-step chains to phishing pages.
- Phishing sites use cloud hosting infrastructure such as Amazon S3 and Azure Web Apps with simple, effective exfiltration code.
- FreeDrain operators appear to work weekdays in the UTC+05:30 (Indian Standard Time) timezone.
- The campaign leverages AI-generated content to scale lure page creation rapidly, sometimes including tool artifacts in the text.
- Redirector domains are algorithmically generated .com domains using GUID-like paths to manage redirections.
- Some phishing pages include live chat functions where human operators interact with victims to maintain engagement.
- Lack of effective abuse detection and reporting mechanisms on free-tier platforms enables the campaign’s persistence and growth.
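The key points above describe three URL shapes a defender can triage mechanically: lure pages on free-tier publishing hosts, redirectors on .com domains with GUID-like paths, and final phishing pages on Azure Web Apps or S3. The following Python script is an added example (not code from the report or its authors) that classifies a list of URLs into those buckets; the host suffix lists and the sample URLs are constructed for the example, with the single Azure hostname taken from the page.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Free-tier publishing platforms the report names as hosts of lure pages.
FREE_TIER_SUFFIXES = ("gitbook.io", "webflow.io", "github.io")
# Cloud hosting used for the final phishing pages (Azure Web Apps, Amazon S3).
AZURE_SUFFIX = "azurewebsites.net"
AWS_SUFFIX = "amazonaws.com"
# GUID-like path segment: 8-4-4-4-12 hexadecimal groups.
GUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I
)


def host_matches(host, suffixes):
    """True if host equals or is a subdomain of any suffix."""
    return any(host == s or host.endswith("." + s) for s in suffixes)


def is_s3_host(host):
    """True for virtual-hosted S3 names such as bucket.s3.amazonaws.com
    or bucket.s3-<region>.amazonaws.com."""
    if not host_matches(host, (AWS_SUFFIX,)):
        return False
    return any(label == "s3" or label.startswith("s3-") for label in host.split("."))


def classify_url(url):
    """Assign a URL to one of the report's three traffic-chain stages."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    segments = [s for s in parts.path.split("/") if s]
    if host_matches(host, FREE_TIER_SUFFIXES):
        return "lure-free-tier"
    if host_matches(host, (AZURE_SUFFIX,)) or is_s3_host(host):
        return "phish-cloud-host"
    if host.endswith(".com") and any(GUID_RE.match(s) for s in segments):
        return "redirector-guid-path"
    return "unclassified"


def summarize(urls):
    """Count how many URLs fall into each stage."""
    return dict(Counter(classify_url(u) for u in urls))


# Constructed sample input; the placeholder hostnames are not real indicators.
SAMPLE_URLS = [
    "https://example-docs.gitbook.io/wallet-login",
    "https://wallet-help-placeholder.webflow.io/",
    "https://redirector-placeholder.com/3f2504e0-4f89-11d3-9a0c-0305e82c3301",
    "https://atomicwallet.azurewebsites.net/",
    "https://my-bucket.s3.amazonaws.com/index.html",
    "https://www.example.org/page",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(f"{classify_url(u):22s} {u}")
    print(summarize(SAMPLE_URLS))
```

Feeding proxy or DNS logs through `classify_url` gives a quick first pass; a hit in any bucket is a reason to look at the referrer chain, not proof on its own, since all three host families carry large amounts of legitimate traffic.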
MITRE Techniques:
- Phishing (T1566) – Targeting users with crafted search results leading to phishing pages to steal wallet seed phrases.
- Search Engine Optimization Abuse (T1190 variant) – Manipulating search results through spamdexing to increase lure page visibility.
- Use of Web Service (T1102) – Hosting phishing and lure pages on free-tier cloud platforms like gitbook.io, webflow.io, github.io, and Azure Web Apps.
- Data from Local System (T1005) – Stealing sensitive seed phrases entered by victims into phishing forms.
- Automated Collection (T1119) – Using scripted AJAX POST requests to exfiltrate stolen credentials to attacker-controlled endpoints.
- Command and Control (T1071) – Utilizing persistent redirector domains and GUID-like session IDs to manage victim traffic flow.
- Impair Defenses (T1562) – Evading detection using clean, unobfuscated JavaScript and rotating domains to prevent takedown.
- Masquerading (T1036) – Phishing pages mimic legitimate wallet interfaces and domains for credibility.
- Account Manipulation (T1098) – Abuse of free-tier publishing accounts with programmatically created aliases for scale and anonymity.
Indicators of Compromise:
- The article includes thousands of URLs of lure pages hosted on free platforms like gitbook.io and webflow.io, which can be used to detect fraudulent domains.
- Lists of algorithmically generated redirector domains (.com TLDs) with GUID-like paths help identify traffic routing.
- Phishing URLs hosted on Azure Web Apps and Amazon S3 buckets, including examples like https://atomicwallet.azurewebsites.net/ and various AWS S3 endpoints.
- Unique hashes and patterns in JavaScript exfiltration code are indicators to detect phishing form submission behavior.
- Commit metadata (timestamps and emails) from GitHub repositories associated with lure pages can be leveraged as forensic data points.
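The last indicator above, commit timestamps from the GitHub repositories behind the lure pages, is what supports the report's UTC+05:30 weekday-activity finding. The Python below is an added example (not the report's own tooling) of that analysis: it parses author timestamps, finds the dominant UTC offset, re-expresses every commit in that zone, and reports weekday and working-hours shares. The commit times are constructed for the example and the 09:00 to 18:00 working-hours window is an assumption.

```python
from collections import Counter
from datetime import datetime, timezone

# Constructed sample of commit author timestamps (ISO 8601 with UTC offset).
# Not real data; chosen to resemble a weekday, office-hours pattern.
SAMPLE_COMMIT_TIMES = [
    "2024-03-11T09:42:00+05:30",  # Monday
    "2024-03-11T14:05:00+05:30",
    "2024-03-12T10:15:00+05:30",  # Tuesday
    "2024-03-13T16:30:00+05:30",  # Wednesday
    "2024-03-14T11:20:00+05:30",  # Thursday
    "2024-03-15T13:50:00+05:30",  # Friday
    "2024-03-16T12:00:00+05:30",  # Saturday (weekend outlier)
    "2024-03-18T02:10:00+00:00",  # Monday, recorded in UTC (e.g. web-UI commit)
]


def parse_commit_time(ts):
    """Parse an ISO 8601 timestamp; a missing offset is treated as UTC."""
    dt = datetime.fromisoformat(ts)
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt


def offset_label(delta):
    """Render a timedelta offset as 'UTC+HH:MM' / 'UTC-HH:MM'."""
    total = int(delta.total_seconds())
    sign = "+" if total >= 0 else "-"
    total = abs(total)
    return f"UTC{sign}{total // 3600:02d}:{(total % 3600) // 60:02d}"


def activity_profile(timestamps, work_start=9, work_end=18):
    """Summarise when commits were made, in the most common author offset."""
    dts = [parse_commit_time(t) for t in timestamps]
    offsets = Counter(d.utcoffset() for d in dts)
    dominant_delta = offsets.most_common(1)[0][0]
    # Express every commit in the dominant zone so offset-stripped entries
    # (the UTC one above) are compared on the same clock.
    local = [d.astimezone(timezone(dominant_delta)) for d in dts]
    n = len(local)
    return {
        "dominant_offset": offset_label(dominant_delta),
        "offset_counts": {offset_label(k): v for k, v in offsets.items()},
        "weekday_counts": dict(Counter(d.strftime("%A") for d in local)),
        "hour_counts": dict(sorted(Counter(d.hour for d in local).items())),
        "weekday_share": sum(1 for d in local if d.weekday() < 5) / n,
        "work_hours_share": sum(
            1 for d in local if work_start <= d.hour < work_end
        ) / n,
    }


if __name__ == "__main__":
    profile = activity_profile(SAMPLE_COMMIT_TIMES)
    for key, value in profile.items():
        print(f"{key}: {value}")
```

Author offsets are set by the committer's own machine, so a single repository can be spoofed; the report's conclusion rests on the pattern holding across many repositories, which is why the profile above is computed over a pooled list rather than per repository.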