The Rising Threat of Phishing Attacks with Crypto Drainers – Check Point Research

Check Point Research documents a rise in phishing campaigns using crypto-drainer kits that trick users into signing off-chain ERC‑20 permit messages, enabling attackers to obtain unlimited token allowances and drain wallets across many chains. The report highlights Angel Drainer’s workflow—deploying or reusing contracts, executing a multicall that issues a Permit and then transferFrom calls against tokens like stETH. #AngelDrainer #stETH

Keypoints

  • Check Point Research observed a surge in phishing attacks using “crypto drainer” kits targeting almost 20 blockchain networks, including Ethereum, BSC, Polygon, and Avalanche.
  • Angel Drainer is named as an active service that provides wallet‑draining scripts and infrastructure, continuing despite takedowns of similar operations like Inferno Drainer.
  • Attack flow: malicious airdrop/phishing lure → deceptive website → wallet connect → victim signs an off‑chain ERC‑20 permit → attacker uses permit + transferFrom to steal tokens.
  • Technical sequence analyzed includes a transaction (0xb60c32fb…) invoking a contract function with selector 0x095838d2 that deploys or interacts with a scammer contract and then calls multicall.
  • The multicall executes a Permit (0xd505accf) followed by two transferFrom (0x23b872dd) actions targeting the stETH token contract, effectively allowing large or unlimited token transfers.
  • Attackers use freshly deployed contracts with no transaction history to evade wallet security alerts, then obfuscate proceeds through mixers and chained transfers.
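The multicall sequence above (one Permit, then transferFrom calls against the token contract) can be recognised from raw calldata alone. The following is an added detection example, not code from Check Point Research: it ABI-decodes the inner calls of a multicall by their 4-byte selectors (0xd505accf for permit, 0x23b872dd for transferFrom, both from the report) and flags an unlimited-allowance permit followed by transferFrom calls against the same owner. The victim and spender addresses, amounts and the zeroed signature fields in the sample are constructed for the demonstration; the helper names are this example's own.

```python
# Added example (not from the Check Point post): decode the inner calls of a
# multicall and flag the permit-then-transferFrom pattern the report describes.
# Pure Python, no web3 dependency; addresses and amounts below are constructed.

PERMIT_SELECTOR = "d505accf"         # permit(address,address,uint256,uint256,uint8,bytes32,bytes32)
TRANSFER_FROM_SELECTOR = "23b872dd"  # transferFrom(address,address,uint256)
MAX_UINT256 = 2**256 - 1             # "unlimited" allowance / never-expiring deadline


def enc_addr(addr: str) -> bytes:
    """ABI-encode a 20-byte hex address as a left-padded 32-byte word."""
    return bytes.fromhex(addr[2:]).rjust(32, b"\x00")


def enc_uint(n: int) -> bytes:
    """ABI-encode an unsigned integer as a 32-byte big-endian word."""
    return n.to_bytes(32, "big")


def word(calldata: bytes, i: int) -> bytes:
    """Return the i-th 32-byte argument word after the 4-byte selector."""
    return calldata[4 + 32 * i: 4 + 32 * (i + 1)]


def as_addr(w: bytes) -> str:
    """Take the low 20 bytes of a word and render them as a hex address."""
    return "0x" + w[12:].hex()


def decode_call(calldata: bytes) -> dict:
    """Decode a single inner call into a dict keyed by function name."""
    sel = calldata[:4].hex()
    if sel == PERMIT_SELECTOR:
        return {
            "fn": "permit",
            "owner": as_addr(word(calldata, 0)),
            "spender": as_addr(word(calldata, 1)),
            "value": int.from_bytes(word(calldata, 2), "big"),
            "deadline": int.from_bytes(word(calldata, 3), "big"),
        }
    if sel == TRANSFER_FROM_SELECTOR:
        return {
            "fn": "transferFrom",
            "from": as_addr(word(calldata, 0)),
            "to": as_addr(word(calldata, 1)),
            "amount": int.from_bytes(word(calldata, 2), "big"),
        }
    return {"fn": "unknown", "selector": "0x" + sel}


def analyze_sequence(calls: list[bytes]) -> list[str]:
    """Return human-readable findings for a list of inner-call calldata blobs."""
    decoded = [decode_call(c) for c in calls]
    findings = []
    for i, d in enumerate(decoded):
        if d["fn"] != "permit":
            continue
        if d["value"] == MAX_UINT256:
            findings.append(f"permit grants unlimited allowance to {d['spender']}")
        if d["deadline"] == MAX_UINT256:
            findings.append("permit deadline never expires")
        # transferFrom calls later in the same batch that move the permit owner's tokens
        n = sum(1 for later in decoded[i + 1:]
                if later["fn"] == "transferFrom" and later["from"] == d["owner"])
        if n:
            findings.append(f"permit followed by {n} transferFrom call(s) draining {d['owner']}")
    return findings


def build_sample_multicall() -> list[bytes]:
    """Constructed sample mirroring the reported sequence: one permit, two transferFrom."""
    victim = "0x" + "11" * 20   # constructed victim address
    drainer = "0x" + "22" * 20  # constructed stand-in for the scammer contract
    permit = (bytes.fromhex(PERMIT_SELECTOR) + enc_addr(victim) + enc_addr(drainer)
              + enc_uint(MAX_UINT256) + enc_uint(MAX_UINT256)   # value, deadline
              + enc_uint(27) + b"\x00" * 32 + b"\x00" * 32)    # v, r, s (zeroed, constructed)

    def transfer_from(amount: int) -> bytes:
        return (bytes.fromhex(TRANSFER_FROM_SELECTOR) + enc_addr(victim)
                + enc_addr(drainer) + enc_uint(amount))

    return [permit, transfer_from(10**18), transfer_from(5 * 10**18)]


if __name__ == "__main__":
    for finding in analyze_sequence(build_sample_multicall()):
        print("ALERT:", finding)
```

Running the block against the constructed batch yields three alerts: an unlimited allowance, a never-expiring deadline, and two transferFrom calls draining the permit owner. In practice the inner calls would come from decoding the outer multicall's calldata or from a trace of the transaction; the same checks apply to a wallet-side prompt before a permit signature is produced.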

MITRE Techniques

  • [T1566] Phishing – The article describes attackers creating fake airdrop or phishing campaigns, often promoted on social media or via email, offering free tokens to lure users. [‘Attackers create fake airdrop or phishing campaigns, often promoted on social media or via email, offering free tokens to lure users.’]
  • [T1204] User Execution – The user is induced to sign an off-chain ERC-20 permit, enabling the attacker to transfer tokens. [‘victim signs an off‑chain ERC‑20 permit’]
  • [T1036] Masquerading – Attackers deploy fresh contracts with no history to bypass wallet security alerts and obfuscate proceeds. [‘fresh/deployed contracts with no history to bypass wallet security alerts’]

Indicators of Compromise

  • [Ethereum addresses] scammer and actor addresses observed – 0x412f10aad96fd78da6736387e2c84931ac20313f (angel_drainer_wallet), 0x0000d38a234679F88dd6343d34E26DCB50C30000 (Angel Drainer reference)
  • [Smart contract addresses] contracts used in the attack – 0x47cbbfee58e6a134d00ea3a8f1ddfff60a8d94d6 (scammer_contract_2), 0xc55b8ebf5ec4c76fb9182e86cb2a29eb363d919c (scammer_contract_1)
  • [Transaction hash] analyzed transaction – 0xb60c32fb28aa6160df6f472f494f162b997aa49fb06776dce250aff80602a8a3 (example of the multicall/permit sequence)
  • [Function selectors / signatures] on‑chain call identifiers – 0x095838d2 (function executed by scammer_contract_2), 0xd505accf (Permit), 0x23b872dd (transferFrom)
  • [Domain / source] research post used as source – research.checkpoint.com (Original Post URL)

Read more: https://research.checkpoint.com/2023/the-rising-threat-of-phishing-attacks-with-crypto-drainers/