Validin’s 2025 recap highlights major research, community growth, product updates, and collaborations that expanded platform capabilities and researcher access. The company’s research exposed campaigns such as the FreeDrain crypto-theft network and phishing infrastructure tied to Scattered Spider.
Key points
- Validin published 25+ blog posts in 2025, with roughly half authored by guest researchers and several investigations widely covered by major media outlets.
- Research highlights included unmasking the FreeDrain Network (an industrial-scale crypto theft network) and uncovering phishing domains linked to Scattered Spider targeting Troy Hunt.
- Collaborations and presentations at conferences (PIVOTcon, SLEUTHCON) showcased joint research with SentinelOne and SentinelLabs on FreeDrain and DPRK-aligned Contagious Interview activity.
- Validin’s platform usage grew tenfold year-over-year in query volume, and the researcher program was expanded to foster community contributions and intelligence sharing.
- Product enhancements in 2025 added tagging/notes on indicators, advanced virtual host response search, and a single-tier Enterprise offering with full feature access.
- Integrations and outreach included a Vertex Synapse integration by SentinelLabs and community features demonstrated in videos by John Hammond and Russian Panda.
MITRE Techniques
- [T1598.002] Search Engine Optimization (SEO) poisoning – Used to lure individuals via search results as part of the FreeDrain campaign (‘unmasked the FreeDrain Network, an industrial-scale crypto theft network targeting individuals through SEO poisoning.’)
- [T1566] Phishing – Employed to deliver credential-harvesting or deceptive content via a network of phishing domains, observed in the successful phish attempt against Troy Hunt and related blogspot campaigns (‘investigation into a successful phish attempt against Troy Hunt, finding a network of phishing domains with links to Scattered Spider.’)
Indicators of Compromise
- [Domains] Phishing and blog-hosted domains used for credential theft and campaigns – phishing domains linked to Scattered Spider, blogspot phishing domains tied to ApateWeb.
- [Infrastructure] Network-level infrastructure and campaign hubs referenced in investigations – FreeDrain Network infrastructure, infrastructure connected to ApateWeb.
- [Software/Extension] Targeted or compromised browser components referenced in reporting – Trust Wallet browser extension (reported hack).
- [Threat Actor Names] Named groups/networks used as investigative identifiers – Scattered Spider, Contagious Interview (DPRK-aligned), FreeDrain Network.
- [Malware/Tool Names] Named malicious tooling or campaigns mentioned in community research and videos – DMCA Malware.