Angel Drainer Targets Users With Malicious Safe Vault Contract: $403K Stolen
Infamous phishing group Angel Drainer has reportedly stolen over $400,000 from 128 crypto wallets in a new attack vector that relies on Etherscan's contract verification flag to mask the malicious nature of a smart contract.
The attack began at 6:40 p.m. on February 12, when Angel Drainer deployed a malicious Safe (formerly Gnosis Safe) vault contract, blockchain security firm Blockaid wrote on X in a February 13 post.
A total of 128 wallets signed a “Permit2” transaction on the Safe Vault contract, resulting in around $403,000 in funds being stolen.
Today, our researchers discovered another emerging attack vector from the Angel Drainer team – this time phishing users and leading them to a single Safe Vault contract where 128 wallets have been released with $403k+ so far. All users protected by Blockaid are safe. pic.twitter.com/niffQDlciG
— Blockaid (@blockaid_) February 13, 2024
Blockaid said the fraudsters specifically used the Safe Vault contract to provide a “false sense of security,” because Etherscan automatically adds a verification flag that marks it as a legitimate contract.
Blockaid said the incident was not a direct attack on Safe and that its user base was “not widely affected”. The security firm has informed Safe about the attack and is working to limit further damage, it said.
“This is not an attack on Safe. […] Instead, you decide to use this Safe Vault contract because Etherscan automatically adds a verification flag to Safe contracts that is not relevant to verifying whether the contract is malicious or not, which can give a false sense of security.”
Angel Drainer has only been active for 12 months, but it has managed to drain more than $25 million from 35,000 wallets, Blockaid said in a Feb. 5 post on X.
Today, the Angel Drainer team celebrated one year in operation.
They've spent over $25m from nearly 35k wallets and are behind high-profile projects like last year's Ledger Connect Kit and last week's Refarm Attack.
To protect every Web3 user and get them out… pic.twitter.com/U1Sg6sajd6
— Blockaid (@blockaid_) February 5, 2024
The $484,000 Ledger Connect Kit hack and the EigenLayer restake farming attack are among the most notable attacks by Angel Drainer in recent months.
The restake farming attack involves a malicious queue-withdrawal function that, once users sign it, withdraws rewards to an address of the attacker's choosing, according to Blockaid.
“Since this is a new authentication method, most security vendors or internal security tools do not analyze and verify this type of authentication. So it is marked as good marketing in most cases.”
Approximately 40,000 users on OpenSea, Optimism, zkSync, Manta Network and SatoshiVM were victims of phishing attacks in January.
According to Scam Sniffer's 2023 Wallet Drainers report, the figure is That's $295 million more than what was recorded in 2023.