‘MS Drainer’ Fraudsters Used Google Ads To Skim $59M In Crypto: Report
Fraudsters have used a wallet-draining service called “MS Drainer” to steal nearly $59 million from victims over the past nine months, according to a Dec. 21 report posted on X (formerly Twitter) by blockchain security platform Scam Sniffer. The scammers used Google Ads to target users of popular crypto websites, including Zapper, Lido, Stargate, DefiLlama, Orbiter Finance and Radiant.
1/ Alert: ‘Wallet Drainer’ linked to phishing campaigns on Google Search and X Ads, costing more than 63,000 victims $58M in 9 months. pic.twitter.com/ye3ob2uTtz
– Scam Sniffer | Web3 Anti-Scam (@realScamSniffer) December 21, 2023
Wallet drainers are blockchain protocols that allow fraudsters to transfer crypto from a victim to the attacker without the victim's consent, usually through the token approval process. Drainer developers often charge a percentage of the profits for the use of their drainer software, and this fee is enforced by smart contracts, making it impossible to avoid.
Scam Sniffer first became aware of MS Drainer in March. At the time, the SlowMist security platform team assisted with the investigation. In June, on-chain sleuth ZachXBT provided further evidence, exposing a phishing scam called “Ordinal Bubbles” that was linked to the drainer. The investigators found 9 different phishing ads on Google, 60% of which used malware.
Under normal circumstances, Google uses auditing systems to prevent the posting of phishing ads. However, Scam Sniffer said the fraudsters used “regional targeting and page redirection tactics” to bypass ad audits, complicate the review process, and get their ads through Google's quality control systems.
The fraudsters used web redirects to trick Google users into believing that the ad links led to official websites. For example, the spoof site cbridge.ceiler.network, which contains a misspelling of the word “Celer,” was presented as the correct URL: cbridge.celer.network. Although the correct spelling appeared in the ad, the link redirected the user to the misspelled scam site.
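The check below is an added example, not code from Scam Sniffer or from this article. It shows how a defender could flag the mismatch described above by comparing the host an ad displays with the host reached after redirects, and by measuring how close the landing host is to an official one. The allowlist, function names and distance threshold are assumptions, and the landing URL is assumed to have been resolved already from the region the ad targets.

```python
from urllib.parse import urlsplit

# Constructed allowlist; only cbridge.celer.network is taken from the article.
OFFICIAL_HOSTS = {"cbridge.celer.network"}


def host_of(url):
    """Return the lowercased hostname of a URL; a bare host is accepted too."""
    if "://" not in url:
        url = "//" + url  # lets urlsplit treat "host/path" as a network location
    return (urlsplit(url).hostname or "").rstrip(".").lower()


def edit_distance(a, b):
    """Levenshtein distance, computed with a two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def check_ad(display_url, landing_url, max_distance=2):
    """Classify an ad from the URL it shows and the URL reached after redirects."""
    shown, landed = host_of(display_url), host_of(landing_url)
    if landed in OFFICIAL_HOSTS:
        return "ok"
    # A landing host within a couple of edits of an official host is a lookalike.
    for official in sorted(OFFICIAL_HOSTS):
        if edit_distance(landed, official) <= max_distance:
            return f"lookalike of {official}"
    # The ad shows an official host but delivers the user somewhere else.
    if shown in OFFICIAL_HOSTS:
        return "display/landing mismatch"
    return "unknown"


if __name__ == "__main__":
    # The pair of hosts named in the article.
    print(check_ad("cbridge.celer.network", "https://cbridge.ceiler.network/"))
```

Because the campaign relied on regional targeting, the landing URL passed to `check_ad` has to be collected from a vantage point in the targeted region, otherwise the redirect chain may end at the legitimate site.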
Scam Sniffer reported finding 10,072 fake sites that used MS Drainer. The drainer's activity reached a peak in November and did not approach zero thereafter. According to a Dune Analytics dashboard set up to track the drainer, it took $58.98 million from more than 63,000 victims during its operation.
Further investigation revealed that the developer of MS Drainer used an unusual marketing strategy. While most wallet drainers charge a percentage of the scammer's profits, this one was sold on forums for a reasonable fee of $1,499.99. If the scammer wanted more features, the developer offered additional “modules” for $699.99, $999.99, or similar sums.
Wallet drainers have become a major problem in the Web3 ecosystem. On November 26, the developer of the “Inferno” drainer said he was retiring after successfully stealing more than $80 million from victims over the software's lifetime. In March, the developer of “Monkey Drainer” made a similar retirement announcement after successfully stealing up to $13 million.