Notorious phishing group Angel Drainer has siphoned over $400,000 from over 128 crypto wallets by deploying a malicious Safe vault contract.
This latest attack vector abused Etherscan’s verification tool, relying on the “verified” flag it attaches to the contract to disguise the contract’s malicious nature.
Phishing Group Angel Drainer Targets Users
The attack was reported by blockchain security firm Blockaid, which described how it worked and what its impact was. It began on the 12th of February, when Angel Drainer deployed a malicious Safe (formerly Gnosis Safe) vault contract and used it to target 128 unsuspecting users who had signed a Permit2 transaction, stealing a total of $403,000 from them.
“Today, our researchers discovered yet another emerging attack vector from the Angel Drainer group — this time phishing users and leading them to a single Safe Vault contract where 128 wallets have been drained of $403k+ so far. All Blockaid-protected users are safe.”
Attack Used Etherscan’s Verification Tool
Blockaid revealed that Angel Drainer used Etherscan’s verification tool to lend the contract an air of legitimacy and give victims a false sense of security, masking its malicious intent and presenting it as a legitimate contract. This was the main reason the attack was so successful. However, Blockaid stated that this was not a direct attack on Safe, and that its user base had not been broadly impacted. It added that Safe had already been notified of the developments and was working to mitigate any further fallout from the incident.
“This is not an attack on Safe […]. Rather, they decided to use this Safe vault contract because Etherscan automatically adds a verification flag to Safe contracts, which can provide a false sense of security as it’s unrelated to validating whether or not the contract is malicious.”
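The two points above, that the victims signed a Permit2 approval and that an Etherscan verification flag says nothing about whether the spender is malicious, can be turned into a pre-signature check. The following is an added example (not Blockaid’s, Safe’s or Etherscan’s code); it assumes the wallet exposes the EIP-712 typed data in the eth_signTypedData_v4 layout, that the integrator maintains its own allow-list of trusted spender contracts, and uses placeholder addresses rather than the contract from the article.

```python
from typing import Dict, List, Set

PERMIT2 = "0x000000000022d473030f116ddee9f6b43ac78ba3"  # canonical Permit2 address, all chains
MAX_UINT160 = 2**160 - 1   # Permit2 allowance amounts are uint160; this value means "unlimited"
ONE_YEAR = 365 * 24 * 3600


def review_permit2(typed_data: Dict, trusted_spenders: Set[str], now: int) -> List[str]:
    """Return findings for a PermitSingle/PermitBatch signing request; [] means nothing flagged."""
    domain = typed_data.get("domain", {})
    if domain.get("name") != "Permit2" or str(domain.get("verifyingContract", "")).lower() != PERMIT2:
        return []   # not a Permit2 request: outside this check's scope
    primary, msg = typed_data.get("primaryType"), typed_data["message"]
    if primary == "PermitSingle":
        details = [msg["details"]]
    elif primary == "PermitBatch":
        details = list(msg["details"])
    else:
        return [f"HIGH: unrecognised Permit2 primaryType {primary!r}"]
    findings = []
    spender = str(msg["spender"]).lower()
    # An Etherscan "verified" badge is not a trust signal: it only proves the published
    # source matches the bytecode. Trust comes from the integrator's explicit allow-list.
    if spender not in {s.lower() for s in trusted_spenders}:
        findings.append(f"HIGH: spender {spender} is not an allow-listed contract")
    for d in details:
        if int(d["amount"]) >= MAX_UINT160:
            findings.append(f"HIGH: unlimited allowance requested on token {d['token']}")
        if int(d["expiration"]) - now > ONE_YEAR:
            findings.append(f"MEDIUM: allowance on token {d['token']} expires more than a year out")
    return findings


# Constructed sample in the eth_signTypedData_v4 layout (placeholder addresses, not the
# contract from the article): one unlimited, never-expiring allowance plus one modest one.
NOW = 1_707_696_000   # 2024-02-12 00:00:00 UTC
SAMPLE_PHISHING_REQUEST = {
    "domain": {"name": "Permit2", "chainId": 1, "verifyingContract": PERMIT2},
    "primaryType": "PermitBatch",
    "message": {
        "details": [
            {"token": "0x" + "11" * 20, "amount": str(MAX_UINT160), "expiration": 2**48 - 1, "nonce": 0},
            {"token": "0x" + "22" * 20, "amount": "1000000", "expiration": NOW + 3600, "nonce": 0},
        ],
        "spender": "0x" + "ab" * 20,
        "sigDeadline": NOW + 1800,
    },
}
TRUSTED_SPENDERS = {"0x" + "cd" * 20}   # placeholder for the integrator's allow-list
```

Calling `review_permit2(SAMPLE_PHISHING_REQUEST, TRUSTED_SPENDERS, NOW)` returns three findings (unknown spender, unlimited amount, multi-year expiry); a request to an allow-listed spender for a bounded, short-lived allowance returns none.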
Who Is Behind Angel Drainer?
The notorious Angel Drainer phishing group began operations 12 months ago. In that short span, it has managed to drain over $25 million, targeting nearly 35,000 individual wallets, as revealed by Blockaid in a post on the 5th of February.
“Today, the Angel Drainer Group celebrated one year in operation. They’ve drained over $25M from nearly 35k wallets and are behind high-profile drains like last year’s Ledger Connect Kit and last week’s Restake Farming attack. We seek to protect every web3 user and put them out of business.”
Among the most notable attacks carried out by Angel Drainer are the $484,000 Ledger Connect Kit hack and the Eigenlayer restake farming attack. In the latter, Angel Drainer implemented a malicious queueWithdrawal function which, once signed by unsuspecting users, allowed the attackers to withdraw staking rewards to an address of their choosing.
“Because this is a new kind of approval method, most security providers or internal security tooling does not parse and validate this approval type. So in most cases, it’s marked as a benign transaction.”
Phishing Attacks On The Rise
Phishing attacks targeting crypto and web3 users have been rising steadily. Over 40,000 users fell victim to phishing attacks in January alone, across several platforms including OpenSea, zkSync, Manta Network, Optimism, and SatoshiVM. According to data from Scam Sniffer, these attacks led to a combined loss of over $55 million.