The infamous cybercriminal organization, Angel Drainer Group, has successfully stolen over $400,000 from 128 crypto wallets, employing a new tactic that exploits Etherscan’s verification tool to mask the malicious nature of a smart contract.
The Angel Drainer group is a notorious phishing group involved in cyberattacks, particularly in the cryptocurrency space. The group has been linked to various malicious activities, including the draining of cryptocurrency wallets through sophisticated phishing schemes. Notable attacks include the Ledger Connect Kit hack and the EigenLayer restake farming attack.
Angel Drainer has exploited vulnerabilities in Web3 projects, such as DeFi protocols and domain service providers, to orchestrate attacks and steal funds. The group charges a percentage of the stolen amount from hackers in exchange for providing wallet-draining scripts and other services.
Angel Drainer, active for only a year, has caused substantial financial losses, reportedly stealing millions from crypto wallets. Using tactics like social engineering, manipulation of DNS resolution, and creating fake websites, they’ve targeted over 35,000 wallets, draining over $25 million.
According to BlockAid, the assault unfolded at 6:40 am on February 12th, when Angel Drainer deployed a nefarious Safe (formerly Gnosis Safe) vault contract. Victims unknowingly signed a “Permit2” transaction on the Safe Vault contract, resulting in a loss of $403,000 in funds.
Blockaid added that the incident was not a direct assault on the Safe platform as it had very little effect on the general Safe community. It revealed that Angel Drainer chose to manipulate a Safe Vault contract synced with notifications from Etherscan to deceive users.
BlockAid promptly notified Safe of the attack and has been actively collaborating with users and other Web3 platforms to mitigate its impact.
In anticipation of a bull run, 2024 has seen an increase in attacks on crypto users. In January alone, platforms such as OpenSea, Optimism, zkSync, Manta Network, and SatoshiVM were targeted, affecting over 40,000 users and resulting in a staggering loss of $55 million.
