Private Drainer for MetaMask Crypto Wallets

Summary

We discovered a private drainer for MetaMask that is capable of transferring cryptocurrency from the victim’s wallet to the attacker's wallet.
Category: Adversary Intelligence
Industry: Finance & Banking
Motivation: Financial
Region: Global
Source*: C3

Executive Summary

Threat
  • Private drainer for MetaMask that is capable of transferring cryptocurrency from the victim’s wallet to the attacker's wallet.
Impact
  • Loss of funds, tokens and cryptocurrency.
  • Loss of reputation and trust in the MetaMask brand.
Mitigation
  • Do not share your secret recovery phrase.
  • Do not log in or connect your wallet on the website.

Analysis and Attribution

Information from the Post

  • CloudSEK’s contextual AI digital risk platform XVigil discovered a threat actor advertising a private drainer for MetaMask, which can transfer the cryptocurrency from the victim’s wallet to the attacker's wallet.
  • The threat actor was offering the drainer service for USD 1,500.
  • The following services are offered on sale:
    • Drainer File
    • Software to write off tokens/NFTs
    • Sending logs to Telegram
    • Installation support for drainer
  • The script checks the wallets of the following three networks:
    • Ethereum mainnet (ERC)
    • Binance smart chain mainnet (BSC)
    • Polygon mainnet (Polygon)
Threat actor’s advertisement

Information about MetaMask

  • MetaMask is a software cryptocurrency wallet used to interact with the Ethereum blockchain.
  • It allows users to access their Ethereum wallet through a browser extension or mobile app, which can then be used to interact with decentralized applications.
  • MetaMask supports all kinds of tokens (regular, NFT or non-fungible token).
MetaMask Logo

Information about the Drainer

  • The victim is redirected to a phishing site that asks them to connect their MetaMask wallet.
  • The script checks the value of everything held in the wallet (coins, tokens, NFTs) across the three networks (ERC, BSC, Polygon).
  • The script then prompts the victim to sign an approval (granting access to tokens or NFTs) or to send a coin. Once the victim confirms, separate software transfers whatever the approval covered.
  • The private drainer transfers the cryptocurrency from the victim’s wallet to the attacker's wallet.
  • The drainer sends all activity logs to the attacker via Telegram and notifies them of the tokens found and the transactions approved.
  • The drainer does not require the additional signature that is usually needed to authenticate a transaction when sending tokens, NFTs, or coins.
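The drainer depends on the victim signing a token approval. As an added example (not code from the report or from MetaMask), the following decodes the calldata of an eth_sendTransaction request so that a wallet-side guard or browser extension can flag unlimited ERC-20 approvals and setApprovalForAll grants before the user confirms; the function selectors are the standard ones, and the sample addresses in the comments are placeholders.

```javascript
// Added example (not code from the report): decode the calldata of an
// eth_sendTransaction request so a wallet-side guard can warn before the user
// signs the kind of token approval the drainer relies on. Selectors are the
// first 4 bytes of keccak256(signature): standard ERC-20 / ERC-721 / ERC-1155 values.
const SELECTORS = {
  "0x095ea7b3": "approve",           // approve(address spender, uint256 amountOrTokenId)
  "0xa22cb465": "setApprovalForAll", // setApprovalForAll(address operator, bool approved)
};
const MAX_UINT256 = (1n << 256n) - 1n;
// Split "0x"-prefixed hex calldata into a 4-byte selector and 32-byte ABI words.
function decodeCalldata(data) {
  const hex = (data || "0x").toLowerCase().replace(/^0x/, "");
  if (hex.length < 8 || (hex.length - 8) % 64 !== 0) return null;
  const words = [];
  for (let i = 8; i < hex.length; i += 64) words.push(hex.slice(i, i + 64));
  return { selector: "0x" + hex.slice(0, 8), words };
}
const addressOf = (word) => "0x" + word.slice(24); // address = last 20 bytes of the word
// Classify a transaction object as passed to
// window.ethereum.request({ method: "eth_sendTransaction", params: [tx] }).
function assessTransaction(tx) {
  const decoded = decodeCalldata(tx.data);
  if (!decoded) {
    const hasValue = tx.value && BigInt(tx.value) > 0n;
    return hasValue
      ? { risk: "medium", reason: `native coin transfer to ${tx.to}` }
      : { risk: "low", reason: "no calldata and no value" };
  }
  const name = SELECTORS[decoded.selector];
  if (name === "approve" && decoded.words.length >= 2) {
    const spender = addressOf(decoded.words[0]);
    const amount = BigInt("0x" + decoded.words[1]);
    if (amount === MAX_UINT256)
      return { risk: "high", reason: `unlimited allowance granted to ${spender}` };
    return { risk: "medium", reason: `allowance of ${amount} granted to ${spender}` };
  }
  if (name === "setApprovalForAll" && decoded.words.length >= 2) {
    const operator = addressOf(decoded.words[0]);
    if (BigInt("0x" + decoded.words[1]) !== 0n)
      return { risk: "high", reason: `${operator} may move every NFT of collection ${tx.to}` };
    return { risk: "low", reason: `approval for ${operator} revoked` };
  }
  return { risk: "low", reason: `unrecognised selector ${decoded.selector}` };
}
```

A "high" result is the point at which a guard should show the spender/operator address and ask the user to confirm explicitly, since a single click on such a prompt is all the drainer needs.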
Pictorial representation of the stealing process

Information from a Sensitive Source

A sensitive source in contact with the threat actor has ascertained that:
  • The actor shared a video sample which demonstrated the process of transfer of a token from the victim’s wallet to the attacker’s wallet.
  • The video also disclosed the wallet addresses of both the actor and the victim.
  • It is possible that the associated wallet addresses were dummy wallets used by the threat actor.

Information from Cybercrime Forums

  • Several threat actors were observed offering similar scripting services to steal the tokens from wallets.
  • The following kinds of token drainers were advertised for MetaMask:
    • Drainer with one signature
    • Drainer with signature and auto transfer
    • Drainer to write off all crypto

Information from OSINT

  • CloudSEK researchers have observed various phishing campaigns targeting the customers and users of MetaMask under the guise of completing KYC or verification of wallet.
  • The threat actors use emails to lure victims to phishing sites that embed the scripts and drainers.
  • A Chinese-origin threat actor named “SeaFlower” was also observed using a cloned MetaMask website to lure victims into downloading a trojanized version of MetaMask that steals the wallet’s balance and tokens.

Threat Actor Activity and Rating

Threat Actor Profiling
Active since: September 2022
Reputation: Low (multiple complaints and concerns on the forum)
Current status: Active
History: Dealing with private drainer for MetaMask
Rating: C3 (C: Fairly reliable; 3: Possibly true)

Impact & Mitigation

Impact
  • Loss of funds, tokens and cryptocurrency.
  • Loss of reputation and trust of the MetaMask brand.
  • Sensitive information like secret recovery phrases and wallet details can be used by threat actors to gain access to the wallet.
Mitigation
  • Do not share secret recovery phrases.
  • Do not log in or connect your wallet on the website.
  • Consider getting a hardware wallet.
  • Be vigilant about checking the website’s legitimacy.

Appendix

Multiple threat actors advertising MetaMask drainer services on cybercrime forums
Fake emails used by actors to lure the victim to MetaMask phishing pages
Transaction history of the actor’s wallet
Sample images shared by threat actor
Sample image shared by threat actor showing log
Sample image of script shared by threat actor
Sample image of a fake website shared by the threat actor
Transaction history of the threat actor’s wallet
