
Cybersecurity researchers have exposed what they describe as an “industrial-scale, global cryptocurrency phishing operation” that has been stealing digital assets from cryptocurrency wallets for several years.
The campaign has been codenamed FreeDrain by threat intelligence companies SentinelOne and Validin.
“FreeDrain targets cryptocurrency wallets using SEO manipulation, free-tier web services (such as gitbook.io, webflow.io, github.io, etc.), and layered redirect techniques.
“Victims search for wallet-related queries, click on top-ranked malicious results, land on the lure page, and are redirected to a phishing page that steals seed phrases.”
The scale of the campaign is reflected in the fact that over 38,000 distinct FreeDrain subdomains hosting lure pages have been identified. These pages are hosted on cloud infrastructure such as Amazon S3 and Azure Web Apps, mimicking legitimate cryptocurrency wallet interfaces.
This activity is attributed with a high degree of confidence to individuals based in the Indian Standard Time (IST) time zone, citing GitHub commit patterns on the lure pages that align with standard weekday working hours.
The attack is known to target users searching for wallet-related queries such as “Trezor Wallet Balance” on search engines such as Google, Bing, and DuckDuckGo, redirecting them to fake landing pages hosted on gitbook.io, webflow.io, and github.io.
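The pattern described above (a wallet brand name squatting on someone else's free-tier tenant) lends itself to a simple offline triage check. The following Python is an added example, not code from the report or the researchers; the S3 and Azure hostnames, the brand list and the lure-term list are assumptions built from the platforms and wallets the article names.

```python
"""Offline triage of FreeDrain-style lure URLs (added example, not campaign data).
Platform hostnames for S3/Azure and the brand list are assumptions taken from
the platforms and wallets the report names."""
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Free-tier services the report names; the S3 and Azure hostnames are assumed.
FREE_TIER_SUFFIXES = (
    "gitbook.io", "webflow.io", "github.io",
    "s3.amazonaws.com", "azurewebsites.net",
)
# Wallet brands the report lists as impersonated.
WALLET_BRANDS = ("trezor", "metamask", "coinbase", "phantom", "bitbuy")
# Words typical of the wallet-related search queries the lure pages target.
LURE_TERMS = ("wallet", "balance", "seed", "recovery", "login")


@dataclass
class Verdict:
    suspicious: bool
    reasons: list = field(default_factory=list)


def triage_url(url: str) -> Verdict:
    """Classify one URL offline; nothing is fetched and no redirect is followed."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower()
    path = parsed.path.lower()

    platform = next((s for s in FREE_TIER_SUFFIXES
                     if host == s or host.endswith("." + s)), None)
    if platform is None:
        return Verdict(False, ["host is not on a listed free-tier platform"])
    reasons = [f"free-tier platform: {platform}"]

    # The tenant label is whatever precedes the platform suffix in the host.
    tenant = host[: -len(platform)].rstrip(".")
    haystack = f"{tenant} {path}"
    brands = [b for b in WALLET_BRANDS if b in haystack]
    terms = [t for t in LURE_TERMS if t in haystack]
    if brands:
        reasons.append("wallet brand in tenant/path: " + ", ".join(brands))
    if terms:
        reasons.append("lure wording: " + ", ".join(terms))

    # A wallet brand on someone else's free-tier tenant is the FreeDrain
    # pattern; lure wording alone is weaker, so require two terms.
    return Verdict(bool(brands) or len(terms) >= 2, reasons)
```

The verdict carries its reasons so an analyst can see why a URL was flagged; a brand's own domain (for example trezor.io) is never flagged because it is not on a free-tier platform.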

Unsuspecting users who land on these pages are presented with static screenshots of the legitimate wallet interface. Clicking on them either redirects users to the legitimate website, sends them through other intermediary sites, or lands them on a lookalike phishing page that urges them to enter their seed phrases, effectively draining their wallets.
“The whole flow is frictionless by design, combining SEO manipulation, familiar visual elements, and platform trust to lull the victim into a false sense of legitimacy,” the researchers said. “And once the seed phrase is submitted, the attacker’s automated infrastructure drains the funds within minutes.”

The text content used on these decoy pages is believed to have been generated using large language models such as OpenAI’s GPT-4o, showing how threat actors abuse generative artificial intelligence (GenAI) tools to manufacture content.
FreeDrain has also been observed flooding unmaintained websites with thousands of spam comments to increase the visibility of lure pages in search engine indexing.
It is worth pointing out that some aspects of the campaign have been documented by Netskope Threat Labs since August 2022; most recently, in October 2024, Netskope found that the actor had used Webflow to spin up phishing sites impersonating Coinbase, MetaMask, Phantom, Trezor and Bitbuy.
“FreeDrain’s dependence on free-tier platforms is not unique, and without better safeguards, these services will continue to be weaponized at scale,” the researchers said.
“The FreeDrain network represents the latest blueprint for scalable phishing operations that thrive on free-tier platforms, evade traditional abuse detection methods, and adapt quickly to infrastructure takedowns.”
The disclosure comes as a separate report describes a sophisticated phishing campaign that abuses Discord and singles out cryptocurrency users to steal funds using a drainer-as-a-service (DaaS) tool known as Inferno Drainer.
The attack lures victims by hijacking expired Discord vanity invite links to send them to a malicious Discord server, while also leveraging the Discord OAuth2 authentication flow to evade automated detection of malicious websites.
[Figure: breakdown of total domains into questionable URLs and confirmed URLs, by count]
Between September 2024 and March 2025, over 30,000 unique wallets are estimated to have been compromised by Inferno Drainer, resulting in losses of at least $9 million.
Inferno Drainer claimed to have halted operations in November 2023. However, the latest findings reveal that the crypto drainer remains active and employs single-use smart contracts and on-chain encrypted configurations to make detection even more difficult.
“Attackers redirect users from legitimate Web3 websites to fake collaboration and phishing sites and trick them into signing malicious transactions,” the company said. “The draining scripts deployed on those sites were directly linked to Inferno Drainer.”

“Inferno Drainer employs advanced detection-evasion tactics, including single-use and short-lived smart contracts, on-chain encrypted configurations, and proxy-based communications.”
The findings follow the discovery of a fraud campaign that uses Facebook ads to lead users to bogus websites impersonating trusted cryptocurrency exchanges and trading platforms such as Binance, Bybit, and TradingView, and directs them to download desktop clients.
“Query parameters tied to Facebook ads are used to detect legitimate victims, while suspicious or automated analysis environments receive benign content,” Bitdefender said in a report shared with the publication.
“If a site detects suspicious conditions (for example, missing ad-tracking parameters typical of a genuine visit, or signs of automated security analysis), it instead displays harmless and irrelevant content.”
Once launched, the installer maintains the ruse by displaying the impersonated entity’s login page via msedge_proxy.exe. Meanwhile, additional payloads run quietly to harvest system information, and execute sleep commands lasting “hundreds of hours” if the collected data indicates a sandbox environment.
The Romanian cybersecurity company said hundreds of Facebook accounts are promoting pages delivering this malware, which has been targeting men over 18 years of age, primarily in Bulgaria and Slovakia.
“This campaign showcases a hybrid approach, combining front-end deception with a localhost-based malware service,” it added. “By dynamically adjusting to the victim’s environment and continuously updating the payload, the threat actors maintain a resilient and highly evasive operation.”