Angel Drainer Strikes Again: $403K Pilfered through Malicious Safe Contract
The phishing group exploits Etherscan, disguising a nefarious Safe vault contract to steal funds.
In a cunning move, the notorious Angel Drainer phishing group has managed to abscond with over $400,000 from 128 cryptocurrency wallets, utilizing a new attack method that exploits Etherscan's verification tool to conceal the malicious nature of a smart contract.
The assault unfolded on February 12 at 6:40 am, as Angel Drainer deployed a malicious Safe (formerly Gnosis Safe) vault contract, as revealed in a February 13 disclosure by blockchain security firm Blockaid.
A total of 128 wallets fell victim to a "Permit2" transaction on the Safe vault contract, resulting in the theft of $403,000.
Blockaid highlighted that the scammers deliberately opted for a Safe vault contract to create a "false sense of security," capitalizing on Etherscan's automatic verification flag, which misleadingly confirms it as a legitimate contract.
Emphasizing that this incident wasn't a direct assault on Safe and that the user base hadn't suffered widespread impact, Blockaid promptly notified Safe of the attack and is actively working to curtail further damage.
"This is not an attack on Safe [...] rather they decided to use this Safe vault contract because Etherscan automatically adds a verification flag to Safe contracts, which can provide a false sense of security as it’s unrelated to validating whether or not the contract is malicious."
Despite being in operation for just 12 months, Angel Drainer has successfully drained over $25 million from nearly 35,000 wallets, according to Blockaid's February 5 disclosure.
The recent Ledger Connect Kit hack, amounting to $484,000, and the EigenLayer restake farming attack stand out as some of Angel Drainer's notable exploits in recent months.
In the restake farming attack, Angel Drainer implemented a deceptive queueWithdrawal function, which, once signed by users, would channel staking rewards to an address of the attackers' choosing. Blockaid explained, "Because this is a new kind of approval method, most security providers or internal security tooling does not parse and validate this approval type. So in most cases, it’s marked as a benign transaction."
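A defender-side check for the approval types discussed above (the Permit2 signature on the Safe contract, and tooling that marks unrecognised approval types as benign), added here as an example and not code from Blockaid, Safe or Etherscan. It parses a Permit2 `PermitSingle` EIP-712 request, judges only the spender and allowance terms, ignores any "verified contract" flag, and refuses to treat an unknown approval type as benign; it assumes Uniswap's Permit2 schema and canonical address, and the trusted-spender list and sample request are constructed.

```python
import time
from typing import Iterable, List, Optional

# Canonical Uniswap Permit2 deployment (same address on every chain).
PERMIT2 = "0x000000000022d473030f116ddee9f6b43ac78ba3"
MAX_UINT160 = 2**160 - 1
ONE_YEAR = 365 * 24 * 3600

def assess_permit2_request(typed_data: dict, trusted_spenders: Iterable[str],
                           now: Optional[int] = None) -> List[str]:
    """Return findings for a Permit2 EIP-712 request; empty list means clean.

    Only the spender and allowance terms matter. Any "verified on Etherscan"
    metadata is ignored: verification proves source matches bytecode, not intent.
    """
    now = int(time.time()) if now is None else now
    domain = typed_data.get("domain", {})
    if (domain.get("name") != "Permit2"
            or str(domain.get("verifyingContract", "")).lower() != PERMIT2):
        return ["not a Permit2 request; route to a different decoder"]
    # Unknown approval shapes must surface as unknown, never default to benign.
    if typed_data.get("primaryType") != "PermitSingle":
        return [f"unhandled Permit2 type {typed_data.get('primaryType')!r}; "
                "do not mark benign"]
    msg, details = typed_data["message"], typed_data["message"]["details"]
    spender = str(msg["spender"]).lower()
    findings = []
    if spender not in {s.lower() for s in trusted_spenders}:
        findings.append(f"spender {spender} is not a known protocol contract")
    if int(details["amount"]) == MAX_UINT160:
        findings.append(f"unlimited allowance on token {details['token']}")
    if int(details["expiration"]) > now + ONE_YEAR:
        findings.append("allowance expiration is more than a year out")
    return findings

# Constructed sample: placeholder token and spender addresses, not real ones.
SAMPLE_REQUEST = {
    "etherscan_verified": True,  # shown by some wallet UIs; never consulted above
    "domain": {"name": "Permit2", "chainId": 1, "verifyingContract": PERMIT2},
    "primaryType": "PermitSingle",
    "message": {
        "details": {"token": "0x" + "11" * 20, "amount": str(MAX_UINT160),
                    "expiration": str(2**48 - 1), "nonce": "0"},
        "spender": "0x" + "ab" * 20, "sigDeadline": str(2**48 - 1),
    },
}

if __name__ == "__main__":
    for line in assess_permit2_request(SAMPLE_REQUEST, {"0x" + "cd" * 20}):
        print("WARN:", line)
```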
January witnessed approximately 40,000 users on platforms like OpenSea, Optimism, zkSync, Manta Network, and SatoshiVM falling prey to phishing attacks, resulting in a combined loss of $55 million, as reported by Scam Sniffer, a Web3 scam tracker.
According to Scam Sniffer's 2023 Wallet Drainers Report, losses are on track to surpass the 2023 total of $295 million, signaling a concerning trend in cryptocurrency-related scams.
(Photo Source / Blockonome)