The crypto ecosystem has always been vulnerable to malicious actors looking to steal user funds.
According to a Crystal Intelligence report, nearly $19 billion worth of digital assets were stolen in the 13 years up to June 19, 2024.
The same findings show that the cryptocurrency industry suffered 785 reported hacks and exploits over that period.
Crypto Drainers Target New Blockchain Networks
Bad actors continue to target crypto ecosystems, but recently these criminals have shifted their focus to less mature blockchain networks.
On August 31, blockchain security firm Blockaid reported that an upgraded version of the notorious crypto phishing toolkit Angel Drainer had been released. According to Blockaid, the upgraded version of Angel Drainer is called “AngelX.”
In February, the original Angel Drainer stole over $400,000 from 128 crypto wallets after deploying a malicious vault contract. Angel Drainer was also used in the Ledger Connect Kit Attack, where malicious code was injected into a Ledger package to target Ledger wallet users.
Oz Tamir, Blockaid’s researcher, told Cryptonews that AngelX is currently one of the most malicious wallet drainers due to its lucrative features.
“AngelX supports a multitude of new chains, like TON and TRON,” Tamir said. “There are also multiple user interface enhancements to make setting up scams easier. New attack flows, including seed phrase theft, are present, along with new cloaking features meant to mitigate security solutions and avoid detection.”
Why Crypto Drainers Are Targeting Newer Blockchains
Tamir added that AngelX’s support for newer blockchains like TON and TRON signifies a shift in focus by drainers.
“We believe that the security improvements made by Blockaid and by the rest of the Web3 security community have pushed malicious actors to look for new venues where they can run scams,” he said. “Because many new chains have lesser security measurements in place, attackers view them as an opportunity to make a quick buck and target their users.”
To put this in perspective, Tamir explained that Blockaid analyzed how closely drainer activity tracks the growth of a network.
“Using TON network as an example, you can see that the number of scams on TON was relatively small while the network was small, but when TON growth exploded, the drainers were quick to follow suit,” he pointed out.
How Crypto Drainers Work
Brian Carter, Senior Intelligence Analyst at Chainalysis, also told Cryptonews that scammers are starting to aim crypto drainers at new blockchain networks because these wallets have fewer security protections.
“There are fewer people monitoring transactions on these wallets,” he said.
Carter explained why this matters: a crypto drainer is a phishing tool that entices victims into connecting their wallets directly to the drainer.
“Instead of stealing victims’ usernames and passwords, drainer operators often masquerade as Web3 projects to entice victims into connecting their crypto wallets to the drainer,” Carter mentioned. “Once the threat actor has wallet access, they can approve transaction proposals that grant the operator control of the wallet funds.”
According to Carter, drainers can instantly steal users’ funds if these attacks are successful.
While the total amount of crypto stolen by drainers is difficult to track, Chainalysis findings show that the quarterly growth rate in value stolen by crypto drainers from Q1 2023 to Q1 2024 exceeded the growth rate in value stolen by ransomware.
Chainalysis’ report also notes that after stealing digital assets from a victim’s wallet, cybercriminals operating drainers typically use various crypto services to launder the funds or potentially convert them into cash.
Malicious DApps Double This Year
It’s also important to note that crypto drainers like AngelX promote fake Web3 sites on popular platforms like Discord and Telegram. These sites appear to be legitimate, prompting crypto users to click on them and then connect their wallets.
According to Tamir, the new AngelX system has already deployed 300 malicious decentralized applications (DApps) designed to steal digital assets from unsuspecting crypto users.
“The running weekly average of malicious DApps across all different threat actors has almost doubled from the start of 2024, increasing from an average of 180,000 weekly malicious scam results to almost 350,000 by August,” Tamir said.
Tamir further believes that this trend is tied directly to the recent crypto bull market.
“As more users and money are entering the ecosystem, attackers are increasingly motivated to invest in new, novel attacks,” he said.
Crypto Drainer Attacks Will Continue, But Users Can Protect Themselves
Unfortunately, both Tamir and Carter are certain that harmful phishing attacks will continue to impact the crypto ecosystem.
“Web3 users will continue to encounter both malicious DApps and simple phishing attacks that might ask for recovery phrases,” Carter said. “When interest in a particular Web3 project develops, and the value increases, criminals will begin innovating approaches to steal assets from users who aren’t prepared.”
While this may be true, Carter noted that there are several ways users can protect themselves against wallet drainers.
“One effective method is using Web3 security extensions to identify phishing sites and assess the security of cryptocurrency wallets,” he said.
Tamir added that Blockaid’s threat intel team detects these attacks daily.
“We employ a dedicated team of cybersecurity experts, with a background in catching nation-state attackers, that’s focused on tracking the different drainer developers,” Tamir said. “This allows us to create heuristics that identify malicious patterns in DApps, transactions, and on-chain contracts.”
Tamir explained that the data found is then fed into Blockaid’s detection systems, which proactively scan the internet for newly deployed DApps. This enables Blockaid to catch threats and flag them hours or days before a user ever sees them.
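The approval step Carter describes (a drainer getting the victim to sign a transaction that hands control of the wallet's funds to the operator) and the transaction heuristics Tamir mentions can be made concrete with a small pre-signature screener. This is an added example, not code from the article, Blockaid or Chainalysis; the function selectors are the real ERC-20 `approve` and ERC-721/1155 `setApprovalForAll` ones, while every address, the trusted-spender list and the sample transactions are constructed for illustration.

```javascript
// Added example: screen a transaction a DApp asks the wallet to sign, the way a
// Web3 security extension would, before the user approves it.
const SELECTORS = {
  "095ea7b3": "approve(address,uint256)",        // ERC-20 allowance
  "a22cb465": "setApprovalForAll(address,bool)", // NFT operator approval
};
const MAX_UINT256 = (1n << 256n) - 1n;
const pad = (hex) => hex.toLowerCase().replace(/^0x/, "").padStart(64, "0");

// Decode spender and amount/flag from raw calldata; null if it is not an approval.
function decodeApproval(data) {
  const hex = (data || "0x").toLowerCase().replace(/^0x/, "");
  const sig = SELECTORS[hex.slice(0, 8)];
  const words = hex.slice(8).match(/.{64}/g) || [];
  if (!sig || words.length < 2) return null;
  return { sig, spender: "0x" + words[0].slice(24), value: BigInt("0x" + words[1]) };
}

// Heuristics: who receives the approval, and how much of the wallet it covers.
function screenTransaction(tx, trustedSpenders) {
  const call = decodeApproval(tx.data);
  if (!call) return { verdict: "allow", findings: [], call: null };
  const findings = [];
  const trusted = trustedSpenders.has(call.spender);
  if (!trusted) findings.push(`approval spender ${call.spender} is not a known contract`);
  if (call.sig.startsWith("approve") && call.value === MAX_UINT256)
    findings.push("unlimited ERC-20 allowance requested");
  if (call.sig.startsWith("setApprovalForAll") && call.value === 1n)
    findings.push("operator rights over every token in the collection requested");
  const verdict = findings.length === 0 ? "allow" : trusted ? "warn" : "block";
  return { verdict, findings, call };
}

// Constructed sample: the approve(spender, 2**256-1) a drainer DApp asks a
// freshly connected wallet to sign. All addresses below are made up.
const DRAINER_SPENDER = "0x1111111111111111111111111111111111111111";
const TRUSTED_SPENDERS = new Set(["0x3333333333333333333333333333333333333333"]);
const SAMPLE_DRAIN_TX = {
  to: "0x2222222222222222222222222222222222222222", // token contract
  data: "0x095ea7b3" + pad(DRAINER_SPENDER) + MAX_UINT256.toString(16),
};
const SAMPLE_NFT_TX = {
  to: "0x4444444444444444444444444444444444444444", // NFT collection
  data: "0xa22cb465" + pad(DRAINER_SPENDER) + pad("0x01"),
};

console.log(screenTransaction(SAMPLE_DRAIN_TX, TRUSTED_SPENDERS));
console.log(screenTransaction(SAMPLE_NFT_TX, TRUSTED_SPENDERS));
```

A real extension would also simulate the transaction and check the spender against a curated contract list; the screener above only shows the calldata heuristics.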
Yet not all crypto drainers are detected and caught before they impact users. Given this, Carter explained that crypto users should also store valuable assets in offline wallets and only transfer funds to a hot wallet when necessary.
“This can also reduce exposure to attacks,” he remarked. “Another precaution is using a temporary wallet with no assets when connecting to unfamiliar Web3 sites. This limits the potential risk if the site turns out to be malicious. Additionally, users should be cautious of links shared in chat rooms or on social media, as they may not be from official project accounts.”