Cracking the Code: Unveiling the Deceptive ‘Angel Drainer’ Phishing Gang

SlowMist
10 min readOct 17, 2023

--

Event Background

Since 2022, various phishing gangs with the “Drainer” moniker have been emerging. For example, Pink Drainer obtained Discord Tokens through social engineering techniques for phishing purposes. Venom Drainer, a phishing service provider, tricked users into giving permissions or approvals to steal their assets. Monkey Drainer is a cyber phishing organization that lures victims through fake KOL Twitter accounts and Discord channels, releasing counterfeit NFT-related sites with malicious Mint functions, robbing tens of millions of dollars, check out our states here: Monkey Drainer statistics. Then there’s Inferno Drainer, which specializes in multi-chain scams.

As time progressed, some Drainers have stepped away from the cryptocurrency spotlight. However, two recent incidents have brought a previously low-profile phishing gang — Angel Drainer — to the forefront of public attention.

Event One: Balancer DNS Hijacking Attack

On September 19, 2023, Balancer issued an urgent warning asking users to stop accessing its official website, as its DNS had been hijacked, leading to its interface being compromised by malicious actors. Upon accessing the website’s link, wallets would be subjected to a phishing attack. According to MistTrack analysis, the funding behind the attackers came from the cyber phishing organization Angel Drainer. The current stolen amount from victims stands at a minimum of $350,000.

In other words, the attacker (Angel Drainer) lured users to “Approve” after compromising the Balancer website, and then used “transferFrom” to transfer funds to themselves (Angel Drainer). Based on the intelligence we have gathered, the attacker might have ties with Russian hackers. After analysis, it was discovered that the front-end of app.balancer.fi contained malicious JavaScript code.

Upon users connecting their wallets to the app.balancer.fi site, the malicious script would automatically assess the connected user’s balance and execute a phishing attack.

Event Two: Galxe DNS Hijacking Attack

On October 6, 2023, several community members reported that their assets were stolen after signing and authorizing Web3 credential data on the Galxe platform using their wallets. Subsequently, Galxe’s official team announced that their website was shut down and they were addressing the issue. According to MistTrack’s analysis, there were multiple interactions between the Galxe Hacker’s address and the Angel Drainer’s address, suggesting they might be the same hacker or group.

On October 7, Galxe released a statement indicating that their website had been fully restored. The detailed sequence of the event is as follows: On October 6, an unidentified individual contacted the domain service provider, Dynadot, pretending to be an authorized Galxe member. Using forged documents, this impersonator bypassed security procedures. Subsequently, the imposter gained unauthorized access to the domain account’s DNS. They used this access to redirect users to a fraudulent website where transactions were signed to siphon off their funds. Approximately 1,120 users who interacted with this malicious site were affected, with an estimated theft amounting to $270,000.

Below is an analysis specifically focused on some of the phishing materials and wallet addresses associated with this gang:

Phishing Website and Tactics:

Upon analysis, we found that the gang’s primary method of attack is social engineering targeted at domain service providers. Once they obtain relevant domain account permissions, they modify the DNS resolution direction and redirect users to fake websites. Data provided by SlowMist’s partner, ScamSniffer, indicates that this gang’s phishing attacks targeting the crypto industry involve over 3,000 domains.

By examining the related information of these domains, it was found that the earliest registration dates trace back to January 2023:

The website impersonated a Web3 game project called “Fight Out,” which is currently inaccessible. Interestingly, under Fight Out’s official social media platforms, multiple users reported that the project itself seemed to be a scam.

Upon inspecting the phishing website’s related address 0x00002644e79602F056B03235106A9963826d0000 through MistTrack, it was shown that the first transaction from this address took place on May 7.

We discovered that this address is associated with 107 phishing sites, encompassing not only NFT projects, authorization management tools like RevokeCash, and exchanges like Gemini, but also cross-chain bridges such as Stargate Finance, among others.

Tracing back further from this address to March 16, 2023, we identified an address labeled as Fake_Phishing76598: 0xe995269255777303Ea6800bA0351C055C0C264b8. This address is associated with 17 phishing sites, primarily focusing on the NFT project Pollen and the public chain Arbitrum. All of these phishing websites are currently inaccessible.

Reviewing one of the gang’s recently deployed phishing websites, blur[.]app-io.com.co:

By investigating the Access Key, we linked to another phishing website: unsiwap[.]app.se.net. The correct spelling is “Uniswap,” but the attacker confused users by swapping the positions of the letters ‘s’ and ‘i’.

This website also exists in our dataset and began its operation in August.

Below are screenshots of a series of websites linked to this domain:

A global search using ZoomEye revealed that 73 phishing sites are concurrently running and deployed under this domain.

Further tracking showed that Angel Drainer conducts sales in both English and Russian. The offerings include 24/7 support, a deposit of $40,000, a 20% fee, support for multiple chains and NFTs, and an automatic site cloning tool.

Here’s an overview of the seller:

Following the contact details provided on the page, we found a Bot. The addresses involved in the image below currently have no transaction records, leading us to speculate that it might be a bot impersonating Angel Drainer.

Selecting a site at random for inspection, when users click on “Claim”, the website evaluates whether the user has a balance. Depending on the tokens and balance held by each victim’s address, it employs a combination of attacks: Approve — Permit/Permit2 signature — transferFrom.

For users with a lower sense of security awareness, they might inadvertently grant the attacker unlimited permission to their addresses. If new funds are transferred to the user’s address, the attacker will immediately transfer those funds away.

Due to space constraints, we won’t delve further into the analysis here.

MistTrack Analysis

By analyzing the aforementioned 3,000+ phishing URLs and correlating them with the SlowMist AML malicious address database, we identified a total of 36 malicious addresses (on the ETH blockchain) associated with the Angel Drainer phishing gang. Of these, there are two hot wallet addresses belonging to Angel Drainer, spanning multiple chains, with the ETH and ARB chains involving significant amounts of funds.

Based on the 36 malicious addresses linked and set as our on-chain analysis dataset, we derived the following conclusions about this phishing group on the Ethereum (ETH) chain:

  • The earliest activity time of the on-chain address set dates back to April 14, 2023. (Transaction ID: 0x664b157727af2ea75201a5842df3b055332cb69fe70f257ab88b7c980d96da3)
  • Stolen funds: According to preliminary estimates, the gang has profited approximately 2 million USD via phishing. This includes a profit of 708.8495 ETH, equivalent to approximately 1,093,520.8976 USD. They are also involved with 303 ERC20 Tokens, valued at around 1 million USD, primarily consisting of LINK, STETH, DYDX, RNDR, VRA, WETH, WNXM, APE, and BAL. (Note: Prices are based on the rates as of October 13, 2023, with data sourced from CoinMarketCap.)
  • Analyzing the related malicious addresses’ Ethereum data post-April 14, 2023, for the first two layers, we observed that out of the profit funds, a total of 1652.67 ETH was transferred to Binance, 389.29 ETH to eXch, 116.57 ETH to Bybit, 25.839 ETH to OKX, and 21 ETH to Tornado Cash. The remaining funds were transferred to other individual addresses.
We would like to extend our gratitude to ScamSniffer for helping us gather this data

Conclusion

This article, pivoting on the Balancer Hack and Galxe Hack incidents, delves into the phishing group Angel Drainer, extrapolating several characteristic features of this organization. As Web3 continues to innovate, the methodologies targeting Web3 phishing are also diversifying, catching many off-guard.

For users, it’s imperative to be informed about the risk profile of the target address before making on-chain transactions. Platforms like MistTrack can be used to input the target address and check its risk score and malicious labels. This can significantly reduce the risk of financial losses.

For wallet project developers, a holistic security audit is paramount. Emphasis should be on enhancing the user interaction security segment, fortifying the ‘what you see is what you sign’ mechanism, thereby minimizing the users’ susceptibility to phishing. Here are some specific measures to consider:

  • Phishing Site Alerts: Harness the power of the ecosystem or community to compile various phishing sites. Prominently warn and alert users when they interact with these phishing sites.
  • Signature Recognition and Alerts: Identify and alert requests for signatures such as eth_sign, personal_sign, and signTypedData. Emphasize the risks associated with eth_sign blind signing.
  • What You See Is What You Sign: Implement an extensive parsing mechanism within the wallet for contract calls. This will prevent ‘Approve’ phishing and inform users of the detailed content constructed during DApp transactions.
  • Pre-execution Mechanism: By using a transaction pre-execution system, users can understand the effects after the transaction broadcast. This aids users in predicting the outcome of transaction executions.
  • Same Suffix Scam Alerts: When displaying addresses, prominently remind users to check the complete target address, preventing scams that utilize identical suffixes. Implement a whitelist address mechanism, allowing users to add frequently used addresses to a whitelist and avoid attacks that exploit identical suffixes.
  • AML Compliance Alerts: During transactions, utilize AML (Anti-Money Laundering) mechanisms to alert users if the target address for their transfers might trigger AML rules.

SlowMist, as a leading blockchain security company, has been deeply involved in threat intelligence for many years. We primarily serve our vast clientele through security audits and anti-money laundering tracing services, establishing a solid network for threat intelligence collaboration. Security audits not only reassure users but also serve as a means to reduce potential attacks. However, due to data silos among various institutions, it’s challenging to identify money laundering gangs that operate across different platforms, presenting a significant challenge for anti-money laundering efforts. For project owners, promptly blocking and preventing the transfer of funds from malicious addresses is of paramount importance.

Our MistTrack anti-money laundering tracing system has accumulated labels for more than 200 million addresses, capable of identifying various wallet addresses from major global trading platforms. This includes more than a thousand address entities, over 100,000 threat intelligence data sets, and over 90 million risk addresses. If needed, you can contact us to access our API. In conclusion, we hope that everyone can join hands to make the blockchain ecosystem safer and better.

About SlowMist

SlowMist is a blockchain security firm established in January 2018. The firm was started by a team with over ten years of network security experience to become a global force. Their goal is to make the blockchain ecosystem as secure as possible for everyone. They are now a renowned international blockchain security firm that has worked on various well-known projects such as Huobi, OKX, Binance, imToken, Crypto.com, Amber Group, Klaytn, EOS, 1inch, PancakeSwap, TUSD, Alpaca Finance, MultiChain, Cheers UP, etc.

SlowMist offers a variety of services that include by are not limited to security audits, threat information, defense deployment, security consultants, and other security-related services. They offer AML (Anti-money laundering) software, Vulpush (Vulnerability monitoring) , SlowMist Hacked (Crypto hack archives), FireWall.x (Smart contract firewall) , Safe Staking and other SaaS products. They have partnerships with domestic and international firms such as Akamai, BitDefender, FireEye, RC², TianJi Partners, IPIP, etc.

By delivering a comprehensive security solution customized to individual projects, they can identify risks and prevent them from occurring. Their team was able to find and publish several high-risk blockchain security flaws. By doing so, they could spread awareness and raise the security standards in the blockchain ecosystem.

💬Website 🐦Twitter ⌨️GitHub

--

--

SlowMist

SlowMist is a Blockchain security firm established in 2018, providing services such as security audits, security consultants, red teaming, and more.