According to the latest update on yesterday's Ledger Connect Kit exploit by the cybersecurity team SlowMist, the attack that led to a loss of at least $600,000 was orchestrated by the phishing group Angel Drainer. SlowMist adds in its post on X, "Angel Drainer utilized smart contracts to manage the access domains of malicious JavaScript files."
How does Angel Drainer work?
Earlier in October, SlowMist provided the crypto community with detailed insights into Angel Drainer’s tactics. Initially recognized as a low-profile phishing gang in the Web3 space, Angel Drainer later shifted its focus to larger projects, launching attacks on the DeFi protocol Balancer on September 19 and the Web3 community platform Galxe.
"Upon analysis, we found that the gang’s primary method of attack is social engineering targeted at domain service providers," explained SlowMist in its report, noting that once the malicious actors obtain relevant domain account permissions, they manipulate DNS resolution and redirect users to fake websites. The report referenced data from cybersecurity firm ScamSniffer, estimating that over 3,000 domains were involved in Angel Drainer's phishing attacks.
According to SlowMist's analysis, these domains were registered as early as January 2023. One of the sites impersonated the "Fight Out" Web3 game project, associated with an address linked to 107 phishing sites. These sites covered a broad spectrum, including NFT projects, authorization management tools like RevokeCash, exchanges like Gemini, and cross-chain bridges such as Stargate Finance. The earliest transaction from this address occurred in May.
The October report by SlowMist also highlighted numerous phishing sites targeting public chain Arbitrum, the NFT project Pollen, the Blur NFT marketplace, the Uniswap exchange, and more.
How much do Angel Drainer’s services cost?
In the Angel Drainer service offer outlined by SlowMist, the phishing team demands a $40,000 deposit along with a 20% fee, boasting extensive features such as an automated site cloner with a linked drainer, a "great log system," full customizability, draining strategy logs, and more.
The Angel Drainer team promotes its services in Russian, too. The X account operating under the Angel Drainer name, whether or not it is the authentic profile of the scam vendor, states, "For us first is the name and of course when our community is happy," prioritizing reputation over financial gains.
If this account is indeed linked to the phishing team, it means Angel Drainer also incentivizes its clients by rewarding those who earn the most with Angel Drainer with expensive NFTs like BAYCs and MAYCs.
As of October, preliminary estimates from SlowMist indicate that Angel Drainer had accumulated at least $2 million in fees. A portion of the profits was transferred to platforms such as Binance, eXch, Bybit, OKX, Tornado Cash, and others.
Particularly notable exploits orchestrated by Angel Drainer include the Balancer and Galxe DNS hijacking attacks.
In the Balancer incident, the website's interface was compromised by injecting malicious JavaScript code into the front-end interface of app.balancer.fi. This led users to unwittingly approve malicious transactions, resulting in over $350,000 being transferred to attackers through phishing attacks.
In the Galxe case, malicious actors impersonated Dynadot, the domain service provider, gaining unauthorized access to the domain account's DNS. Subsequently, nearly 1,120 users interacting with the fraudulent site lost nearly $270,000.
Ledger, a renowned manufacturer of hardware and cold crypto wallets, became the latest target of Angel Drainer. The phishing team exploited the Ledger Connect Kit, impacting the front-end interfaces of connected applications including Balancer, which had already been hit by Angel Drainer, as well as SushiSwap, Revoke.cash, and Zapper, stealing at least $600,000 from users.
In collaboration with the Scam Sniffer team, SlowMist used characteristics associated with Angel Drainer to identify thousands of phishing websites, which were reported to eth-phishing-detect (a utility supporting the detection of phishing domains targeting Web3 users). This collaborative effort aims to minimize the risk of Web3 users falling victim to phishing attacks and losing assets. To collect phishing domains, SlowMist used the Urlscan tool.
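As an added illustration (not code from SlowMist, Scam Sniffer or the eth-phishing-detect project), the Python below classifies reported hostnames the way such a detector does: an allowlist, a blocklist, and an edit-distance fuzzy match against protected brand domains. The matching rules are a simplification of that layout, and the sample config and the `.example` lookalike hostnames are constructed placeholders.

```python
"""Domain classifier modelled on the allowlist/blocklist/fuzzylist layout of
eth-phishing-detect. Simplified illustration; lists below are constructed."""

def levenshtein(a: str, b: str) -> int:
    """Edit distance: insertions, deletions and substitutions each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def fuzzy_form(host: str) -> str:
    """Drop a leading 'www.' and the TLD so lookalikes on other TLDs still compare."""
    labels = host.split(".")
    if labels and labels[0] == "www":
        labels = labels[1:]
    return ".".join(labels[:-1]) if len(labels) > 1 else host

def in_list(host: str, entries) -> bool:
    """Exact match, or host is a subdomain of an entry."""
    return any(host == e or host.endswith("." + e) for e in entries)

def classify(host: str, config: dict) -> str:
    """Return 'allowed', 'blocked', 'fuzzy' (close lookalike) or 'unknown'."""
    host = host.lower().strip(".")
    if in_list(host, config["whitelist"]):
        return "allowed"
    if in_list(host, config["blacklist"]):
        return "blocked"
    form = fuzzy_form(host)
    for entry in config["fuzzylist"]:
        if levenshtein(form, fuzzy_form(entry)) <= config["tolerance"]:
            return "fuzzy"
    return "unknown"

# Constructed sample config; a real deployment pulls a maintained list.
SAMPLE_CONFIG = {
    "tolerance": 2,
    "whitelist": ["balancer.fi", "revoke.cash"],
    "blacklist": ["balancer-airdrop.example"],
    "fuzzylist": ["balancer.fi", "revoke.cash"],
}

def triage(hosts, config=SAMPLE_CONFIG) -> dict:
    """Classify a batch of reported hosts, e.g. an export of Urlscan results."""
    return {h: classify(h, config) for h in hosts}

if __name__ == "__main__":
    sample = ["app.balancer.fi", "balancer-airdrop.example", "balanc3r.example", "example.org"]
    for host, verdict in triage(sample).items():
        print(f"{host:28} {verdict}")
```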
On-chain researchers have already catalogued the contract addresses used by the Angel Drainer group to manage the access domains of malicious JS files. These addresses are available on the dedicated Dune dashboard and on GitHub.