Solana Army Won't Help - Rainbow and Node Drainers on the Rampage

Explore an overview of particularly active Solana drainers and common phishing attack techniques focused on Solana users, along with protective measures you can take to safeguard your funds.

A thief appearing as an angel
Newly emerged Solana wallet drainers have already stolen over $4 million from approximately 3,947 victims

Earlier this month, the Web3 security team CertiK warned the cryptocurrency community about the growing popularity of wallet drainers designed to exploit Solana users. Wallet drainers are a specialized form of malware crafted to deceive cryptocurrency users visiting phishing websites, tricking them into signing malicious transactions that ultimately result in asset theft.


In its recent post, CertiK highlighted some advertisements by scam vendors from last December, promoting the use of their "unique products that stand unmatched in the market."

Since then, these scam kits have continued to evolve. On-chain analytics firm Scam Sniffer conducted a comprehensive study of these products, identifying two highly active Solana scam vendors: Rainbow Drainer and Node Drainer. According to Scam Sniffer, these kits alone "have consistently stolen nearly $4.17 million in assets from about 3,947 victims."

The Scam Sniffer team emphasizes a notable distinction between typical thefts on Ethereum and on Solana. On Ethereum, most losses stem from malicious approvals: once a victim grants an approval, the attacker can move the tokens without any further consent from the owner. On Solana, phishing signatures play the central role, and attackers rely on direct transfers signed by the victim rather than on abusing approvals.

One protective measure in Solana wallets is transaction simulation, which lets users preview the effects of a transaction before confirming it. However, attackers counter this with anti-simulation methods, such as faking simulation results, to mislead cryptocurrency users.

Rainbow Drainer

Scam Sniffer reports a theft of approximately $2.14 million conducted by Rainbow Drainer, affecting around 2,189 victims. Assets like ZERO, Bonk, and ANALOS were among those stolen.

One specific technique highlighted by Scam Sniffer involves malicious airdrop campaigns that distribute phishing NFTs to ZERO token holders. Scammers place deceptive links and names in the NFT's Name and External Links fields, so that victims who expect to be redirected to a legitimate airdrop site instead open the phishing website linked from the NFT.

Interacting with a malicious NFT produces a transaction that drains the victim's wallet. Many users proceed even though their wallet shows a warning before the transaction is confirmed.


Scam Sniffer emphasizes that scammers can "continue phishing campaigns without deploying new NFTs," suspecting that this is enabled by the fact that "the Solana ecosystem currently does not have a blacklist for displaying such NFTs." Consequently, criminals can keep running their wallet-draining campaigns without deploying any new NFTs.

Additionally, the operators of Rainbow Drainer appear to be actively interested in improving their "conversion rates." Scam Sniffer has identified a self-hosted Matomo instance used to track each step of their phishing campaigns. Matomo is one of the most popular open-source web analytics applications for monitoring and reporting visits to websites.

Node Drainer

Scam Sniffer underscores the exceptional performance of Node Drainer, claiming that it stole over $2 million from nearly 1,759 victims in less than two weeks. Holders of the ANALOS and Bonk tokens suffered significant losses: ANALOS thefts exceeded $638,000 in total, while total Bonk losses are valued at $325,432, according to Scam Sniffer.

Node Drainer
Source: Scam Sniffer

"This also appeared in the Christmas phishing campaign targeting Bonk holders, through the transaction ID issued in their channel. We linked this to the associated on-chain data," Scam Sniffer explains, adding that Node Drainer "also appeared in a phishing link that was used in Mandiant’s Twitter hacking event."

According to blockchain analytics, a primary beneficiary has already gained profits exceeding $1 million, mainly by leveraging AllBridge for cross-chain transactions to Ethereum.

Wallet drainers: severity of the issue

Earlier this month, Scam Sniffer published a report on crypto phishing scam statistics, revealing that the total theft facilitated by wallet drainers surpassed $295 million, affecting approximately 320,000 victims.

Scam Sniffer identified the most severely affected victims of wallet-drainer thefts, citing the exploit of victim 0x13e382dfe53207e9ce2eeeab330f69da2794179e as the largest incident, with a loss of $24.05 million. This exploit involved the smart contract function "increase allowance," which raises the amount of the owner's funds that another address is permitted to spend on the owner's behalf. Other popular phishing methods include "Increase Approval," "ERC20 Permit," and "Approve."

Altogether, Scam Sniffer detected at least thirteen thefts by wallet drainers of over $1 million last year.

Furthermore, Scam Sniffer notes a single-day theft of almost $7 million on March 11. This heist was attributed to fluctuations in the USDC rate and to phishing websites impersonating Circle. As a rule, spikes in theft incidents are linked to large-scale events, such as airdrops or hacking incidents.

Wallet Drainers Trends
Source: Scam Sniffer

Phishing malware such as MS Drainer, Angel Drainer, Monkey Drainer, Venom Drainer, Pink Drainer, Pussy Drainer, and the now-inactive Inferno Drainer were commonly deployed in phishing campaigns. These campaigns also relied on methods such as hacking official project Discord and Twitter accounts, organic traffic from airdrops, expired Discord links, spam on social media, paid traffic through Google search ads and Twitter ads, and targeted phishing via personal private messages.

"Although hacking attacks have a broad impact, the community often reacts promptly, typically within 10-50 minutes," states Scam Sniffer in the report, stressing that "airdrops, organic traffic, paid advertising, and taken-over Discord links are much less noticeable."

Common Solana-centered phishing techniques and protective measures

Due to the rapid increase in the number of exploits affecting Solana users, the GoPlus Security on-chain security team has posted an overview of popular phishing attack methods and provided the crypto community with suggestions to enhance their protection.

While the phishing tactics described by the GoPlus experts match those cited by Scam Sniffer, GoPlus also lists several transfer attack methods deployed by scammers against Solana users. These include transfers of the native token ($SOL), transfers of multiple tokens in a single transaction, Phantom transaction simulation, Backpack transaction simulation, and inducing the transfer of token account ownership.


Attacks based on techniques such as inducing the transfer of Solana's native token SOL, inducing the transfer of multiple tokens, or inducing the transfer of token account ownership can often be prevented by the transaction simulation feature of the official Solana JSON RPC interface mentioned earlier. Other deceptive practices pose a greater challenge: token authorization deception, durable nonce transaction signature deception, and contract upgrades designed to evade transaction simulation.

The durable nonce method lets attackers obtain a signature on a transaction disguised as a legitimate operation and broadcast it later, stealing the user's assets at a time of their choosing. Contract upgradability makes it possible to upgrade a contract that initially behaves normally into a malicious version capable of transferring assets.

GoPlus emphasizes that many phishing attacks on Solana occur due to the unique functionality of this blockchain. Unlike typical direct asset transfers, attackers often exploit "the authority to control the user’s assets."

Moreover, some Solana-targeting attacks mentioned above allow criminals to postpone asset transfers, making fast detection challenging.

To protect yourself against emerging phishing techniques on Solana, GoPlus recommends, in addition to common advice on safeguarding private keys and important information, the following measures:

  • Always simulate transactions before confirming them and carefully review the simulation results. However, GoPlus warns about the possibility of simulation failure;
  • Pay attention to operations that change the token balance after a transaction;
  • Watch for authorization changes, especially on unfamiliar websites or apps;
  • Regularly revoke unnecessary authorizations with the help of Solana's Revoke tool;
  • Keep your software updated.
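The durable-nonce, ownership-transfer and authorization warnings in the preceding paragraphs and in the checklist above can be checked statically, on the exact bytes the wallet is about to sign, without trusting any simulation result. The Python below is an added example written for this article; it is not code from GoPlus, Scam Sniffer or any wallet. It decodes a legacy Solana message using the public layout (3-byte header, compact-u16 key list, recent blockhash, instructions) and the documented instruction encodings of the System Program (bincode u32 tag: 2 = Transfer, 4 = AdvanceNonceAccount) and the SPL Token program (u8 discriminator: 4/13 = Approve, 6 = SetAuthority), then flags a durable-nonce transaction (AdvanceNonceAccount as the first instruction), a token-account ownership change (SetAuthority with AccountOwner) and delegate approvals. The two program ids are the real ones; every other key, the header values, the severity labels and the sample message are constructed for the example.

```python
"""Pre-sign inspection of a legacy Solana transaction message (added example)."""
import struct

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
SYSTEM_PROGRAM = "11111111111111111111111111111111"            # real System Program id
TOKEN_PROGRAM = "TokenkegQfeZyiNwAJbNbGKPFXCWuBvf9Ss623VQ5DA"   # real SPL Token program id
AUTHORITY = {0: "MintTokens", 1: "FreezeAccount", 2: "AccountOwner", 3: "CloseAccount"}

def b58decode(s: str) -> bytes:
    n = 0
    for ch in s:
        n = n * 58 + B58.index(ch)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    return b"\x00" * (len(s) - len(s.lstrip("1"))) + body          # leading '1' == zero byte

def b58encode(raw: bytes) -> str:
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return "1" * (len(raw) - len(raw.lstrip(b"\x00"))) + out

def put_len(n: int) -> bytes:                  # compact-u16 ("shortvec") length prefix
    out = bytearray()
    while n > 0x7F:
        out.append((n & 0x7F) | 0x80)
        n >>= 7
    out.append(n)
    return bytes(out)

def get_len(buf: bytes, pos: int):
    n = shift = 0
    while True:
        b, pos = buf[pos], pos + 1
        n |= (b & 0x7F) << shift
        if not b & 0x80:
            return n, pos
        shift += 7

def build_message(header, keys, blockhash, ixs) -> bytes:
    # legacy layout: 3-byte header, account keys, recent blockhash, instructions
    out = bytearray(header) + put_len(len(keys)) + b"".join(keys) + blockhash + put_len(len(ixs))
    for prog_idx, acct_idxs, data in ixs:     # (program key index, account key indexes, data)
        out += bytes([prog_idx]) + put_len(len(acct_idxs)) + bytes(acct_idxs) + put_len(len(data)) + data
    return bytes(out)

def parse_message(buf: bytes):
    n, pos = get_len(buf, 3)                   # key list follows the 3-byte header
    keys = [b58encode(buf[pos + 32 * i:pos + 32 * (i + 1)]) for i in range(n)]
    pos += 32 * n
    blockhash, pos = buf[pos:pos + 32], pos + 32
    n, pos = get_len(buf, pos)
    ixs = []
    for _ in range(n):
        prog, pos = keys[buf[pos]], pos + 1
        na, pos = get_len(buf, pos)
        accts, pos = [keys[i] for i in buf[pos:pos + na]], pos + na
        nd, pos = get_len(buf, pos)
        ixs.append((prog, accts, buf[pos:pos + nd]))
        pos += nd
    return keys, blockhash, ixs

def inspect_message(buf: bytes):
    """Return (severity, description) findings to show the user before signing."""
    _, _, ixs = parse_message(buf)
    findings = []
    for i, (prog, accts, data) in enumerate(ixs):
        if prog == SYSTEM_PROGRAM and len(data) >= 4:
            tag = struct.unpack_from("<I", data)[0]            # bincode u32 enum tag
            if tag == 4 and i == 0:                             # AdvanceNonceAccount first
                findings.append(("HIGH", "durable nonce: transaction never expires and can be broadcast later"))
            elif tag == 2:                                      # SystemProgram::Transfer
                lamports = struct.unpack_from("<Q", data, 4)[0]
                findings.append(("INFO", f"SOL transfer of {lamports} lamports to {accts[1]}"))
        elif prog == TOKEN_PROGRAM and data:
            tag = data[0]                                       # SPL Token u8 discriminator
            if tag == 6:                                        # SetAuthority(type, COption<new>)
                new = b58encode(data[3:35]) if data[2] == 1 else "none"
                sev = "HIGH" if data[1] in (2, 3) else "MEDIUM"  # losing owner/close authority
                findings.append((sev, f"SetAuthority({AUTHORITY.get(data[1], data[1])}) on {accts[0]} -> {new}"))
            elif tag in (4, 13):                                # Approve / ApproveChecked
                amount = struct.unpack_from("<Q", data, 1)[0]
                delegate = accts[1] if tag == 4 else accts[2]
                findings.append(("MEDIUM", f"delegate {delegate} approved to spend {amount} base units of {accts[0]}"))
    return findings

def constructed_phishing_message() -> bytes:
    """Constructed sample; every key except the two program ids is made up (sysvar is a stand-in)."""
    victim, token_acct, nonce_acct, attacker, sysvar = (bytes([i]) * 32 for i in (1, 2, 3, 4, 5))
    keys = [victim, token_acct, nonce_acct, attacker,
            b58decode(TOKEN_PROGRAM).rjust(32, b"\x00"), b58decode(SYSTEM_PROGRAM), sysvar]
    ixs = [
        (5, [2, 6, 0], struct.pack("<I", 4)),                        # AdvanceNonceAccount
        (4, [1, 0], bytes([6, 2, 1]) + attacker),                    # SetAuthority(AccountOwner)
        (4, [1, 3, 0], bytes([4]) + struct.pack("<Q", 2**64 - 1)),   # Approve(u64::MAX)
    ]
    return build_message((1, 0, 3), keys, bytes(32), ixs)   # bytes(32) stands in for the nonce

if __name__ == "__main__":
    for sev, what in inspect_message(constructed_phishing_message()):
        print(f"[{sev}] {what}")
```

Run directly, it prints the three findings for the constructed message. A production wallet would do the same decoding through @solana/web3.js and @solana/spl-token; the hand-written parser is here to show that all three patterns are visible in the signed payload itself, independent of whether a simulation result has been tampered with.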

Staying up-to-date with popular attack techniques is also critical for enhancing your protection against evolving phishing threats.