Etherscan Users Targeted in Sophisticated Phishing Scam

Quite a few advertisements on Etherscan have been identified as part of a major phishing campaign that is actively targeting Etherscan users.

A phishing scam targeting Etherscan users has been exposed on X, exploiting ads to direct victims to sites that drain their crypto wallets. This discovery has led to a wider investigation revealing the presence of more malicious ads across various platforms, including popular search engines. Hacks have also been an issue in the crypto space, but ParaSwap recently shared plans to compensate its hack victims using its treasury. Additionally, the crypto space is experiencing some legal and ethical challenges, including aggressive tactics by the IRS directed towards blockchain investigators.

Phishing Ads on Etherscan

A major phishing campaign targeting Etherscan users recently came to light. The issue was first spotted by an X community member known as McBiblets on Apr. 8, who discovered that certain advertisements displayed on the Ethereum blockchain explorer, Etherscan, were in fact part of a wallet drainer scam. These malicious ads, when clicked, would redirect users to phishing websites designed to steal their cryptocurrency.

The investigation, which expanded on McBiblets’ initial findings, revealed that these phishing ads were not only prevalent on Etherscan but also made their way onto other known phishing websites. The Web3 anti-scam platform Scam Sniffer also uncovered that these ads had breached the confines of the crypto space, appearing on popular search engines like Google, Bing, and DuckDuckGo, as well as on X. Scam Sniffer specifically pointed to the lack of rigorous oversight from advertising aggregators, like Coinzilla and Persona, which Etherscan uses, as a potential cause for this issue.

The mechanics of the wallet drainer scam are deceptively simple yet effective. Users are lured to fake websites through these ads and are persuaded to link their crypto wallets. The scammers can then drain the wallets’ funds without needing user authentication or permission. This method has proven to be alarmingly efficient, with almost $300 million reportedly stolen from more than 324,000 victims in 2023 alone through scams like these.

Warnings about the presence of these phishing ads on Etherscan have been issued by blockchain security experts, including SlowMist's chief information security officer, known as 23pds. Although the exact identity of the scammers behind the campaign has not been pinpointed just yet, many suspect it could be the notorious phishing group Angel Drainer.

What is a Phishing Scam?

Phishing in the cryptocurrency sector is a sophisticated scamming technique where fraudsters impersonate trusted entities to deceive people into surrendering their sensitive data, including private keys and personal information. Such scams aim to illicitly acquire cryptocurrencies, and their frequency and complexity have surged, posing a major risk to wallets, exchanges, and participants in initial coin offerings (ICOs).

The essence of a phishing operation begins with the distribution of counterfeit communications that appear to originate from reputable sources, enticing victims with links that lead to meticulously crafted websites designed to mirror genuine platforms. Unwitting users who input their credentials on these bogus sites unknowingly grant attackers access to their digital funds.

Many strategies are employed in cryptocurrency phishing, each adapted to target a different part of the digital finance ecosystem. Spear phishing focuses on individual or organizational targets, leveraging information specific to the victims to enhance the credibility of the attack. Whaling attacks escalate this concept by concentrating efforts on high-ranking officials within companies, potentially compromising entire organizational networks if successful. Clone phishing involves duplicating legitimate emails with altered links or attachments that harbor malicious intent, exploiting the recipient's familiarity and trust in the sender. Pharming is a more technically insidious approach, manipulating DNS entries to redirect users from legitimate sites to fraudulent replicas without their knowledge.

Meanwhile, other phishing scams include evil twin attacks that create counterfeit Wi-Fi networks to harvest credentials; voice phishing (vishing), which employs phone calls to extract sensitive information under false pretenses; and SMS phishing (smishing), which uses text messages to lure victims into clicking on malicious links.

DNS hijacking, another sophisticated tactic, involves altering DNS entries to mislead users into visiting impostor websites. The emergence of phishing bots has allowed cybercriminals to automate and scale these deceptive practices, spreading their reach across the digital domain. Additionally, the distribution of fake browser extensions poses a direct threat to user privacy and security, masquerading as legitimate tools while secretly filching data and redirecting users to scam sites.

Among the more novel phishing methods are ice phishing attacks, where attackers trick victims into signing transactions that unknowingly transfer control of their tokens, and crypto-malware, which encrypts user data for ransom, often propagated through malicious downloads or links.
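The ice phishing and wallet drainer schemes described above both hinge on the victim signing a token-approval transaction. The following is an added example, not code from the article or from any of the firms it names: it decodes the calldata a wallet is asked to sign and flags the grants (unlimited ERC-20 `approve`, ERC-721/1155 `setApprovalForAll`) that hand control of tokens to a third party. The function selectors are the standard ones; the spender addresses and calldata are constructed for illustration.

```python
# Added example: inspect a signing request's calldata and flag token-control
# grants of the kind ice phishing relies on. Sample calldata and addresses
# below are constructed, not taken from any real incident.

UINT256_MAX = 2**256 - 1

# First 4 bytes of keccak256 of the canonical function signature (standard
# ERC-20 / ERC-721 / ERC-1155 selectors).
SELECTORS = {
    "095ea7b3": "approve(address,uint256)",
    "a22cb465": "setApprovalForAll(address,bool)",
    "a9059cbb": "transfer(address,uint256)",
    "23b872dd": "transferFrom(address,address,uint256)",
}

def _word(data: bytes, i: int) -> bytes:
    """Return the i-th 32-byte ABI word that follows the 4-byte selector."""
    start = 4 + 32 * i
    if len(data) < start + 32:
        raise ValueError("calldata truncated")
    return data[start:start + 32]

def _addr(word: bytes) -> str:
    """An ABI-encoded address is the low 20 bytes of a 32-byte word."""
    return "0x" + word[-20:].hex()

def inspect_calldata(calldata_hex: str) -> dict:
    """Classify what a transaction grants and attach a simple risk label."""
    raw = calldata_hex[2:] if calldata_hex.startswith("0x") else calldata_hex
    data = bytes.fromhex(raw)
    if len(data) < 4:
        return {"function": "unknown", "risk": "unknown"}
    fn = SELECTORS.get(data[:4].hex())
    if fn is None:
        return {"function": "unknown selector " + data[:4].hex(), "risk": "unknown"}
    if fn.startswith("approve"):
        amount = int.from_bytes(_word(data, 1), "big")
        # An unlimited allowance lets the spender move every token, now and later.
        return {"function": fn, "spender": _addr(_word(data, 0)), "amount": amount,
                "risk": "high" if amount == UINT256_MAX else "medium"}
    if fn.startswith("setApprovalForAll"):
        approved = int.from_bytes(_word(data, 1), "big") != 0
        return {"function": fn, "operator": _addr(_word(data, 0)),
                "approved": approved, "risk": "high" if approved else "low"}
    return {"function": fn, "risk": "medium"}  # a direct transfer moves funds once

# Constructed sample: approve(0xdead...dead, type(uint256).max), the shape of
# request a drainer site typically asks the wallet to sign.
SAMPLE_UNLIMITED_APPROVE = "0x095ea7b3" + "0" * 24 + "dead" * 10 + "ff" * 32
```

A wallet-side warning that shows the decoded spender and amount, rather than an opaque hex blob, is the practical defense this decoding enables.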

ParaSwap Takes Action

Hacks are also becoming a nuisance in the crypto space, but ParaSwap, a leading DeFi aggregator, has decided to compensate the victims of a recent hack using its treasury funds. This decision came after the ParaSwap decentralized autonomous organization (DAO) proposed refunding victims of the AugustusV6 contract vulnerability. The proposal received overwhelming support from the community, with 96.81% of voters supporting the compensation plan.

The AugustusV6 contract was briefly introduced on Mar. 18 with the intention of enhancing swapping efficiency and reducing gas fees for users. Unfortunately, it contained a serious flaw that allowed hackers to steal funds from users who approved the upgrade. Although a prompt rollback of the contract prevented a potential loss of $3.4 million in assets, about $864,000 was still lost.

ParaSwap took immediate action by collaborating with blockchain analytics and security companies Chainalysis and TRM Labs, mainly to identify the hackers' addresses and track the stolen funds. The initiative has been partly successful, as approximately $500,000 worth of assets has been recovered. The remaining losses and expenses related to addressing the vulnerability, like refunds, security analysis, contract re-audits, and communications with authorities, will be covered by the ParaSwap Foundation.

This move to fully refund affected users comes in the wake of March's hacks in the blockchain domain, where almost $100 million in digital assets were stolen across various platforms. Luckily, according to blockchain security firm PeckShield, 52.8% of these stolen funds have been recovered.

The Fine Line

Crypto crimes have grown to a level where even those who are looking to help are being overwhelmed by the scale of the problem. Blockchain investigator ZachXBT recently voiced concerns over what he calls aggressive tactics by the Criminal Investigation Unit (CIU) of the U.S. Internal Revenue Service (IRS) to solicit his expertise in blockchain investigations. In a detailed post on X, ZachXBT shared several instances where the IRS seemingly overstepped personal boundaries, including showing up unannounced at former residences, using private email addresses for contact, and mailing requests despite public contact methods being available.

These allegations surfaced as ZachXBT acknowledged his willingness to help victims and law enforcement in tackling blockchain-related crimes. However, the investigator's discomfort with the IRS's approach was worsened by an email from an IRS special agent, which was shared in the post. The agent praised ZachXBT's proficiency in using blockchain tracing tools and expressed a desire to learn from him to enhance the impact of law enforcement efforts in the crypto and cyber sectors. Despite the commendation, ZachXBT criticized the IRS's methods of contact as a blatant disregard for professionalism.

ZachXBT did, however, recently refuse to assist holders of the Complex (SIMPLE) memecoin after its abrupt discontinuation by developers on Apr. 4. ZachXBT justified his decision by expressing his reluctance to put time into people who, in his view, recklessly invest in unreliable meme coins rather than genuine victims.

Although the IRS is showing some interest in making blockchain technology safer, ZachXBT's experiences raise questions about the balance between law enforcement's need for knowledge in navigating the complex world of cryptocurrency and respecting the personal boundaries and professional ethics of those whose assistance they seek.

Digital Rights at Stake

On the other hand, some believe that those who are looking to help might actually cause damage to the digital asset sector instead. Representatives from three prominent United States-based cryptocurrency advocacy organizations have stepped forward in support of Roman Storm, co-founder of Tornado Cash, as he grapples with serious legal battles. On Apr. 5, filings were submitted to the U.S. District Court for the Southern District of New York by the Blockchain Association, Coin Center, and DeFi Education Fund. These organizations presented arguments in favor of dismissing the charges against Storm, challenging the notion that Tornado Cash, a crypto mixer, controlled the funds or messages its users transmitted through the platform.

The advocacy groups pointed out several key issues in their separate filings. They argued that the felony counts faced by Storm not only misconstrue the operations of Tornado Cash but also raise critical First Amendment concerns. In particular, they contend that the allegations of sanctions violations and money laundering misunderstand the fundamental dynamics between smart contract protocols and their developers.

Marisa Coppel, the Head of Legal at the Blockchain Association, also shared concerns over the broader implications of adopting the government's legal stance. She believes that such a perspective threatens not just the digital asset industry but the fintech sector at large. The associations have called on the court to recognize the government's burden of proof and to dismiss the charges, which they deem unfounded, to protect the rights of the defendants and the integrity of the digital asset sector.

This legal challenge comes in the wake of the U.S. Justice Department's August 2023 announcement of charges against Storm and co-developer Roman Semenov, with Storm pleading not guilty and currently on a $2 million bond with restricted travel. Semenov's location is still unknown, and Storm's trial is scheduled for September.

The case against Tornado Cash extends beyond U.S. borders, with developer Alexey Pertsev arrested in the Netherlands in August of 2022 under allegations of aiding North Korean hacking groups in laundering approximately $1 billion through the crypto mixer. Pertsev was released after roughly nine months in custody.

The controversy surrounding Tornado Cash escalated after the U.S. Treasury's Office of Foreign Assets Control decided to list crypto addresses associated with Tornado Cash as Specially Designated Nationals, a move that led to lawsuits against the U.S. Treasury by crypto advocates. These legal battles are ongoing, with both cases awaiting the outcome of appeal processes after initial losses in summary judgment motions.