Over the last nine months, scammers stole around $59 million in cryptocurrency using a tool called “MS Drainer.” As the blockchain security platform Scam Sniffer reported on X (formerly Twitter) on December 21, the scammers used Google Ads to lure victims onto fake versions of well-known crypto websites such as Zapper, Lido, Stargate, DefiLlama, Orbiter Finance, and Radiant.
“🚨1/ Alert: A 'Wallet Drainer' has been linked to phishing campaigns on Google search and X ads, draining approximately $58M from over 63K victims in 9 months.” Scam Sniffer | Web3 Anti-Scam (@realScamSniffer), December 21, 2023
Wallet drainers are blockchain tools (typically a phishing front end paired with smart contracts) that let scammers move crypto out of a victim’s wallet without consent, usually by abusing the token approval process: the victim is tricked into signing an approval that lets the attacker’s contract spend their tokens. Drainer developers commonly take a percentage of the stolen funds as a fee for the use of their software, and because that fee is embedded in the smart contracts, the scammers using the drainer cannot avoid paying it.
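Because drainers rely on the victim granting a token allowance to an attacker-controlled spender, one defensive check is to decode the ERC-20 Approval events for a wallet and flag unlimited allowances or allowances to spenders you do not recognise. The following is an added illustration, not code from Scam Sniffer or the article; the log entries, token and spender addresses are constructed placeholders, and the "trusted spender" set is an assumption you would populate with the contracts you actually use.

```python
from typing import Dict, List, Set

# keccak256("Approval(address,address,uint256)"): topic[0] of every ERC-20 Approval log
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
MAX_UINT256 = 2**256 - 1  # the "unlimited" allowance drainers ask victims to sign


def parse_approval_log(log: Dict) -> Dict:
    """Decode one eth_getLogs-style entry: indexed owner/spender sit in topics, value in data."""
    if log["topics"][0].lower() != APPROVAL_TOPIC:
        raise ValueError("not an ERC-20 Approval event")
    owner = "0x" + log["topics"][1][-40:]     # last 20 bytes of the padded topic
    spender = "0x" + log["topics"][2][-40:]
    return {"token": log["address"].lower(), "owner": owner.lower(),
            "spender": spender.lower(), "value": int(log["data"], 16)}


def flag_risky_approvals(logs: List[Dict], trusted_spenders: Set[str]) -> List[Dict]:
    """Return approvals that are unlimited and/or granted to a spender not on the trusted list."""
    findings = []
    for log in logs:
        approval = parse_approval_log(log)
        reasons = []
        if approval["value"] == MAX_UINT256:
            reasons.append("unlimited allowance")
        if approval["spender"] not in {s.lower() for s in trusted_spenders}:
            reasons.append("unknown spender")
        if reasons:
            findings.append({**approval, "reasons": reasons})
    return findings


# Constructed sample data: placeholder addresses, not real contracts or victims.
TOKEN = "0x1111111111111111111111111111111111111111"
VICTIM = "0x2222222222222222222222222222222222222222"
DEX_ROUTER = "0x3333333333333333333333333333333333333333"  # assumed to be a known, trusted spender
DRAINER = "0x4444444444444444444444444444444444444444"     # the attacker's spender contract


def _topic(addr: str) -> str:  # left-pad an address to a 32-byte topic
    return "0x" + addr[2:].rjust(64, "0")


def _word(n: int) -> str:      # encode a uint256 as 32-byte hex data
    return "0x" + format(n, "064x")


SAMPLE_LOGS = [  # a normal 1-token approval to a router, then an unlimited one to the drainer
    {"address": TOKEN, "topics": [APPROVAL_TOPIC, _topic(VICTIM), _topic(DEX_ROUTER)], "data": _word(10**18)},
    {"address": TOKEN, "topics": [APPROVAL_TOPIC, _topic(VICTIM), _topic(DRAINER)], "data": _word(MAX_UINT256)},
]
TRUSTED_SPENDERS = {DEX_ROUTER}
```

On a live wallet the same logic runs over `eth_getLogs` results filtered by `APPROVAL_TOPIC` and the owner's padded address; any flagged allowance should be revoked by calling `approve(spender, 0)` on the token.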
Scam Sniffer initially detected MS Drainer in March, with assistance from the SlowMist security platform team during the investigation. In June, on-chain investigator ZachXBT presented additional evidence, revealing a phishing scam named “Ordinal Bubbles” associated with the drainer. The investigators identified nine distinct phishing ads on Google, of which 60% were found to employ the malicious program.
Normally, Google’s ad auditing systems block phishing ads before they are published. However, Scam Sniffer found that the scammers used “regional targeting and page-switching tactics to bypass ad audits, complicating the review process,” which let their ads slip through Google’s quality controls.
The scammers also used web redirects to make Google users believe an ad linked to an official website. For example, the scam site cbridge.ceiler.network, which misspells “Celer,” impersonated the legitimate URL cbridge.celer.network: the ad displayed the correctly spelled domain, but clicking it redirected the user to the misspelled scam site.
Scam Sniffer reported the identification of 10,072 fraudulent sites utilizing MS Drainer. The drainer’s activity reached its peak in November but has since sharply declined to nearly zero. Throughout its operations, it siphoned $58.98 million worth of crypto from over 63,000 victims, as indicated by a Dune Analytics dashboard established to monitor its activities.
Upon further investigation, it was revealed that the developer of MS Drainer adopted an unconventional marketing approach. Unlike most wallet drainers that charge a percentage of scammers’ profits, this particular one was available for a flat fee of $1,499.99 on forums. Additionally, for those seeking additional features, the developer offered supplementary “modules” at prices such as $699.99, $999.99, or similar amounts.
Wallet drainers pose a notable challenge within the Web3 ecosystem. On November 26, the developer of the “Inferno” drainer declared its retirement, having successfully appropriated over $80 million from victims throughout its existence. In March, a similar announcement of retirement was made by the developer of “Monkey Drainer,” which had successfully stolen an estimated $13 million up to that point.