FreeDrain crypto hackers are watching you search for help.
When you think of cybercriminal actors watching you, maybe phishing threats such as Hello Pervert, where the attacker claims to know where you live and has proof to back it up, spring to mind. Or how about the ransomware gang that has been found to install employee monitoring software to watch victims at work? Recent reports even suggested that a quarter of Americans think someone is spying on their smartphone usage. But I’m more concerned with the hackers who watch what you are searching for in order to launch targeted attacks. I wrote about one such attack campaign on March 16, where MassJacker threat actors used people searching for pirated software as a means to get them to download malware. The latest attacks, however, involve crypto hackers exploiting people looking for help with their wallets and striking while they are at their most vulnerable. Here’s what you need to know about the FreeDrain campaign that security experts have warned is operating at an industrial scale.
FreeDrain Crypto Hackers Strike On An Industrial Scale
FreeDrain might not have made it onto the list of the world’s most prolific cybercrime actors, but I can’t help but think it’s only a matter of time.
Threat intelligence researchers initiated their investigation on May 12, 2024, following a plea for assistance from an individual who had discovered that 8 BTC, equivalent to approximately $500,000 at the time, had been stolen from their cryptocurrency wallet. Initially, it appeared to be a run-of-the-mill phishing attack, albeit employing a highly ranked search engine result to kickstart the attack. It soon became apparent it was far from the norm. Welcome to the vast and coordinated world of weaponized searches and crypto theft known as FreeDrain.
A joint report by Tom Hegel of SentinelOne’s Sentinel Labs team, alongside Kenneth Kinion and Sreekar Madabushi from Validin, has confirmed that FreeDrain is “an industrial-scale, global cryptocurrency phishing operation that has been stealing digital assets for years.”
Crypto Hackers Target The Vulnerable Searching For Help
The security researchers found that simple queries for help, such as asking how to check a specific crypto wallet’s balance, produced multiple malicious links on major search sites; they were not always on page one, but turned up “often within the first few result pages.” By following those links, which the investigators knew did not lead to legitimate websites, they encountered live phishing pages immediately. The attack chain, it seems, was a pretty straightforward one as these things go:
- Search for wallet-related queries.
- Click a high-ranking result.
- Land on a page displaying a screenshot of the legitimate wallet interface.
- Click on the image and get redirected to a phishing page that prompts for the wallet seed phrase.
- Arrive at the final phishing site, a near-perfect clone of the real wallet service, prompting the user to input their seed phrase.
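As an added illustration for defenders (this is not code from the report or the article), the scanner below checks a fetched page for the two traits the chain above describes: an image wrapped in a link that leaves the page’s host (the screenshot lure) and form text that asks for a seed phrase. The host names, sample HTML and the seed-phrase wording list are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Wording a seed-phrase prompt tends to use (assumption: a small starter list, extend as needed).
SEED_WORDS = re.compile(r"\b(seed|recovery|secret) phrase\b|\bmnemonic\b|\b(12|24)[- ]word\b", re.I)

class LurePageScanner(HTMLParser):
    """Spot an image wrapped in a link to another host (the screenshot lure) and form text asking for a seed phrase."""
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self._links = []             # hrefs of the <a> elements currently open
        self.offsite_image_links = []
        self.in_form = False
        self.form_text = []          # labels, names and placeholders seen inside forms
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            self._links.append(a.get("href") or "")
        elif tag == "img" and self._links:
            host = urlparse(self._links[-1]).hostname
            if host and host != self.page_host:   # exact match: a sibling subdomain still counts as off-site
                self.offsite_image_links.append(self._links[-1])
        elif tag == "form":
            self.in_form = True
        elif tag in ("input", "textarea") and self.in_form:
            self.form_text.extend(v for v in (a.get("name"), a.get("placeholder")) if v)
    def handle_endtag(self, tag):
        if tag == "a" and self._links:
            self._links.pop()
        elif tag == "form":
            self.in_form = False
    def handle_data(self, data):
        if self.in_form:
            self.form_text.append(data)

def classify(url, html):
    """Return the lure traits found on the page, e.g. ['seed-phrase-form']; [] for a clean page."""
    scanner = LurePageScanner(urlparse(url).hostname)
    scanner.feed(html)
    findings = []
    if scanner.offsite_image_links:
        findings.append("image-link-redirect")
    if SEED_WORDS.search(" ".join(scanner.form_text)):
        findings.append("seed-phrase-form")
    return findings

# Constructed sample pages and hosts (not real FreeDrain content).
LURE_HTML = '<h1>Check your wallet balance</h1><a href="https://phish.example.net/recover"><img src="shot.png"></a>'
PHISH_HTML = '<form action="/submit"><label>Enter your 12-word recovery phrase</label><textarea name="phrase"></textarea></form>'
BENIGN_HTML = '<a href="/docs"><img src="logo.png"></a><form><input name="q" placeholder="Search docs"></form>'
```

A page that trips either check is worth a closer look before anyone types a recovery phrase into it; a genuine wallet vendor’s help page needs neither trait.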
How the crypto hackers were able to pull off this search engine manipulation is as fascinating as it is concerning. “We identified several indexed URLs pointing back to high-ranking lure pages,” the report said, “and traced them to massive comment spam campaigns.” This isn’t new; it’s something called spamdexing that has been used to game SEO for years. The FreeDrain campaign, however, appeared to put it to very good use. “We found a Korean university photo album page with a single image uploaded over a decade ago,” the researchers said, “buried under 26,000 comments, nearly all of them containing spam links.” The end result was more than 200,000 unique malicious URLs in search results, and 38,000 FreeDrain subdomains hosting the phishing pages. I’ve said it before, and I will say it again: be careful what you search for. More importantly, be careful where some of those searches take you. If you want help concerning a particular crypto wallet, go to the vendor site directly and seek that help there.