Cybersecurity researchers have disclosed what they describe as an "industrial-scale, global cryptocurrency phishing operation" built to steal digital assets from cryptocurrency wallets over a period of several years.
The campaign has been codenamed FreeDrain by threat intelligence firms SentinelOne and Validin.
"FreeDrain uses SEO manipulation, free-tier web services (like gitbook.io, webflow.io, and github.io), and layered redirection techniques to target cryptocurrency wallets," the researchers said in a technical report.
"Victims search for wallet-related queries, click on high-ranking malicious results, land on lure pages, and are redirected to phishing pages that steal their seed phrases."
The scale of the campaign is reflected in the more than 38,000 distinct FreeDrain subdomains identified as hosting lure pages. These pages sit on cloud infrastructure such as Amazon S3 and Azure Web Apps and mimic legitimate cryptocurrency wallet interfaces.
The activity has been attributed with high confidence to individuals operating in the Indian Standard Time (IST) zone during standard weekday working hours, based on the timing of GitHub commits associated with the lure pages.
The attacks target users who search for wallet-related queries such as "Trezor wallet" on search engines including Google, Bing, and DuckDuckGo, steering them to fake landing pages hosted on gitbook.io, webflow.io, and github.io.
Unsuspecting users who land on these pages are shown a static screenshot of the legitimate wallet interface; clicking on it triggers one of three behaviors:
- Redirecting the user to a legitimate website
- Redirecting the user to other intermediary sites
- Sending the user to a phishing page that prompts them to enter their seed phrase, effectively draining their wallet
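The search-to-lure-to-phishing chain above leaves a recognisable trail in web proxy logs: a search-engine referrer, a landing host on a free-tier platform, a wallet brand or seed-phrase wording in the URL. The following triage script is an added example written for this article, not code from the SentinelOne/Validin report or from any vendor tooling. The log format, the sample lines, and the mapping of "Amazon S3" and "Azure Web Apps" to the `s3.amazonaws.com` and `azurewebsites.net` hostname suffixes are assumptions made here for illustration.

```python
import re
from urllib.parse import urlparse

# Free-tier and cloud hosts the report names as hosting lure pages. The S3 and
# Azure suffixes are an assumed hostname mapping, not taken from the report.
FREE_TIER_SUFFIXES = (".gitbook.io", ".webflow.io", ".github.io",
                      ".s3.amazonaws.com", ".azurewebsites.net")
# Wallet brands the campaign was seen impersonating.
WALLET_BRANDS = ("trezor", "coinbase", "metamask", "phantom", "bitbuy")
SEED_RE = re.compile(r"(seed|recovery|mnemonic)[-_ ]?(phrase|words?)", re.I)
SEARCH_ENGINES = ("google.", "bing.com", "duckduckgo.com")

# Constructed proxy log format: "<timestamp> <client_ip> <url> <referrer or ->"
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def score_url(url, referrer="-"):
    """Return (score, reasons) describing how closely a visit matches the FreeDrain pattern."""
    u = urlparse(url)
    host = (u.hostname or "").lower()
    path = (u.path + "?" + u.query).lower()
    reasons = []
    if any(host.endswith(s) for s in FREE_TIER_SUFFIXES):
        reasons.append("free-tier host")
    if any(b in host or b in path for b in WALLET_BRANDS):
        reasons.append("wallet brand in URL")
    if SEED_RE.search(host + path):
        reasons.append("seed-phrase wording")
    ref_host = (urlparse(referrer).hostname or "").lower() if referrer != "-" else ""
    if any(s in ref_host for s in SEARCH_ENGINES):
        reasons.append("arrived from search engine")
    return len(reasons), reasons

def flag_events(lines):
    """Parse log lines and return the visits worth an analyst's attention.

    A free-tier host alone is noise (plenty of legitimate docs live on github.io),
    so a hit requires the free-tier host plus a wallet brand or seed-phrase wording.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines rather than crash on them
        ts, client, url, referrer = m.groups()
        score, reasons = score_url(url, referrer)
        if "free-tier host" in reasons and (
            "wallet brand in URL" in reasons or "seed-phrase wording" in reasons
        ):
            hits.append({"ts": ts, "client": client, "url": url,
                         "score": score, "reasons": reasons})
    return hits

# Constructed sample log: two lure-chain visits from one client, two benign visits.
SAMPLE_LOG = """\
2025-05-08T09:12:01Z 10.0.0.5 https://trezor-wallet-setup.webflow.io/start https://www.google.com/search?q=trezor+wallet
2025-05-08T09:12:09Z 10.0.0.5 https://recovery-phrase-help.gitbook.io/metamask/enter-seed-phrase https://trezor-wallet-setup.webflow.io/start
2025-05-08T09:15:44Z 10.0.0.7 https://example.github.io/blog/post https://duckduckgo.com/?q=blog
2025-05-08T09:16:02Z 10.0.0.9 https://mail.example.com/inbox -
"""

if __name__ == "__main__":
    for hit in flag_events(SAMPLE_LOG.splitlines()):
        print(hit["ts"], hit["client"], hit["url"], hit["reasons"])
```

Run as-is to see the two flagged visits; in practice, point `flag_events` at the exported proxy or DNS log and add the client's subsequent requests to the review, since the seed-phrase form is usually one redirect further than the first lure host.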
"The entire flow is frictionless by design, blending SEO manipulation, familiar visual elements, and platform trust to lull victims into a false sense of legitimacy," the researchers said. "And once the seed phrase is submitted, the attacker's automated infrastructure drains the funds within minutes."
The textual content on the lure pages is believed to be generated with large language models such as OpenAI's GPT-4o, illustrating how threat actors are abusing generative AI (GenAI) tools to produce content at scale.
FreeDrain has also been observed flooding poorly maintained websites with thousands of spam comments to boost the visibility of its lure pages in search engine indexes, a technique known as spamdexing that is commonly used to game SEO.
Some aspects of the campaign were documented by Netskope Threat Labs as far back as August 2022, and as recently as October 2024, when the threat actors were found using Webflow to promote phishing sites masquerading as Coinbase, MetaMask, Phantom, Trezor, and Bitbuy.
"FreeDrain's reliance on free-tier platforms is not unique, and without better safeguards, these services will continue to be weaponized," the researchers noted.
"The FreeDrain network represents a modern blueprint for scalable phishing operations, one that thrives on free-tier platforms, evades traditional abuse detection methods, and adapts quickly to infrastructure takedowns."
The disclosure comes as Check Point Research said it uncovered a sophisticated phishing campaign that abuses Discord to target cryptocurrency users with Inferno Drainer.
The attacks lure victims into joining a malicious Discord server by hijacking expired vanity invite links, and they use Discord's OAuth2 authentication flow to evade automated detection of the malicious sites.
[Figure: count of domains shared between suspected and confirmed malicious URLs]
Between September 2024 and March 2025, Inferno Drainer is estimated to have compromised more than 30,000 unique wallets, causing at least $9 million in losses.
Inferno Drainer claimed to shut down its operations in November 2023, but the latest findings show the crypto drainer remains active, using single-use smart contracts and encrypted configurations to make detection harder.
"The attackers redirected users from a legitimate Web3 website to a fake Collab.Land bot and then to a phishing site, tricking them into signing malicious transactions," the company noted. "The drainer script deployed on this site was directly linked to Inferno Drainer."
"Inferno Drainer employs advanced anti-detection tactics, including single-use and short-lived smart contracts, on-chain encrypted configurations, and proxy-based communication, bypassing wallet security mechanisms and anti-phishing blacklists."
The findings also follow the discovery of a malvertising campaign that uses Facebook ads impersonating trusted cryptocurrency exchanges and trading platforms such as Binance, Bybit, and TradingView to lure users to sketchy websites that trick them into downloading a desktop client.
"Tracking-related query parameters from the Facebook ads are used to identify legitimate victims, while suspicious or automated analysis environments receive benign content," Bitdefender noted in a report shared with the publication.
"If the site detects suspicious conditions (for example, missing ad-tracking parameters or an environment typical of automated security analysis), it displays harmless content instead."
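The cloaking gate Bitdefender describes is exactly what an analyst should test for before concluding a landing page is benign: request the same URL under several personas and compare what comes back. The probe below is an added example written for this article, not Bitdefender's tooling or the malware's code. The persona definitions, the `fbclid` and `utm_source` parameter names, the HeadlessChrome user agent string, and the offline stand-in server are assumptions made here for illustration; the real gate's exact checks are not public on this page.

```python
import hashlib
from urllib.parse import urlencode, urlparse, parse_qs

BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0"
HEADLESS_UA = "Mozilla/5.0 (X11; Linux x86_64) HeadlessChrome/124.0"

# Probe personas. The report only says "ad-tracking parameters"; fbclid (Facebook's
# click identifier) and utm_source are assumed here as representative examples.
PERSONAS = {
    "ad_click": ({"fbclid": "IwAR0constructed", "utm_source": "facebook"}, BROWSER_UA),
    "no_params": ({}, BROWSER_UA),
    "headless_with_params": ({"fbclid": "IwAR0constructed"}, HEADLESS_UA),
}

def probe(fetch, base_url):
    """Fetch base_url once per persona and return {persona: sha256 prefix of body}.

    fetch(url, headers) -> bytes is injected so the same probe works against a live
    HTTP client or, as below, an offline stand-in.
    """
    digests = {}
    for name, (params, ua) in PERSONAS.items():
        url = base_url + ("?" + urlencode(params) if params else "")
        body = fetch(url, {"User-Agent": ua})
        digests[name] = hashlib.sha256(body).hexdigest()[:16]
    return digests

def is_cloaked(digests):
    """Different bodies for different personas is the signature of a cloaking gate."""
    return len(set(digests.values())) > 1

# --- Constructed offline stand-ins so the probe runs without network access. ---
BENIGN_PAGE = b"<html><body>Market news and price charts</body></html>"
LURE_PAGE = b"<html><body>Download the desktop client to start trading</body></html>"

def fake_cloaking_server(url, headers):
    """Models the gate described: tracking params present and no sign of automation -> lure."""
    q = parse_qs(urlparse(url).query)
    has_tracking = "fbclid" in q or "utm_source" in q
    looks_automated = "headless" in headers.get("User-Agent", "").lower()
    return LURE_PAGE if has_tracking and not looks_automated else BENIGN_PAGE

def fake_honest_server(url, headers):
    """A site with no cloaking returns the same body to everyone."""
    return BENIGN_PAGE

if __name__ == "__main__":
    for label, server in (("cloaking", fake_cloaking_server), ("honest", fake_honest_server)):
        d = probe(server, "https://ads-landing.example/start")
        print(label, d, "-> cloaked" if is_cloaked(d) else "-> consistent")
```

Against a live site, pass a real fetcher (for example a thin wrapper around `urllib.request` that returns the response body) and keep the ad's original click URL, including its parameters, as the `ad_click` persona; stripping the parameters is precisely what makes a sandbox look like a sandbox to this kind of gate.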
Once launched, the installer displays the landing page through msedge_proxy.exe to keep up the ruse, while additional payloads run silently in the background to collect system information or, when the collected data indicates a sandbox, execute a sleep command for "hundreds of hours on end."
The Romanian cybersecurity company said hundreds of Facebook accounts have been advertising these malware-hosting pages, mainly targeting men in Bulgaria and Slovakia.
"This campaign demonstrates a hybrid approach, combining front-end deception with a localhost-based malware service," it added. "By dynamically adapting to the victim's environment and continually updating payloads, the threat actors maintain a resilient, highly evasive operation."