Phishing Group Angel Drainer Steals Over $400,000 from Crypto Wallets
An infamous phishing group known as Angel Drainer has stolen more than $400,000 from 128 crypto wallets using a malicious Safe vault contract. The attack leaned on the verification flag that Etherscan automatically attaches to Safe contracts to make the malicious contract look trustworthy. Blockaid, a blockchain security firm, exposed the attack and its consequences.
Angel Drainer Targets Unsuspecting Users
The attack began on February 12, when Angel Drainer deployed a malicious Safe vault contract and phished 128 users into signing a Permit2 approval. As a result, $403,000 was stolen from these users.
“Today, our researchers discovered yet another emerging attack vector from the Angel Drainer group — this time phishing users and leading them to a single Safe Vault contract where 128 wallets have been drained of $403k+ so far. All Blockaid-protected users are safe.”
Exploiting Etherscan’s Verification Tool
Angel Drainer relied on the verification flag Etherscan applies to Safe contracts to make the contract appear safe and deceive victims. The flag masked the contract's malicious intent, and the attack succeeded. Anyone relying on that indicator should keep in mind that a verified label on Etherscan means only that published source code matches the deployed bytecode; it is not a judgement of what that code does. Blockaid clarified that this was not a direct attack on Safe and that Safe's user base was not significantly affected. Safe has been informed and is taking measures to limit any further consequences.
“This is not an attack on Safe […]. Rather, they decided to use this Safe vault contract because Etherscan automatically adds a verification flag to Safe contracts, which can provide a false sense of security as it’s unrelated to validating whether or not the contract is malicious.”
Identifying Angel Drainer
Angel Drainer is a notorious phishing group that has been active for about a year. Within that time it has stolen over $25 million from nearly 35,000 individual wallets. Notable attacks include the $484,000 Ledger Connect Kit hack and the EigenLayer restake farming attack, in which a maliciously crafted queueWithdrawal call allowed them to withdraw staking rewards from unsuspecting users.
“Because this is a new kind of approval method, most security providers or internal security tooling does not parse and validate this approval type. So in most cases, it’s marked as a benign transaction.”
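The Safe vault attack hinged on victims signing a Permit2 approval, and the quoted observation that security tooling often fails to parse newer approval types is exactly why a pre-signature check matters. As an added example, not code from Blockaid or from the original article, the following Python function inspects a Permit2 EIP-712 request (PermitSingle or PermitBatch) before it is signed and flags the pattern a drainer relies on: a spender the wallet has never dealt with, combined with an unlimited or long-lived allowance. The Permit2 contract address and the struct field names are assumed to follow Uniswap's published Permit2 contract; the spender allowlist, token addresses, timestamp and the two sample requests are constructed for illustration.

```python
"""Pre-signature check for Uniswap Permit2 EIP-712 requests.

Added example; not Blockaid's or the article's code. The Permit2 address and
the PermitSingle / PermitBatch field names are assumed to follow Uniswap's
published Permit2 contract; every address, timestamp and payload below is
constructed for illustration.
"""

# Assumed canonical Permit2 deployment address (lowercased for comparison).
PERMIT2_ADDRESS = "0x000000000022d473030f116ddee9f6b43ac78ba3"
MAX_UINT160 = (1 << 160) - 1   # PermitDetails.amount sentinel for "unlimited"
MAX_UINT48 = (1 << 48) - 1     # PermitDetails.expiration sentinel for "never"
SECONDS_PER_DAY = 86_400

# Constructed: a spender the wallet already trusts (e.g. a known DEX router).
KNOWN_SPENDERS = {"0x2222222222222222222222222222222222222222"}
NOW = 1_707_696_000  # constructed "current time": 2024-02-12 00:00 UTC


def permit_details(typed_data):
    """Return the PermitDetails entries of a PermitSingle or PermitBatch message."""
    primary = typed_data["primaryType"]
    message = typed_data["message"]
    if primary == "PermitSingle":
        return [message["details"]]
    if primary == "PermitBatch":
        return list(message["details"])
    raise ValueError(f"not a Permit2 allowance request: {primary}")


def assess_permit2(typed_data, now=NOW, known_spenders=KNOWN_SPENDERS, max_expiry_days=30):
    """Return (risk, findings) for a Permit2 signing request.

    risk is "high", "medium" or "low"; findings lists every flagged property.
    """
    findings = []
    domain = typed_data.get("domain", {})
    if domain.get("verifyingContract", "").lower() != PERMIT2_ADDRESS:
        # A Permit2-shaped message bound to some other contract is itself suspicious.
        findings.append("verifyingContract is not the canonical Permit2 address")

    message = typed_data["message"]
    spender = message["spender"].lower()
    if spender not in {s.lower() for s in known_spenders}:
        findings.append(f"unknown spender {spender}")

    details = permit_details(typed_data)
    if len(details) > 1:
        findings.append(f"batch permit covering {len(details)} tokens")
    for d in details:
        amount, expiration = int(d["amount"]), int(d["expiration"])
        if amount == MAX_UINT160:
            findings.append(f"unlimited allowance on token {d['token']}")
        if expiration == MAX_UINT48 or expiration - now > max_expiry_days * SECONDS_PER_DAY:
            findings.append(f"allowance on token {d['token']} lasts longer than {max_expiry_days} days")

    # The drainer pattern: a spender you have never dealt with asking for a broad
    # or long-lived allowance. Either half on its own only merits a warning.
    unknown = any(f.startswith("unknown spender") for f in findings)
    broad = any(f.startswith(("unlimited", "allowance on", "batch")) for f in findings)
    if unknown and broad:
        return "high", findings
    return ("medium" if findings else "low"), findings


def _details(token, amount, expiration, nonce="0"):
    """Build one PermitDetails entry with the string encoding wallets typically show."""
    return {"token": token, "amount": str(amount), "expiration": str(expiration), "nonce": nonce}


# Constructed: the shape of a drainer-style prompt; every token, unlimited, forever.
MALICIOUS_REQUEST = {
    "primaryType": "PermitBatch",
    "domain": {"name": "Permit2", "chainId": 1, "verifyingContract": PERMIT2_ADDRESS},
    "message": {
        "details": [
            _details("0xaaaa000000000000000000000000000000000001", MAX_UINT160, MAX_UINT48),
            _details("0xaaaa000000000000000000000000000000000002", MAX_UINT160, MAX_UINT48),
        ],
        "spender": "0x1111111111111111111111111111111111111111",  # constructed, unknown
        "sigDeadline": str(NOW + 3600),
    },
}

# Constructed: a routine swap approval to a known router, bounded and short-lived.
BENIGN_REQUEST = {
    "primaryType": "PermitSingle",
    "domain": {"name": "Permit2", "chainId": 1, "verifyingContract": PERMIT2_ADDRESS},
    "message": {
        "details": _details("0xaaaa000000000000000000000000000000000001", 1_000_000_000, NOW + 7 * SECONDS_PER_DAY),
        "spender": "0x2222222222222222222222222222222222222222",
        "sigDeadline": str(NOW + 1800),
    },
}


if __name__ == "__main__":
    for name, req in (("malicious", MALICIOUS_REQUEST), ("benign", BENIGN_REQUEST)):
        risk, findings = assess_permit2(req)
        print(f"{name}: {risk}", *findings, sep="\n  ")
```

The check deliberately looks at the signed message rather than at any on-chain transaction: a Permit2 approval is an off-chain signature, so a tool that only simulates transactions never sees it. Tuning the spender allowlist and the expiry window to the wallet's own history is what turns this from a generic warning into a useful gate.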
Increasing Phishing Attacks
The number of phishing attacks targeting crypto and web3 users has been steadily rising. In January alone, over 40,000 users fell victim to these attacks on platforms such as OpenSea, zkSync, Manta Network, Optimism, and SatoshiVM. Scam Sniffer data shows that these attacks resulted in a combined loss of over $55 million.