‘MS Drainer’ scammers used Google Ads to swipe $59M in crypto: Report

The scammers used fake sites associated with popular Web3 brand names, including Zapper, Lido, and DefiLlama.

Scammers used a wallet draining service called “MS Drainer” to siphon approximately $59 million in crypto from victims over the past nine months, according to a Dec. 21 report on X (formerly Twitter) from blockchain security platform Scam Sniffer. The scammers used Google Ads to target victims with fake versions of popular crypto sites, including Zapper, Lido, Stargate, DefiLlama, Orbiter Finance and Radient, the report states.

Wallet drainers are malicious scripts, typically backed by smart contracts, that move crypto out of a victim's wallet and into the attacker's. They usually work by tricking the victim into signing a transaction that abuses the token approval process, such as an unlimited ERC-20 allowance or a blanket NFT operator approval granted to the attacker's contract, rather than by stealing the private key. Developers usually charge a percentage of the stolen funds in exchange for using their drainer software, and this fee is enforced on-chain through the drainer's smart contracts, so the scammers cannot avoid paying it.
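The approval abuse described above is what a wallet or a browser extension has to catch before the user signs. The following is an added example, not code from the article or from Scam Sniffer, that decodes the calldata of a transaction a dApp asks the wallet to sign and flags the patterns drainers rely on: an approval to an unknown spender and an unlimited allowance. The selectors are the standard ERC-20/ERC-721 ones; the drainer and router addresses are made-up placeholders, and the article does not describe MS Drainer's actual contract interface.

```python
# Added example (not from the Scam Sniffer report or the article): decode the
# calldata of an EVM transaction a dApp asks the wallet to sign and flag the
# approval patterns drainers rely on. Selectors are the standard 4-byte values
# (first 4 bytes of keccak256 of the signature); sample calldata is constructed.

MAX_UINT256 = (1 << 256) - 1

# 4-byte function selectors for the approval-related ERC-20/ERC-721 functions.
SELECTORS = {
    "095ea7b3": "approve(address,uint256)",
    "a22cb465": "setApprovalForAll(address,bool)",
    "23b872dd": "transferFrom(address,address,uint256)",
}

def _word(data: bytes, i: int) -> bytes:
    """Return the i-th 32-byte ABI word after the 4-byte selector."""
    start = 4 + 32 * i
    chunk = data[start:start + 32]
    if len(chunk) != 32:
        raise ValueError("calldata truncated")
    return chunk

def _addr(word: bytes) -> str:
    """Addresses are right-aligned in a 32-byte word; keep the low 20 bytes."""
    return "0x" + word[12:].hex()

def decode_calldata(calldata: str) -> dict:
    """Decode approve / setApprovalForAll / transferFrom calldata into a dict."""
    data = bytes.fromhex(calldata[2:] if calldata.startswith("0x") else calldata)
    sig = SELECTORS.get(data[:4].hex())
    if sig is None:
        return {"function": None}
    if sig.startswith("approve"):
        return {"function": "approve", "spender": _addr(_word(data, 0)),
                "amount": int.from_bytes(_word(data, 1), "big")}
    if sig.startswith("setApprovalForAll"):
        return {"function": "setApprovalForAll", "operator": _addr(_word(data, 0)),
                "approved": int.from_bytes(_word(data, 1), "big") == 1}
    return {"function": "transferFrom", "from": _addr(_word(data, 0)),
            "to": _addr(_word(data, 1)), "amount": int.from_bytes(_word(data, 2), "big")}

def assess(calldata: str, trusted_spenders: set[str]) -> list[str]:
    """Return the warnings a wallet should show before the user signs."""
    d = decode_calldata(calldata)
    warnings = []
    if d["function"] == "approve":
        spender = d["spender"].lower()
        if spender not in trusted_spenders:
            warnings.append(f"approval to unrecognised spender {spender}")
        if d["amount"] == MAX_UINT256:
            warnings.append("unlimited allowance: spender can transferFrom the full balance at any time")
    elif d["function"] == "setApprovalForAll" and d["approved"]:
        operator = d["operator"].lower()
        if operator not in trusted_spenders:
            warnings.append(f"setApprovalForAll grants {operator} control of every NFT in this collection")
    return warnings

def encode_approve(spender: str, amount: int) -> str:
    """Build approve(spender, amount) calldata; used here only to construct samples."""
    s = bytes.fromhex(spender[2:]).rjust(32, b"\0")
    a = amount.to_bytes(32, "big")
    return "0x095ea7b3" + s.hex() + a.hex()

# Constructed sample addresses: a hypothetical drainer contract and a hypothetical
# legitimate DEX router that the wallet already recognises.
DRAINER = "0x1111111111111111111111111111111111111111"
ROUTER = "0x2222222222222222222222222222222222222222"
TRUSTED = {ROUTER}

if __name__ == "__main__":
    for cd in (encode_approve(DRAINER, MAX_UINT256), encode_approve(ROUTER, 10**18)):
        print(decode_calldata(cd), assess(cd, TRUSTED))
```

The first sample is what a drainer page typically asks for: an unlimited allowance to an address the wallet has never seen, which is enough for the attacker to call transferFrom later from a contract the victim never interacts with directly. The second, a bounded allowance to a known router, produces no warning. A real wallet would also need to cover EIP-2612 permit signatures and off-chain signed orders, which grant the same rights without any on-chain approve call.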

Related: Pink, Pussy, Venom, Inferno — Drainers coming for a crypto wallet near you

Scam Sniffer first became aware of MS Drainer in March. At the time, the SlowMist security platform team helped with the investigation. In June, on-chain sleuth ZachXBT provided further evidence, uncovering a phishing scam called “Ordinal Bubbles” that was linked to the drainer. The investigators uncovered nine different phishing ads on Google, roughly 60% of which were using MS Drainer.

Under normal circumstances, Google uses auditing systems to prevent phishing scam ads from being posted. However, Scam Sniffer found that the scammers used “regional targeting and page-switching tactics to bypass ad audits, complicating the review process” and allowing their ads to get through Google’s quality control systems.

The scammers also used web redirects to fool Google’s users into thinking links led to official websites. For example, the scam site cbridge.ceiler.network, which contains a misspelling of the word “Celer,” was disguised as the correct URL: cbridge.celer.network. Despite the correct spelling being displayed on the ad, the link nevertheless redirected the user to the incorrectly spelled scam site.

Example of an MS Drainer scam redirect. Source: Scam Sniffer
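The redirect trick above works because the domain shown in the ad and the domain the click lands on are different, and the landing domain is one character away from the real one. The following is an added example, not code from the article or from Scam Sniffer, of the check an ad reviewer or a browser extension can run: resolve both hostnames, flag a display/landing mismatch, and flag any landing host within a small edit distance of a known legitimate domain. Only cbridge.celer.network and cbridge.ceiler.network come from the article; the allow-list and the sample URLs are constructed for the example.

```python
# Added example (not from the article or Scam Sniffer): compare the domain an
# ad displays with the domain the click finally lands on, and flag lookalikes
# of known brand domains. The allow-list and sample URLs are constructed.
from urllib.parse import urlsplit

# Allow-list of legitimate hosts (constructed; a real list would be much longer).
KNOWN_DOMAINS = {"cbridge.celer.network"}

def host_of(url: str) -> str:
    """Lower-cased hostname with scheme, port, path and credentials stripped."""
    h = urlsplit(url).hostname
    if not h:
        raise ValueError(f"no host in {url!r}")
    return h.lower().rstrip(".")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small value between hostnames signals a typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_ad(display_url: str, landing_url: str, known=KNOWN_DOMAINS, max_dist=2) -> list[str]:
    """Return findings for an ad given its displayed URL and its final landing URL."""
    findings = []
    shown, landed = host_of(display_url), host_of(landing_url)
    if landed in known:
        return findings  # landed on a legitimate host, nothing to report
    if shown != landed:
        findings.append(f"display/landing mismatch: ad shows {shown}, user lands on {landed}")
    for good in known:
        d = edit_distance(landed, good)
        if 0 < d <= max_dist:
            findings.append(f"{landed} is {d} edit(s) from legitimate {good}")
    return findings

if __name__ == "__main__":
    # Constructed landing path; the hostnames mirror the case in the article.
    for f in check_ad("https://cbridge.celer.network/", "https://cbridge.ceiler.network/bridge"):
        print(f)
```

The landing URL has to be the host reached after following every redirect, which is exactly what the regional targeting and page-switching described above try to hide from a reviewer: the same ad can land on the legitimate site for an auditor's IP range and on the lookalike for everyone else, so the check has to be run from the victim's vantage point, not only from the reviewer's.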

Scam Sniffer reported that it found 10,072 fake sites that used MS Drainer. The drainer’s activity peaked in November and has since declined to near zero. During the course of its operations, it drained $58.98 million worth of crypto from over 63,000 victims, according to a Dune Analytics dashboard that was set up to track it.

Further investigation revealed that the developer of MS Drainer employed an unusual marketing strategy. While most wallet drainers charge a percentage of scammers’ profits, this one was sold on forums for a flat fee of $1,499.99. If a scammer wanted more features, the developer provided them with additional “modules” for $699.99, $999.99 or similar sums.

Advertisement for MS Drainer. Source: Scam Sniffer

Wallet drainers have become a significant problem in the Web3 ecosystem. On Nov. 26, the developer of the “Inferno” drainer claimed to be retiring it after successfully stealing more than $80 million from victims during the software’s lifetime. In March, a similar announcement of retirement was made by the developer of “Monkey Drainer,” which had successfully stolen an estimated $13 million up to that point.