Reportedly, over $400,000 was stolen from 128 cryptocurrency wallets by the infamous phishing group Angel Drainer using a new attack vector that utilized Etherscan’s verification utility to obscure the malicious nature of a smart contract.
Angel Drainer initiated the attack at 6:40 a.m. on February 12 by deploying a malicious Safe (formerly Gnosis Safe) vault contract, according to a February 13 X post by blockchain security firm Blockaid.
After 128 accounts signed a “Permit2” transaction on the Safe vault contract, $403,000 in funds was stolen.
Blockaid stated that the scammers used a Safe vault contract to create a “false sense of security,” because Etherscan automatically appends a verification flag to Safe contracts.
Blockaid emphasized that its user base had not been “significantly impacted” and that the incident was not a direct attack on Safe. The security firm said it had notified Safe of the attack and was working to prevent additional damage.
“This is not an attack on Safe […] rather they decided to use this Safe vault contract because Etherscan automatically adds a verification flag to Safe contracts, which can provide a false sense of security as it’s unrelated to validating whether or not the contract is malicious.”
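A Permit2 signing request like the one described above can be parsed and judged on its spender and grants, not on an explorer's verification flag. The sketch below is an added example, not Blockaid's or Safe's code; the struct names follow Uniswap Permit2's EIP-712 types, while `reviewSignRequest`, the allowlist and the sample request (abbreviated, with placeholder addresses) are constructed for illustration.

```javascript
// Added example: classify an eth_signTypedData_v4 payload before the user signs.
const PERMIT2_TYPES = new Set([
  "PermitSingle", "PermitBatch", "PermitTransferFrom", "PermitBatchTransferFrom",
]);
const MAX_UINT160 = (1n << 160n) - 1n; // largest allowance a PermitDetails can carry

// Normalise PermitSingle/PermitBatch ("details") and Permit*TransferFrom
// ("permitted") into a flat list of { token, amount } grants.
function extractGrants(message) {
  const raw = message.details ?? message.permitted ?? [];
  return (Array.isArray(raw) ? raw : [raw]).map((g) => ({
    token: String(g.token).toLowerCase(),
    amount: BigInt(g.amount),
  }));
}

// trustedSpenders: Set of lowercase addresses the user has chosen to trust.
// explorerVerified is accepted only to show it never lowers the risk rating.
function reviewSignRequest(typedData, trustedSpenders, explorerVerified = false) {
  if (!PERMIT2_TYPES.has(typedData.primaryType)) {
    return { kind: "other", risk: "unknown", reasons: ["not a Permit2 approval type"] };
  }
  const spender = String(typedData.message.spender).toLowerCase();
  const grants = extractGrants(typedData.message);
  const reasons = [];
  if (!trustedSpenders.has(spender)) reasons.push(`spender ${spender} is not allowlisted`);
  if (grants.some((g) => g.amount >= MAX_UINT160)) reasons.push("unlimited amount requested");
  if (grants.length > 1) reasons.push(`${grants.length} tokens granted in one signature`);
  if (explorerVerified && reasons.length) {
    reasons.push("explorer verification flag says nothing about intent");
  }
  return { kind: "permit2", spender, grants, risk: reasons.length ? "high" : "low", reasons };
}

// Constructed sample: a batch approval to an unknown but "verified" spender.
const SAMPLE_REQUEST = {
  primaryType: "PermitBatch",
  domain: { name: "Permit2", chainId: 1 },
  message: {
    details: [
      { token: "0x" + "11".repeat(20), amount: MAX_UINT160.toString(), expiration: 0, nonce: 0 },
      { token: "0x" + "22".repeat(20), amount: "5000000", expiration: 0, nonce: 0 },
    ],
    spender: "0x" + "AA".repeat(20),
    sigDeadline: "1707800000",
  },
};
console.log(reviewSignRequest(SAMPLE_REQUEST, new Set(), true));
```
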
Despite operating for only twelve months, Angel Drainer has reportedly drained more than $25 million from close to 35,000 wallets, according to a February 5 post on Blockaid’s X account.
The EigenLayer restake farming attack and the $484,000 Ledger Connect Kit breach are two of the most notable attacks Angel Drainer has mounted recently.
Blockaid explained that in the restake farming attack, Angel Drainer implemented a malicious queueWithdrawal function that, after users sign, would withdraw staking rewards to an address specified by the attackers.
“Because this is a new kind of approval method, most security providers or internal security tooling does not parse and validate this approval type. So in most cases it’s marked as a benign transaction.”
Scam Sniffer, a Web3 scam tracker, reports that in January an estimated 40,000 users across various platforms, including OpenSea, Optimism, zkSync, Manta Network, and SatoshiVM, fell victim to phishing attacks, resulting in a cumulative loss of $55 million.
The total is projected to exceed the $295 million recorded in 2023, as stated in Scam Sniffer’s 2023 Wallet Drainers Report.