Reportedly, over $400,000 was stolen from 128 cryptocurrency wallets by the infamous phishing group Angel Drainer using a new attack vector that utilized Etherscan’s verification utility to obscure the malicious nature of a smart contract.
Angel Drainer initiated the attack at 6:40 a.m. on February 12 by deploying a malicious Safe (formerly Gnosis Safe) vault contract, according to a blockchain security firm Blockaid’s February 13 X post.
Following the signature of 128 accounts on a “Permit2” transaction on the Safe Vault contract, $403,000 in funds was stolen.
Blockaid stated that the swindle artists utilized a Safe Vault contract to create a “false sense of security,” given that Etherscan verifies the contract’s legitimacy automatically by appending a verification flag.
Blockaid emphasized that its user base had not been “significantly impacted” and that the incident was not a direct assault on Safe. In addition to notifying Safe of the assault, the security firm stated it was attempting to prevent additional damage.
“This is not an attack on Safe […] rather they decided to use this Safe vault contract because Etherscan automatically adds a verification flag to Safe contracts, which can provide a false sense of security as it’s unrelated to validating whether or not the contract is malicious.”
Despite operating for only twelve months, Angel Drainer has reportedly emptied more than $25 million from close to 35,000 wallets, according to a post on Blockaid’s X on February 5.
The EigenLayer restake farming attack and the $484,000 Ledger Connect Kit breach are two of the most notable attacks Angel Drainer has mounted recently.
Blockaid explained that in the restake farming attack, Angel Drainer implemented a malicious queueWithdrawal function that, after users sign, would withdraw staking rewards to an address specified by the attackers.
“Because this is a new kind of approval method, most security providers or internal security tooling does not parse and validate this approval type. So in most cases it’s marked as a benign transaction.”
Scam Sniffer, a Web3 scam tracker, reports that in January, an estimated 40,000 users across various platforms, including OpenSea, Optimism, zkSync, Manta Network, and SatoshiVM, unfortunately, encountered phishing assaults, resulting in a cumulative loss of $55 million.
The amount is projected to exceed the $295 million recorded in 2023, as stated in the 2023 Wallet Drainers Report by Scam Sniffer.
