School Kids are Stealing NFTs Worth Millions of Dollars to Purchase Roblox Skins


Being wary of journalists can be a good thing at times. Take the case of Orbiter Finance. A self-described journalist from a crypto news website contacted one of its Discord moderators last month and asked them to fill out a form. The moderator had no idea that this simple action would hand someone else control of their Discord server.

Once inside, the attacker locked the other admins out of the server and restricted community members' ability to post messages. Everyone who clicked on the phoney airdrop announcement was taken to a phishing website designed to steal their NFTs. The plan worked: the attacker quickly drained NFTs and tokens worth $1,000,000 while the team could only watch.

"We were so concerned," Gwen, a business development manager at Orbiter Finance, said in an interview. "If we cause any damage to [our community members], we will just lose their trust."

The Orbiter attack is only one of many recent incidents involving NFT drainers and compromised Discord servers or Twitter accounts. Data obtained by NFT researcher and security specialist OKHotshot shows that at least 900 Discord servers have been compromised for phishing campaigns since December 2021, with a noticeable uptick in the past three months.

According to statistics obtained by PeckShield and several dashboards on Dune Analytics by Scam Sniffer and others, such assaults have hit at least 32,000 victim wallets over the last nine months. Attackers have stolen NFTs and tokens worth a total of $73 million.

Culprits behind the attacks

These operations typically rely on a growing black market for drainer code. The people behind the phishing campaigns first go to Telegram and Discord, where they can find channels run by the developers of the various drainers.

They contact the developer and acquire the drainer, a bundle of code that can be embedded in a website, usually agreeing to hand the developer 20-30% of the proceeds. Then, using their own tactics, such as the fake journalist approach described above, they hijack a Discord server or Twitter account and promote a fake website carrying the drainer code in order to steal NFTs and whatever else they can get their hands on.

That is, when they are not preoccupied with homework.

"95% of them are kids below the age of 18 who are still in high school," said Plum, a pseudonymous security researcher who works on the trust and safety team at NFT marketplace OpenSea, adding that the frequency of attacks tends to spike around the summer holidays.

“I personally have talked to quite a few of them and know they’re still in school,” stated Plum. “I’ve seen pictures and videos of several of them from their schools. They talk about their teachers, how they’re failing their classes or how they need to do homework.”

These kids appear to make little effort to conceal their newfound wealth. “They'll buy a laptop, some phones, shoes and spend vast amounts of money on Roblox. They all play Roblox for the most part. So they'll buy the coolest gear for their Roblox avatar, video games, skins and things like that,” Plum added. 

Plum went on to say that they frequently buy gift cards with cryptocurrency on the gift card marketplace Bitrefill, spend thousands of dollars on Uber Eats, buy luxury clothes, pay individuals to do their homework for them, and even buy automobiles they can't drive yet. They also enjoy gambling. 

The exploiters try to cover their tracks by paying people in lower-income countries to register on exchanges with their own personal information, obscuring the trail when they cash out, according to Plum. Plum argues that, given how much evidence they leave behind, at least some of them would already have been arrested if law enforcement were interested in pursuing them.

Plum mused on why offenders believe they can get away with such crimes, saying that "they feel invincible, they have God mode — that no-one can touch them." 

While state actors such as North Korea also run phishing operations against NFT holders, Plum says they normally use their own drainers and have little connection with the drainers sold on these markets. The creators of the NFT drainers, who in some cases carry out attacks with their own tooling, are harder to pin down, but their pseudonymous profiles leave a distinctive trail.

The growing problem of NFT drainers

Monkey, one of the first NFT drainers, launched its Telegram channel in August, but it wasn't until October that it really got going. According to PeckShield, its code was used to steal 2,200 NFTs worth $9.3 million and an additional $7 million in tokens over the following months.

Monkey chose to retire on February 28th. Its creator stated in a parting message that "all young cyber criminals should not lose themselves in the pursuit of easy money," and advised its customers to switch to Venom, a competing drainer.

Venom was a worthy rival. It was another of the earliest drainers, and it was used to steal over 2,000 NFTs from over 15,000 victims over time. Customers of the drainer ran 530 phishing sites impersonating crypto projects such as Arbitrum, Circle, and Blur, netting a total of $29 million in NFTs, ether, and various other tokens.

While Venom was one of the first NFT drainers to go multichain, security experts say that effort failed miserably. Its drainer was, however, the first to be used to steal NFTs from the NFT marketplace Blur.

Inferno, which was used to steal $9.5 million from 11,000 victims, and Pussy, which was used to steal $14 million from 3,000 victims, were two other rivals. Customers of Angel, which started out on a Russian hacking forum, used it to steal $1 million in NFTs and various tokens from over 500 victims, most notably by compromising the Twitter account of the crypto wallet Zerion.

Across all of them, the drainers' mode of operation stays much the same, with a few tweaks here and there. Plum believes the solution lies in safety-oriented wallet extensions, which have proven effective at protecting wallets. It is also prudent to spread assets across multiple wallets and keep the bulk of them in cold storage.