Security researchers have discovered a new series of “crypto drainer” malware attacks that have stolen $59m from victims so far after luring them to phishing pages via Google and X (formerly Twitter) ads.
A crypto drainer is a type of malware that tricks the user into approving a transaction which then automatically drains their cryptocurrency wallets. Scam Sniffer revealed that one particular version, MS Drainer, was behind the new spate of attacks.
Victims are lured to phishing pages featuring the malware by clicking on Google and X ads linked to keywords from the DeFi world such as Zapper, Lido, Stargate, Defillama, Orbiter Finance and Radiant, the firm said.
These malicious ads were first detected in March and use several techniques to bypass ad audits, such as targeting only specific regions and using “redirect deception” to take users to phishing sites.
Read more on malicious advertising: Microsoft’s Bing AI Faces Malware Threat From Deceptive Ads
Scam Sniffer said it has observed around 10,000 phishing sites since March using drainers and claimed 60% of phishing ads on X take users to malware designed to steal their virtual currency.
MS Drainer in particular has stolen $59m from 63,210 victims over the past nine months, it said.
Scam Sniffer found the drainer for sale on a dark web forum. Unlike other similar malware that is fully managed, with developers charging a 20% fee, MS Drainer’s administrators sell the source code direct to all-comers.
The security vendor urged internet users to remain cautious when interacting with online advertising and demanded the ad industry up its game.
“As can be seen, advertising has become an important means for phishing scammers to reach their victims. By targeting specific audiences through Google search terms and the following base of X, they can select specific targets and launch continuous phishing campaigns at a very low cost,” it concluded.
“Combined with the utilization of domain spoofing and bypassing ad reviews, users are facing continuous phishing threats. Ad platforms need to enhance their verification processes to prevent malicious actors from exploiting their services.”