A notorious phishing group known as Angel Drainer is reported to have pilfered more than $400,000 from 128 cryptocurrency wallets, employing a novel attack approach that exploited the Etherscan verification tool to conceal the malicious nature of smart contracts. According to a post from blockchain security firm Blockaid dated February 13, the assault unfolded at 6:40 a.m. on February 12, as Angel Drainer deployed a malicious Safe (formerly Gnosis Safe) vault contract.
During the attack, 128 wallets proceeded to authorize "Permit2" transactions on the SafeVault contract, resulting in the illicit siphoning of $403,000 in funds. Blockaid highlighted the scammers' use of SafeVault contracts to impart a false sense of security, as Etherscan automatically affixes a verification flag, seemingly confirming the contract's legitimacy.
It is emphasized that the incident did not directly target Safe, and the platform's user base was not extensively impacted. Blockaid promptly notified Safe of the attack and is actively collaborating to mitigate further fallout. The security firm underscores that the selection of the SafeVault contract was strategic on the part of the attackers, exploiting Etherscan's verification feature to deceive unsuspecting users.
Angel Drainer, operating for just 12 months, has already managed to siphon over $25 million from nearly 35,000 wallets, according to Blockaid's findings. Notable incidents attributed to Angel Drainer include the $484,000 Ledger Connect Kit hack and the EigenLayer re-staking mining attack, both executed in recent months.
Blockaid explained that in the re-staking mining attack, Angel Drainer implemented a malicious queue withdrawal function that redirected staking rewards to an attacker-designated address once the user authorized it. Because of its novel approval method, the attack often evades detection by conventional security measures and is flagged as a benign transaction in many instances.
In January alone, approximately 40,000 users across platforms such as OpenSea, Optimism, zkSync, Manta Network, and SatoshiVM fell victim to phishing assaults, collectively suffering losses totaling $55 million, as per data from Web3 scam tracker Scam Sniffer. This figure is anticipated to surpass the $295 million recorded in 2023, according to Scam Sniffer's 2023 Wallet Churners Report.


















