Phishing Scammer Steals $1M in ETH and NFTs in a Day, Remains Active
In late October, on-chain investigator and crypto Twitter community member @ZachXBT notified his followers that a phishing scammer known as Monkey Drainer had stolen the equivalent of 700 ETH worth around $1 million at the time and several NFTs in 24 hours.
One victim of Monkey Drainer lost $370k in digital assets. A second victim lost several NFTs, including 1 BAYC, 1 CloneX, 36k USDC, and 12 other NFTs worth $150k. A third victim almost lost the $6.2 million worth of crypto in their wallet, but only $220k was stolen because they managed to reject the additional malicious transactions.
Monkey Drainer Uses Malicious Phishing Websites Promoted on Twitter to Drain Wallets
@ZachXBT added that the phishing scammer had exceeded 7,300 transactions from their drainer wallet after only being active for a few months. He explained that Monkey Drainer had managed to amass such a large amount in stolen ETH and NFTs by tricking victims into signing transactions on malicious phishing sites promoted on Twitter, such as the ones below.
Two examples of malicious sites promoted on Twitter. Source, @ZachXBT
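The article describes the drainer's mechanism only as tricking victims into signing transactions on a phishing site. The following is an added example, not code from the article, from @ZachXBT or from any wallet vendor, showing the check a wallet or browser extension can run on a JSON-RPC request before the user signs it: it decodes the calldata by its four-byte selector and flags the call shapes generally associated with wallet drainers (unlimited ERC-20 `approve`, ERC-721 `setApprovalForAll`, direct transfers, and the raw `eth_sign` method). The page does not say which of these Monkey Drainer used; that list is general knowledge, not a fact about this incident. The selectors are the standard ERC-20/ERC-721 ones, and the sample requests, addresses and the `trusted` set are constructed for the example.

```javascript
// Added example, not code from the article or from any wallet project.
// Inspects a JSON-RPC request the way a wallet could before asking the user
// to sign. Selectors are the first 4 bytes of keccak256 of the standard
// ERC-20/ERC-721 function signatures. Sample requests below are constructed.
const SELECTORS = {
  "0x095ea7b3": { name: "approve(address,uint256)", kind: "erc20-approve" },
  "0x39509351": { name: "increaseAllowance(address,uint256)", kind: "erc20-approve" },
  "0xa22cb465": { name: "setApprovalForAll(address,bool)", kind: "nft-approve-all" },
  "0xa9059cbb": { name: "transfer(address,uint256)", kind: "transfer" },
  "0x23b872dd": { name: "transferFrom(address,address,uint256)", kind: "transfer" },
  "0x42842e0e": { name: "safeTransferFrom(address,address,uint256)", kind: "transfer" },
};
// Allowances at or above this are treated as "unlimited" (max uint256 and similar).
const UNLIMITED_THRESHOLD = 1n << 255n;

// Split ABI-encoded calldata into the 4-byte selector and 32-byte argument words.
function splitCalldata(data) {
  const hex = String(data).toLowerCase().replace(/^0x/, "");
  if (hex.length < 8 || (hex.length - 8) % 64 !== 0 || /[^0-9a-f]/.test(hex)) {
    throw new Error("calldata is not well-formed ABI encoding");
  }
  const words = [];
  for (let i = 8; i < hex.length; i += 64) words.push(hex.slice(i, i + 64));
  return { selector: "0x" + hex.slice(0, 8), words };
}
const wordToAddress = (w) => "0x" + w.slice(24); // address is the low 20 bytes of the word
const wordToUint = (w) => BigInt("0x" + w);

// Classify one transaction's calldata. `trusted` holds lower-case addresses
// (marketplace or router contracts) the user has already vetted.
function assessCalldata(data, trusted = new Set()) {
  const { selector, words } = splitCalldata(data);
  const known = SELECTORS[selector];
  if (!known) {
    return { selector, fn: null, counterparty: null, risk: "unknown",
             reasons: ["unrecognised selector; decode it before signing"] };
  }
  const reasons = [];
  let risk = "low";
  let counterparty;
  if (known.kind === "erc20-approve") {
    counterparty = wordToAddress(words[0]);
    if (wordToUint(words[1]) >= UNLIMITED_THRESHOLD) { risk = "high"; reasons.push("unlimited token allowance"); }
  } else if (known.kind === "nft-approve-all") {
    counterparty = wordToAddress(words[0]);
    if (wordToUint(words[1]) !== 0n) { risk = "high"; reasons.push("operator gains control of every token in the collection"); }
  } else {
    // transfer(to, amount) has 2 words; transferFrom/safeTransferFrom(from, to, id) have 3
    counterparty = wordToAddress(words.length === 3 ? words[1] : words[0]);
    risk = "medium"; reasons.push("moves assets out of the wallet immediately");
  }
  if (!trusted.has(counterparty)) {
    reasons.push("counterparty " + counterparty + " is not on the trusted list");
    if (risk === "low") risk = "medium";
  }
  return { selector, fn: known.name, counterparty, risk, reasons };
}

// Classify a whole wallet request as the dApp sends it.
function assessRequest(req, trusted = new Set()) {
  if (req.method === "eth_sign") {
    return { risk: "high", reasons: ["eth_sign signs raw data the wallet cannot display; refuse it on untrusted sites"] };
  }
  if (req.method === "eth_sendTransaction") {
    const tx = req.params[0];
    if (!tx.data || tx.data === "0x") return { risk: "medium", reasons: ["sends ETH to " + tx.to + "; verify the recipient"] };
    return assessCalldata(tx.data, trusted);
  }
  return { risk: "unknown", reasons: ["method " + req.method + " is not handled here"] };
}

// Constructed sample requests a phishing page might send (not real captures).
const OPERATOR = "0x1111111111111111111111111111111111111111"; // hypothetical drainer address
const word = (hex) => hex.replace(/^0x/, "").padStart(64, "0");
const SAMPLES = [
  { method: "eth_sendTransaction", // setApprovalForAll(OPERATOR, true) on an NFT collection
    params: [{ to: "0x2222222222222222222222222222222222222222", data: "0xa22cb465" + word(OPERATOR) + word("1") }] },
  { method: "eth_sendTransaction", // approve(OPERATOR, 2**256 - 1) on an ERC-20 token
    params: [{ to: "0x3333333333333333333333333333333333333333", data: "0x095ea7b3" + word(OPERATOR) + "f".repeat(64) }] },
  { method: "eth_sign", params: ["0x4444444444444444444444444444444444444444", "0xdeadbeef"] },
];
for (const s of SAMPLES) console.log(s.method, assessRequest(s));
```

The point of the check is that the prompt a phishing site triggers looks like any other wallet confirmation; what distinguishes it is the decoded call (an approval granting a third party control over a whole collection or an unlimited token balance, to an address the user has never dealt with), so the decision has to be made on the decoded calldata, not on the site's branding.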
Monkey Drainer is Part of a Scammer Chat Group
Furthermore, @ZachXBT pointed out that Monkey Drainer was part of a scammer chat group on what looked like Telegram messenger. He provided the following screenshot of a conversation within the chat after Monkey Drainer stole several NFTs and attempted to sell them on OpenSea.
Monkey Drainer posting his gains in a scammer chat group. Source, @ZachXBT
Monkey Drainer Remains Active
Four Ethereum addresses linked to Monkey Drainer have since been flagged. Most of Monkey Drainer’s heists have been linked to the following two Ethereum addresses by @ZachXBT.
A quick check on Etherscan reveals that the second address currently holds 522 ETH worth an estimated $828k. Furthermore, the Monkey Drainer wallet remains active, with incoming transactions suggesting that more crypto and NFT holders continue to fall victim to their ways.
Recent transactions suggest Monkey Drainer remains active. Source, Etherscan
The team at Wallet Guard has also spotted other recently created fake minting sites that use Monkey Drainer on the backend. The Wallet Guard team recommended that crypto and NFT owners ‘be very careful with new projects right now.’
Google Searches Display Crypto Phishing Sites – CZ
Fake phishing websites are not limited to Twitter, as they have found their way to the top of Google search results related to cryptocurrencies and NFTs.
In an October 27th Tweet, Binance founder and CEO Changpeng Zhao (CZ) warned his followers that Google searches for CoinMarketCap were yielding phishing sites at the top of the results. He said:
Google displays phishing sites when users search CMC. This affects users adding smart contract addresses to MetaMask using these phishing sites. We are trying to contact Google for this, and in the meantime alerting users about this through social channels.
Phishing Scams Continue to Evolve
News of the Monkey Drainer phishing incidents and of Google still displaying phishing sites at the top of search results comes less than a week after users of the 3Commas trading bot were themselves victims of phishing through fake websites.
In the latter case, the fake websites posed as the 3Commas platform and managed to capture API trading keys that were then used to incur heavy trading losses on their owners on the FTX crypto exchange.
Phishing remains the attackers' preferred method of exploiting crypto and NFT investors. According to a report by blockchain security firm CertiK, an estimated $2 billion worth of digital assets was stolen in Q1 and Q2 of 2022. Phishing attacks also increased by 170% between the two quarters, with social media platforms identified as the major pain point for Web3 projects. Additionally, the report forecast that 2022 would see a 223% increase in the funds lost to such attacks compared to 2021.
How to Stay Vigilant and Protect Yourself from Phishing Scams
The phishing scams mentioned above have one thing in common: they all rely on social engineering, either tricking the victim into signing a malicious transaction or persuading them to hand over credentials such as API keys that can then be used to steal digital assets.
Scammers keep refining their con, and it is up to crypto and NFT owners to stay a step ahead with measures such as the following:
- Never trust an airdrop or NFT mint sent via DM on Twitter, Discord, Telegram, or any other social media platform.
- Watch for modified handles/usernames that imitate legitimate projects or individuals on Twitter, Telegram, and Discord and promote fake airdrops and NFT mints.
- Spread your digital assets across several wallets, with part of your holdings in cold storage, so that one compromised wallet does not cost you everything.
- Keep your crypto wallet software updated so it carries the latest security fixes.
- Do not assume a site is legitimate because it ranks at the top of Google search results.
- Double-check website addresses and email addresses to confirm they belong to the legitimate source.
- Consider a privacy-focused search engine other than Google, such as DuckDuckGo.com, SwissCows.com, or Gibiru.com.
- Keep up to date with the new ways phishing attacks are being carried out.
- Use a VPN regularly.
- Use the OMNIA Protocol to generate secure endpoints when accessing the blockchain; OMNIA provides a tutorial for generating a secure RPC endpoint and a guide to additional configurations.
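Two of the recommendations above, watching for modified handles that imitate legitimate projects and double-checking website addresses, come down to the same comparison: is this name a lookalike of one I already trust? The following is an added example, not code from the article or from any of the projects it names, that performs that comparison for both hostnames and social handles: it normalises the name, folds common confusable characters (digits for letters, Cyrillic for Latin, "rn" for "m") into a skeleton, checks for a trusted brand planted in a subdomain or glued into the registrable name, and applies an edit-distance threshold for typosquats. The trusted lists, the confusables table, the thresholds and the sample names are all constructed for the example; the registrable-domain step assumes a single-label public suffix (so co.uk-style suffixes are not handled), and an IDN host must be passed in Unicode form rather than as its xn-- encoding.

```javascript
// Added example, not code from the article or any project it mentions.
// Flags hostnames and handles that imitate a known name. All lists and
// samples below are constructed for the example.
const KNOWN_DOMAINS = ["coinmarketcap.com", "opensea.io", "3commas.io"];
const KNOWN_HANDLES = ["opensea", "zachxbt", "coinmarketcap"];

// Substitutions that read the same at a glance: [lookalike, what it imitates].
// Multi-character entries come first so "rn" is folded before "n" is compared.
const CONFUSABLES = [
  ["rn", "m"], ["vv", "w"], ["0", "o"], ["1", "l"], ["3", "e"], ["5", "s"],
  ["\u0131", "i"], ["\u03bf", "o"], ["\u0430", "a"], ["\u0435", "e"],
  ["\u043e", "o"], ["\u0440", "p"], ["\u0441", "c"], ["\u0455", "s"],
];

// Reduce a name to the ASCII it is trying to look like.
function skeleton(name) {
  let s = name.normalize("NFKC").toLowerCase();
  for (const [look, real] of CONFUSABLES) s = s.split(look).join(real);
  return s;
}

// Standard edit distance (insert, delete, substitute), single rolling row.
function levenshtein(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0];
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j];
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1, diag + (a[i - 1] === b[j - 1] ? 0 : 1));
      diag = tmp;
    }
  }
  return prev[b.length];
}

// Assumption: the public suffix is one label (com, io, xyz); co.uk-style suffixes are not handled.
function registrableDomain(host) {
  return host.split(".").slice(-2).join(".");
}

function checkDomain(hostRaw) {
  const host = hostRaw.toLowerCase().replace(/\.$/, "");
  const labels = host.split(".");
  const reg = registrableDomain(host);
  if (KNOWN_DOMAINS.includes(reg)) return { verdict: "known", host, matches: reg };
  for (const known of KNOWN_DOMAINS) {
    const brand = known.split(".")[0];
    // coinmarketcap.com.login-verify.xyz: the brand is a subdomain of someone else's domain
    if (labels.slice(0, -2).includes(brand)) return { verdict: "brand-in-subdomain", host, matches: known };
    // c0inmarketcap.com or a Cyrillic "о": identical once confusables are folded
    if (skeleton(reg) === skeleton(known)) return { verdict: "homoglyph", host, matches: known };
    // opensae.io, coinmarketcap.co: within two edits of the real name
    if (levenshtein(reg, known) <= 2) return { verdict: "typosquat", host, matches: known };
    // 3commas-app.io: the brand glued into a different registrable name
    if (labels[labels.length - 2].includes(brand)) return { verdict: "brand-in-name", host, matches: known };
  }
  return { verdict: "unrelated", host, matches: null };
}

function checkHandle(handleRaw) {
  const handle = handleRaw.replace(/^@/, "").toLowerCase();
  if (KNOWN_HANDLES.includes(handle)) return { verdict: "known", handle, matches: handle };
  for (const known of KNOWN_HANDLES) {
    if (skeleton(handle) === skeleton(known)) return { verdict: "homoglyph", handle, matches: known };
    if (levenshtein(handle, known) <= 1) return { verdict: "typosquat", handle, matches: known };
    // opensea_support, official_opensea: the real name with a reassuring prefix or suffix
    if (handle.startsWith(known) || handle.endsWith(known)) return { verdict: "brand-affixed", handle, matches: known };
  }
  return { verdict: "unrelated", handle, matches: null };
}

// Constructed samples, not real phishing indicators.
for (const h of ["www.coinmarketcap.com", "c0inmarketcap.com", "coinmarketcap.com.wallet-verify.xyz", "opensae.io", "3commas-app.io"]) {
  console.log(h, checkDomain(h));
}
for (const h of ["@ZachXBT", "@0pensea", "@zachxbt_", "@opensea_support"]) console.log(h, checkHandle(h));
```

The order of the checks matters: the literal match on the registrable domain runs first so a legitimate subdomain (www.coinmarketcap.com) is never flagged, and the homoglyph and edit-distance checks run before the substring check so a near-exact copy is reported as the more specific verdict. A browser extension or a warning bot for a Discord server would call `checkDomain` on every link before it is opened and `checkHandle` on the sender of any "airdrop" or "mint" DM.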