CyberSecurity news

Source: cyberpress.org
A joint investigation by SentinelLABS and Validin has exposed an industrial-scale cryptocurrency phishing operation tracked as "FreeDrain." The network has been siphoning digital assets for years by abusing free publishing platforms: it combines aggressive SEO manipulation, free-tier web services such as gitbook.io, webflow.io and github.io, and layered redirection to lure victims. The operation's goal is to steal cryptocurrency wallet login credentials and seed phrases. A seed phrase is enough to restore a wallet on an attacker-controlled device, which is why theft of the phrase is typically followed by rapid fund exfiltration.

FreeDrain operators achieve high search rankings by creating more than 38,000 malicious subdomains on trusted platforms, including Amazon S3 and Azure Web Apps; a subdomain inherits the reputation of its parent domain, so search engines rank its content far more readily than they would a freshly registered domain. These subdomains host lure pages rather than the phishing form itself: the pages typically carry AI-generated text and screenshots of legitimate wallet interfaces. When users search for wallet-related queries and land on a lure page, they are redirected through comment-spammed URLs on other sites and custom redirector domains to highly convincing phishing clones, keeping the credential-harvesting page separate from what the search engine indexed. The clones frequently include live chat widgets staffed by human operators who coach victims into submitting their credentials and seed phrases.

Researchers believe the operators are based in the UTC+05:30 timezone (Indian Standard Time) and work standard weekday hours. FreeDrain's effectiveness lies in its scale, its automation, and its avoidance of email as a delivery vector, which sidesteps the mail-gateway controls most phishing defenses rely on: victims are funneled from benign-seeming search queries straight to malicious pages ranked at the top of results on major search engines. Validin first became aware of FreeDrain on May 12, 2024, after a victim reported losing approximately 8 BTC (around $500,000 at the time) to a phishing site.
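The lure chain described above (free-tier subdomain, intermediary hops, phishing clone) can be hunted for in web proxy logs by stitching requests into referrer chains and flagging those that begin on a free-tier publishing host and end on an unrelated host whose URL looks like a wallet login or recovery page. The script below is an added example, not code from SentinelLABS, Validin or the article. The log lines, client addresses and hostnames are constructed; the free-tier list is taken from the platforms the article names (the exact S3 and Azure Web Apps host suffixes are assumptions), and the wallet keyword list is an assumption to be tuned to the wallets your users actually hold.

```python
"""Triage proxy logs for FreeDrain-style lure chains.

Added example: not code from SentinelLABS, Validin or the article.
Heuristic: a referrer chain that starts on a free-tier publishing
subdomain and, after one or more intermediary hops, lands on a
non-platform host whose URL looks like a wallet login/recovery page.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Platforms named in the article; the S3 and Azure suffixes are assumptions.
FREE_TIER_SUFFIXES = (
    ".gitbook.io",
    ".webflow.io",
    ".github.io",
    ".s3.amazonaws.com",
    ".azurewebsites.net",
)
SEARCH_ENGINES = ("www.google.com", "www.bing.com", "duckduckgo.com")
# Assumed keywords; tune to the wallet brands relevant to your users.
WALLET_KEYWORDS = ("wallet", "seed", "recover", "phrase")

# Constructed log lines: timestamp, client, method, URL, referrer ("-" if none).
SAMPLE_LOG = """\
2025-05-01T09:12:03Z 10.0.0.5 GET https://www.google.com/search?q=wallet+login ref=-
2025-05-01T09:12:07Z 10.0.0.5 GET https://secure-wallet-help.gitbook.io/docs/login ref=https://www.google.com/
2025-05-01T09:12:09Z 10.0.0.5 GET https://community-forum-example.org/post/123 ref=https://secure-wallet-help.gitbook.io/docs/login
2025-05-01T09:12:10Z 10.0.0.5 GET https://redir-example.net/go?id=42 ref=https://community-forum-example.org/post/123
2025-05-01T09:12:11Z 10.0.0.5 GET https://wallet-login-example.com/recover ref=https://redir-example.net/go?id=42
2025-05-01T10:00:00Z 10.0.0.9 GET https://www.google.com/search?q=install+guide ref=-
2025-05-01T10:00:05Z 10.0.0.9 GET https://docs-example.github.io/guide ref=https://www.google.com/
2025-05-01T10:00:09Z 10.0.0.9 GET https://docs-example.github.io/install ref=https://docs-example.github.io/guide
"""

LINE_RE = re.compile(r"^(\S+) (\S+) GET (\S+) ref=(\S+)$")


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def is_free_tier(host):
    return any(host.endswith(suffix) for suffix in FREE_TIER_SUFFIXES)


def parse_log(text):
    """Return (client, url, referrer-or-None) tuples in log order."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            _ts, client, url, ref = m.groups()
            events.append((client, url, None if ref == "-" else ref))
    return events


def build_chains(events):
    """Stitch each client's requests into referrer chains; keep only maximal ones."""
    by_client = defaultdict(list)
    for client, url, ref in events:
        by_client[client].append((url, ref))
    chains = []
    for client, reqs in by_client.items():
        latest_by_host = {}  # host -> chain that most recently reached it
        seen = []
        for url, ref in reqs:
            prev = latest_by_host.get(host_of(ref)) if ref else None
            chain = (prev or []) + [url]
            latest_by_host[host_of(url)] = chain
            seen.append(chain)
        for chain in seen:  # drop chains that are a prefix of a longer one
            if not any(len(o) > len(chain) and o[: len(chain)] == chain for o in seen):
                chains.append((client, chain))
    return chains


def flag_chain(chain):
    """Return a finding dict if the chain matches the lure pattern, else None."""
    hops = [u for u in chain if host_of(u) not in SEARCH_ENGINES]
    if len(hops) < 2:
        return None
    entry, landing = host_of(hops[0]), host_of(hops[-1])
    if not is_free_tier(entry) or is_free_tier(landing):
        return None
    if not any(k in hops[-1].lower() for k in WALLET_KEYWORDS):
        return None
    return {
        "from_search": host_of(chain[0]) in SEARCH_ENGINES,
        "entry": entry,
        "redirectors": [host_of(u) for u in hops[1:-1]],
        "landing": landing,
    }


def triage(log_text):
    """Run the heuristic over a log and return one finding per flagged chain."""
    findings = []
    for client, chain in build_chains(parse_log(log_text)):
        finding = flag_chain(chain)
        if finding:
            findings.append(dict(client=client, **finding))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

On the constructed log this flags the 10.0.0.5 chain (gitbook.io lure, a comment-spam hop on a forum, a redirector, then the clone) and leaves the 10.0.0.9 chain alone because it stays on github.io. The intermediary hosts a finding lists can be legitimate sites whose comment sections were spammed, so treat them as pivot points for investigation rather than as blocklist entries; the entry subdomain and the landing host are the indicators worth reporting to the platform and blocking.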



Classification:
  • HashTags: #CryptoTheft #Phishing #FreeDrain
  • Company: SentinelOne
  • Target: Cryptocurrency users
  • Attacker: FreeDrain operators
  • Product: wallet
  • Feature: SEO manipulation
  • Malware: FreeDrain
  • Type: Phishing
  • Severity: HighRisk