Ethical Hacking News
Cybersecurity researchers from SentinelOne and Validin have exposed FreeDrain, a global cryptocurrency phishing operation that combines SEO manipulation, free-tier web services, and layered redirection to target cryptocurrency wallets, and that is linked to the theft of over $9 million in digital assets. More than 38,000 distinct sub-domains hosting lure pages have been identified, hosted on cloud infrastructure such as Amazon S3 and Azure Web Apps. Victims are redirected to phishing pages that capture their seed phrases, after which automated infrastructure drains the wallets within minutes. The operation is designed to be frictionless, blending SEO manipulation, familiar visual elements, and platform trust to lull victims into a false sense of legitimacy.
Cybersecurity researchers from SentinelOne and Validin have exposed what they describe as an "industrial-scale, global cryptocurrency phishing operation" that has been stealing digital assets from cryptocurrency wallets for several years. The two threat intelligence firms track the campaign under the name FreeDrain.
According to the technical report shared with The Hacker News, FreeDrain uses SEO manipulation, free-tier web services such as gitbook.io, webflow.io, and github.io, and layered redirection to target cryptocurrency wallets. Victims search for wallet-related terms, click a high-ranking malicious result, land on a lure page, and are redirected to a phishing page that captures their seed phrase.
The scale of the campaign is reflected in the more than 38,000 distinct FreeDrain sub-domains hosting lure pages that have been identified. These pages are hosted on cloud infrastructure such as Amazon S3 and Azure Web Apps and mimic legitimate cryptocurrency wallet interfaces. The activity has been attributed with high confidence to individuals operating in the Indian Standard Time (IST) zone during standard weekday hours, based on the timing of GitHub commits associated with the lure pages.
Users who land on these pages are served a static screenshot of the legitimate wallet interface. Clicking it triggers one of three behaviors: the user is redirected to a legitimate website, redirected to another intermediary site, or sent to a lookalike phishing page that prompts for the seed phrase, after which the wallet is drained. Because the lure page itself is only an image and a link, it contains no credential-capture code for a hosting platform's abuse scanner to flag; the theft happens on the final hop of the redirect chain.
"The entire flow is frictionless by design, blending SEO manipulation, familiar visual elements, and platform trust to lull victims into a false sense of legitimacy," the researchers said. "And once a seed phrase is submitted, the attacker's automated infrastructure will drain funds within minutes."
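The reason a submitted seed phrase is all the attacker needs is that wallets derive every key from it deterministically. The following is an added example, not code from the SentinelOne/Validin report or from any wallet vendor: it implements the BIP39 mnemonic-to-seed step (PBKDF2-HMAC-SHA512, 2048 rounds, salt "mnemonic" plus an optional passphrase) and the BIP32 master-key step (HMAC-SHA512 keyed with "Bitcoin seed") using only the Python standard library. The sample phrase is the public all-zero-entropy BIP39 test vector with the "TREZOR" passphrase those vectors use; the word-count check and the function names are this example's own. It does not validate the BIP39 checksum, which would require the 2048-word list.

```python
import hashlib
import hmac
import unicodedata

# Constructed sample: the public BIP39 test vector for all-zero entropy, with
# the "TREZOR" passphrase used by the reference vectors. It controls nothing
# of value and is here only to make the derivation checkable.
SAMPLE_MNEMONIC = (
    "abandon abandon abandon abandon abandon abandon "
    "abandon abandon abandon abandon abandon about"
)
SAMPLE_PASSPHRASE = "TREZOR"

# BIP39 phrases are 12, 15, 18, 21 or 24 words (128 to 256 bits of entropy).
VALID_WORD_COUNTS = {12, 15, 18, 21, 24}


def normalize_mnemonic(mnemonic: str) -> str:
    """Collapse whitespace and apply NFKD, as BIP39 requires before hashing.

    The checksum is not verified here: that needs the 2048-word list.
    """
    words = mnemonic.split()
    if len(words) not in VALID_WORD_COUNTS:
        raise ValueError(f"unexpected word count {len(words)}")
    return unicodedata.normalize("NFKD", " ".join(words))


def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39 seed: PBKDF2-HMAC-SHA512(mnemonic, "mnemonic" + passphrase), 2048 rounds, 64 bytes."""
    password = normalize_mnemonic(mnemonic).encode("utf-8")
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", password, salt, 2048, dklen=64)


def seed_to_master_key(seed: bytes) -> tuple[bytes, bytes]:
    """BIP32 master node: HMAC-SHA512 keyed with "Bitcoin seed".

    Left 32 bytes are the master private key, right 32 bytes the chain code;
    every account and address key is derived from these two values.
    """
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]


if __name__ == "__main__":
    seed = mnemonic_to_seed(SAMPLE_MNEMONIC, SAMPLE_PASSPHRASE)
    master_key, chain_code = seed_to_master_key(seed)
    print("seed       :", seed.hex())
    print("master key :", master_key.hex())
    print("chain code :", chain_code.hex())
```

Nothing here touches a network or a wallet: given the twelve words, the master key falls out of two hash computations, which is why the operators can script the drain end to end and why a seed phrase must never be typed into a web page.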
The findings follow the discovery of a malvertising campaign that uses Facebook ads impersonating trusted cryptocurrency exchanges and trading platforms such as Binance, Bybit, and TradingView to lead users to fraudulent websites that instruct them to download a desktop client.
"Query parameters related to Facebook Ads are used to detect legitimate victims, while suspicious or automated analysis environments receive benign content," Bitdefender said in a report shared with the publication. "If the site detects suspicious conditions (e.g., missing ad-tracking parameters or an environment typical of automated security analysis), it displays harmless, unrelated content instead."
For defenders, that gating means a detonation has to carry the ad-tracking query parameters from the original click; a sandbox that fetches the bare landing URL will only ever see the decoy content. Once launched, the installer displays the login page of the impersonated entity through msedge_proxy.exe to keep up the ruse, while additional payloads execute silently in the background to harvest system information or, if the exfiltrated data indicates a sandbox, sleep for "hundreds of hours on end".
The Romanian cybersecurity company said hundreds of Facebook accounts have advertised these malware-delivering pages, mainly targeting men over 18 in Bulgaria and Slovakia. The campaign takes a hybrid approach, combining front-end deception with a localhost-based malware service.
By dynamically adjusting to the victim's environment and continuously updating payloads, the threat actors maintain a resilient, highly evasive operation. Returning to FreeDrain, the SentinelOne and Validin researchers also observed the operators flooding poorly maintained websites with thousands of spam comments that promote their lure pages, so that search engines index and rank them higher, a technique known as spamdexing.
It's worth pointing out that some aspects of the campaign have been documented by Netskope Threat Labs since August 2022 and as recently as October 2024, when the threat actors were found utilizing Webflow to spin up phishing sites masquerading as Coinbase, MetaMask, Phantom, Trezor, and Bitbuy.
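A hunting heuristic built from what the page describes: lure pages sit on free-tier hosts, carry wallet brand names in the sub-domain or path, are pushed through comment spam, and the final hop asks for the seed phrase. This added example is not from the researchers or from Netskope. The free-tier suffixes and the wallet brands are the ones mentioned on this page; the seed-phrase wording list, the thresholds, the sample comments and HTML are constructed assumptions, and the hostnames are hypothetical rather than indicators from the report.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Free-tier hosting suffixes named on this page; a real hunt would extend this.
FREE_TIER_SUFFIXES = (
    "gitbook.io", "webflow.io", "github.io",
    "s3.amazonaws.com", "azurewebsites.net",
)
# Wallet brands named on this page (Netskope's Webflow findings).
WALLET_BRANDS = ("coinbase", "metamask", "phantom", "trezor", "bitbuy")
# Wording a seed-phrase capture form tends to use; assumed for the example.
SEED_HINTS = ("seed phrase", "recovery phrase", "secret phrase", "mnemonic", "12 words", "24 words")
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.IGNORECASE)


def classify_url(url: str) -> dict:
    """Flag a URL that sits on a free-tier host and names a wallet brand in host or path."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path.lower()
    platform = next((s for s in FREE_TIER_SUFFIXES
                     if host == s or host.endswith("." + s)), None)
    # Drop hyphens so "meta-mask-login" still matches "metamask".
    brand = next((b for b in WALLET_BRANDS
                  if b in host.replace("-", "") or b in path), None)
    return {"url": url, "platform": platform, "brand": brand,
            "suspicious": platform is not None and brand is not None}


def urls_from_comments(comments: list[str]) -> list[str]:
    """Pull every http(s) URL out of a batch of blog comments (spamdexing input)."""
    found = []
    for text in comments:
        found.extend(m.rstrip(".,;") for m in URL_RE.findall(text))
    return found


class SeedFormScanner(HTMLParser):
    """Per <form>, count free-text inputs and look for seed-phrase wording."""

    def __init__(self):
        super().__init__()
        self.in_form = False
        self.text_inputs = 0
        self.hint_hit = False
        self.forms = []  # (free-text inputs, seed wording seen) per form

    def _note_hint(self, text):
        if any(h in text.lower() for h in SEED_HINTS):
            self.hint_hit = True

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self.in_form, self.text_inputs, self.hint_hit = True, 0, False
        elif self.in_form and tag in ("input", "textarea"):
            if tag == "textarea" or a.get("type", "text").lower() in ("text", "password"):
                self.text_inputs += 1
            self._note_hint(" ".join(a.values()))  # placeholders, names, labels

    def handle_data(self, data):
        if self.in_form:
            self._note_hint(data)

    def handle_endtag(self, tag):
        if tag == "form" and self.in_form:
            self.forms.append((self.text_inputs, self.hint_hit))
            self.in_form = False


def has_seed_capture_form(html: str) -> bool:
    """True if a form asks for a seed phrase, or has 12+ free-text fields (one per word)."""
    scanner = SeedFormScanner()
    scanner.feed(html)
    scanner.close()
    return any(n >= 12 or (hit and n >= 1) for n, hit in scanner.forms)


# Constructed samples: hypothetical hostnames and pages, not indicators from the report.
SAMPLE_COMMENTS = [
    "Great post! Restore your wallet here: https://metamask-wallet-login.gitbook.io/guide",
    "Official docs: https://docs.python.org/3/library/re.html",
    "phantom recovery help https://phantom-support.webflow.io/recover.",
]
SAMPLE_PHISH_HTML = ('<form action="/submit" method="post"><p>Enter your 12 word secret recovery phrase</p>'
                     '<textarea name="phrase"></textarea><button>Import</button></form>')
SAMPLE_SEARCH_HTML = '<form><input type="search" name="q"></form>'

if __name__ == "__main__":
    for url in urls_from_comments(SAMPLE_COMMENTS):
        print(classify_url(url))
    print("phish form:", has_seed_capture_form(SAMPLE_PHISH_HTML))
    print("search form:", has_seed_capture_form(SAMPLE_SEARCH_HTML))
```

The URL classifier only triages: a wallet's own documentation can legitimately live on gitbook.io, so a hit means "fetch and look", and the form scanner is what decides whether the final hop is a seed-phrase capture page. Run the scanner against the page reached after following the redirect chain from the lure, not against the lure itself, which is just an image and a link.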
"FreeDrain's reliance on free-tier platforms is not unique, and without better safeguards, these services will continue to be weaponized at scale," the researchers noted. "The FreeDrain network represents a modern blueprint for scalable phishing operations, one that thrives on free-tier platforms, evades traditional abuse detection methods, and adapts rapidly to infrastructure takedowns."
By abusing dozens of legitimate services to host content, distribute lure pages, and route victims, FreeDrain has built a resilient ecosystem that is difficult to disrupt and easy to rebuild, with significant implications for cryptocurrency users and for the cybersecurity industry at large.
Related Information:
https://www.ethicalhackingnews.com/articles/The-FreeDrain-Phishing-Operation-A-Global-Cryptocurrency-Scam-Exposed-ehn.shtml
https://thehackernews.com/2025/05/38000-freedrain-subdomains-found.html
Published: Thu May 8 14:18:24 2025 by llama3.2 3B Q4_K_M