Angel Drainer exploited the Ledger Connect Kit
According to the latest update from the cybersecurity team SlowMist on yesterday’s Ledger Connect Kit exploit, the attack, which led to a loss of at least $600,000, was orchestrated by the phishing group Angel Drainer. SlowMist adds in its post on X, “Angel Drainer utilized smart contracts to manage the access domains of malicious JavaScript files.”
Read also: Zapper, SushiSwap, and Balancer Affected by Attack on Ledger Connect Kit
How does Angel Drainer work?
Earlier in October, SlowMist provided the crypto community with detailed insights into Angel Drainer’s tactics. Initially recognized as a low-profile phishing gang in the Web3 space, Angel Drainer later shifted its focus to larger projects, launching attacks on the DeFi protocol Balancer on September 19 and on the Web3 community platform Galxe.
“Upon analysis, we found that the gang’s primary method of attack is social engineering targeted at domain service providers,” explained SlowMist in its report, noting that once the malicious actors obtain relevant domain account permissions, they manipulate DNS resolution and redirect users to fake websites. The report referenced data from cybersecurity firm ScamSniffer, estimating that over 3,000 domains were involved in Angel Drainer’s phishing attacks.
According to SlowMist’s analysis, these domains were registered as early as January 2023. One of the sites impersonated the Web3 game project “Fight Out” and was associated with an address linked to 107 phishing sites. These sites covered a broad spectrum, including NFT projects, authorization management tools like RevokeCash, exchanges like Gemini, and cross-chain bridges such as Stargate Finance. The earliest transaction from this address occurred in May.
The October report by SlowMist also highlighted numerous phishing sites targeting public chain Arbitrum, the NFT project Pollen, the Blur NFT marketplace, the Uniswap exchange, and more.
How much do Angel Drainer’s services cost?
In the Angel Drainer service offer outlined by SlowMist, the phishing team demands a $40,000 deposit along with a 20% fee, boasting extensive features such as an automated site cloner with a linked drainer, a “great log system,” full customizability, draining strategy logs, and more.
The Angel Drainer team also promotes its services in Russian. The X account operating under the Angel Drainer name, whether or not it is the authentic profile of the scam vendor, states, “For us first is the name and of course when our community is happy,” prioritizing reputation over financial gains.
If this account is indeed linked to the phishing team, Angel Drainer also incentivizes its clients, rewarding those who earn the most through the service with expensive NFTs like BAYCs and MAYCs.
As of October, preliminary estimates from SlowMist indicate that Angel Drainer had accumulated at least $2 million in fees. A portion of the profits was transferred to platforms such as Binance, eXch, Bybit, OKX, Tornado Cash, and others.
Read also: Loch Debunks Rumors about Blast’s Connection with Inferno Drainer
Particularly notable exploits orchestrated by Angel Drainer include the Balancer and Galxe DNS hijacking attacks.
In the Balancer incident, the website’s interface was compromised by injecting malicious JavaScript code into the front-end interface of app.balancer.fi. This led users to unwittingly approve malicious transactions, resulting in over $350,000 being transferred to attackers through phishing attacks.
In the Galxe case, malicious actors impersonated Dynadot, the domain service provider, and gained unauthorized access to the domain account’s DNS settings. About 1,120 users who interacted with the fraudulent site subsequently lost nearly $270,000.
Ledger, a renowned manufacturer of hardware (cold) crypto wallets, became the latest target of Angel Drainer. The phishing team exploited the Ledger Connect Kit, compromising the front-end interfaces of applications that embed it, including Balancer, which had already suffered from Angel Drainer, as well as SushiSwap, Revoke.cash, and Zapper, and stealing at least $600,000 from users.
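In both the Balancer and the Ledger Connect Kit incidents the damage was done by ordinary wallet transactions that the victim signed because a compromised front-end asked for them. The following is an added example, not code from the article, SlowMist or Ledger: it decodes the raw calldata of the three calls a drainer script most commonly requests (ERC-20 `approve`, ERC-721/1155 `setApprovalForAll`, ERC-20 `transfer`) and rates the request before it reaches the signer. The attacker address and the allow-list of trusted spenders are constructed placeholders.

```python
# Added example (not code from the article, SlowMist or Ledger): triage the
# calldata a compromised front-end asks a wallet to sign. A drainer's injected
# JavaScript typically prompts the victim to sign an ERC-20 approve() or an
# ERC-721/1155 setApprovalForAll() in favour of the attacker's contract, so
# decoding the raw calldata before signing is what exposes the theft.
from dataclasses import dataclass
from typing import Optional, Set

# 4-byte selectors = first 4 bytes of keccak256(signature). Hard-coded because
# the Python stdlib has no keccak (hashlib.sha3_256 is the padded FIPS variant).
SELECTORS = {
    "095ea7b3": "approve",            # approve(address spender, uint256 amount)
    "a22cb465": "setApprovalForAll",  # setApprovalForAll(address operator, bool approved)
    "a9059cbb": "transfer",           # transfer(address to, uint256 amount)
}
UINT256_MAX = 2**256 - 1
WORD = 64  # one ABI word = 32 bytes = 64 hex characters


@dataclass
class Finding:
    function: str
    counterparty: str   # spender / operator / recipient, lower-case 0x address
    unlimited: bool     # unlimited ERC-20 allowance or blanket operator approval
    risk: str           # "critical" | "high" | "info"


def triage_calldata(calldata: str, trusted: Set[str]) -> Optional[Finding]:
    """Decode approve/setApprovalForAll/transfer calldata and rate it.

    Returns None for selectors this triage does not understand or for
    truncated calldata. `trusted` holds lower-case addresses (routers, vaults)
    the dapp legitimately needs approvals for.
    """
    data = calldata.lower()
    if data.startswith("0x"):
        data = data[2:]
    selector, args = data[:8], data[8:]
    name = SELECTORS.get(selector)
    if name is None or len(args) < 2 * WORD:
        return None
    # Static ABI args are left-padded 32-byte words; an address is the low 20 bytes.
    counterparty = "0x" + args[WORD - 40:WORD]
    value = int(args[WORD:2 * WORD], 16)
    if name == "approve":
        unlimited = value == UINT256_MAX
    elif name == "setApprovalForAll":
        unlimited = value == 1  # approved=true: every token in the collection
    else:
        unlimited = False
    if name == "setApprovalForAll" and value == 0:
        risk = "info"            # revoking an operator cannot drain anything
    elif counterparty in trusted:
        risk = "info"
    elif name == "transfer":
        risk = "high"            # direct send to an unknown recipient
    else:
        risk = "critical" if unlimited else "high"
    return Finding(name, counterparty, unlimited, risk)


# Constructed sample, not a real transaction: an injected script asking for an
# unlimited ERC-20 approve() in favour of a hypothetical attacker address.
ATTACKER = "0x1111111111111111111111111111111111111111"
SAMPLE_APPROVE = "0x095ea7b3" + ATTACKER[2:].rjust(WORD, "0") + "f" * WORD

if __name__ == "__main__":
    print(triage_calldata(SAMPLE_APPROVE, trusted=set()))
```

The same decoding can be run from a wallet's transaction-insight hook or from a browser extension's `eth_sendTransaction` interceptor; the point is that an unlimited allowance or a `setApprovalForAll(true)` to an address outside the dapp's known contracts is never something a legitimate swap or vault deposit needs.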
In collaboration with the Scam Sniffer team, SlowMist used characteristics associated with Angel Drainer to identify thousands of phishing websites and reported them to eth-phishing-detect, a utility that supports the detection of phishing domains targeting Web3 users. The collaborative effort aims to minimize the risk of Web3 users falling victim to phishing attacks and losing assets. To collect phishing domains, SlowMist used the Urlscan tool.
On-chain researchers have also catalogued the contract addresses the Angel Drainer group uses to manage the domains from which its malicious JS files are loaded. These addresses are available on the dedicated Dune dashboard and on GitHub.
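The two preceding paragraphs describe two defender-side tasks: reading the domain a drainer kit is told to load its JavaScript from, and deciding whether a host is a phishing domain. The following is an added example, not code from the article, SlowMist, Scam Sniffer or eth-phishing-detect, that does both. It decodes the ABI-encoded `string` an `eth_call` returns (assuming the controller contract exposes a view that returns the current host as a string; the article only says that contracts manage the domains) and then classifies the host with an eth-phishing-detect-style matcher: exact blacklist and whitelist lookups first, then fuzzy matching of the registrable label against brand names with a Levenshtein tolerance. All list entries and the sample domain are constructed placeholders, not real indicators.

```python
# Added example (not code from the article, SlowMist or eth-phishing-detect):
# (1) decode the string an eth_call returns when a phishing kit asks its
# controller contract which host currently serves the drainer JS, and
# (2) classify that host the way an eth-phishing-detect style matcher does,
# with exact blacklist/whitelist lookups plus fuzzy (Levenshtein) matching
# against well-known brand names. The contract's view function and return
# encoding are assumptions; the article only says contracts manage the domains.
from typing import Dict, List


def abi_encode_string(s: str) -> str:
    """Encode a string as a single ABI return value (constructed test fixture)."""
    raw = s.encode()
    pad = (-len(raw)) % 32
    return ("0x" + (32).to_bytes(32, "big").hex()
            + len(raw).to_bytes(32, "big").hex()
            + (raw + b"\x00" * pad).hex())


def abi_decode_string(result_hex: str) -> str:
    """Decode the ABI-encoded `string` an eth_call returns: offset word,
    length word, then the UTF-8 bytes padded to a 32-byte boundary."""
    data = bytes.fromhex(result_hex[2:] if result_hex.startswith("0x") else result_hex)
    offset = int.from_bytes(data[:32], "big")
    length = int.from_bytes(data[offset:offset + 32], "big")
    return data[offset + 32:offset + 32 + length].decode()


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used for look-alike (typosquat) detection."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _matches(host: str, entries: List[str]) -> bool:
    # An entry matches itself and every subdomain of itself.
    return any(host == e or host.endswith("." + e) for e in entries)


def check_domain(host: str, lists: Dict[str, object]) -> Dict[str, object]:
    """Return {"result": blacklist|whitelist|fuzzy|allowed, ...} for a host."""
    host = host.lower().split(":")[0].rstrip(".")
    if _matches(host, lists["blacklist"]):
        return {"result": "blacklist", "host": host}
    if _matches(host, lists["whitelist"]):
        return {"result": "whitelist", "host": host}
    # Fuzzy step: compare the registrable label (public suffix dropped; a real
    # deployment would use a public-suffix list for .co.uk style TLDs) to brand
    # names, so "ledqer.example" is caught as a look-alike of "ledger".
    labels = host.split(".")
    label = labels[-2] if len(labels) >= 2 else labels[0]
    for brand in lists["fuzzylist"]:
        if levenshtein(label, brand) <= lists["tolerance"]:
            return {"result": "fuzzy", "host": host, "match": brand}
    return {"result": "allowed", "host": host}


# Constructed lists and sample, not real indicators.
LISTS = {
    "whitelist": ["balancer.fi", "ledger.com", "revoke.cash"],
    "blacklist": ["evil.example"],
    "fuzzylist": ["ledger", "balancer", "metamask"],
    "tolerance": 2,
}
# What a kit would get back from eth_call on its (assumed) controller contract.
SAMPLE_ETH_CALL_RESULT = abi_encode_string("ledqer.example")

if __name__ == "__main__":
    host = abi_decode_string(SAMPLE_ETH_CALL_RESULT)
    print(host, check_domain(host, LISTS))
```

Because the kit reads the host from chain state, pulling the same value with a JSON-RPC `eth_call` against the catalogued contract addresses and feeding it through `check_domain` gives a cheap way to discover new drainer hosts as soon as the operators rotate them, which is exactly the evasion the contract indirection is meant to buy them.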




