Wallet drainers are a type of scam that generally operates by cloning a legitimate website, fooling the target into providing their crypto wallet credentials, and then executing a smart contract that sends the users’ funds to bad actors.

🚨1/ Alert: A ‘Wallet Drainer’ has been linked to phishing campaigns on Google search and X ads, draining approximately $58M from over 63K victims in 9 months. pic.twitter.com/ye3ob2uTtz

— Scam Sniffer | Web3 Anti-Scam (@realScamSniffer) December 21, 2023

Unlike targeted attacks on exchanges, which would involve actually breaching the security of said sites, drainer scams target either the community of a platform or whales whose internet presence has been tracked down.

Different Monetization Scheme

Generally, a portion of the funds are rerouted directly to the hacker who created the software, a provision encoded into the smart contract that drains the wallet to prevent the attacker from backtracking. No honor among thieves, as they say.

Late last month, Inferno Drainer, a similar tool, shut down after stealing an even larger amount over a period of several months. Both platforms had begun operating during the spring.

However, MS Drainer differs in this regard, selling access to the software for the price of $1,499. Further add-ons to the software can be purchased for an extra couple hundred bucks. If a malicious Blur signature is also requested, it will run the purchaser up another thousand dollars.

8/ Analysis shows this wallet drainer stole about $58.98 million from 63,210 victims in 9 months through associated addresses.https://t.co/um9n53GFqN

— Scam Sniffer | Web3 Anti-Scam (@realScamSniffer) December 21, 2023

Flouting Ad Safety Measures

Although Google checks advertisements submitted to AdSense to prevent scams, illegal products, and so on from being shown to users, these processes are largely automated and thus can be thwarted by those who know their way around these systems. In this case, it seems that region switching was used to avoid detection and slow down any investigations that may have been underway.

Malicious ads have been displayed on X as well ever since the social media network started outsourcing ad space to Google. Zapper, Lido, Defillama, Radiant, and Stargate were all cloned and used in these attacks.

“In a recent sampling test of ads in X’s feeds, nearly 60% of the phishing ads were found to be using them. At the same time, these phishing ads also used redirect deception techniques to make the phishing ads more credible. For example, making the ad appear to be from an official domain, but in reality, the final destination is a phishing site. You might think you clicked on an ad for the official StarkNet website, but you actually entered a phishing site.”

In some cases, not even checking the URL would help, as the ad shown to users displayed the correct link before switching to a misspelled one later on.

In total, nearly $59 million has been stolen from over 63 thousand victims using this software.

Unlike the Inferno team, the malware provider behind this tool has no intention of shutting down anytime soon.