Angel Drainer targets users with malicious Safe contract: $403K stolen


Article Contents

In This Article

Notorious phishing group Angel Drainer has reportedly stolen over $400,000 from 128 crypto wallets through a new attack vector that has leveraged Etherscan’s verification tool to cover up the malicious nature of a smart contract.

The attack started at 6:40 am Feb. 12 when Angel Drainer deployed a malicious Safe (formerly Gnosis Safe) vault contract, wrote blockchain security firm Blockaid in a Feb. 13 post to X.

At total of 128 wallets then signed a “Permit2” transaction on the Safe vault contract, leading to $403,000 in funds being stolen.

Blockaid said the scammers used a Safe vault contract specifically to deliver a “false sense of security,” as Etherscan automatically adds a verification flag to confirm it as a legitimate contract.

Blockaid stressed the incident wasn’t a direct attack on Safe and that its user base had not been “broadly impacted.” The security firm added it had notified Safe of the attack and was working to limit further damage.

“This is not an attack on Safe […] rather they decided to use this Safe vault contract because Etherscan automatically adds a verification flag to Safe contracts, which can provide a false sense of security as it’s unrelated to validating whether or not the contract is malicious.”

Related: ‘Haunts me to this day’ — Crypto project hacked for $4M in a hotel lobby

Angel Drainer has only been in operation for 12 months but has managed to drain over $25 million from nearly 35,000 wallets, Blockaid stated in a Feb. 5 post X.

The $484,000 Ledger Connect Kit hack and the Eigenlayer restake farming attack are among the most notable attacks committed by Angel Drainer in recent months.

The restake farming attack involved Angel Drainer implementing a malicious queueWithdrawal function which, once signed by users, would withdraw staking rewards to an address of the attacker’s choosing, Blockaid explained.

“Because this is a new kind of approval method, most security providers or internal security tooling does not parse and validate this approval type. So in most cases it’s marked as a benign transaction.”

Approximately 40,000 users on OpenSea, Optimism, zkSync, Manta Network, and SatoshiVM fell victim to phishing attacks in January, losing a combined $55 million, according to Scam Sniffer, a Web3 scam tracker.

The figure is on track to surpass 2023’s figure of $295 million, according to Scam Sniffer’s 2023 Wallet Drainers Report.

Magazine: DeFi’s billion-dollar secret: The insiders responsible for hacks