Google and Twitter ads are promoting sites containing a cryptocurrency drainer named ‘MS Drainer’ that has already stolen $59 million from 63,210 victims over the past nine months.
According to blockchain threat analysts at ScamSniffer, they discovered over ten thousand phishing websites using the drainer from March 2023 to today, with spikes in the activity observed in May, June, and November.
A drainer is a malicious smart contract or, in this case, a complete phishing suite designed to drain funds from a user’s cryptocurrency wallet without their consent.
Users are taken to a legitimate-appearing phishing website and tricked into approving malicious contracts, allowing the drainer to automatically perform unauthorized transactions and transfer the victim’s money to the attacker’s wallet address.
The source code for MS Drainer is sold to cybercriminals for $1,500 by a user named ‘Pakulichev’ or ‘PhishLab,’ who also charges a 20% fee on any funds stolen with the toolkit. Additionally, PhishLab sells additional modules that add new features to the malware, costing between $500 and $1,000.
According to blockchain data on MS Drainer’s activity, one of its Ethereum-chain victims lost $24 million worth of cryptocurrency, while other notable cases involve victims losing between $440,000 and $1.2 million.
Fraudulent ads on Google and X
In Google Search, MS Drainer is promoted via malicious ads that are shown for keywords related to DeFi platforms like Zapper, Lido, Stargate, Defillama, Orbiter Finance, and Radiant.
Many of those ads exploit Google Ads’ tracking template loophole to make the URL appear as belonging to the spoofed project’s official domain. A redirection, though, takes those who click to a phishing site.
On X, better known as Twitter, advertisements for MS Drainer are so abundant that ScamSniffer reports they account for six out of nine phishing ads on their feed.
Notably, many of the scam ads on X are posted from legitimate “verified” accounts that carried the blue tick badge when the ad was shown.
Security researcher MalwareHunterTeam, who has been tracking similar ads, told BleepingComputer they believe the Twitter account holders may have been infected with malware that stole their authentication cookies or passwords, allowing the threat actors to create advertisements from the hacked accounts.
Strangely, the researcher spoke to an X account advertising a cryptocurrency scam and was told that there was no trace of the ads in their advertising accounts.
On X, the cybercriminals used multiple themes for their ads, including one called “Ordinals Bubbles,” which promoted a supposedly limited-edition NFT (non-fungible token) collection featuring various characters encased in bubbles.
The ads also promoted NFT airdrops and new token launches on sites that contain the drainer.
ScamSniffer says one detection bypass method employed by these ads is geofencing, which only targets users from pre-defined regions and redirects the rest to legitimate/innocuous websites.
Cryptocurrency scams have always performed well on X, but with trustworthy, hacked accounts now displaying advertisements promoting malicious sites, we should expect to see these types of attacks become even more successful.
Users should be very cautious when seeing cryptocurrency-related ads and perform due diligence before signing up to new platforms, let alone connecting their wallets.