Crypto Hackers Watching: Protect Your Searches & Online Security Tips


Be Careful What You Search For — Crypto Hackers Are Watching

FreeDrain Crypto Hackers Are Monitoring Your Online Searches

When we think about cybercriminals tracking our activities, we often associate it with phishing scams like Hello Pervert, where the attacker claims to have personal information about the victim. Additionally, there are ransomware groups that utilize employee monitoring software to surveil their targets. Recent surveys indicate that around 25% of Americans feel they might be under surveillance while using their smartphones. However, my main concern lies with hackers who observe users searching for assistance in order to execute targeted cyberattacks. Previously, I reported on a campaign where MassJacker actors exploited individuals seeking pirated software to spread malware. The current focus is on crypto hackers who prey on those looking for help with their wallets, striking when victims are most susceptible. Here’s a closer look at the FreeDrain operation, which cybersecurity experts warn is functioning on a massive scale.

FreeDrain Crypto Hackers Operate on a Large Scale

Although FreeDrain may not yet rank among the most notorious cybercriminal organizations globally, it seems likely to rise in prominence. Researchers in threat intelligence began their investigation on May 12, 2024, after a person reached out for help regarding the theft of 8 BTC, valued at around $500,000 at that time, from their cryptocurrency wallet. Initially, the incident appeared to be a standard phishing attack, utilizing a high-ranking search engine result to initiate the scam. However, it quickly became clear that this was part of a more extensive and coordinated scheme related to weaponized searches and cryptocurrency theft, dubbed FreeDrain. A collaborative report from Tom Hegel of SentinelOne’s Sentinel Labs and Kenneth Kinion and Sreekar Madabushi from Validin confirmed that FreeDrain is “an industrial-scale, global cryptocurrency phishing operation that has been pilfering digital assets for years.”

Crypto Hackers Target Individuals Seeking Assistance

The security analysts discovered that simple help-related queries, such as how to check a specific crypto wallet's balance, returned numerous malicious links on prominent search engines. While these links were not always featured on the first results page, they often appeared within the first few pages. When the researchers clicked these dubious links, which they knew were not legitimate, they were immediately directed to active phishing sites. The attack sequence was straightforward: users would search for wallet-related information, click on a top-ranking result, land on a page that mimicked the genuine wallet interface, and then be redirected to a phishing page requesting their wallet seed phrase. The final phishing site closely resembled the actual wallet service, urging users to enter their sensitive seed phrase.

The method these crypto hackers use to manipulate search engine results is both intriguing and alarming. The report indicated, “We identified several indexed URLs pointing back to high-ranking lure pages,” and traced them to extensive comment spam campaigns. This practice, known as spamdexing, has been used to manipulate SEO for years, but the FreeDrain campaign appears to have applied it with unusual effectiveness. “We found a Korean university photo album page with a single image uploaded over a decade ago,” the researchers noted, “buried under 26,000 comments, almost all containing spam links.” The outcome was staggering: over 200,000 unique malicious URLs appearing in search results and 38,000 FreeDrain subdomains hosting phishing pages. As I have emphasized previously, exercise caution regarding what you search for online. More importantly, be careful about the sites you visit after conducting those searches. If you require assistance with a specific crypto wallet, it is advisable to navigate directly to the vendor’s official site for help.
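Two defender-side checks that follow from the attack chain and the spamdexing technique described above, written as an added example rather than code from the article or the SentinelOne/Validin report: one flags a comment thread drowned in off-site links, the other flags a search result or redirect target that trades on a wallet brand while sitting outside the vendor's official domain. All domains, comments and the brand name are constructed placeholders.

```python
"""Defender-side triage for the FreeDrain pattern: added example, not from the
article or the SentinelOne/Validin report. Checks constructed sample data for
(1) comment-spam (spamdexing) floods and (2) wallet-brand lookalike URLs."""
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed placeholders; not real domains or indicators from the report.
OFFICIAL_DOMAINS = {"examplewallet.example"}   # hypothetical vendor domain
BRAND_TERMS = ("examplewallet", "wallet balance", "seed phrase")

SAMPLE_COMMENTS = [
    "Nice photo! check balance here https://help-examplewallet.spam-host-a.example/balance",
    "https://examplewallet.spam-host-a.example/login cheap recovery",
    "great shot from the campus trip",
    "http://examplewallet-support.spam-host-b.example/seed",
]

URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels); adequate for the constructed data here."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:])

def comment_spam_report(comments, link_ratio_threshold=0.5):
    """Flag a thread as spamdexing when most comments carry off-site links."""
    with_links = 0
    domains = Counter()   # which registrable domains the spam points at
    for c in comments:
        urls = URL_RE.findall(c)
        if urls:
            with_links += 1
            for u in urls:
                domains[registrable_domain(urlparse(u).hostname or "")] += 1
    ratio = with_links / len(comments) if comments else 0.0
    return {"spam": ratio >= link_ratio_threshold, "link_ratio": ratio, "domains": domains}

def is_wallet_lookalike(url: str, page_text: str = "") -> bool:
    """True when a URL or landing page trades on the wallet brand outside the official domain."""
    host = (urlparse(url).hostname or "").lower()
    if registrable_domain(host) in OFFICIAL_DOMAINS:
        return False          # the vendor's own site is never a lookalike
    haystack = f"{url} {page_text}".lower()
    return any(term in haystack for term in BRAND_TERMS)
```

Pair `is_wallet_lookalike` with the text of each hop in a redirect chain to catch the lure-page-to-seed-phrase-page step even when the first host looks innocuous.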