January 20, 2023
TRM Labs has been tracking the emergence of a new threat to the crypto ecosystem – drainware, a type of malicious smart contract that has previously been referred to as “drainers”, “sweepers” and “wallet drainers.”
TRM investigators have dubbed the attacks “drainware” because they operate by draining cryptocurrency and NFTs directly from a user’s wallet after they unknowingly sign a transaction to purchase and mint an NFT, or interact with a phishing website. TRM’s assessment is that drainware has no legitimate uses.
Aurory NFT Attack
One of the first widely reported drainware attacks occurred prior to the launch of the high-profile Aurory NFT in August 2021. Attackers purchased a domain with a similar DNS to the real Aurory domain. Once the users signed and approved the alleged transaction mint, the malicious contract drained their wallets.
The attack led to over $1.5 million in losses and the theft of over 70 NFTs from would-be Aurory investors. The attacker(s) then quickly attempted to sell the drained NFTs on marketplaces and used a Solana DeFi Bridge to hop chains to Ethereum. As of December 19, 2022, all the stolen funds, worth approximately $1.5 million, remain in the bridged Ethereum wallet.
Monkey Drainer is one of the latest major drainware attacks targeting the crypto industry en masse. The malicious contract requires users only to approve and sign transactions, making it simpler than many traditional attack methods.
Monkey Drainer was first publicly identified by on-chain investigative sleuth Zachxbt, who linked it to over $3.5 million worth of stolen crypto. In a six-part tweet thread in late October, Zachxbt released information confirming that over a 24-hour period, 700 Ethereum was stolen from victims. The history of the Ethereum wallet shows a total of 7300 transactions in a two month period as depicted below.
Through December, multiple users reported addresses associated with at least ten reports on TRM Labs’ crowd-sourced fraud reporting platform chainabuse.com, which now enables real-time alerts on scams reported by members of the public.
TRM Labs reviewed multiple wallets flagged by Chainabuse users as likely associated with Monkey Drainer, confirming the use of Tornado Cash to launder stolen proceeds and split funds primarily amongst three centralized exchanges. One of the largest Monkey Drainer reports on chainabuse.com is associated with the theft of high value NFTs including seven Crypto Punks, 20 Otherside Meta, and One Azuki.
Most of the stolen crypto from Monkey Drainer is then laundered through Tornado Cash. In some cases the fraudsters use intermediary wallets before attempting to cash out stolen funds at three centralized exchanges, as seen in the graph below.
Drainware as a Service
In the early days of crypto, phishing attacks often directed users to send crypto to an address thatwas reportedly associated with a legitimate project. These types of attacks grew in prominence during the 2017 Initial Coin Offering (ICO) boom. Victims targeted in these phishing attacks would only lose the amount of crypto they sent to the wrong address in error.
By contrast, Web3 phishing attacks are often more sophisticated, involving customizable contracts capable of draining entire wallets. The attack vehicle is commonly distributed through Account Takeovers (ATOs) on social media platforms such as Twitter and Discord.
As NFTs entered the mainstream, attackers began to target novice NFT investors by exploiting the “FOMO” – fear of missing out – and hype surrounding the NFT world. TRM Labs has observed hundreds of phishing attacks over the last year targeting NFT projects, where real-time messaging across multiple platforms has enabled attackers to target NFT investors by publishing phishing website links at a rapid pace.
TRM found that phishing attacks linked to NFT minting scams deployed through compromised Discord accounts increased by 55% in June 2022 compared to the previous month.
This dramatic rise in Drainware attacks has even led to the emergence of Drainer Templates as a Service (DTaaS), providing ready-to-launch pre-built templates and enabling attackers to launch malicious contracts at scale as seen during the 2021 NFT boom.
While cryptocurrency adoption has the potential to revolutionize the financial industry, it also presents new challenges. Without proper education on the security risks, both crypto businesses and individuals are vulnerable to criminal activity. To help combat drainware and other fraud, visit Chainabuse and alert the crypto community to scams in real time.
TRM is also working to hinder the ability of drainware attackers to launder and cash out the proceeds of these attacks by tagging wallet addresses known to be associated with drainware scams in our compliance and forensics tools. These tools are used by crypto platforms, financial institutions and law enforcement agencies to detect and investigate money laundering and other illicit activity such as scams, hacks and sanctions evasion.
About TRM Labs
TRM provides blockchain intelligence to help financial institutions, cryptocurrency businesses, and public agencies detect, investigate, and manage cryptocurrency-related fraud and financial crime. TRM’s risk management platform includes solutions for transaction monitoring and wallet screening, entity risk scoring - including VASP due diligence - and source and destination of funds tracing. These tools enable a rapidly growing cohort of organizations around the world to safely embrace cryptocurrency-related transactions, products, and partnerships.
TRM’s Global Investigations team conducts and supports cryptocurrency investigations to combat illicit activity and build trust and confidence in the cryptocurrency economy. Our investigators use TRM Forensics to trace the flow of stolen assets and coordinate with relevant law enforcement partners. Report a cryptocurrency lead at email@example.com.
Access our coverage of TRON, Solana and 23 other blockchains
Fill out the form to speak with our team about investigative professional services.