A recent cyber attack conducted by the notorious crypto phishing group, Angel Drainer, has once again highlighted the vulnerability of the cryptocurrency space. In a bold move, Angel Drainer successfully stole over $400,000 from 128 crypto wallets by deploying a malicious vault contract. This attack, which took place on February 12, 2024, utilized a new attack vector that exploited Etherscan’s verification tool to conceal the malicious nature of the smart contract.
At 6:41am UTC on that fateful day, Angel Drainer deployed a Safe vault contract with the address 0xbaee148df4bf81abf9854c9087f0d3a0ffd93dbb. Subsequently, they used this contract to phish and scam unsuspecting users by urging them to sign a Permit2 approval that designated the Safe vault as the operator. Unbeknownst to the users, signing that approval handed the attacker-controlled contract the right to move their tokens, resulting in the theft of $403,000.
By utilizing a Safe vault contract, Angel Drainer aimed to instill a false sense of security among users. They knew that Etherscan automatically adds a verification flag to Safe contracts, which can mislead users into believing that the contract is safe to interact with. This tactic is commonly employed in crypto phishing schemes, preying on users’ trust in these verification flags.
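The mechanism described above is a signature request, not a transaction: the victim is shown EIP-712 typed data for a Permit2 approval whose `spender` field is the attacker's Safe proxy, and the explorer's verification badge on that proxy is irrelevant to whether signing is safe. The following wallet-side checker is an added example written for this article; it is not code from Angel Drainer, Safe, Blockaid or Etherscan. It assumes the standard Permit2 `PermitSingle`/`PermitBatch` typed-data shape and the canonical Uniswap Permit2 deployment address; the trusted-spender allowlist and the router address in it are hypothetical, and the sample request is constructed, reusing the contract address quoted in the article as the spender.

```python
"""Wallet-side review of a Permit2 signature request (EIP-712 typed data).

Added example for this article (not code from Angel Drainer, Safe, Blockaid
or Etherscan). The only things that decide whether a Permit2 signature is
safe are WHO the spender is, HOW MUCH it may move and for HOW LONG. A
source-verification badge on the spender contract is not a trust signal,
so this checker never looks at one.
"""
import time

# Canonical Uniswap Permit2 deployment (same address on every EVM chain).
PERMIT2 = "0x000000000022d473030f116ddee9f6b43ac78ba3"

MAX_UINT160 = (1 << 160) - 1      # Permit2 encodes "unlimited" as max uint160
MAX_UINT48 = (1 << 48) - 1        # expiration/nonce are uint48
ONE_DAY = 24 * 3600

# Constructed timestamp for the examples below (2024-02-12 06:41 UTC).
NOW = 1707720060

# Hypothetical allowlist of contracts this wallet's dapp is expected to approve.
TRUSTED_SPENDERS = {"0x1111111111111111111111111111111111111111"}  # placeholder router


def _to_int(v):
    """EIP-712 JSON carries uints as ints, decimal strings or 0x-strings."""
    return int(v, 0) if isinstance(v, str) else int(v)


def review_permit2_request(typed_data, trusted_spenders, now=None):
    """Return a list of human-readable red flags for a Permit2 signing request.

    An empty list means nothing looked wrong; a request that is not Permit2
    at all is out of scope and also returns [].
    """
    now = int(time.time()) if now is None else now
    findings = []
    domain = typed_data.get("domain", {})
    if domain.get("name") != "Permit2":
        return findings
    if str(domain.get("verifyingContract", "")).lower() != PERMIT2:
        findings.append(f"verifyingContract {domain.get('verifyingContract')} "
                        "is not the canonical Permit2 deployment (lookalike?)")

    msg = typed_data.get("message", {})
    primary = typed_data.get("primaryType")
    if primary == "PermitSingle":
        details = [msg["details"]]
    elif primary == "PermitBatch":
        details = list(msg["details"])
    else:
        return findings + [f"unrecognised Permit2 primaryType {primary!r}"]

    # The spender is the contract that will be allowed to pull the tokens.
    spender = str(msg["spender"]).lower()
    if spender not in {s.lower() for s in trusted_spenders}:
        findings.append(f"spender {spender} is not a known protocol contract "
                        "(explorer source verification is not a substitute for this allowlist)")

    for d in details:
        amount = _to_int(d["amount"])
        expiration = _to_int(d["expiration"])
        if amount == MAX_UINT160:
            findings.append(f"unlimited allowance requested for token {d['token']}")
        if expiration - now > 30 * ONE_DAY:
            days = min(expiration, MAX_UINT48) - now
            findings.append(f"allowance on {d['token']} stays valid for "
                            f"{days // ONE_DAY} days")

    if _to_int(msg["sigDeadline"]) - now > ONE_DAY:
        findings.append("signature remains submittable for more than a day")
    return findings


# Constructed request of the kind the article describes: canonical Permit2
# domain, but the spender is the attacker-deployed Safe proxy and the
# allowance is unlimited and effectively permanent.
PHISHING_REQUEST = {
    "domain": {"name": "Permit2", "chainId": 1, "verifyingContract": PERMIT2},
    "primaryType": "PermitSingle",
    "message": {
        "details": {
            "token": "0x2222222222222222222222222222222222222222",  # placeholder token
            "amount": str(MAX_UINT160),
            "expiration": str(MAX_UINT48),
            "nonce": "0",
        },
        "spender": "0xbaee148df4bf81abf9854c9087f0d3a0ffd93dbb",  # address from the article
        "sigDeadline": str(MAX_UINT48),
    },
}

# Constructed benign request: allowlisted spender, bounded amount, short lifetime.
BENIGN_REQUEST = {
    "domain": {"name": "Permit2", "chainId": 1, "verifyingContract": PERMIT2},
    "primaryType": "PermitSingle",
    "message": {
        "details": {
            "token": "0x2222222222222222222222222222222222222222",
            "amount": str(1_000 * 10**6),
            "expiration": str(NOW + 3600),
            "nonce": "0",
        },
        "spender": "0x1111111111111111111111111111111111111111",
        "sigDeadline": str(NOW + 1800),
    },
}

if __name__ == "__main__":
    for label, req in (("phishing", PHISHING_REQUEST), ("benign", BENIGN_REQUEST)):
        print(label, review_permit2_request(req, TRUSTED_SPENDERS, NOW) or ["no red flags"])
```

Run against the constructed phishing request the checker reports four findings (unknown spender, unlimited amount, near-permanent allowance, long-lived signature) and none for the benign one. The design choice worth noting is that the allowlist is keyed on the spender address alone; nothing about the spender's explorer badge, proxy type or verified source enters the decision, which is exactly the signal the attack relied on users over-trusting.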
Blockaid, a blockchain security firm, promptly informed Safe about the attack and is actively working to mitigate any potential additional damage. It is crucial to note that this attack was not a direct assault on Safe itself. The user base of Safe has not experienced widespread consequences as a result of this breach. However, it raises concerns about the security vulnerabilities present in the cryptocurrency ecosystem.
The Menace of Angel Drainer
The recent attack is just one of many orchestrated by Angel Drainer, underscoring the scale of their nefarious activities. According to Blockaid, in the span of just 12 months, Angel Drainer has managed to siphon off more than $25 million from nearly 35,000 wallets. This figure is staggering and highlights the urgent need for enhanced security measures in the crypto industry.
In addition to the latest attack, Angel Drainer has also executed other major breaches, including the 2023 Ledger Connect Kit hack and the recent EigenLayer restake farming attack. The restake farming attack involved the utilization of a malicious function called “queueWithdrawal.” Through this function, Angel Drainer could redirect staking rewards to an address chosen by the attackers. These repeated breaches demonstrate the sophistication and persistence of Angel Drainer in targeting the cryptocurrency space.
The rise of Angel Drainer poses a significant threat to the security of cryptocurrencies. Their ability to exploit weaknesses such as Etherscan’s verification tool, and to deceive users by manufacturing a false sense of security, highlights the pressing need for stronger security measures in the crypto industry. As users and stakeholders, it is imperative to remain vigilant and adopt best practices to protect ourselves and the integrity of the cryptocurrency ecosystem.