Angel Drainer targets users with malicious Safe contract: $403K stolen

Cointelegraph, 2024/02/14 05:34
By: Brayden Lindrea

Notorious phishing group Angel Drainer has reportedly stolen over $400,000 from 128 crypto wallets through a new attack vector that has leveraged Etherscan’s verification tool to cover up the malicious nature of a smart contract.

The attack started at 6:40 am Feb. 12 when Angel Drainer deployed a malicious Safe (formerly Gnosis Safe) vault contract, wrote blockchain security firm Blockaid in a Feb. 13 post to X.

A total of 128 wallets then signed a “Permit2” transaction on the Safe vault contract, leading to $403,000 in funds being stolen.

Today our researchers discovered yet another emerging attack vector from the Angel Drainer group — this time phishing users and leading them to a single Safe Vault contract where 128 wallets have been drained of $403k+ so far. All Blockaid-protected users are safe. pic.twitter.com/niffQDlciG

— Blockaid (@blockaid_) February 13, 2024

Blockaid said the scammers used a Safe vault contract specifically to deliver a “false sense of security,” as Etherscan automatically adds a verification flag to confirm it as a legitimate contract.

Blockaid stressed the incident wasn’t a direct attack on Safe and that its user base had not been “broadly impacted.” The security firm added it had notified Safe of the attack and was working to limit further damage.

“This is not an attack on Safe […] rather they decided to use this Safe vault contract because Etherscan automatically adds a verification flag to Safe contracts, which can provide a false sense of security as it’s unrelated to validating whether or not the contract is malicious.”

Angel Drainer has only been in operation for 12 months but has managed to drain over $25 million from nearly 35,000 wallets, Blockaid stated in a Feb. 5 post to X.

Today, the Angel Drainer Group celebrated one year in operation.

They've drained over $25M from nearly 35k wallets and are behind high profile drains like last year's Ledger Connect Kit and last week's Restake Farming attack.

We seek to protect every web3 user and put them out… pic.twitter.com/U1Sg6sajd6

— Blockaid (@blockaid_) February 5, 2024

The $484,000 Ledger Connect Kit hack and the Eigenlayer restake farming attack are among the most notable attacks committed by Angel Drainer in recent months.

The restake farming attack involved Angel Drainer implementing a malicious queueWithdrawal function which, once signed by users, would withdraw staking rewards to an address of the attacker’s choosing, Blockaid explained.

“Because this is a new kind of approval method, most security providers or internal security tooling does not parse and validate this approval type. So in most cases it’s marked as a benign transaction.”

Approximately 40,000 users on OpenSea, Optimism, zkSync, Manta Network, and SatoshiVM fell victim to phishing attacks in January, losing a combined $55 million, according to Scam Sniffer, a Web3 scam tracker.

The figure is on track to surpass 2023’s figure of $295 million, according to Scam Sniffer’s 2023 Wallet Drainers Report.
