A sophisticated phishing scheme, comprising a network of fake websites, has been targeting web3 projects and draining cryptocurrency wallets at scale for years.
First detected by Validin as a simple network of crypto phishing websites in April 2024, it soon became apparent that the scheme may be much more sophisticated and large scale. This led the internet intelligence platform provider to collaborate with SentinelOne’s research team, SentinelLabs, to conduct further investigation.
Instead of relying on common delivery methods like phishing emails, SMS (smishing), social media posts and blog comment spam, the scheme, dubbed FreeDrain by the investigators, leveraged SEO manipulation, free-tier web services and layered redirection techniques to target cryptocurrency wallets.
The operation, likely conducted by a team based in India (or possibly Sri Lanka), has been ongoing since at least 2022.
Validin and SentinelLabs published their findings at PIVOTcon 2025, a threat intelligence conference held in Malaga from May 7 to 9.
Uncovering A Large-Scale Crypto Phishing Network
In April 2024, Validin published a report documenting a series of crypto-draining phishing pages.
This report caught the attention of an individual who contacted Validin, claiming to have lost 8 Bitcoins, worth around $500,000 at the time.
“The victim had unknowingly submitted their wallet seed phrase to a phishing site while attempting to check their wallet balance, after clicking on a highly-ranked search engine result,” the SentinelLabs and Validin researchers explained in a joint May 8 report.
A seed phrase, also known as a recovery phrase or mnemonic seed, is a list of words used to restore a cryptocurrency wallet and access the associated funds.
It was confirmed by trusted cryptocurrency tracking analysts that the destination wallet used to receive the victim's funds was a one-time-use address.
They stated that the stolen assets were quickly moved through a cryptocurrency mixer, an obfuscation method that fragments and launders funds across multiple transactions, making attribution and recovery nearly impossible.
The researchers reported that although they were unable to assist in recovering the lost assets, the outreach effort revealed that the phishing attack was part of a broader, large-scale operation.
SEO Manipulation Techniques
Upon further investigation, the SentinelLabs and Validin researchers identified 38,048 distinct FreeDrain subdomains hosting lure pages. These subdomains are hosted on cloud infrastructure, such as Amazon S3 and Microsoft Azure Web Apps, which mimic legitimate cryptocurrency wallet interfaces.
To make the network of phishing websites more appealing to victims, hackers employed a combination of SEO manipulation techniques, free-tier web hosting services (e.g., GitHub.io, WordPress.com, GoDaddySites, Gitbook), typosquatting techniques, familiar visual elements, and layered redirection techniques to deceive victims into a false sense of legitimacy.
No tags.
