A trader lost $1.28 million worth of cryptocurrency after signing a malicious consent transaction.
According to blockchain security firm PeckShieldAlert, on October 14, a cryptocurrency investor lost 108 billion PEPE, 73.8 million APU, and 165,000 MSTR tokens after being tricked into signing a phishing consent signature transaction.
This is called a confirmation phishing attack, which transfers control of the victim’s wallet to the attacker, allowing the fraudsters to drain stored assets.
In this case, the victim’s wallet, identified as “0xb0b..40c7”, lost approximately $1.2 million worth of cryptocurrency in six transactions within minutes; The stolen assets were distributed to multiple addresses controlled by the attackers.
One of the addresses, labeled “Fake_Phishing442846,” was involved in a separate attack two weeks ago, with the affected wallet losing $32 million worth of spWETH tokens after signing a similar malicious transaction.
At the time, blockchain intelligence firm Arkham reported that the attack was carried out using multi-chain cryptocurrency fraud service provider Inferno Drainer. Therefore, it is likely that the bad actors behind the recent attack also used the fraud toolkit.
For those unaware, Inferno Drainer is a subscription-based phishing tool-as-a-service that allows criminals to create malicious websites and applications to trick users into taking control of their wallets. Developers charge scammers 30% to create phishing websites and 20% for each successful attack.
To date, Inferno Drainer has managed to steal $237,775,036 from over 200,000 victims, per Dune analysis data, by targeting many crypto-related projects. On November 26, 2023, the developers announced that they planned to discontinue the service indefinitely. However, the toolset resurfaced in May 2024 due to renewed demand from its “customers”.
**BREAKING**
🚩Inferno Drainer is BACK🚩🙃
This is not good news if you are somehow unaware…
(yes, I know they never turn off completely, so I know most of you won’t be surprised by this at all) pic.twitter.com/zbWCkXquTd
— Erik (@Plumferno) May 20, 2024
Phishing attacks have become a growing threat in the cryptocurrency space; One of the main reasons behind victims’ losses is confirmation phishing attacks. These attacks have spent over $2.7 billion since 2021, according to Chainalytics’ report in August.
Last week, a wallet reportedly tied to a venture capital fund reportedly lost $35 million worth of fwDETH tokens after signing a suspicious permission signature.
In its Q3 report, blockchain security company CertiK labeled phishing as the most damaging attack vector of the quarter, with losses of $343.1 million across 65 incidents.