Infamous NFT Hacker ‘Monkey Drainer’ Steals $200K Worth of Digital Assets

SlowMist security team analyses Monkey Drainer NFT Phishing group

The SlowMist security team has linked the popular phishing group Monkey Drainer to multiple security breaches. The team thoroughly examined some of the group’s phishing materials and wallet addresses.

Investigation of security threats and findings on the Monkey Drainer

The SlowMist security team received a report about multiple security breaches from their partner ScamSniffer on February 8th. Traders are losing funds to these phishing attacks.

The team’s first disclosure, on December 24th, 2022, covered an investigation into a large-scale North Korean APT phishing attack on NFT users. That attack was linked to Monkey Drainer, which drew the security team’s scrutiny and is now under investigation. However, the team has chosen to withhold some investigation details due to privacy and confidentiality concerns.

After their investigation, the team found that the basic tactic was to set up fake NFT-related websites and promote them through fake celebrity Twitter accounts and Discord groups. The group sold the fake NFTs on marketplaces such as OpenSea, Rarible, and X2Y2. The Monkey Drainer hackers used almost 2,000 domains to attack crypto and NFT users.

Investigating the domains further, the team found that the earliest registration date was four months ago. They also discovered that the Monkey Drainer group initially spread its phishing campaigns through fake Twitter advertising. The group’s technique is simple and plainly malicious: phishing pages, deployed at scale.

Researchers have uncovered over 2,000 phishing websites and domains with similar features since 2022, and used the ZoomEye search engine to determine the current state of many of them. A recent example is a counterfeit Arbitrum airdrop.

Unlike the North Korean hacking group, Monkey Drainer cannot track victims’ records from a specific website. It therefore relies on a more brutal but direct method: straightforward phishing and mass deployment. SlowMist assumes that Monkey Drainer uses phishing templates to automate batch deployments.

On closer inspection, the team found that the group relies on a pre-existing gray market for its infrastructure, using ready-made phishing templates that are openly advertised for sale.

Analysis of the Phishing attacks and conclusions drawn

In addition to its previously released report on ‘how scammers are paying nothing for your NFTs,’ SlowMist has analyzed the core code used in this phishing campaign. The core code is obfuscated and manipulates victims into signing a variety of messages.

Off-chain authorization signatures supported by USDC and other tokens underpin the core phishing mechanism: a victim’s signature alone, with no on-chain transaction, is enough to authorize a transfer. Through this analysis the team linked 1,708 malicious addresses to the Monkey Drainer group, 87 of which were the actual phishing addresses. The addresses were then added to the MistTrack platform and the SlowMist AML malicious address database.
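Both mechanisms the article refers to, the zero-price NFT listing from the ‘paying nothing for your NFTs’ report and the off-chain token authorization, arrive at the victim as an EIP-712 signing request. The checker below is an added example from a wallet's or browser extension's point of view, not code from SlowMist or from the drainer kit: it inspects the typed data before the user signs and returns risk flags. The ERC-20 "Permit" shape follows EIP-2612 (which USDC implements); the "OrderComponents" shape follows Seaport's order struct, with its ItemType numbering as assumed in the comments. The spender allowlist and the two sample requests are constructed.

```javascript
// Added example (not SlowMist's or the drainer's code): triage an EIP-712
// signing request and explain what the signature would authorize.
const MAX_UINT256 = (1n << 256n) - 1n;
const THIRTY_DAYS = 30 * 24 * 3600;

// Seaport ItemType enum as assumed here: 0 NATIVE, 1 ERC20, 2 ERC721,
// 3 ERC1155, 4/5 the "with criteria" variants of ERC721/ERC1155.
const NFT_ITEM_TYPES = new Set([2, 3, 4, 5]);

// Spenders the user has knowingly approved before (constructed placeholder).
const TRUSTED_SPENDERS = new Set(["0x1111111111111111111111111111111111111111"]);

// EIP-2612 Permit: an off-chain ERC-20 approval. The dangerous combination is
// an unknown spender, an unlimited allowance and a deadline far in the future.
function assessPermit(message, nowSeconds, trusted) {
  const flags = [];
  const spender = String(message.spender ?? "").toLowerCase();
  const value = BigInt(message.value ?? 0);
  const deadline = Number(message.deadline ?? 0);
  if (!trusted.has(spender)) flags.push("permit-unknown-spender");
  if (value === MAX_UINT256) flags.push("permit-unlimited-value");
  if (deadline > nowSeconds + THIRTY_DAYS) flags.push("permit-long-deadline");
  return flags;
}

// Seaport listing: the signer gives away the "offer" items and receives only
// the "consideration" items whose recipient is the signer. NFTs offered with
// nothing coming back is the "pay nothing for your NFTs" pattern.
function assessSeaportOrder(message) {
  const flags = [];
  const offer = message.offer ?? [];
  const consideration = message.consideration ?? [];
  const offerer = String(message.offerer ?? "").toLowerCase();
  const offersNft = offer.some((it) => NFT_ITEM_TYPES.has(Number(it.itemType)));
  const received = consideration
    .filter((it) => String(it.recipient ?? "").toLowerCase() === offerer)
    .reduce((sum, it) => sum + BigInt(it.startAmount ?? 0), 0n);
  if (offersNft && received === 0n) flags.push("order-gives-nft-for-nothing");
  if (offer.length > 1) flags.push("order-bundles-multiple-items");
  return flags;
}

function assessTypedDataRequest(typedData, nowSeconds, trusted = TRUSTED_SPENDERS) {
  const { domain = {}, primaryType, message = {} } = typedData;
  let flags = [];
  switch (primaryType) {
    case "Permit":
      flags = assessPermit(message, nowSeconds, trusted);
      break;
    case "OrderComponents":
      flags = assessSeaportOrder(message);
      break;
    default:
      flags.push(`unrecognized-primary-type:${primaryType}`);
  }
  // Without a verifyingContract the wallet cannot tell which contract will
  // honour the signature, so the request deserves a warning on its own.
  if (!domain.verifyingContract) flags.push("domain-missing-verifying-contract");
  return { primaryType, flags, risk: flags.length === 0 ? "low" : "high" };
}

// Constructed sample 1: USDC-style Permit granting an unknown address an
// unlimited allowance with a deadline in the year 2100.
const SAMPLE_PERMIT = {
  domain: { name: "USD Coin", version: "2", chainId: 1, verifyingContract: "0x" + "ab".repeat(20) },
  primaryType: "Permit",
  message: {
    owner: "0x" + "22".repeat(20),
    spender: "0x" + "cd".repeat(20),
    value: MAX_UINT256.toString(),
    nonce: 0,
    deadline: 4102444800,
  },
};

// Constructed sample 2: Seaport order offering one ERC721 with no consideration.
const SAMPLE_ORDER = {
  domain: { name: "Seaport", version: "1.1", chainId: 1, verifyingContract: "0x" + "ef".repeat(20) },
  primaryType: "OrderComponents",
  message: {
    offerer: "0x" + "22".repeat(20),
    offer: [{ itemType: 2, token: "0x" + "33".repeat(20), identifierOrCriteria: "4242", startAmount: "1", endAmount: "1" }],
    consideration: [],
  },
};

const NOW = 1700000000; // constructed "current time" for the demo
console.log(assessTypedDataRequest(SAMPLE_PERMIT, NOW));
console.log(assessTypedDataRequest(SAMPLE_ORDER, NOW));
```

A real wallet would build `TRUSTED_SPENDERS` from the user's approval history and compare `domain.verifyingContract` against known token and marketplace contracts; the point of the example is that every field a drainer needs (spender, value, deadline, offer, consideration) is visible in the typed data before anything is signed, so the warning can be given at the only moment that matters.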

The investigation concluded that the earliest on-chain activity of these addresses dates to August 9th, 2022, and that they are still active. The phishing campaign generated about $12.792M in profits. 7,059 NFTs were phished successfully, yielding 4,695.91 ETH ($7.61M) in profit and accounting for 58.66% of the funds stolen.
