Water Labbu attacker robs scammers of their loot

Threat actor Water Labbu abuses scam pages to rob swindlers of the opportunity to con unsuspecting victims.

Proving the old saying ‘no honor among thieves,’ threat actors dubbed Water Labbu devised malware to outmaneuver scammers trying to cash in on victims they were working on for long periods of time.

According to cybersecurity firm Trend Micro researchers, threat actors breach websites of scammers that pose as a decentralized application (DApp) and inject malicious code of their own.

The original scammers usually set up a website posing as a legitimate DApp service. Later they employ social engineering tactics to convince victims to part with their cryptocurrency, promising juicy profit. The FBI claims that the process often takes weeks as scammers avoid spooking their targets by rushing.

Meanwhile, Water Labbu lurks in the shadows, observing how the scammer dances around its victim. Once Water Labbu notices a high-value victim, threat actors inject JavaScript payload into a scam website connected to the high-value victim.

“The request is disguised to look like it was being sent from a compromised website and asks for permission to transfer a nearly-unlimited amount of USD Tether from the target’s wallet,” reads Trend Micro’s report.

From the victims’ perspective, the request comes from a fake DApp they already trust. However, once Water Labbu drains the victim’s account, owners of the scam DApp are left empty-handed. Unfortunately, victims suffer financial loss no matter which scammer ends up robbing them.

The somewhat parasitic tactics have caught on as Trend Micro discovered 45 fraudulent crypto-related DApp websites that Water Labbu has compromised. An analysis of nine victims showed that the ‘scam the scammers’ affairs netter threat actors over 315k in USDT, a stablecoin pegged to the US dollar with a value of 1:1.