Crypto investor loses $0.5M to scammers, helps uncover industrial-scale crypto theft scheme


A massive “industrial-scale cryptocurrency phishing operation” has been uncovered involving tens of thousands of lure pages, SEO manipulation, abuse of legitimate services, and victims with massive losses.

It came to light after one individual, a crypto investor, sent a plea for help after losing approximately eight bitcoin (BTC), or around $500,000 at the time. The victim wanted to log in to Trezor Suite to check the account, but instead of going to the website directly, they ended up on a phishing website, likely suggested by a search engine.

Unfortunately, the victim typed in the wallet's seed words, and the cybercriminals immediately made two transactions to a one-time-use address. They then quickly moved the assets to a cryptocurrency mixer to launder the funds, which makes attribution and recovery of the crypto nearly impossible.


This theft signaled to researchers that the event was not isolated. The lure page used in the scam was hosted on azurewebsites[.]net, a legitimate Microsoft-owned domain used by Azure App Service. The scam had many other similarities to a previously documented series of crypto-draining phishing pages.

Researchers from SentinelLABS and Validin called the new cybercrime network FreeDrain. When they set out to uncover the infrastructure, the researchers were surprised by the scale of the operation.

Top-ranked search engine results lead victims to a trap

When users enter an incomplete website URL into the browser’s address bar, they often end up on a search engine, such as Google, Bing, or DuckDuckGo. Hackers know that and use many tricks to appear at the top of the search results.

“Curious whether we could reproduce the victim’s experience, we conducted a series of keyword searches ourselves. The results were startling. Search terms like ‘Trezor wallet balance’ returned multiple malicious results across Google, Bing, and DuckDuckGo, often within the first few result pages,” reads the report by SentinelLABS, a cybersecurity laboratory.

Malicious results were found on all three search engines, and the phishing sites “were not obscure or poorly maintained,” but professionally crafted websites hosted on legitimate, trusted platforms. Hackers used subdomains of gitbook.io, webflow.io, github.io, and others.

SentinelLABS and Validin researchers uncovered over 38,000 distinct subdomains hosting FreeDrain lure pages.

The attack chain is simple yet dangerous, as the entire flow is frictionless, lulling victims into a false sense of legitimacy.


One click on a top-ranking result after searching for wallet-related queries leads to a landing page with a large clickable image, which is a static screenshot of the legitimate wallet interface the user was looking for.

Another click will present a near-perfect clone of the real wallet service on a malicious website, prompting a user to input the seed phrase.

The scam heavily relies on artificial intelligence (AI) for text generation and automation.

The researchers noted that the 38,000 identified subdomains are the result of aggressive filtering. During four months of collection, they amassed a total of 200,000 unique URLs leading users to phishing pages.

“Identifying FreeDrain lure pages at scale proved difficult due to extreme variation in phrasing, metadata, and platform-specific formatting. For example, we identified 46 unique renderings of the word ‘Trezor’, all visually similar, using tricks like added Unicode characters, zero-width spaces, and mixed script alphabets,” SentinelLABS said.
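The Unicode tricks described above defeat naive exact-match filters on page titles and metadata. The following is an added defender-side example, not code from the SentinelLABS report, showing how a detection pipeline can collapse zero-width characters, compatibility forms, accents and look-alike letters before matching a brand name; the confusables table is a small constructed illustration, not the full Unicode confusables list.

```python
import unicodedata

# Zero-width and invisible code points commonly inserted to break exact-match filters.
ZERO_WIDTH = {"\u200b", "\u200c", "\u200d", "\u2060", "\ufeff", "\u00ad"}

# Constructed, deliberately small confusables table: Cyrillic/Greek letters that
# render like Latin ones. A production filter would use the full Unicode list.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0442": "t", "\u0443": "y", "\u0445": "x", "\u0422": "t", "\u0415": "e",
    "\u041e": "o", "\u03bf": "o", "\u03c4": "t", "\u0455": "s", "\u0456": "i",
}


def normalize(text: str) -> str:
    """Collapse visual obfuscation tricks into plain lowercase text."""
    text = "".join(ch for ch in text if ch not in ZERO_WIDTH)
    text = unicodedata.normalize("NFKC", text)   # fullwidth / ligature forms -> base letters
    text = unicodedata.normalize("NFD", text)    # split accented letters into base + mark
    text = "".join(ch for ch in text if unicodedata.category(ch) != "Mn")  # drop marks
    text = "".join(CONFUSABLES.get(ch, ch) for ch in text)  # map look-alike scripts
    return text.casefold()


def classify(text: str, brand: str = "trezor") -> str:
    """'literal' if the brand is present verbatim, 'obfuscated' if it only
    appears after normalization (a strong phishing-lure signal), else 'none'."""
    if brand in text.casefold():
        return "literal"
    if brand in normalize(text):
        return "obfuscated"
    return "none"


if __name__ == "__main__":
    # Constructed sample page titles, not real FreeDrain pages.
    samples = [
        "Trezor Wallet Balance - check your funds",
        "Tre\u200bzor wallet balance",                # zero-width space inserted
        "\u0422rez\u043er Suite login",                # Cyrillic T and o
        "\uff34\uff52\uff45\uff5a\uff4f\uff52 suite",  # fullwidth letters
        "Tr\u00e9zor suite",                          # accented e
        "Ledger Live download",
    ]
    for title in samples:
        print(f"{classify(title):10s} {title!r}")
```

Titles that score as "obfuscated" are the ones worth routing to a takedown queue, since a legitimate vendor page has no reason to spell its own name with zero-width or mixed-script characters.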

However, the redirection infrastructure remained consistent across pages and across the platforms hosting them. Nearly all redirect pages used .com top-level domains, their names appeared algorithmically generated, and they had an English-adjacent structure (visually familiar but never forming real English words).

The redirect domains appear to belong to a much larger network of thousands of domain names that route traffic for various purposes. It’s unclear if FreeDrain buys access to the network or is a subdivision of an even broader cybercrime operation.

The final phishing websites collecting user data are often hosted on cloud infrastructure, primarily Amazon S3 and Azure. These sites mimic Trezor, MetaMask, Ledger, and other legitimate cryptocurrency wallet interfaces.

[Image: fraudulent Trezor website. Image by SentinelLABS.]

FreeDrain spams comments on websites to boost SEO


Even when they consist of just a single image followed by a few lines of text, FreeDrain lure pages appear among the top results on major search engines. Their content alone doesn’t explain their ranking.

“We identified several indexed URLs pointing back to high-ranking lure pages, and traced them to massive comment spam campaigns,” the researchers say.

The threat actor abuses an old tactic known as spamdexing, posting thousands of comments on websites with open or weakly moderated comment sections.

Who’s behind this?

The researchers couldn’t attribute the FreeDrain operation to any particular threat actor. However, they were able to extract some meaningful insights.

Hundreds of GitHub repositories, commits, usernames, and email addresses revealed that the hackers were scrupulous about operational security. Each email address was unique, tied 1:1 to a single GitHub account, and never reused. All emails came from legitimate providers such as Gmail, Hotmail, Outlook, and ProtonMail.


The scam appears to be operated from India: 99% of GitHub commits were timestamped in Indian Standard Time (UTC+05:30), indicating the operators’ geographic location.

“A clear 9-to-5 weekday work pattern emerged, complete with a consistent midday break,” the researchers noted.

FreeDrain has been active since at least 2022, with a notable surge in activity last year.


Fighting this scam is challenging. Many of the free-tier platforms used by the threat actor lack both a direct method for reporting malicious content and their own abuse-detection capabilities.

The report includes over 40,000 URLs and other indicators of compromise.