Web3 security firm Blockaid recently reported another significant security breach that Angel Drainer carried out. The notorious phishing group is said to have drained 128 crypto wallets of their funds.
How These Wallets Were Drained
Blockaid revealed in an X (formerly Twitter) post that Angel Drainer phished users and led them to a single Safe (formerly Gnosis Safe) Vault contract, where the group then managed to drain these wallets of over $403,000. The incident, which began at 6:41 am on February 12th, is said to have begun with the phishing group deploying a Safe Vault contact to lure these users.
Oblivious to the scam being perpetrated, these users signed a “Permit2 with this Safe Vault as the operator.” This Permit2 exploit allows these hackers unlimited approval to move these funds across different smart contracts. Meanwhile, Blockaid noted that this wasn’t an attack on Safe, and its users are not “broadly impacted.”
Angel Drainer is said to have used the Safe Vault contract because “Etherscan automatically adds a verification flag verification flag to Safe contacts.” The drawback is that this verification tool “can provide a false sense of security as it’s unrelated to validating whether or not the contract is malicious.”
Blockaid added that they had already notified the Safe team and were working with their customers and partners to limit the attack’s impact. Safe has, however, not issued any statement regarding this incident.
The Infamous Angel Drainer Group
Blockaid had recently highlighted how the Angel Drainer Group had celebrated one year in operation. During that period, the phishing group is said to have drained over $25 million from nearly 35,000 wallets. Interestingly, they were behind the Ledger supply chain attack, which led to over $480,000 being drained from different wallets.
More recently, the group carried out a ‘Restake Farming attack.’ Blockaid revealed in an X post how Angel Drainer had introduced a new attack vector that executes a “novel form of approval farming attack through the ‘queueWithdrawal’ mechanism.”
Specifically, the phishing group was said to have introduced this novel form of approval farming through the queueWithdrawal mechanism on the EigenLayer protocol. A user signing this ‘queueWithdrawal’ transaction allows the attacker to withdraw the wallet’s staking rewards from the protocol to any address they choose.
Security breaches in the crypto space continue to be one of the deterrents from crypto adoptions.
Chart from Tradingview
