In a recent attack, the notorious phishing group Angel Drainer managed to pilfer over $400,000 from 128 crypto wallets. Employing a new tactic, the group deployed a malicious Safe Vault contract, exploiting Etherscan’s verification tool to cloak the contract’s nefarious nature. Blockchain security firm Blockaid has shed light on the incident, revealing the intricacies of the attack and its ramifications.
Angel Drainer’s deceptive tactics net $403K in crypto attack
Angel Drainer initiated their assault by deploying a malicious Safe Vault contract. This move swiftly ensnared 128 unsuspecting users who unwittingly signed a “Permit2” transaction, leading to the expropriation of $403,000 in funds.
Blockaid, in a post to X on February 13th, delineated the mechanics of the attack, highlighting the utilization of Etherscan’s verification tool to lend an aura of legitimacy to the fraudulent contract.
The sophistication of Angel Drainer’s ploy lay in its exploitation of Etherscan’s verification tool. By leveraging this feature, the group managed to provide victims with a false sense of security, masking the malicious intent behind the Safe Vault contract.
Etherscan’s automatic addition of a verification flag to legitimate contracts inadvertently facilitated the success of the phishing endeavor, amplifying the impact of the attack.
Minimal impact on the Safe user base
Blockaid emphasized that the attack was not a direct assault on Safe users. Instead, Angel Drainer opted to employ the Safe Vault contract due to Etherscan’s verification flag feature, which could deceive users into believing in the contract’s legitimacy.
Despite the sizable sum pilfered and the sophisticated nature of the attack, Safe’s user base has not been broadly affected. Blockaid has promptly notified Safe of the breach and is actively collaborating to mitigate further damage.