Cybersecurity experts have unveiled an extensive global cryptocurrency phishing operation named FreeDrain, which has been rapidly stealing digital assets from cryptocurrency wallets for years.
This campaign was identified by renowned threat intelligence firms, including SentinelOne and Validin.
“FreeDrain leverages SEO manipulation, free web services (like gitbook.io, webflow.io, and github.io), and advanced redirection techniques to target cryptocurrency wallets,” stated security researchers Kenneth Kinion, Sreekar Madabushi, and Tom Hegel in their technical report shared with The Hacker News.
“Victims searching for wallet-related keywords end up clicking on high-ranking malicious links, leading them to lure pages which redirect to phishing sites designed to steal their seed phrases.”
The magnitude of the FreeDrain campaign is underscored by the detection of over 38,000 distinct sub-domains hosting these lure pages. The pages often mimic real cryptocurrency wallet interfaces and are served from robust cloud platforms such as Amazon S3 and Azure Web Apps.
Investigations indicate a high probability that the actors behind this operation are based in the Indian Standard Time (IST) zone, working during traditional weekday hours, as evidenced by patterns in their GitHub commits related to the lure pages.
The phishing attacks mainly target individuals searching for wallet-related phrases such as “Trezor wallet balance” across leading search engines like Google, Bing, and DuckDuckGo, redirecting them to counterfeit landing pages hosted on platforms like gitbook.io, webflow.io, and github.io.
Users who arrive on these lure pages are confronted with a static image of the legitimate wallet interface. Clicking on it can lead to one of three outcomes:
- Redirecting the user to legitimate websites
- Passing the user through intermediary sites
- Directing the user to phishing pages that ask for their seed phrase, which can empty their wallets
“The entire flow is designed to be seamless, combining SEO strategies, recognizable visual cues, and platform reliability to deceive victims into a sense of security,” the researchers noted. “Once a seed phrase is entered, the automated system swiftly drains the funds within minutes.”
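The click-through flow described above (search result, lure page on a free-tier host, optional intermediary hops, then either a legitimate site or a seed-phrase form) is something a defender can triage automatically once a URL sandbox has captured the redirect chain. The following is an added example, not code from the SentinelOne/Validin report: it labels a captured chain with the three outcomes the researchers list. The free-tier host suffixes come from the article; the allow list of genuine wallet domains, the seed-phrase form heuristics, and the sample chains are constructed for illustration (`trezor.io` is the vendor's real domain, the `.invalid` names are placeholders).

```python
"""Classify a captured click-through chain from a crypto-wallet search result.

Added example (not from the SentinelOne/Validin report). Input is a redirect
chain that has already been recorded by a URL sandbox plus the HTML of the
final page; output is one of the outcomes the report describes.
"""
import re
from urllib.parse import urlparse

# Free-tier platforms named in the report as carriers of FreeDrain lure pages.
FREE_TIER_SUFFIXES = ("gitbook.io", "webflow.io", "github.io")

# Assumption: an analyst-maintained allow list of genuine wallet vendor domains.
# trezor.io is the vendor's real domain; the .invalid entry is a placeholder.
LEGITIMATE_DOMAINS = {"trezor.io", "example-wallet.invalid"}

# Wording a seed-phrase harvesting form typically shows the victim (heuristic).
SEED_PHRASE_RE = re.compile(r"(seed|recovery|secret)\s+(phrase|words)|mnemonic", re.I)
# A grid of inputs named word1..wordN is the classic 12- or 24-word entry form.
WORD_INPUT_RE = re.compile(r"<input[^>]*name=[\"']?word\d+", re.I)


def host_of(url):
    """Hostname of a URL, or '' if it cannot be parsed."""
    return (urlparse(url).hostname or "").lower()


def is_free_tier(host):
    """True if host is on one of the free-tier platforms named in the report."""
    return any(host == s or host.endswith("." + s) for s in FREE_TIER_SUFFIXES)


def is_legitimate(host):
    """True if host is (a subdomain of) an allow-listed wallet vendor domain."""
    return any(host == d or host.endswith("." + d) for d in LEGITIMATE_DOMAINS)


def asks_for_seed_phrase(html):
    """Heuristic: seed-phrase wording, or a 12/24-field word grid, in the page."""
    word_inputs = len(WORD_INPUT_RE.findall(html))
    return bool(SEED_PHRASE_RE.search(html)) or word_inputs in (12, 24)


def classify_chain(hops, final_html):
    """Return (verdict, details) for an ordered list of visited URLs.

    verdict is 'phishing' (final page asks for a seed phrase off-vendor),
    'legitimate-redirect' (chain ends on an allow-listed vendor domain), or
    'intermediary' (chain ends elsewhere without a seed-phrase form).
    """
    first_host, last_host = host_of(hops[0]), host_of(hops[-1])
    details = {
        "lure_on_free_tier": is_free_tier(first_host),
        "intermediaries": [host_of(u) for u in hops[1:-1]],
        "final_host": last_host,
    }
    if is_legitimate(last_host):
        verdict = "legitimate-redirect"
    elif asks_for_seed_phrase(final_html):
        verdict = "phishing"
    else:
        verdict = "intermediary"
    return verdict, details


# Constructed sample chains, one per outcome the report describes.
SAMPLE_CHAINS = [
    (["https://wallet-balance-help.gitbook.io/guide", "https://trezor.io/"],
     "<html><body>Trezor Suite</body></html>"),
    (["https://trezor-wallet-balance.webflow.io/",
      "https://go.example-intermediary.invalid/r",
      "https://trezor-restore.example-phish.invalid/"],
     "<form>" + "".join(f'<input name="word{i}">' for i in range(1, 13)) + "</form>"),
    (["https://guide-pages.github.io/balance", "https://ads.example-intermediary.invalid/"],
     "<html><body>Loading...</body></html>"),
]

if __name__ == "__main__":
    for hops, html in SAMPLE_CHAINS:
        print(classify_chain(hops, html))
```

The verdict is driven by the final page, while `details` records whether the entry point sat on a free-tier host and which intermediary domains were crossed; both are the indicators the report says distinguish this campaign, and they are the fields worth feeding into a blocklist or takedown request.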
It is suspected that the text used in these decoy pages is generated via large language models like OpenAI’s GPT-4o, showcasing how threat actors exploit generative AI (GenAI) tools to produce content at scale.
FreeDrain has also been found to flood poorly maintained websites with numerous spammy comments to improve the visibility of their lure pages via search engine indexing, a tactic known as spamdexing, commonly used to manipulate SEO.
Notably, Netskope Threat Labs has documented certain aspects of this campaign since August 2022, with recent reports from October 2024 pinpointing the use of Webflow to create phishing sites that mimic exchanges like Coinbase, MetaMask, Phantom, Trezor, and Bitbuy.
Researchers warn that “FreeDrain’s dependence on free-tier platforms isn’t unique; without improved security measures, these services will continue to be exploited extensively.”
“This network exemplifies a modern framework for scalable phishing operations, thriving on free-tier platforms, evading conventional abuse detection, and swiftly adapting to infrastructure shutdowns. By exploiting various legitimate services to host content, distribute lure pages, and misdirect victims, FreeDrain has established a resilient ecosystem that’s tough to dismantle and easy to recreate.”
This revelation coincides with Check Point Research’s findings of an advanced phishing campaign exploiting Discord to target cryptocurrency users, deploying a Drainer-as-a-Service (DaaS) tool called Inferno Drainer.
The attacks lure victims into joining compromised Discord servers using expired vanity invite links, while also utilizing the Discord OAuth2 authentication flow to bypass automated detection of their malicious websites.
Figure: Breakdown of total domains into suspected and confirmed URLs by quantity.
Between September 2024 and March 2025, more than 30,000 unique wallets are estimated to have fallen victim to Inferno Drainer, resulting in losses exceeding $9 million.
Although Inferno Drainer claimed to cease operations in November 2023, recent findings indicate that the crypto drainer is still active, utilizing single-use smart contracts and encrypted configurations to evade detection.
“Attackers divert users from legitimate Web3 platforms to a fraudulent Collab.Land bot followed by phishing sites, tricking them into signing malicious transactions,” the company reported. “The drainer script on these sites was directly linked to Inferno Drainer.”
Inferno Drainer employs sophisticated anti-detection strategies, including single-use and short-lived smart contracts, encrypted configurations, and proxy communication, to effectively evade wallet security measures and anti-phishing blacklists.
This discovery aligns with the recent identification of a malvertising campaign that exploits Facebook ads impersonating trusted cryptocurrency exchanges and trading platforms like Binance, Bybit, and TradingView, directing users to dubious websites that encourage downloading a desktop client.
Bitdefender highlighted that “query parameters related to Facebook Ads are used to identify legitimate victims, while automated analysis environments receive innocuous content.” Thus, if a site detects suspicious conditions, it displays harmless content instead.
The installer, once activated, presents the login page of the impersonated entity through msedge_proxy.exe to maintain the façade, while additional payloads silently operate in the background to collect system information or execute a sleep command for extensive periods if the extracted data suggests a sandbox environment.
According to Bitdefender, hundreds of Facebook accounts have promoted these malware-dispensing pages, primarily targeting men over 18 in Bulgaria and Slovakia.
“This campaign exemplifies a hybrid strategy, integrating front-end deception with a localhost-based malware service,” it noted. “By dynamically adapting to the victim’s environment and consistently updating payloads, these threat actors uphold a resilient, highly evasive operation.”