Posing as journalists, Pink Drainer pilfers $3.3M in crypto

Miscreants targeting Discord and Twitter accounts have stolen more than $3.3 million in cryptocurrency from 2,300 victims so far in an ongoing campaign that started in April and saw the highest spike in activity earlier this month.

According to Web 3.0 anti-fraud outfit ScamSniffer, miscreants with the Pink Drainer crew posing as journalists from well-known crypto news sources, including Decrypt and Cointelegraph contacted victims and interviewed some of them. The process took one to three days and eventually led to a know-your-customer (KYC) authentication process and then to the compromise.

Recent Pink Drainer targets include OpenAI CTO Mira Murati, cross-chain application company Evmos, Orbiter Finance (decentralized cross-rollup bridge), and Pika Protocol (perpetual swap exchange).

"Hackers send phishing links through Discord accounts they've gained access to," researchers with ScamSniffer wrote in a report. "Many users have opened malicious websites in error and signed malicious signatures, resulting in the loss of their assets."

They noted that in recent months there were a growing number of scattered reports about "hacked events" at social media sites Discord and Twitter. Through an analysis of blockchains like Mainnet, Arbitrum, BNB, Polygon, and Optimism, Scam Sniffer found that almost all of the Discord attacks in the past month were linked to the same threat group.

"By analyzing the malicious websites created by Pink Drainer in the past month, we found that many Discord hacks are related to them," the researchers wrote.

All things crypto continue to be of high interest to threat groups. According to blockchain analyst firm Chainalysis, $3.8 billion in crypto was stolen in 2022, a jump from the $3.3 billion taken the year before.

• North Korea's Lazarus Group linked to Atomic Wallet heist
• Google puts $1M behind its promise to detect cryptomining malware
• Cry-pto: Feds bury Bitcoin exchange giant Binance in 13-count fraud lawsuit
• Crypto catastrophe strikes some Atomic Wallet users, over $35M thought stolen

Discord has become a popular target. In May, a third-party service provider's system was compromised and data exposed in the breach included user email addresses, customer service messages, and attachments.

In the case of Pink Drainer, the miscreants rely on the ongoing standard of many cybercrimes: social engineering. They impersonate journalists, interview targets, and move to the KYC process, which can include embedding phishing techniques related to Discord.

In some cases, Discord administrators were told to open what turned out to be a malicious Carl verification – a Carl-bot is a legitimate tool used by Discord members – and to add bookmarks that included malicious code. A "Drag Me" button on the page contained malicious JavaScript code that steals the user's Discord authentication tokens.

With the token in hand, the threat group can access the account without needing to steal user credentials, such as passwords, or worrying about multi-factor authentication (MFA) policies.

After getting the permissions, the miscreants then move to establish persistence in the attacks, including removing other account administrators and making themselves the administrator, enabling them to continue stealing data.

"Those steps will make it hard to delete these phishing messages from Discord Server," the researchers wrote.

ScamSniffer caught onto Pink Drainer when its on-chain monitoring bots deetected that someone lost almost $320,000 in stolen non-fungible tokens (NFTs). The company was able to link that attack to other victims of Pink Drainer.

"The address that transferred the victim's assets was resolved pink-drainer.eth a few hours later, which is why we called [the group] Pink Drainer," they wrote. ®