Cybersecurity researchers have exposed what they say is an “industrial-scale, global cryptocurrency phishing operation” engineered to steal digital assets from cryptocurrency wallets for several years.
The campaign has been codenamed FreeDrain by threat intelligence firms SentinelOne and Validin.
“FreeDrain uses SEO manipulation, free-tier web services (like gitbook.io, webflow.io, and github.io), and layered redirection techniques to target cryptocurrency wallets,” security researchers Kenneth Kinion, Sreekar Madabushi, and Tom Hegel said in a technical report shared with The Hacker News.
“Victims search for wallet-related queries, click on high-ranking malicious results, land on lure pages, and are redirected to phishing pages that steal their seed phrases.”
The scale of the campaign is reflected in the fact that over 38,000 distinct FreeDrain sub-domains hosting lure pages have been identified. These pages are hosted on cloud infrastructure like Amazon S3 and Azure Web Apps, and mimic legitimate cryptocurrency wallet interfaces.
The activity has been attributed with high confidence to individuals based in the Indian Standard Time (IST) time zone, working standard weekday hours, citing patterns of GitHub commits associated with the lure pages.
The attacks have been found to target users searching for wallet-related queries like “Trezor wallet balance” on search engines like Google, Bing, and DuckDuckGo, redirecting them to bogus landing pages hosted on gitbook.io, webflow.io, and github.io.
Unsuspecting users who land on these pages are served a static screenshot of the legitimate wallet interface; clicking it triggers one of three behaviors:
- Redirect the user to legitimate websites
- Redirect the user to other intermediary sites
- Direct the user to a lookalike phishing page that prompts them to enter their seed phrase, effectively draining their wallets
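The lure-to-phishing chain described above is a pattern defenders can hunt for in proxy or URL-telemetry logs. The following triage heuristic is an added example, not code from the SentinelOne/Validin report: it flags redirect chains that start on one of the free-tier platforms named in the article and land on a wallet-branded page hosted on different cloud infrastructure. The cloud DNS suffixes and the sample chains are assumptions constructed for the example.

```python
from urllib.parse import urlparse

# Free-tier platforms the report names as lure-page hosts.
LURE_PLATFORMS = ("gitbook.io", "webflow.io", "github.io")
# Cloud hosting the report says serves the final phishing pages (Amazon S3,
# Azure Web Apps); these DNS suffixes are an assumption, not from the report.
LANDING_CLOUD = ("amazonaws.com", "azurewebsites.net")
# Wallet brands the article lists as impersonated.
WALLET_BRANDS = ("trezor", "metamask", "coinbase", "phantom", "bitbuy")


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def under(host, suffixes):
    """True when host equals one of the suffixes or is a subdomain of it."""
    return any(host == s or host.endswith("." + s) for s in suffixes)


def triage_chain(chain):
    """Score an ordered redirect chain (list of URLs, first hop = lure).

    Returns (verdict, reasons). 'suspicious' requires both a free-tier lure
    origin and a wallet-branded landing page on cloud hosting, which is the
    FreeDrain pattern; a chain that stays on one platform (ordinary docs
    hosted on gitbook.io, for instance) stays 'unremarkable'.
    """
    reasons = []
    if len(chain) < 2:
        return "unremarkable", reasons
    first, last = host_of(chain[0]), host_of(chain[-1])
    lure_origin = under(first, LURE_PLATFORMS)
    branded_landing = under(last, LANDING_CLOUD) and any(
        b in chain[-1].lower() for b in WALLET_BRANDS)
    if lure_origin:
        reasons.append("lure hosted on free-tier platform " + first)
    if branded_landing:
        reasons.append("wallet-branded landing page on cloud host " + last)
    hops = len(chain) - 2
    if hops:
        reasons.append(f"{hops} intermediary hop(s) before landing")
    verdict = "suspicious" if (lure_origin and branded_landing) else "unremarkable"
    return verdict, reasons


# Constructed sample chains (not real indicators): one FreeDrain-like chain
# and one benign chain that never leaves its documentation platform.
SAMPLE_CHAINS = {
    "freedrain_like": ["https://trezor-balance-help.gitbook.io/wallet/check",
                       "https://intermediary.example/go?id=1",
                       "https://wallet-login-trezor.s3.amazonaws.com/index.html"],
    "legit_docs": ["https://some-project.gitbook.io/docs",
                   "https://some-project.gitbook.io/docs/getting-started"],
}
```

Run `triage_chain` over each chain extracted from your logs; chains marked suspicious are candidates for blocking the landing host and for abuse reports to the platform hosting the lure.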
“The entire flow is frictionless by design, blending SEO manipulation, familiar visual elements, and platform trust to lull victims into a false sense of legitimacy,” the researchers said. “And once a seed phrase is submitted, the attacker’s automated infrastructure will drain funds within minutes.”
It is believed that the textual content used in these decoy pages is generated using large language models like OpenAI GPT-4o, indicative of how threat actors are abusing generative artificial intelligence (GenAI) tools to produce content at scale.
FreeDrain has also been observed resorting to flooding poorly-maintained websites with thousands of spammy comments to boost the visibility of their lure pages via search engine indexing, a technique called spamdexing that’s often used to game SEO.
It’s worth pointing out that some aspects of the campaign have been documented by Netskope Threat Labs since August 2022 and as recently as October 2024, when the threat actors were found utilizing Webflow to spin up phishing sites masquerading as Coinbase, MetaMask, Phantom, Trezor, and Bitbuy.
“FreeDrain’s reliance on free-tier platforms is not unique, and without better safeguards, these services will continue to be weaponized at scale,” the researchers noted.
“The FreeDrain network represents a modern blueprint for scalable phishing operations, one that thrives on free-tier platforms, evades traditional abuse detection methods, and adapts rapidly to infrastructure takedowns. By abusing dozens of legitimate services to host content, distribute lure pages, and route victims, FreeDrain has built a resilient ecosystem that’s difficult to disrupt and easy to rebuild.”
The disclosure comes as Check Point Research said it uncovered a sophisticated phishing campaign that abuses Discord and singles out cryptocurrency users in order to steal their funds using a Drainer-as-a-Service (DaaS) tool called Inferno Drainer.
The attacks entice victims into joining a malicious Discord server by hijacking expired vanity invite links, while also taking advantage of Discord OAuth2 authentication flow to evade automated detection of their malicious websites.
[Figure: Breakdown of total domains into suspected and confirmed URLs by quantity.]
Between September 2024 and March 2025, more than 30,000 unique wallets are estimated to have been victimized by Inferno Drainer, leading to at least $9 million in losses.
Inferno Drainer claimed to have shut down its operations in November 2023. But the latest findings reveal that the crypto drainer remains active, employing single-use smart contracts and on-chain encrypted configurations to make detection more challenging.
“Attackers redirect users from a legitimate Web3 website to a fake Collab.Land bot and then to a phishing site, tricking them into signing malicious transactions,” the company said. “The drainer script deployed on that site was directly linked to Inferno Drainer.”
“Inferno Drainer employs advanced anti-detection tactics — including single-use and short-lived smart contracts, on-chain encrypted configurations, and proxy-based communication — successfully bypassing wallet security mechanisms and anti-phishing blacklists.”
The findings also follow the discovery of a malvertising campaign that leverages Facebook ads that impersonate trusted cryptocurrency exchanges and trading platforms like Binance, Bybit, and TradingView to lead users to sketchy websites instructing them to download a desktop client.
“Query parameters related to Facebook Ads are used to detect legitimate victims, while suspicious or automated analysis environments receive benign content,” Bitdefender said in a report shared with the publication.
“If the site detects suspicious conditions (e.g., missing ad-tracking parameters or an environment typical of automated security analysis), it displays harmless, unrelated content instead.”
The installer, once launched, displays the login page of the impersonated entity through msedge_proxy.exe to keep up the ruse, while additional payloads are silently executed in the background to harvest system information, or execute a sleep command for “hundreds of hours on end” if the exfiltrated data indicates a sandboxing environment.
The Romanian cybersecurity company said hundreds of Facebook accounts have advertised these malware-delivering pages mainly targeting men over 18 years in Bulgaria and Slovakia.
“This campaign showcases a hybrid approach, merging front-end deception and a localhost-based malware service,” it added. “By dynamically adjusting to the victim’s environment and continuously updating payloads, the threat actors maintain a resilient, highly evasive operation.”