When will the frequently launching phishing attacks and theft-addicted hacker group PinkDrainer stop?

Since the beginning of 2024, the market has been performing well, and with the optimistic sentiment among a large number of Web3 users, there may be a relaxation of vigilance against potential hacker attacks, leading to personal asset losses. With the development of Web3 technology, the methods of scams in the crypto asset circle are also continuously upgrading, and "phishing" has become a common tactic used by hackers.

PeckShieldAlert monitoring: On March 15, a certain address suffered a phishing attack resulting in a loss of $467,000 worth of SHIB and HOGE.
So, what exactly is a phishing attack? How can hackers steal assets through phishing attacks while framing other platforms? Will allowing phishing attacks to proliferate cause significant damage to the industry? The following text provides a comprehensive interpretation for readers.

Phishing Attacks That Keep Hackers Coming Back: Easily Taking Assets While Project Teams Bear the Blame

In simple terms, "phishing" is a form of online deception targeting crypto users, which involves creating fake websites disguised as official ones to steal users' authorizations, signatures, and crypto assets. The typical path of a phishing attack begins with the project's official Twitter account being hacked, after which the hacker posts enticing phishing links on the official account, luring users to click the links and interact with their wallets, thereby directly stealing their assets.
Since December of last year, several well-known Web3 projects have fallen victim to phishing attacks, including the decentralized finance protocol Set Protocol, the DeFi lending platform Compound, the security auditing company CertiK, and the Solana ecosystem NFT lending protocol Sharky. On March 15, the account of game publisher Activision Blizzard on the X platform was hacked, and a link to a crypto scam involving a Solana ecosystem token was posted; on March 19, the official Twitter account of TON was suspected to be hacked and published a presale address for a meme coin.

After the phishing attack incident, Activision Blizzard clarified the account hacking incident on the X platform.
Unlike previous hacking methods, once attackers successfully steal through "phishing," victims and many unaware users may mistakenly believe that the platform is engaging in self-theft, leading them to take various actions to seek rights protection from the platform.
The psychology and behavior of users trying to recover losses are understandable and sympathetic, but in this process, the platform that is unjustly blamed is also a victim. In a situation where it is difficult to defend themselves, the platform, also a victim, needs to expend more energy and resources to prove its innocence while also needing to fully reassure affected users and assist in investigations to recover losses.
If phishing methods are allowed to proliferate, the trust foundation of the industry will continue to collapse, and any project team dedicated to building the Web3 ecosystem will face tremendous impacts.

Recently, DeGame Actively Handled a Phishing Attack Crisis and Invited SlowMist to Investigate

Recently, the Web3 gaming aggregation platform DeGame also suffered a serious phishing attack. A user unknowingly clicked on a phishing link posted by the hacked DeGame official Twitter account and suffered losses.
After the incident, the user mistakenly believed that DeGame was engaging in self-theft during the process, so they publicly disclosed the incident on Twitter. Many KOLs, media, and a considerable number of users, unaware of the situation, continued to spread this matter, negatively impacting DeGame's brand image and platform reputation. In this situation, DeGame still took the initiative to contact the victim and negotiate compensation matters.
After the incident, DeGame activated its emergency plan and alerted users to the risks, while comprehensively strengthening the platform's cybersecurity technology. To prove its innocence and help the affected users recover their assets, DeGame proactively invited the industry third-party security auditing agency SlowMist to investigate the matter. The investigation results showed that this incident was a malicious attack initiated by a third-party hacker, and DeGame itself was also a victim.

SlowMist released a report on the phishing attack incident involving DeGame.
According to SlowMist's investigation results, the timeline of the phishing attack incident involving DeGame is roughly as follows:

1. Between 4:00 AM and 9:30 AM on March 14, after the DeGame official X account (@degame_l2y) was hacked, it sent out airdrop tweets, with the airdrop links all being imitation phishing websites disguised as DeGame's official site. A user reported that after clicking the airdrop link, they lost about 57 PufETH;
2. After 9:30 AM, the DeGame official Twitter operations personnel discovered the phishing links on the platform and deleted them immediately. At the same time, DeGame communicated this news to all users through official social media and community channels and issued a warning announcement. So far, no other users have reported asset theft;
3. During the abnormal time period of the DeGame official Twitter account, the victim user encountered the phishing website link and the explanatory text posted by the attacker. Unaware of the situation, they mistakenly believed that the link was indeed part of a token airdrop event organized by DeGame in collaboration with other project parties. After clicking the link, they followed the attacker's preset instructions and subsequently lost their assets;
4. SlowMist's report shows that when users clicked the phishing website to connect their wallets, the website would automatically check if there were any assets in the wallet address. If there were assets, it would directly pop up a Permit Token Approval transaction signature. Unlike regular transaction signatures, this signature is completely off-chain and entirely anonymous, likely to be used for improper purposes. Additionally, users do not need to authorize in advance to interact with the application contract by adding an authorization signature (Permit).
5. In this theft incident, the phishing hacker obtained the Permit Token Approval transaction signature authorized by the victim user to the phishing contract address 0xd560b5325d6669aab86f6d42e156133c534cde90, and after submitting the Permit call to approve token authorization in the attack transaction, they transferred the stolen funds. In contrast, in the airdrop activity organized by DeGame and its project partners, all transactions are on-chain, and the asset transaction authorization process is strictly controlled, making it impossible for such a situation to occur under normal circumstances.

SlowMist Verification: The Recidivist Pink Drainer Provides Tools for Phishing Attackers and Receives a 25% Commission

The report results provided by SlowMist indicate that this was a malicious attack event with clear purpose and planning, and DeGame has no suspicion of self-theft. The report results from SlowMist are as follows:
A. The provider of the phishing link tool is the hacker scam group Pink Drainer, which is a known recidivist in the industry. According to the ETH chain block explorer Etherscan, the address that initiated the stolen transaction is marked as Pink Drainer: Wallet 1, which is the wallet address number 1 of the phishing group Pink Drainer;
B. In this stolen transaction, about 25% of the stolen funds were transferred to PinkDrainer: Wallet 2, which is the wallet address number 2 of the phishing group Pink Drainer. According to intelligence from SlowMist's AML team regarding the phishing group Pink Drainer, it is suspected that the hacker implementing the phishing attack received a share from Pink Drainer after using their phishing tools;

SlowMist releases details of the transaction call stack for the stolen transaction in the phishing attack incident involving DeGame.
C. The contract creator of the phishing contract address 0xd560b5325d6669aab86f6d42e156133c534cde90 authorized by the stolen user is also PinkDrainer: Wallet 1.
It should be noted that Pink Drainer is a Malware-as-a-Service (MaaS) that allows users to quickly establish malicious websites to obtain illegal assets through this malicious software. The blockchain security company Beosin pointed out that the phishing website uses a crypto wallet stealing tool to lure users into signing requests. Once the request is signed, the attacker will be able to transfer NFTs and ERC-20 tokens from the victim's wallet. Pink Drainer charges users a fee based on the stolen assets, reportedly up to 30% of the stolen assets. The Pink Drainer team is notorious for its high-profile attacks on platforms like Twitter and Discord, involving incidents such as Evomos, Pika Protocol, and Orbiter Finance.
Based on the above information, the following conclusions can be drawn:
In this phishing incident, Pink Drainer is the tool provider, 0xe5621a995c80387a4f87978477be0dcf85cd3289 is the hacker address implementing the phishing, and after successfully phishing, the hacker shares about 25% of the proceeds with the tool provider.

As the Market Warms Up, Phishing Attacks May Become More Prevalent; Projects and Users Should Be Cautious

Currently, the perpetrators and accomplices of this malicious attack remain at large, and under the lure of enormous profits, their malicious actions will continue. However, both DeGame and SlowMist have stated that they will pursue the matter to the end and will not compromise with hackers.
Especially since the beginning of 2024, under the impact of U.S. interest rate cuts and significant positive news like Bitcoin spot ETFs, the crypto market has been continuously warming up, and on-chain interaction activities are also heating up, which may provide opportunities for attackers like Pink Drainer. If no precautions are taken, more serious tragedies may occur in succession.
Here, I remind all project parties to pay attention to the security of all account information, and users should also carefully verify website links and interaction processes when participating in projects. Once assets are lost, the recovery process can be extremely cumbersome. Asset security in the Web3 industry is the premise of everything, and caution is essential.