Web3 Security: Lessons from the Monkey Drainer Phishing Scam


In recent weeks, one phishing operation has stood out: Monkey Drainer. Its ongoing nature makes it a useful case study in the ways phishing scammers deceive Web3 users, and in what you can do to protect yourself. Let's first review what has happened so far, then unpack how the scam works.

Monkey Drainer first surfaced in late October 2022, stealing roughly 700 ether (ETH), worth about $1 million, plus more than a dozen NFTs, including a Bored Ape Yacht Club NFT. One of the lures appears to have been an airdrop of fake Aptos tokens. The Web3 community was alerted to the problem via tweets from blockchain scam investigator ZachXBT.

ZachXBT identified two major victims who together lost $370,000 to Monkey Drainer.

Monkey Drainer's victims were not all inexperienced users, either. They included Machine Zone (MZ) founder Gabriel Leydon, who was compromised through a SIM-swap attack.

ZachXBT's research showed Monkey Drainer had been using a smart contract to divert funds from users' wallets for months. He calculated that at least $3.5 million in NFTs and crypto had been stolen to date, with no end in sight.

They’re ba-ack…

If Monkey Drainer had stopped there, the scam would not have achieved such notoriety; there were certainly higher-value Web3 robberies in 2022. But this attack didn't end with one round of theft. Monkey Drainer was back a week later, raiding another set of wallets for $800,000 worth of NFTs.

It soon became clear that Monkey Drainer was building a cottage industry of crime. In a move common in cyber crime (the "malware-as-a-service" model), Monkey Drainer began renting its drainer code to other thieves, taking a 30% cut of what they stole.

Finally, Monkey Drainer cashed out its ill-gotten gains by running them through a cryptocurrency mixer. These services are implemented as smart contracts: many users deposit fixed amounts into a shared pool and later withdraw to fresh addresses, which breaks the on-chain link between the depositing and withdrawing addresses, regardless of how the funds were obtained.

In Monkey Drainer's case, it appears they used the Ethereum-based mixer Tornado Cash to obscure the origin of the stolen assets. Tornado Cash only accepts ETH and a handful of ERC-20 tokens, so stolen NFTs have to be sold for ETH before they can be mixed. Once the ETH had passed through the mixer, Monkey was free to withdraw it to clean addresses and disappear.

That's what we know so far. Monkey Drainer is worth a deeper look because it combines several different angles of attack. Understanding each approach phishing scammers use will keep you on guard and help you avoid becoming a victim.

The Monkey Drainer thefts are accomplished via phishing sites that claim to offer opportunities to mint NFTs, but which in fact exist to get at users' wallets. The victim is coaxed into connecting a wallet and signing whatever the site puts in front of them (or, in cruder variants, into typing in a seed phrase), and the drainer contract then transfers out NFTs and coins. Like many successful scammers, Monkey used a variety of strategies to get unsuspecting users to take the one step that compromised their wallet.
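The article does not spell out how the drainer contract gets hold of victims' assets. NFT drainers in general work by getting the victim to sign an approval (ERC-721 `setApprovalForAll`, ERC-20 `approve`) or an outright transfer to an attacker-controlled address, so a useful habit is to decode the calldata a site asks you to sign before confirming it in your wallet. The following is an added example of such a pre-signing check, written for this edit rather than taken from the article or from any wallet; the function selectors are the standard ones, while the addresses, the `abi_encode_call` helper (used only to build sample transactions) and the allowlist are constructed placeholders.

```python
# Added example (not from the original article): classify the calldata of a
# transaction a dapp asks you to sign, flagging the approval and transfer
# patterns NFT drainers rely on. Assumes the usual ERC-20/ERC-721 ABI.

# First four bytes of keccak256(signature) for the functions drainers abuse.
SELECTORS = {
    "a22cb465": "setApprovalForAll(address,bool)",          # ERC-721 / ERC-1155
    "095ea7b3": "approve(address,uint256)",                 # ERC-20 / ERC-721
    "23b872dd": "transferFrom(address,address,uint256)",
    "42842e0e": "safeTransferFrom(address,address,uint256)",
    "a9059cbb": "transfer(address,uint256)",
}
UINT256_MAX = 2**256 - 1


def abi_encode_call(selector: str, args: list) -> str:
    """Minimal ABI encoding for static arguments: one 32-byte word per arg.
    Used here only to construct sample calldata for the checks below."""
    words = []
    for a in args:
        if isinstance(a, bool):
            words.append(f"{int(a):064x}")
        elif isinstance(a, int):
            words.append(f"{a:064x}")
        elif isinstance(a, str) and a.startswith("0x") and len(a) == 42:
            words.append(a[2:].lower().rjust(64, "0"))   # address: left-padded
        else:
            raise ValueError(f"unsupported argument {a!r}")
    return "0x" + selector + "".join(words)


def _split(data: str):
    """Return (selector, [32-byte words as hex]) from a 0x-prefixed calldata string."""
    body = data[2:] if data.startswith("0x") else data
    return body[:8].lower(), [body[8 + i:8 + i + 64] for i in range(0, len(body) - 8, 64)]


def _addr(word: str) -> str:
    """An ABI address word is 12 zero bytes followed by the 20-byte address."""
    return "0x" + word[-40:].lower()


def inspect_calldata(data: str, trusted_operators=()) -> dict:
    """Classify calldata before signing. risk is 'high', 'medium' or 'low'.
    trusted_operators: addresses (e.g. a marketplace contract) you expect to approve."""
    sel, words = _split(data)
    func = SELECTORS.get(sel, f"unknown selector 0x{sel}")
    trusted = {t.lower() for t in trusted_operators}

    if sel == "a22cb465":                       # setApprovalForAll(operator, approved)
        operator, approved = _addr(words[0]), int(words[1], 16) != 0
        if approved and operator not in trusted:
            return {"function": func, "risk": "high",
                    "reason": f"grants {operator} control of EVERY token you hold in this collection"}
        return {"function": func, "risk": "low", "reason": "revocation or trusted operator"}

    if sel == "095ea7b3":                       # approve(spender, amount)
        spender, amount = _addr(words[0]), int(words[1], 16)
        if amount == 0 or spender in trusted:
            return {"function": func, "risk": "low", "reason": "revocation or trusted spender"}
        if amount == UINT256_MAX:
            return {"function": func, "risk": "high", "reason": f"unlimited allowance for {spender}"}
        return {"function": func, "risk": "medium", "reason": f"allowance of {amount} for {spender}"}

    if sel in ("23b872dd", "42842e0e", "a9059cbb"):   # direct transfers
        dest = _addr(words[0]) if sel == "a9059cbb" else _addr(words[1])
        return {"function": func, "risk": "low" if dest in trusted else "high",
                "reason": f"moves an asset to {dest}"}

    return {"function": func, "risk": "medium", "reason": "unrecognised call; decode it before signing"}


if __name__ == "__main__":
    ATTACKER = "0x000000000000000000000000000000000000dead"   # constructed placeholder
    # What a "mint" page from a drainer actually asks you to sign:
    print(inspect_calldata(abi_encode_call("a22cb465", [ATTACKER, True])))
    # The same call to revoke the approval afterwards:
    print(inspect_calldata(abi_encode_call("a22cb465", [ATTACKER, False])))
```

The practical rule this encodes: a genuine mint never needs an approval at all, so a "mint" page that prompts for `setApprovalForAll` or an unlimited `approve` is asking for the keys to your collection. The same decoding is what block explorers and wallet "transaction preview" features do; if your wallet shows only "Contract interaction", paste the data field into an explorer before confirming.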

How did users arrive at these fraudulent websites? Information has been sparse about Monkey Drainer’s methods for getting marks to their sites, but we can assume social media played a role. Channels such as Twitter and Discord have become popular places to bait the hook for phishing scams. The fast-moving environment of social media seems to lower many users’ guard and inspire them to click without pausing to carefully examine the offer and consider whether it seems too good to be true.

Some phishers have also taken to paying for Google ads about their scam to make it look legitimate and ensnare more victims. Over $4 million was stolen via fraudulent Google ads in one attack in spring 2022, for instance.

Whatever the initial mode of contact, all roads lead to a phishing website where the wallet is compromised. Thieves such as Monkey Drainer post or advertise enticing offers that lure users to click through to phishing sites, in this case for an opportunity to easily obtain a new NFT. As the graphic above showed, these phishing sites often imitate a legitimate site but use a slightly different URL.

There are two points at which users can put the brakes on this sort of scam. One is by being wary of any ‘too good to be true’ offer they see in any social channel. The other is by carefully checking URLs and not trusting unfamiliar sites with private information.
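"Carefully checking URLs" is harder than it sounds, because lookalike domains exploit three tricks at once: a trusted name placed in a subdomain (`opensea.io.claim-drop.example`), a one- or two-letter typo (`opensae.io`), and non-ASCII characters that render identically to ASCII ones (a Cyrillic "о" in `оpensea.io`, which the browser sends as punycode). The following is an added example of a checker that catches all three, written for this edit and not taken from the article or from any real wallet or browser extension; the allowlist of trusted domains is a constructed assumption.

```python
# Added example (not from the original article): flag lookalike domains before
# connecting a wallet. TRUSTED_DOMAINS is an assumed allowlist for illustration.
import unicodedata
from urllib.parse import urlsplit

TRUSTED_DOMAINS = {"opensea.io", "etherscan.io", "aptoslabs.com"}

# A small sample of characters that look like ASCII letters but are not.
CONFUSABLES = {
    "а": "a", "е": "e", "о": "o", "р": "p", "с": "c", "х": "x", "у": "y",  # Cyrillic
    "ο": "o", "α": "a",                                                    # Greek
    "ı": "i",                                                              # dotless i
}


def registrable_domain(host: str) -> str:
    """Naive eTLD+1: the last two labels. Good enough for the allowlist above;
    a production check would use the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch typosquats such as 'opensae.io'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url: str) -> tuple:
    """Return (verdict, detail); verdict is 'trusted', 'lookalike' or 'unknown'."""
    host = urlsplit(url).hostname or ""
    try:
        host = host.encode("ascii").decode("idna")   # punycode (xn--...) -> Unicode
    except UnicodeError:
        pass                                          # already Unicode, or not IDNA
    domain = registrable_domain(host)
    if domain in TRUSTED_DOMAINS:
        return "trusted", domain

    # Fold look-alike characters to ASCII so 'оpensea.io' compares equal to 'opensea.io'.
    skeleton = "".join(CONFUSABLES.get(c, c) for c in unicodedata.normalize("NFKC", domain))
    for trusted in TRUSTED_DOMAINS:
        if skeleton == trusted:
            return "lookalike", f"{domain} uses look-alike characters for {trusted}"
        if trusted in host:
            return "lookalike", f"{trusted} appears as a subdomain of {domain}"
        if levenshtein(skeleton, trusted) <= 2:
            return "lookalike", f"{domain} is within two edits of {trusted}"
    return "unknown", domain


if __name__ == "__main__":
    for u in ["https://opensea.io/collection/x",
              "https://opensea.io.claim-drop.example/mint",
              "https://opensae.io/mint",
              "https://оpensea.io/mint",          # Cyrillic 'о'
              "https://example.org/"]:
        print(classify_url(u))
```

An "unknown" verdict is not a pass: it means the domain is neither on your allowlist nor an obvious imitation of one, which is exactly the case for a brand-new "mint" site, and where the too-good-to-be-true test still has to do the work.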

Falling for malicious airdrops

As we've discussed in our guide to the top crypto scams, fake airdrops are particularly devious, because legitimate organizations do sometimes reward their users by airdropping them a free coin. So at first glance it looks like your lucky day: a valuable coin has popped into your wallet and you didn't have to do a thing for it.

The malicious drop comes with a link you supposedly need to click to claim your 'free' coin. That link brings you to a phishing site where unsuspecting users type in their seed phrase. Next thing you know, your wallet's contents have vanished.

Your seed phrase is never required for a legitimate transaction. A real dapp only ever asks you to connect a wallet and approve a signature in the wallet's own prompt; the phrase is needed only when you restore a wallet yourself. Any app or website that asks for your seed phrase is trying to steal your private keys.

SIM-swapping

Some of the Monkey Drainer victims lost crypto assets through SIM-swapping. This approach exploits the widespread use of text-message one-time codes as the second factor in two-factor authentication. Thieves obtain your phone number and contact your carrier, pretending to be you and claiming your phone's SIM card has been damaged or lost.

Next, they get the carrier to activate a new SIM card, so your phone number, and with it your calls and text messages, is routed to the attacker's device. From there the attacker can trigger password resets and intercept the SMS codes that confirm them, locking you out of your own accounts and logging in to the services that hold your digital assets. Earlier phishing messages claiming to be from your carrier may have tricked you into disclosing the details needed to answer the carrier's security questions.

One easy way to drain your accounts is for the attacker to set up another account at the same institution in your name, which they actually control. A secondary account for an existing customer attracts little notice, making it easy for the attacker to transfer your funds to the new account and then withdraw them.

Because so many accounts are protected only by a one-time code sent by text message, SIM-swapping is a powerful way to take over user accounts. Somewhere along the line, Monkey Drainer's SIM-swap victims disclosed password or account information that, combined with control of their phone number, opened this route into their accounts.

Anonymity: The two-edged sword of crypto

Most Web3 users are engaged in legal, legitimate transactions. That includes private transactions through crypto mixers, where identity is obscured as many users' deposits are pooled. When criminals strike, though, the same property is frustrating. Monkey Drainer's Ethereum wallet address is well known, yet the address alone reveals nothing about who controls it.

Mixers have been at the forefront of regulatory controversy over anonymity and money transfers. Shortly before Monkey Drainer washed some of its profits through Tornado Cash, the mixer was sanctioned by OFAC (the U.S. Treasury's Office of Foreign Assets Control). The Treasury said Tornado Cash had enabled the North Korean state-sponsored hacking group Lazarus to launder $455 million in stolen crypto assets.

As a result, U.S. users were barred from interacting with the mixer, leaving funds they had already deposited stuck for roughly six weeks. OFAC then offered legitimate users a way to recover their deposits by applying for a specific license. That step required sharing identifying information with the agency, which many users resisted.

OFAC may consider Tornado Cash and mixers like it a national security risk, but many users consider mixers legitimate and desirable. Crypto exchange Coinbase is funding a lawsuit opposing the Tornado Cash sanctions. Whether this sanction is appropriate, or overly broad and detrimental to the ongoing development of the Web3 ecosystem, remains a live controversy in the crypto space.

Will Monkey Drainer strike again?

Likely, yes. Nothing has changed in the Web3 environment that would prevent it, and with the drainer contract rented out to other thieves, the outlook is for more of the same.

If not the Monkey Drainer itself, another scam like it will take its place as long as users take a casual attitude toward their actions. Despite numerous warnings in social media and the crypto press, users continue to fall for phishing scams of this type.

Monkey Drainer is also far from unique. A similar scam was uncovered just months before it appeared: in August 2022, five alleged thieves were indicted in Paris for stealing NFTs through a scheme that promised to animate Bored Ape Yacht Club NFTs. Instead, the BAYC NFT handed over was simply stolen.

The grift was successful in part because the thieves had hacked the official BAYC Discord channel and used it to send out phishing link-bearing messages. As with Monkey Drainer, the earlier scam was revealed by ZachXBT, whose documentation of the scam helped bring about the indictments.

Web3 security steps every user can take

How can you make sure you’re not Monkey Drainer’s next victim? Here’s a list of important actions every Web3 user should take:

  • Beware of any "too good to be true" offers you see in social media.
  • Never connect your wallet to a website you’re not familiar with or don't trust.
  • Never share private keys or seed phrases with anyone, and never sign a transaction or approval you didn't initiate. Notably, one of Monkey Drainer's SIM-swap victims didn't lose everything in their wallet because they realized what was happening and declined the subsequent transactions.
  • Know that Google ads can contain scams–if you’re interested in the offer, go directly to the legitimate site rather than clicking the ad link.
  • Carefully check website URLs before taking any action, especially before connecting a wallet or approving anything that could give bad actors access to it.
  • Don’t let the fast pace of the crypto world lead you to feel pressured to take action immediately, without verifying the identity of sites you’re interacting with.
  • Don't share your phone number, secret question answers, or passwords with anyone you don't know. Use a unique password for every account (a password manager makes this easy), prefer an authenticator app or hardware security key over SMS codes for two-factor authentication, and ask your carrier to put a port-out PIN on your account so a SIM swap requires more than a convincing phone call.
  • Contact the issuer of any airdropped coin directly to verify it comes from a legitimate source. Don’t click any link attached to the airdropped tokens.

The nature of Web3 is unlikely to change. It will continue to be anonymous, decentralized, and freewheeling. That’s what users like about it.

What the crypto community does need is stronger efforts to reduce vulnerability to scams, and that begins with education. Take responsibility for safeguarding your assets–read up about scams that are happening and how they work.

Only you can make sure your crypto assets are protected. Remember, any field with funds is a rich vein for thieves to mine. It’s up to you to stay alert and avoid getting conned. Always proceed with caution and safeguard all private information that could give attackers a chance to make off with your tokens.
