Cybercriminals behind FreeDrain operation steal millions through sophisticated phishing infrastructure targeting cryptocurrency wallet users.
A sophisticated cryptocurrency phishing operation dubbed “FreeDrain” has been uncovered after stealing millions from unsuspecting wallet users through an elaborate network of fake websites.
In a recent investigation by security researchers at SentinelLABS and Validin, the operation was revealed following a single investor’s devastating loss of approximately $500,000 in bitcoin. The victim had attempted to access their Trezor wallet but instead landed on a cleverly disguised phishing site promoted in search results.
“The results were startling. Search terms like ‘Trezor wallet balance’ returned multiple malicious results across Google, Bing, and DuckDuckGo, often within the first few result pages,” reads the report by SentinelLABS.
Researchers uncovered over 38,000 distinct subdomains hosting FreeDrain lure pages; the full collection gathered during their four-month investigation totalled around 200,000 unique URLs. The operation’s scale is described as “industrial” in its approach to cryptocurrency theft.
The attack chain is deceptively simple yet highly effective. Users searching for wallet-related queries click on top-ranking results, leading to a landing page with a clickable image. This image directs them to a near-perfect clone of legitimate wallet services where victims are prompted to enter their seed phrases, immediately triggering fund transfers to the attackers.
FreeDrain relies heavily on artificial intelligence for text generation and employs sophisticated techniques to avoid detection, including “46 unique renderings of the word ‘Trezor’” using Unicode tricks and mixed-script alphabets.
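A defender-side illustration of the mixed-script and Unicode lookalike problem described above, added here as an example and not part of the SentinelLABS/Validin report: it folds crawled page titles to a comparable ASCII skeleton and flags ones that spell the brand name with non-Latin or compatibility characters. The sample titles and the small confusable map are constructed for the example (the map is a hypothetical subset, not a full confusables table).

```python
import unicodedata

# Constructed sample of lure-page titles; the Unicode variants are
# illustrative, not the 46 renderings counted in the report.
SAMPLE_TITLES = [
    "Trezor Wallet Balance",                        # plain ASCII
    "Tr\u0435zor Suite Login",                      # Cyrillic 'е' (U+0435) for 'e'
    "\uff34\uff52\uff45\uff5a\uff4f\uff52 wallet",  # fullwidth Latin letters
    "T\u0433ezor balance",                          # Cyrillic 'г' (U+0433) resembles 'r'
    "T r e z o r balance check",                    # spaced-out letters
    "Ledger Live download",                         # other brand, must not match
]

# Hypothetical, deliberately small confusable map: lookalike -> Latin letter.
CONFUSABLES = {
    "\u0435": "e", "\u0433": "r", "\u043e": "o", "\u0430": "a", "\u0441": "c",
    "\u0440": "p", "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0455": "s",
}

def skeleton(text: str) -> str:
    """Fold a string to an ASCII-ish skeleton: NFKC collapses fullwidth and
    other compatibility forms, the confusable map folds Cyrillic lookalikes,
    then case is folded and spaces/punctuation are dropped."""
    folded = unicodedata.normalize("NFKC", text)
    folded = "".join(CONFUSABLES.get(ch, ch) for ch in folded)
    return "".join(ch for ch in folded.casefold() if ch.isalnum())

def flag_brand_lure(title: str, brand: str = "trezor") -> dict:
    """Report whether a title impersonates `brand`, whether it mixes scripts
    (judged after NFKC so fullwidth Latin still counts as Latin), and whether
    the brand only appears once lookalikes/spacing are folded away."""
    nfkc = unicodedata.normalize("NFKC", title)
    # First word of the Unicode character name is its script, e.g. LATIN, CYRILLIC.
    scripts = {unicodedata.name(ch, "UNKNOWN").split(" ")[0]
               for ch in nfkc if ch.isalpha()}
    impersonates = brand in skeleton(title)
    plain_spelling = brand in title.casefold()
    return {
        "impersonates": impersonates,
        "mixed_script": len(scripts) > 1,
        "obfuscated": impersonates and not plain_spelling,
    }

def triage(titles, brand: str = "trezor"):
    """Return titles that impersonate the brand using obfuscation or mixed scripts."""
    hits = []
    for t in titles:
        r = flag_brand_lure(t, brand)
        if r["impersonates"] and (r["obfuscated"] or r["mixed_script"]):
            hits.append(t)
    return hits
```

Running `triage(SAMPLE_TITLES)` flags the four disguised spellings and leaves the plain title and the unrelated brand alone; a real deployment would swap the toy map for a full confusables table and run this over search-result titles and subdomain labels.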
The scam’s success hinges on aggressive SEO manipulation, with attackers posting thousands of spam comments across websites with weak moderation to boost their search rankings. The final credential-harvesting phishing pages are hosted on legitimate cloud infrastructure such as Amazon S3 and Azure, and often mirror the interfaces of well-known wallets like Trezor, MetaMask and Ledger.
Analysis of GitHub repositories associated with FreeDrain points to a professional operation likely based in India, with commit timestamps showing a clear 9-to-5 weekday work pattern complete with consistent breaks.
“A clear 9-to-5 weekday work pattern emerged, complete with a consistent midday break,” noted the researchers.
FreeDrain has been active since at least 2022, with a significant increase in activity observed last year. Security experts warn that combating this type of scam is particularly challenging, as many free-tier platforms used by the threat actors lack direct methods for reporting malicious content.
Cryptocurrency users are urged to manually type wallet website addresses rather than relying on search results, and never to share seed phrases online under any circumstances.
The stolen cryptocurrency is typically moved immediately to mixing services, making recovery nearly impossible for victims.
FreeDrain is currently targeting Trezor, MetaMask, Ledger, and other popular cryptocurrency wallet users. The operation’s reach continues to expand, with researchers warning that its infrastructure appears to be part of an even broader cybercrime network.