Etherscan users targeted in major phishing campaign via on-site ads

A number of advertisements on the Ethereum blockchain explorer Etherscan have been found to be part of a massive phishing attempt aimed directly at Etherscan users.

On April 8, X community member McBiblets identified some Etherscan advertising as wallet drainers, warning users that clicking on them will lead to phishing websites.

unreal, some ads on @etherscan are wallet drainers @Plumferno hope you don't mind me stealing your "no clickly"

url: hxxps://aps.bifi-yleld[.]xyz/

site links to ipjsonapi[.]com pic.twitter.com/YM667m0fEM

— McBiblets (@mcbiblets) April 7, 2024

Subsequent inquiries revealed that the phishing advertisements on Etherscan were also replicated across multiple well-known phishing websites.

Following McBiblets’ lead, web3 anti-scam platform Scam Sniffer discovered that the phishing advertising had extended beyond Etherscan, appearing on key search engines such as Google, Bing, and DuckDuckGo, as well as social media platform X.

🚨🕵️‍♂️ Alert: Phishing ads running rampant on Google, Twitter, Bing, & DuckDuckGo are now targeting Etherscan users.

Etherscan aggregates ads from platforms like Coinzilla & Persona, where insufficient filtering could lead to exposure to phishing attempts.🛡️🔍 pic.twitter.com/EGDLiCrrAa

— Scam Sniffer | Web3 Anti-Scam (@realScamSniffer) April 8, 2024

Scam Sniffer suspects that the large-scale phishing campaign was caused by a lack of control by advertisement aggregators:

“Etherscan aggregates ads from platforms like Coinzilla and Persona, where insufficient filtering could lead to exposure to phishing attempts.”

The wallet drainer fraud involves attracting users to phony websites and asking them to attach their cryptocurrency wallets. Once linked, the scammer can withdraw funds to their personal wallet addresses without the user’s verification or authorization.

SlowMist’s principal information security officer, 23pds, also issued a warning regarding the phishing adverts on Etherscan:

“Be careful, there are phishing ads on etherscan.”

The infamous and experienced cyber phishing company Angel Drainer is suspected of leading the continuing phishing attack campaign against Etherscan users. However, no substantial evidence of the scammers’ identities has been discovered as of the time of writing.

Meanwhile, the current phishing advisory comes as the industry grapples with a rising number of phishing schemes aimed at it.

According to Scam Sniffer data, phishing attacks scammed around 97,000 crypto users of $104 million in the first few months of this year. Losses were $55 million in January, with $46.8 million coming in February.

Ethereum users suffered the most damage, losing $78 million in assets, including ETH and ERC20 tokens, according to a breakdown of the attacks.

The primary tactic used by cybercriminals was to trick victims into signing harmful phishing signatures like “Uniswap Permit2” and “increaseAllowance,” which allowed the malicious players to acquire unauthorized access to their victims’ cash.

“Most of the thefts of all ERC20 tokens were due to assets being stolen as a result of signing phishing signatures such as Permit, IncreaseAllowance, and Uniswap Permit2,” Sniffer explained in a statement.

Scam Sniffer discovered that the majority of victims were duped by false comments on social media platforms, particularly X.

The attackers frequently pose as respectable cryptocurrency organizations in order to attract unwary people to phishing sites where their digital assets are stolen.