
Phishing group Angel Drainer stole over $400,000 from 128 crypto wallets after deploying a malicious vault contract yesterday.
According to an X post published on February 13 by blockchain security firm Blockaid, Angel Drainer employed a new attack vector that exploited Etherscan’s verification tool to conceal the malicious characteristics of a smart contract.
Angel Drainer Goes Crypto Phishing
The attack occurred at 6:40 am on February 12 when Angel Drainer deployed a malicious Safe vault contract, Blockaid said.
At 6:41am UTC on Monday, February 12th, Angel Drainer group deployed a Safe vault contract — 0xbaee148df4bf81abf9854c9087f0d3a0ffd93dbb — which they have since used to phish and scam users, prompting them to sign a Permit2 with this Safe Vault as the operator.
— Blockaid (@blockaid_) February 13, 2024
128 wallets then signed a Permit2 approval that named the Safe vault contract as the operator, leading to $403,000 in funds being stolen.
The blockchain security firm noted that Angel Drainer specifically chose a Safe vault contract to deliver a “false sense of security”: Etherscan automatically adds a verification flag to Safe contracts, even though that flag says nothing about whether the contract is malicious.
Blockaid emphasized that the attack was not a direct assault on Safe, clarifying that its user base had not experienced widespread consequences. The security firm also said that it had informed Safe about the attack and was working to mitigate any potential additional damage.
“This is not an attack on Safe […] rather they decided to use this Safe vault contract because Etherscan automatically adds a verification flag to Safe contracts, which can provide a false sense of security as it’s unrelated to validating whether or not the contract is malicious,” Blockaid said.
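What a wallet or a security tool can check before the user signs is the Permit2 request itself, not the verification badge on the spender. The following is an added example (not code from the article, Blockaid or Safe) that triages a Permit2 EIP-712 signing request; it assumes the canonical Permit2 contract address and the PermitSingle/PermitBatch type layout, and the approved-operator list, token address and timestamps are constructed placeholders.

```javascript
// Added example (not code from the article, Blockaid or Safe): triage a Permit2
// signing request, i.e. the EIP-712 typed data a dapp hands to
// eth_signTypedData_v4, before the user signs it. Assumes the canonical
// Permit2 deployment address and its PermitSingle/PermitBatch type layout.
const PERMIT2 = "0x000000000022d473030f116ddee9f6b43ac78ba3";
const MAX_UINT160 = (1n << 160n) - 1n;
const THIRTY_DAYS = 30 * 86400;
const KNOWN_SPENDERS = new Set(["0x1111111111111111111111111111111111111111"]); // approved operators (placeholder)

// Returns human-readable risk strings for one request; empty means nothing flagged.
function permit2Risks(typedData, now, knownSpenders = KNOWN_SPENDERS) {
  const domain = typedData.domain || {};
  const contract = String(domain.verifyingContract || "").toLowerCase();
  if (domain.name !== "Permit2" || contract !== PERMIT2) return []; // not a Permit2 permit
  const msg = typedData.message;
  const risks = [];
  // Only an explicit allowlist counts: a verified-source badge on the spender
  // (as Etherscan shows for Safe deployments) says nothing about its intent.
  const spender = String(msg.spender || "").toLowerCase();
  if (!knownSpenders.has(spender)) risks.push(`spender ${spender} is not an approved operator`);
  // PermitBatch carries an array of PermitDetails; PermitSingle carries one.
  const details = typedData.primaryType === "PermitBatch" ? msg.details : [msg.details];
  for (const d of details) {
    if (BigInt(d.amount) === MAX_UINT160) risks.push(`unlimited allowance on ${d.token}`);
    if (Number(d.expiration) - now > THIRTY_DAYS) risks.push(`allowance on ${d.token} outlives 30 days`);
  }
  return risks;
}

// Constructed sample data below. NOW is 2024-02-12 06:41 UTC, the deployment
// time the article gives; TOKEN is a placeholder ERC-20 address.
const NOW = 1707720060;
const TOKEN = "0x2222222222222222222222222222222222222222";
function permitSingle(spender, amount, expiration) {
  return {
    domain: { name: "Permit2", chainId: 1, verifyingContract: PERMIT2 },
    primaryType: "PermitSingle",
    message: {
      details: { token: TOKEN, amount: String(amount), expiration: String(expiration), nonce: "0" },
      spender,
      sigDeadline: String(NOW + 3600),
    },
  };
}
// Drainer-style request: spender is the Safe vault address quoted in the article, unlimited allowance for a year.
const DRAINER_REQUEST = permitSingle("0xbaee148df4bf81abf9854c9087f0d3a0ffd93dbb", MAX_UINT160, NOW + 365 * 86400);
// Benign request: approved spender, bounded amount, one-day expiry.
const BENIGN_REQUEST = permitSingle("0x1111111111111111111111111111111111111111", 1000000000n, NOW + 86400);
console.log(permit2Risks(DRAINER_REQUEST, NOW)); // three risks
console.log(permit2Risks(BENIGN_REQUEST, NOW));  // []
```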
Angel Drainer’s Track Record
Despite being operational for only 12 months, Angel Drainer has siphoned more than $25 million from nearly 35,000 wallets, according to a February 5 post by Blockaid.
Angel Drainer is also responsible for the Ledger Connect Kit hack in December 2023 and the EigenLayer restake farming attack from two weeks ago.
The restake farming attack conducted by Angel Drainer involved a malicious queueWithdrawal function: once a user signed, the function withdrew staking rewards to an address chosen by the attackers, the security firm explained.