There's a new drainer on the loose out there called Eleven Drainer. Eleven Drainer appears to be a Russian-based scam service that launched sometime around August of this year. This month alone, Eleven Drainer has stolen upwards of 4.2 million in cryptocurrency. Today I want to do a deep dive into this new scam service and look at some of the wallets owned by the operator of Eleven Drainer.

What is Eleven Drainer

Eleven Drainer is categorized as a "scam-as-a-service" platform (SaaS). It's part of the same family of malicious applications I've posted about before: Inferno, Angel, Vanilla, and Pink Drainer, to name a few. It operates through highly convincing phishing websites that impersonate legitimate Web3 projects and brands, tricking users into unknowingly authorizing fraudulent transactions. Eleven Drainer loads its main code from eleven.js and reads its configuration from settings.json. You don't actually see the real command-and-control (C2) domain until there's a successful wallet connection, and the operators keep rotating the C2 panels, which makes them much harder to block. Eleven Drainer originally came on my radar after I noticed a single user lose upwards of 1.22M in crypto assets. Once I started noticing 1MM+ drains, an investigation began.

How does Eleven Drainer Work?

The scam starts with the developers of Eleven Drainer providing the malicious toolkit and infrastructure to their customers. Customers deploy the malicious code on websites impersonating legitimate Web3 projects. The websites are promoted using compromised social media accounts (on Twitter or Discord, for example) or fake Google advertisements pushing fraudulent offers such as exclusive airdrops, NFT mints, or free tokens. Once the user approves the transaction, the scam unfolds in real time as the approved assets are automatically sent to the Customer and Admin wallets. In Eleven Drainer's case, the assets go into a contract first and are then distributed among wallets owned by the Admin and the Customer.
There are slight variations in the distribution methods, presumably to avoid a fingerprint that anti-phishing services can pick up on.

Following the Wallets

A look inside the inflows and outflows of the Eleven Drainer contract.

The above contract, 0x696704201839A250EE777372C5B33D0B86d9d42C, is what initially drew my attention to Eleven Drainer. The contract was only active for about 4 hours, but it did quite a bit of damage in that time, with a single victim losing upwards of 1.22M in assets.

The ENS Wallets
The above wallets were the first two wallets I found associated with Eleven Drainer. Each wallet has an ENS name associated with it. The elevendrainer.eth wallet was the first one registered and has very little activity; it could have been used for testing purposes to work out any bugs in the platform. The eleventeam.eth wallet does have quite a bit of activity and appears to be one of the first wallets deployed fully in production. I'm showing this wallet as still active as of a week ago.

The ADMIN Wallets
The above ADMIN wallets belong to Eleven Drainer and are featured in just about every phishing attack attributed to it. In other words, the stolen user funds typically flow into one of these four wallets. These wallets appear to get 15% of the assets, with 85% going to the Customer. There are endless contracts belonging to Eleven Drainer, but those still distribute funds to one of the Admin or ENS wallets and the Customer wallet. Lastly, I can't leave this section without mentioning Eleven Drainer's role in the Aerodrome/Velodrome front-end exploit a few days ago.

A tweet from Aerodrome's official Twitter account.

It appears there was a security breach at the domain registrar level for both Aerodrome and Velodrome. DNS records were changed to redirect the domains to malicious pages carrying Eleven Drainer code. Once the new DNS records propagated, users unknowingly signed phishing transactions thinking they were interacting with the real websites. The attack lasted about 4 hours and users lost upwards of 700K. You can read the full report on Aerodrome's Twitter page.

The Fee Addresses
The proceeds collected by the Eleven Drainer ADMIN wallets need to flow somewhere, and on-chain analysis shows the funds end up in one of the two wallets listed above. Some laundering has already started, but I'm showing about 475K, mostly in DAI, sitting in the two wallets combined. 0x22F5....C563D has the lion's share of the total, with about 410K in crypto. It's only a matter of time before the bulk of these funds get sent through money laundering services. I'm sure we'll be hearing more about Eleven Drainer before the year is up. I'll update this post with any notable information as it comes in. Until then, stay safe out there!
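As an added example (not code from the original post, and not Eleven Drainer's own code), here is a small Python script that turns two of the observations above into checks a defender or investigator can run: a page-source scan for the two loader artifacts the post names (eleven.js for the payload, settings.json for its config), and an on-chain split analysis that buckets the recipients of a drainer contract's outflows by their share of each asset, using the post's 15% Admin / 85% Customer split. Only the contract address 0x696704201839A250EE777372C5B33D0B86d9d42C is taken from the post; every other address, the page source and the transfer records are constructed placeholders, and the 3% tolerance on the split is an assumption made to absorb the small per-attack variations the post mentions.

```python
"""Added example, not code from the original post or from Eleven Drainer.

1. scan_page(): flag page source that references the two loader artifacts
   the post names (eleven.js for the main code, settings.json for config).
2. classify_recipients(): given outbound ERC-20 transfers from a suspected
   drainer contract, bucket recipients by their share of each drained asset
   around the post's 15% Admin / 85% Customer split, with a tolerance
   (assumed) for the per-attack variations the post mentions.

Only DRAINER_CONTRACT comes from the post. Every other address, the page
source and the transfer records below are constructed sample data.
"""
import re
from collections import defaultdict
from decimal import Decimal

DRAINER_CONTRACT = "0x696704201839A250EE777372C5B33D0B86d9d42C"  # from the post

# Placeholder wallets (hypothetical, not real Eleven Drainer addresses).
CUSTOMER = "0x" + "c" * 40
ADMIN_1 = "0x" + "a" * 40
ADMIN_2 = "0x" + "b" * 40
VICTIM = "0x" + "1" * 40
MYSTERY = "0x" + "2" * 40

# --- 1. page-source indicators -------------------------------------------

LOADER_INDICATORS = {
    # the main drainer payload named in the post
    "eleven.js": re.compile(r"\beleven\.js\b", re.I),
    # its config file; far too generic to flag on its own
    "settings.json": re.compile(r"\bsettings\.json\b", re.I),
}

def scan_page(source):
    """Return the sorted list of indicator names present in page source."""
    return sorted(name for name, pat in LOADER_INDICATORS.items() if pat.search(source))

def looks_like_eleven_drainer(source):
    """Only eleven.js is specific enough; settings.json merely corroborates."""
    return "eleven.js" in scan_page(source)

# Constructed page source, modelled on the post's description of the loader.
SAMPLE_PAGE = """<html><body>
<script src="/static/eleven.js"></script>
<script>fetch("/settings.json").then(r => r.json());</script>
</body></html>"""

# --- 2. on-chain split analysis ------------------------------------------

# (tx_hash, from, to, token, amount): constructed ERC-20 transfer records.
SAMPLE_TRANSFERS = [
    ("0xtx1", VICTIM, DRAINER_CONTRACT, "USDC", Decimal("100000")),  # inflow, ignored
    ("0xtx1", DRAINER_CONTRACT, CUSTOMER, "USDC", Decimal("85000")),
    ("0xtx1", DRAINER_CONTRACT, ADMIN_1, "USDC", Decimal("15000")),
    ("0xtx2", DRAINER_CONTRACT, CUSTOMER, "WETH", Decimal("8.5")),
    ("0xtx2", DRAINER_CONTRACT, ADMIN_2, "WETH", Decimal("1.5")),
    ("0xtx3", DRAINER_CONTRACT, CUSTOMER, "DAI", Decimal("8400")),   # 84/16 variant
    ("0xtx3", DRAINER_CONTRACT, ADMIN_1, "DAI", Decimal("1600")),
    ("0xtx4", DRAINER_CONTRACT, MYSTERY, "DAI", Decimal("500")),     # full sweep, unexplained
]

def shares_per_tx(transfers, contract=DRAINER_CONTRACT):
    """Map (tx, token, recipient) -> recipient's fraction of the contract's
    total outflow of that token within that single transaction."""
    totals = defaultdict(Decimal)
    received = defaultdict(Decimal)
    for tx, src, dst, token, amount in transfers:
        if src.lower() != contract.lower():
            continue  # only outflows from the drainer contract matter here
        totals[(tx, token)] += amount
        received[(tx, token, dst)] += amount
    return {key: amt / totals[key[:2]] for key, amt in received.items()}

def classify_recipients(transfers, contract=DRAINER_CONTRACT,
                        fee_share=Decimal("0.15"), tolerance=Decimal("0.03")):
    """Bucket recipients as admin (~fee_share), customer (~1 - fee_share) or other."""
    roles = {"admin": set(), "customer": set(), "other": set()}
    for (_tx, _token, dst), share in shares_per_tx(transfers, contract).items():
        if abs(share - fee_share) <= tolerance:
            roles["admin"].add(dst)
        elif abs(share - (1 - fee_share)) <= tolerance:
            roles["customer"].add(dst)
        else:
            roles["other"].add(dst)
    return roles

def received_totals(transfers, contract=DRAINER_CONTRACT):
    """Per (recipient, token) totals out of the contract: the balances to
    watch when following the fee addresses downstream."""
    out = defaultdict(Decimal)
    for _tx, src, dst, token, amount in transfers:
        if src.lower() == contract.lower():
            out[(dst, token)] += amount
    return dict(out)

if __name__ == "__main__":
    print("indicators:", scan_page(SAMPLE_PAGE))
    print("roles:", classify_recipients(SAMPLE_TRANSFERS))
    print("totals:", received_totals(SAMPLE_TRANSFERS))
```

The split is computed per transaction and per token rather than over the contract's lifetime, because the post notes that the distribution varies slightly between attacks; a lifetime ratio would blur one customer's 85% with another's. Real transfer records would come from an explorer API or an ERC-20 Transfer event filter on the contract, which is out of scope here.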