TheDinarian
Tool used in Ledger hack altered file domains since November
December 15, 2023

Since late November, Angel Drainer, the tool used in the Ledger hack, has been leveraging a smart contract to modify static file domains.

Angel Drainer, in essence, is a type of malicious software, or malware, that specializes in draining cryptocurrency assets from wallets. Etherscan data shows that the tool has been used since last month to update five static file domains to redirect users to compromised versions of software or web pages, thereby enabling unauthorized access to their crypto assets. 

Event Background

Since 2022, various phishing gangs carrying the “Drainer” moniker have been emerging. For example, Pink Drainer obtained Discord tokens through social engineering for phishing purposes. Venom Drainer, a phishing service provider, tricked users into granting permissions or approvals in order to steal their assets. Monkey Drainer is a cyber phishing organization that lures victims through fake KOL Twitter accounts and Discord channels, publishing counterfeit NFT-related sites with malicious Mint functions and stealing tens of millions of dollars; see our statistics here: Monkey Drainer statistics. Then there’s Inferno Drainer, which specializes in multi-chain scams.

As time progressed, some Drainers have stepped away from the cryptocurrency spotlight. However, two recent incidents have brought a previously low-profile phishing gang — Angel Drainer — to the forefront of public attention.

Event One: Balancer DNS Hijacking Attack

On September 19, 2023, Balancer issued an urgent warning asking users to stop accessing its official website, as its DNS had been hijacked, leading to its interface being compromised by malicious actors. Upon accessing the website’s link, wallets would be subjected to a phishing attack. According to MistTrack analysis, the funding behind the attackers came from the cyber phishing organization Angel Drainer. The current stolen amount from victims stands at a minimum of $350,000.

In other words, the attacker (Angel Drainer) lured users to “Approve” after compromising the Balancer website, and then used “transferFrom” to transfer funds to themselves (Angel Drainer). Based on the intelligence we have gathered, the attacker might have ties with Russian hackers. After analysis, it was discovered that the front-end of app.balancer.fi contained malicious JavaScript code.

Upon users connecting their wallets to the app.balancer.fi site, the malicious script would automatically assess the connected user’s balance and execute a phishing attack.

Event Two: Galxe DNS Hijacking Attack

On October 6, 2023, several community members reported that their assets were stolen after signing and authorizing Web3 credential data on the Galxe platform using their wallets. Subsequently, Galxe’s official team announced that their website was shut down and they were addressing the issue. According to MistTrack’s analysis, there were multiple interactions between the Galxe Hacker’s address and the Angel Drainer’s address, suggesting they might be the same hacker or group.

On October 7, Galxe released a statement indicating that their website had been fully restored. The detailed sequence of the event is as follows: On October 6, an unidentified individual contacted the domain service provider, Dynadot, pretending to be an authorized Galxe member. Using forged documents, this impersonator bypassed security procedures. Subsequently, the imposter gained unauthorized access to the domain account’s DNS. They used this access to redirect users to a fraudulent website where transactions were signed to siphon off their funds. Approximately 1,120 users who interacted with this malicious site were affected, with an estimated theft amounting to $270,000.

Below is an analysis specifically focused on some of the phishing materials and wallet addresses associated with this gang:

Phishing Website and Tactics:

Upon analysis, we found that the gang’s primary method of attack is social engineering targeted at domain service providers. Once they obtain relevant domain account permissions, they modify the DNS resolution direction and redirect users to fake websites. Data provided by SlowMist’s partner, ScamSniffer, indicates that this gang’s phishing attacks targeting the crypto industry involve over 3,000 domains.

By examining the related information of these domains, it was found that the earliest registration dates trace back to January 2023:

The website impersonated a Web3 game project called “Fight Out,” which is currently inaccessible. Interestingly, under Fight Out’s official social media platforms, multiple users reported that the project itself seemed to be a scam.

Upon inspecting the phishing website’s related address 0x00002644e79602F056B03235106A9963826d0000 through MistTrack, it was shown that the first transaction from this address took place on May 7.

We discovered that this address is associated with 107 phishing sites, encompassing not only NFT projects, authorization management tools like RevokeCash, and exchanges like Gemini, but also cross-chain bridges such as Stargate Finance, among others.

Tracing back further from this address to March 16, 2023, we identified an address labeled as Fake_Phishing76598: 0xe995269255777303Ea6800bA0351C055C0C264b8. This address is associated with 17 phishing sites, primarily focusing on the NFT project Pollen and the public chain Arbitrum. All of these phishing websites are currently inaccessible.

Reviewing one of the gang’s recently deployed phishing websites, blur[.]app-io.com.co:

By investigating the Access Key, we linked it to another phishing website: unsiwap[.]app.se.net. The correct spelling is “Uniswap”; the attacker confuses users by swapping the positions of the letters ‘s’ and ‘i’.

This website also exists in our dataset and began its operation in August.
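The “unsiwap” trick above is an adjacent-letter transposition, which plain Levenshtein distance scores as 2 but the optimal-string-alignment variant scores as 1. The following is an added example, not code from the original article or from SlowMist, of how a wallet or browser extension could flag such look-alike hostnames; the brand list, allowlist and sample hosts are constructed for the demonstration (the two defanged hosts are the ones named in the text).

```javascript
// Added example (not from the original article): flag hostnames whose labels
// are a brand name, or a one-edit typo of one (e.g. "unsiwap" for "uniswap"),
// unless the host sits under an allowlisted legitimate domain.

// Optimal string alignment distance: insertion, deletion, substitution, or a
// swap of two adjacent characters each cost 1, so "unsiwap" -> "uniswap" is 1.
function osaDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, () => new Array(b.length + 1).fill(0));
  for (let i = 0; i <= a.length; i++) d[i][0] = i;
  for (let j = 0; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      // Adjacent transposition: "si" <-> "is"
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1);
      }
    }
  }
  return d[a.length][b.length];
}

// Undo the common "[.]" defanging so indicator lists can be fed in directly.
function refang(host) {
  return host.toLowerCase().replace(/\[\.\]/g, ".");
}

// A host is allowlisted if it is, or is a subdomain of, a known-good domain.
function isAllowlisted(host, allowlist) {
  return allowlist.some(d => host === d || host.endsWith("." + d));
}

// Returns every (label, brand) pair that looks like brand abuse: distance 0 is
// the brand name on a domain that is not its own, distance 1 is a one-edit typo.
// An empty array means nothing to flag.
function lookalikeLabels(rawHost, brands, allowlist) {
  const host = refang(rawHost);
  if (isAllowlisted(host, allowlist)) return [];
  const hits = [];
  for (const label of host.split(".")) {
    for (const brand of brands) {
      const distance = osaDistance(label, brand);
      if (distance <= 1) hits.push({ label, brand, distance });
    }
  }
  return hits;
}

// Constructed sample data (assumptions for this demo): brands, their assumed
// legitimate domains, the two defanged hosts from the article, and one
// legitimate host that must not be flagged.
const BRANDS = ["uniswap", "blur", "balancer", "galxe"];
const ALLOWLIST = ["uniswap.org", "blur.io", "balancer.fi", "galxe.com"];
const SAMPLE_HOSTS = ["unsiwap[.]app.se.net", "blur[.]app-io.com.co", "app.balancer.fi"];

for (const h of SAMPLE_HOSTS) {
  console.log(h, JSON.stringify(lookalikeLabels(h, BRANDS, ALLOWLIST)));
}
```

Very short brand names produce more false positives (any four-letter label within one edit of “blur” is flagged), so in practice the threshold should scale with the brand length, and the allowlist has to be maintained as projects add subdomains.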

Below are screenshots of a series of websites linked to this domain:

A global search using ZoomEye revealed that 73 phishing sites are concurrently running and deployed under this domain.

Further tracking showed that Angel Drainer conducts sales in both English and Russian. The offerings include 24/7 support, a deposit of $40,000, a 20% fee, support for multiple chains and NFTs, and an automatic site cloning tool.

Here’s an overview of the seller:

Following the contact details provided on the page, we found a Bot. The addresses involved in the image below currently have no transaction records, leading us to speculate that it might be a bot impersonating Angel Drainer.

Selecting a site at random for inspection, when users click on “Claim”, the website evaluates whether the user has a balance. Depending on the tokens and balance held by each victim’s address, it employs a combination of attacks: Approve — Permit/Permit2 signature — transferFrom.

Users with lower security awareness might inadvertently grant the attacker an unlimited allowance on their addresses. If new funds are later transferred to the user’s address, the attacker will immediately transfer those funds away.

Due to space constraints, we won’t delve further into the analysis here.

MistTrack Analysis

By analyzing the aforementioned 3,000+ phishing URLs and correlating them with the SlowMist AML malicious address database, we identified a total of 36 malicious addresses (on the ETH blockchain) associated with the Angel Drainer phishing gang. Of these, there are two hot wallet addresses belonging to Angel Drainer, spanning multiple chains, with the ETH and ARB chains involving significant amounts of funds.

Based on the 36 malicious addresses linked and set as our on-chain analysis dataset, we derived the following conclusions about this phishing group on the Ethereum (ETH) chain:

  • The earliest activity time of the on-chain address set dates back to April 14, 2023. (Transaction ID: 0x664b157727af2ea75201a5842df3b055332cb69fe70f257ab88b7c980d96da3)
  • Stolen funds: According to preliminary estimates, the gang has profited approximately 2 million USD via phishing. This includes a profit of 708.8495 ETH, equivalent to approximately 1,093,520.8976 USD. They are also involved with 303 ERC20 Tokens, valued at around 1 million USD, primarily consisting of LINK, STETH, DYDX, RNDR, VRA, WETH, WNXM, APE, and BAL. (Note: Prices are based on the rates as of October 13, 2023, with data sourced from CoinMarketCap.)
  • Analyzing the related malicious addresses’ Ethereum data post-April 14, 2023, for the first two layers, we observed that out of the profit funds, a total of 1652.67 ETH was transferred to Binance, 389.29 ETH to eXch, 116.57 ETH to Bybit, 25.839 ETH to OKX, and 21 ETH to Tornado Cash. The remaining funds were transferred to other individual addresses.

We would like to extend our gratitude to ScamSniffer for helping us gather this data.

Conclusion

This article, pivoting on the Balancer Hack and Galxe Hack incidents, delves into the phishing group Angel Drainer, extrapolating several characteristic features of this organization. As Web3 continues to innovate, the methodologies targeting Web3 phishing are also diversifying, catching many off-guard.

For users, it’s imperative to be informed about the risk profile of the target address before making on-chain transactions. Platforms like MistTrack can be used to input the target address and check its risk score and malicious labels. This can significantly reduce the risk of financial losses.

For wallet project developers, a holistic security audit is paramount. Emphasis should be on enhancing the user interaction security segment, fortifying the ‘what you see is what you sign’ mechanism, thereby minimizing the users’ susceptibility to phishing. Here are some specific measures to consider:

  • Phishing Site Alerts: Harness the power of the ecosystem or community to compile various phishing sites. Prominently warn and alert users when they interact with these phishing sites.
  • Signature Recognition and Alerts: Identify and alert on signature requests such as eth_sign, personal_sign, and signTypedData. Emphasize the risks associated with eth_sign blind signing.
  • What You See Is What You Sign: Implement an extensive parsing mechanism within the wallet for contract calls. This will prevent ‘Approve’ phishing and inform users of the detailed content constructed during DApp transactions.
  • Pre-execution Mechanism: By using a transaction pre-execution system, users can understand the effects after the transaction broadcast. This aids users in predicting the outcome of transaction executions.
  • Same Suffix Scam Alerts: When displaying addresses, prominently remind users to check the complete target address, preventing scams that utilize identical suffixes. Implement a whitelist address mechanism, allowing users to add frequently used addresses to a whitelist and avoid attacks that exploit identical suffixes.
  • AML Compliance Alerts: During transactions, utilize AML (Anti-Money Laundering) mechanisms to alert users if the target address for their transfers might trigger AML rules.
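To make the signature, “what you see is what you sign” and same-suffix measures concrete, here is an added example of a wallet-side request inspector. It is not code from the article or from any wallet project: the request shape is JSON-RPC style, the whitelist and addresses are constructed, and the `approve(address,uint256)` selector `0x095ea7b3` is decoded by hand so the example has no dependencies.

```javascript
// Added example (not from the original article or any wallet project): inspect
// an incoming dapp request and return human-readable warnings implementing the
// signature-recognition, Approve-parsing and same-suffix checks described above.

const APPROVE_SELECTOR = "0x095ea7b3"; // first 4 bytes of keccak256("approve(address,uint256)")
const MAX_UINT256 = (1n << 256n) - 1n;  // the "unlimited allowance" value

// Decode approve(address spender, uint256 amount) calldata: a 4-byte selector
// followed by two 32-byte ABI words (address is right-aligned in its word).
function decodeApprove(data) {
  const hex = (data || "0x").toLowerCase();
  if (!hex.startsWith(APPROVE_SELECTOR) || hex.length !== 2 + 8 + 64 * 2) return null;
  const spender = "0x" + hex.slice(10 + 24, 10 + 64);
  const amount = BigInt("0x" + hex.slice(10 + 64, 10 + 128));
  return { spender, amount };
}

// Encoder used only to build the constructed sample transaction below.
function approveCalldata(spender, amount) {
  return APPROVE_SELECTOR
    + spender.slice(2).toLowerCase().padStart(64, "0")
    + amount.toString(16).padStart(64, "0");
}

// Same-suffix check: an address that shares its last N hex characters with a
// whitelisted address but is not that address is the classic look-alike trick.
function sameSuffixLookalike(address, whitelist, suffixLen = 4) {
  const a = address.toLowerCase();
  return whitelist.map(w => w.toLowerCase())
    .find(w => w !== a && w.slice(-suffixLen) === a.slice(-suffixLen)) || null;
}

// Returns a list of warnings for one request; an empty list means nothing to flag.
function inspectRequest(req, whitelist) {
  const warnings = [];
  switch (req.method) {
    case "eth_sign":
      warnings.push("eth_sign: blind signing of an arbitrary hash; refuse or warn strongly");
      break;
    case "personal_sign":
    case "eth_signTypedData":
    case "eth_signTypedData_v3":
    case "eth_signTypedData_v4":
      warnings.push(`${req.method}: signature request; show the full message (Permit/Permit2 signatures can move tokens)`);
      break;
    case "eth_sendTransaction": {
      const tx = req.params[0] || {};
      const approve = decodeApprove(tx.data);
      if (approve) {
        const wl = whitelist.map(w => w.toLowerCase());
        if (approve.amount === MAX_UINT256) warnings.push("approve: unlimited allowance requested");
        if (!wl.includes(approve.spender)) warnings.push(`approve: spender ${approve.spender} is not whitelisted`);
        const lookalike = sameSuffixLookalike(approve.spender, whitelist);
        if (lookalike) warnings.push(`approve: spender shares its suffix with whitelisted ${lookalike}`);
      }
      break;
    }
  }
  return warnings;
}

// Constructed sample data (assumptions for this demo): one whitelisted spender
// and a look-alike spender that differs everywhere except the last 4 hex chars.
const WHITELIST = ["0x111111111111111111111111111111111111beef"];
const LOOKALIKE_SPENDER = "0x222222222222222222222222222222222222beef";
const SAMPLE_REQUEST = {
  method: "eth_sendTransaction",
  params: [{ to: "0x3333333333333333333333333333333333333333", // constructed token address
             data: approveCalldata(LOOKALIKE_SPENDER, MAX_UINT256) }],
};

console.log(inspectRequest(SAMPLE_REQUEST, WHITELIST));
```

The sample request trips all three approve checks at once (unlimited amount, unknown spender, suffix collision with a trusted address), which is exactly the pattern the text attributes to the “Claim” pages; a bounded approval to a whitelisted spender produces no warnings.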

SlowMist, as a leading blockchain security company, has been deeply involved in threat intelligence for many years. We primarily serve our vast clientele through security audits and anti-money laundering tracing services, establishing a solid network for threat intelligence collaboration. Security audits not only reassure users but also serve as a means to reduce potential attacks. However, due to data silos among various institutions, it’s challenging to identify money laundering gangs that operate across different platforms, presenting a significant challenge for anti-money laundering efforts. For project owners, promptly blocking and preventing the transfer of funds from malicious addresses is of paramount importance.

Our MistTrack anti-money laundering tracing system has accumulated labels for more than 200 million addresses, capable of identifying various wallet addresses from major global trading platforms. This includes more than a thousand address entities, over 100,000 threat intelligence data sets, and over 90 million risk addresses. If needed, you can contact us to access our API. In conclusion, we hope that everyone can join hands to make the blockchain ecosystem safer and better.

About SlowMist

SlowMist is a blockchain security firm established in January 2018. The firm was started by a team with over ten years of network security experience to become a global force. Their goal is to make the blockchain ecosystem as secure as possible for everyone. They are now a renowned international blockchain security firm that has worked on various well-known projects such as Huobi, OKX, Binance, imToken, Crypto.com, Amber Group, Klaytn, EOS, 1inch, PancakeSwap, TUSD, Alpaca Finance, MultiChain, Cheers UP, etc.

SlowMist offers a variety of services that include but are not limited to security audits, threat intelligence, defense deployment, security consulting, and other security-related services. They offer AML (Anti-Money Laundering) software, Vulpush (vulnerability monitoring), SlowMist Hacked (crypto hack archives), FireWall.x (smart contract firewall), Safe Staking and other SaaS products. They have partnerships with domestic and international firms such as Akamai, BitDefender, FireEye, RC², TianJi Partners, IPIP, etc.

By delivering a comprehensive security solution customized to individual projects, they can identify risks and prevent them from occurring. Their team was able to find and publish several high-risk blockchain security flaws. By doing so, they could spread awareness and raise the security standards in the blockchain ecosystem.
