VTA-004514 – Massive ‘FreeDrain’ Phishing Campaign Exploits SEO and Free Hosting to Steal Cryptocurrency Wallets
A massive phishing campaign known as “FreeDrain” has been quietly operating since 2022, tricking users into giving up their cryptocurrency wallet seed phrases. Security researchers recently discovered that the campaign is tied to over 38,000 fraudulent subdomains, making it one of the largest wallet-draining operations to date. By abusing free hosting platforms and manipulating search engine results, the attackers built a convincing network of scam pages. With attackers leveraging SEO and free hosting services to mimic real crypto wallets, even experienced users are at risk of being deceived.
FreeDrain operators use a combination of aggressive search engine optimization and abuse of free web hosting services such as GitHub Pages, GitBook, and Webflow to distribute fake crypto wallet interfaces. These pages are crafted to closely resemble legitimate wallet services and are optimized to appear in search results for queries such as “create Solana wallet” or “Ethereum wallet login.” When unsuspecting users visit one of these sites, they are prompted to enter their wallet seed phrases. The stolen seed phrases are then funneled into a backend system hosted on cloud platforms such as AWS and Azure, and the attackers use them to drain the victims’ funds immediately. The campaign employs thousands of keyword-laden subdomains to boost search engine visibility and cast a wide net.
To reduce the risk of falling for phishing attacks like FreeDrain, users should avoid clicking on search engine ads or unfamiliar links when accessing crypto wallets. It’s safer to bookmark official wallet URLs or use trusted directories. Verifying the domain name carefully before entering sensitive information is also crucial. Hosting providers and search engines should step up monitoring for abuse and take action against mass-generated phishing sites. Wallet providers can aid this by implementing warnings or confirmations before accepting seed phrase input on unfamiliar domains.
Severity: Medium
Attack Surface: Cloud Service, Online Fraud, Web Application, Web Browser
Tactics: Command and Control, Credential Access, Exfiltration, Initial Access, Resource Development
Techniques:
T1566 – Phishing
T1078 – Valid Accounts
T1583 – Acquire Infrastructure
T1071 – Application Layer Protocol
T1555 – Credentials from Password Stores
T1041 – Exfiltration Over C2 Channel
Indicator of Compromise:
https://otx.alienvault.com/pulse/681da27aa2e2e62a71db0bd3
References:
1. https://www.sentinelone.com/labs/freedrain-unmasked-uncovering-an-industrial-scale-crypto-theft-network/
SuperPRO’s Threat Countermeasures Procedures:
1. Block or monitor access to known free hosting domains like github.io, gitbook.io, and webflow.io in enterprise environments.
2. Train users to avoid entering seed phrases on any website reached through search engine results.
3. Bookmark official wallet URLs and avoid using search engines for crypto wallet access.
4. Monitor DNS traffic for suspicious subdomain patterns commonly used in large-scale phishing operations.
5. Use browser extensions or DNS filtering tools that warn about newly registered or suspicious domains.
6. Report fake wallet sites to hosting providers and browser blacklists to accelerate takedown efforts.
7. Encourage wallet developers to implement client-side domain verification and phishing warnings.
8. Implement search engine monitoring for branded keywords being abused in scam campaigns.
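Added example (not part of the original advisory) illustrating countermeasures 1 and 4: a small DNS-log scanner that flags queries to the free hosting apexes named above whose subdomains are stuffed with wallet-related keywords. The log line format, the keyword list and the sample entries are constructed for this example.

```python
import re

# Free hosting apex domains named in the advisory.
FREE_HOSTING_APEX = {"github.io", "gitbook.io", "webflow.io"}

# Keywords typical of FreeDrain-style keyword-laden subdomains (constructed list; extend per environment).
WALLET_KEYWORDS = {"wallet", "solana", "ethereum", "seed", "phrase", "login", "create", "recover"}

# Constructed log format: "<timestamp> <client-ip> query <qname>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) query (?P<qname>\S+)$")


def parse_line(line):
    """Parse one DNS query log line; return (ts, client, qname) or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return m.group("ts"), m.group("client"), m.group("qname").rstrip(".").lower()


def split_host(qname):
    """Return (subdomain, apex). Apex = last two labels; fine for *.github.io etc., not a full public-suffix split."""
    labels = qname.split(".")
    if len(labels) < 3:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def score_subdomain(subdomain):
    """Count wallet keywords among the subdomain tokens (split on dots, hyphens, underscores)."""
    tokens = re.split(r"[.\-_]", subdomain)
    return sum(1 for t in tokens if t in WALLET_KEYWORDS)


def find_suspicious(lines, min_keywords=2):
    """Return alert dicts for queries to free-hosting apexes with >= min_keywords wallet keywords."""
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if not parsed:
            continue
        ts, client, qname = parsed
        sub, apex = split_host(qname)
        if apex not in FREE_HOSTING_APEX:
            continue
        hits = score_subdomain(sub)
        if hits >= min_keywords:
            alerts.append({"ts": ts, "client": client, "qname": qname, "keyword_hits": hits})
    return alerts


# Constructed sample log: two keyword-stuffed free-hosting subdomains, two benign ones, one non-free-hosting name.
SAMPLE_LOG = """
2025-05-09T10:01:02Z 10.0.0.12 query create-solana-wallet-login.github.io.
2025-05-09T10:01:05Z 10.0.0.12 query docs.github.io.
2025-05-09T10:02:10Z 10.0.0.31 query ethereum-wallet-seed-phrase.gitbook.io.
2025-05-09T10:03:44Z 10.0.0.31 query my-portfolio.webflow.io.
2025-05-09T10:04:00Z 10.0.0.7 query wallet.example.com.
"""

if __name__ == "__main__":
    for alert in find_suspicious(SAMPLE_LOG.splitlines()):
        print(alert)
```

Tune `min_keywords` and the keyword list to the environment; a hit is a triage lead (check the page the client reached), not a verdict on its own.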
Contributed by: Tasneem