NEWS Seed → POST request → empty balance: how fast and clean crypto theft works

It all starts with an innocent search query—and ends with an empty wallet.


Cybersecurity researchers have uncovered a large-scale, well-organized phishing campaign targeting cryptocurrency holders. Over the course of several years, attackers built a resilient infrastructure involving more than 38,000 subdomains aimed at wallet owners. The investigation, conducted by SentinelOne and Validin, has been dubbed FreeDrain.


The core of the attack revolves around manipulating search engine results, exploiting free hosting platforms such as gitbook.io, webflow.io, and github.io, and utilizing a multi-layered redirection system. Users searching for wallet-related info—e.g., “Trezor wallet balance”—would land on spoofed websites mimicking real wallet interfaces. From there, one of three scenarios would unfold: redirection to a legitimate site, an intermediate landing page, or a full-fledged phishing clone prompting users to enter their seed phrase.


Every element of the attack was made to look seamless—from the site design to the credibility of the hosting platforms. Once the seed phrase was entered, the automated infrastructure would empty the victim’s wallet almost instantly. Some of these fake pages were generated using tools like GPT-4o, allowing attackers to mass-produce text content without human effort.


A notable clue to the campaign’s origin is its activity pattern: GitHub commits mainly occurred on weekdays during Indian Standard Time (IST), suggesting that the operators followed a typical office work schedule.


To boost visibility in search results, attackers also employed spamdexing—flooding vulnerable sites with fake comments containing links to their traps. Similar tactics were observed as early as 2022 by Netskope, when phishing sites impersonating brands like MetaMask, Phantom, Bitbuy, Coinbase, and Trezor began to spread.


FreeDrain is a prime example of how scalable phishing operations can thrive using free infrastructure while being resistant to takedowns. Its distributed architecture and adaptability make it difficult to permanently shut down.


In parallel, Check Point Research reported activity from another crypto theft scheme known as Inferno Drainer, a “Drainer-as-a-Service” operation. Although it was officially “shut down” in 2023, recent attacks show it’s still functional. It uses disposable smart contracts, encrypted on-chain settings, and proxies to bypass protections and blacklists.


Victims are lured through Discord, where outdated invite links are replaced and OAuth2 authorization is used for disguise. The user is led to a fake bot and then to a phishing page where they’re prompted to sign a malicious transaction. Between September 2024 and March 2025, Inferno Drainer is estimated to have stolen from over 30,000 wallets, draining at least $9 million.


Bitdefender researchers also recorded a malvertising campaign using Facebook ads* that impersonated major crypto platforms like Binance, Bybit, and TradingView. These ads led to malicious sites offering to install “official apps.” Depending on whether the request came from a real user or an analysis system, the site would either display malicious content or a harmless placeholder. The installer would show a fake login screen via the browser process msedge_proxy.exe, while silently launching components that collect data and attempt to “sleep” for hundreds of hours to evade sandbox detection.


All of this highlights the sophistication and resilience of modern phishing campaigns: from URL spoofing and content generation to mimicking trusted services and bypassing analysis tools.
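An added defender's triage example (not part of the post above, and not SentinelOne's or Validin's tooling): it scores URLs from a web-proxy log for the FreeDrain-style lure the post describes, a wallet-brand keyword served from a subdomain of a free publishing platform, optionally reached through a redirect chain. The free-hosting domains and brand names come from the post; the log format, the scoring weights, the threshold and the sample log lines are constructed assumptions for illustration.

```python
"""
Triage proxy-log URLs for a FreeDrain-style lure: wallet-brand keyword on a
free-hosting subdomain, possibly behind a redirect chain. Example code added
for illustration; the log format and weights are assumptions.
"""
from urllib.parse import urlparse

# Free hosting platforms named in the post. Any subdomain under these is
# user-controlled content, not content published by the platform operator.
FREE_HOSTING_SUFFIXES = ("gitbook.io", "webflow.io", "github.io")

# Wallet / exchange brands named in the post. Assumption: a legitimate site
# for these brands is never served from a free-hosting subdomain.
WALLET_KEYWORDS = ("trezor", "metamask", "phantom", "bitbuy", "coinbase")

# Constructed sample log: "client_ip url http_status location_header_or_-"
SAMPLE_LOG = """\
10.0.0.5 https://trezor-balance-check.gitbook.io/home 302 https://wallet-login-help.webflow.io/start
10.0.0.5 https://wallet-login-help.webflow.io/start 200 -
10.0.0.7 https://trezor.io/start 200 -
10.0.0.9 https://docs.example.github.io/project 200 -
"""


def is_free_hosting(host: str) -> bool:
    """True when host is the platform domain itself or any subdomain of it."""
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in FREE_HOSTING_SUFFIXES)


def has_wallet_keyword(host: str, path: str) -> bool:
    """True when a wallet brand name appears in the hostname or the path."""
    text = (host + path).lower()
    return any(k in text for k in WALLET_KEYWORDS)


def score_url(url: str):
    """Return (score, reasons) for one URL; both signals together reach 4."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    score, reasons = 0, []
    if is_free_hosting(host):
        score += 2
        reasons.append("free-hosting subdomain")
    if has_wallet_keyword(host, parsed.path):
        score += 2
        reasons.append("wallet brand keyword")
    return score, reasons


def parse_log(text: str):
    """Parse the constructed four-column log format into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        client, url, status, location = line.split()
        records.append({"client": client, "url": url,
                        "status": int(status), "location": location})
    return records


def follow_chain(start: str, hops: dict, limit: int = 10):
    """Follow 3xx Location hops from start; stop on a loop or the hop limit."""
    chain = [start]
    while chain[-1] in hops and len(chain) < limit:
        nxt = hops[chain[-1]]
        if nxt in chain:  # redirect loop
            break
        chain.append(nxt)
    return chain


def triage(log_text: str, threshold: int = 4):
    """Score each redirect chain; return findings at or above the threshold."""
    records = parse_log(log_text)
    hops = {r["url"]: r["location"] for r in records
            if 300 <= r["status"] < 400 and r["location"] != "-"}
    targets = set(hops.values())
    starts = []  # chain entry points, in first-seen order, deduplicated
    for r in records:
        if r["url"] not in targets and r["url"] not in starts:
            starts.append(r["url"])
    findings = []
    for start in starts:
        chain = follow_chain(start, hops)
        scored = [score_url(u) for u in chain]
        score = max(s for s, _ in scored)
        reasons = sorted({why for _, rs in scored for why in rs})
        # The post's "multi-layered redirection": a chain passing through
        # free hosting is worth an extra point over a single page.
        if len(chain) > 1 and any(is_free_hosting(urlparse(u).hostname or "") for u in chain):
            score += 1
            reasons.append("redirect chain through free hosting")
        if score >= threshold:
            findings.append({"start": start, "chain": chain,
                             "score": score, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["score"], " -> ".join(f["chain"]), f["reasons"])
```

Note the two negative cases in the sample log: the real trezor.io site scores on the keyword alone and a project page on github.io scores on free hosting alone, so neither reaches the threshold; only the combination, reinforced by the redirect hop, is flagged. In production the keyword and platform lists would be broader, and the finding would be a lead for analyst review rather than an automatic block.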

