FreeDrain Phishing Scam Depletes Cryptocurrency Assets of Enthusiasts
A sophisticated phishing scheme, comprising a network of counterfeit websites, has been identified as a significant threat to web3 projects, draining cryptocurrency wallets on a large scale for several years.
Originally discovered by Validin as a collection of crypto phishing websites in April 2024, the operation soon revealed itself to be more extensive and intricate than initially thought. In response, Validin collaborated with SentinelOne’s research division, SentinelLabs, to investigate further.
Rather than utilizing standard phishing tactics such as emails or social media, the scheme—designated as FreeDrain by the researchers—employs SEO manipulation, free-tier web services, and intricate redirection methods to specifically target cryptocurrency wallets.
Reports suggest that the operation has been active since at least 2022, possibly orchestrated by a team based in India or Sri Lanka.
Findings were disclosed at PIVOTcon 2025, a distinguished threat intelligence conference held in Malaga from May 7 to 9.
Uncovering A Large-Scale Crypto Phishing Network
In April 2024, Validin released a report detailing various phishing pages aimed at draining cryptocurrencies. This report drew attention when an individual reached out, claiming the loss of 8 Bitcoins—valued at approximately $500,000 at the time—after unwittingly submitting their wallet seed phrase to a phishing site while trying to check their balance via a top-ranking search engine result.
The seed phrase, also known as a recovery mnemonic, is crucial for restoring access to a cryptocurrency wallet. Trusted analysts confirmed that the wallet receiving the stolen funds was a one-time-use address, and that the assets were quickly laundered through a cryptocurrency mixer, complicating recovery efforts.
The outreach from the victim exposed a broader, systematic phishing operation.
SEO Manipulation Techniques
Further investigation revealed 38,048 unique FreeDrain subdomains hosting deceptive lure pages, primarily utilizing cloud infrastructure like Amazon S3 and Microsoft Azure Web Apps. These subdomains were designed to imitate legitimate cryptocurrency wallet interfaces.
To lend their lure pages credibility, the attackers combined an array of SEO techniques, free-tier hosting services (e.g., GitHub.io, WordPress.com), typosquatting, and layered redirection to instill a false sense of trust in their targets.
“We were stunned by the sheer volume of lure pages appearing among top-ranked search results across all major search engines,” researchers noted. The phishing pages often featured a large image (usually a screenshot of a legitimate wallet) coupled with disclaimers that curiously included tips on avoiding phishing—a deceptive strategy designed to make them appear credible.
These seemingly rudimentary webpages gave direct answers to specific queries, which search engine algorithms reward, especially when the pages are hosted on reputable platforms. Comment spamming on poorly maintained sites was used to boost visibility through spamdexing, allowing FreeDrain to reach victims without relying on traditional phishing delivery methods such as email.
AI-Aided Content Generation
Analysis of the lure pages indicated that the text had been generated by large language models. Copy-paste artifacts and specific leftover strings, including references to the model used, pointed to generative AI. Investigators highlighted that FreeDrain operators adopted AI to produce content at scale but sometimes did so carelessly.
The Attack Chain: A Step-by-Step Breakdown
The research team outlined the sequence leading to the phishing sites:
1. Targeting wallet-related queries (e.g., “Trezor wallet balance”) on popular search engines.
2. Clicking on a high-ranking result, often from a seemingly trustworthy domain.
3. Landing on a page with a large, clickable image (typically a screenshot of a legitimate wallet interface).
4. Clicking the image, leading to either a phishing page or a redirect through an intermediary site.
5. Arriving at a phishing site, a near-exact replica of the legitimate wallet service, prompting the user to input their seed phrase.
Once the seed phrase is obtained, attackers can drain funds within minutes.
Attributing the FreeDrain Campaign
Attributing the FreeDrain operation proved challenging due to its transient infrastructure and reliance on shared, free-tier services. However, analysis of repository metadata, behavioral indicators, and timing artifacts revealed insights into the operators’ characteristics, suggesting a connection to India or possibly Sri Lanka.
Investigators examined GitHub repositories associated with FreeDrain and found that the email accounts used in commits were unique to the campaign and primarily registered with free email services. Commit patterns and timestamps indicated activity during typical weekday working hours in the UTC+05:30 timezone, which corresponds to Indian Standard Time (IST).
This analysis consistently indicated that FreeDrain's operations were likely carried out by individuals in India, with a notable uptick in activity in mid-2024.
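The timezone inference described above rests on a simple idea: if commit timestamps cluster into weekday working hours under one UTC offset and not under others, that offset is the likely operator timezone. The following is an added example, not code from the researchers or from the FreeDrain repositories; the commit dates are constructed values in the format produced by `git log --format=%aI`, and the candidate offsets and the 9:00-18:00 working-hour window are assumptions chosen for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample of author dates (ISO 8601 with the committer's own UTC
# offset), as `git log --format=%aI` prints them. These values are invented
# for illustration and are not data from any real repository.
SAMPLE_COMMIT_DATES = [
    "2024-06-03T04:45:10+00:00",
    "2024-06-03T07:02:33+00:00",
    "2024-06-03T11:40:05+00:00",
    "2024-06-04T05:30:00+00:00",
    "2024-06-04T09:15:27+00:00",
    "2024-06-05T14:20:00+05:30",
    "2024-06-05T03:50:11+00:00",
    "2024-06-06T10:05:44+00:00",
    "2024-06-07T06:10:00+00:00",
    "2024-06-07T16:30:00+05:30",
    "2024-06-08T12:00:00+00:00",  # Saturday
    "2024-06-06T18:45:00+00:00",  # after midnight in IST
]


def parse_commit_dates(lines):
    """Parse ISO 8601 timestamps (with explicit UTC offsets) into aware datetimes."""
    return [datetime.fromisoformat(s.strip()) for s in lines if s.strip()]


def offset_counter(dates):
    """Tally the raw UTC offsets the committers' machines stamped on each commit.

    This is the quickest signal, but it is weak on its own: many CI systems and
    hosted editors stamp UTC regardless of where the operator sits."""
    return Counter(int(d.utcoffset().total_seconds() // 60) for d in dates)


def local_hour_histogram(dates, offset_minutes):
    """Count commits per hour of day once every timestamp is moved into the
    candidate timezone given as a UTC offset in minutes."""
    tz = timezone(timedelta(minutes=offset_minutes))
    return Counter(d.astimezone(tz).hour for d in dates)


def working_hours_score(dates, offset_minutes, start=9, end=18):
    """Fraction of commits that fall Mon-Fri between `start` and `end` local
    hours under the candidate offset. Higher means the offset explains the
    activity pattern better."""
    if not dates:
        return 0.0
    tz = timezone(timedelta(minutes=offset_minutes))
    hits = 0
    for d in dates:
        local = d.astimezone(tz)
        if local.weekday() < 5 and start <= local.hour < end:
            hits += 1
    return hits / len(dates)


def best_fit_offset(dates, candidate_offsets):
    """Return the candidate UTC offset (minutes) under which the largest share
    of commits lands in weekday working hours."""
    return max(candidate_offsets, key=lambda off: working_hours_score(dates, off))


if __name__ == "__main__":
    dates = parse_commit_dates(SAMPLE_COMMIT_DATES)
    print("raw offsets (minutes):", dict(offset_counter(dates)))
    # Assumed candidate set: US Eastern (no DST), UTC, CET, IST, China.
    for off in (-300, 0, 60, 330, 480):
        print(f"UTC{off:+d} min -> working-hours score {working_hours_score(dates, off):.2f}")
    print("best fit:", best_fit_offset(dates, [-300, 0, 60, 330, 480]))
```

Two caveats a practitioner would keep in mind: the raw offset tally and the hour-of-day fit should agree before either is trusted, and the working-hour window is an assumption that a night-shift operator, or one who sets the clock deliberately, will defeat. The technique supports attribution only alongside the other indicators the article mentions (account metadata, naming patterns, hosting choices).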
Mitigation Recommendations
To counter the tactics evident in the FreeDrain campaign, the researchers recommend that free-tier content platforms implement the following measures to enhance their defense against abuse:
– Establish robust abuse reporting mechanisms to facilitate direct reporting from published pages, along with communication channels with trusted threat intelligence analysts.
– Invest in abuse prevention tools to monitor misuse patterns, such as bulk account creation or repeated hosting of phishing kits.
– Enhance detection capabilities for coordinated abuse, identifying repetitive naming conventions and identical templates across various subdomains.
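The last recommendation, spotting repetitive naming conventions and identical templates across many subdomains, can be implemented by a hosting platform without looking at page text at all. The following is an added example, not code from the researchers or from any platform; it assumes the platform can enumerate its own hostnames and fetch the HTML it serves, and the five pages under `.example` are constructed samples. The HTML is reduced to a tag-and-class skeleton so that pages whose only difference is generated copy hash to the same fingerprint, and hostname labels are reduced to a shape (`w` for a run of letters, `N` for a run of digits) so that a naming convention shows up independently of the brand name it wraps.

```python
import hashlib
import re
from collections import defaultdict
from html.parser import HTMLParser

# Constructed lure template: one image-dominated page with a blurb and a
# "tip" paragraph, the layout the article describes. The text and links are
# placeholders, not content from any real site.
_LURE = (
    "<html><body><div class='hero'><a href='{link}'>"
    "<img class='shot' src='{img}'></a></div>"
    "<p class='copy'>{text}</p><p class='tip'>{tip}</p></body></html>"
)

SAMPLE_PAGES = {  # hostname -> HTML served (all constructed)
    "trezor-wallet-balance-2024.storage.example": _LURE.format(
        link="https://example.invalid/a", img="a.png",
        text="How to check your balance.", tip="Never share your seed phrase."),
    "ledger-wallet-balance-01.web.example": _LURE.format(
        link="https://example.invalid/b", img="b.png",
        text="Check your balance in seconds.", tip="Beware of phishing sites."),
    "exodus-wallet-login-7.pages.example": _LURE.format(
        link="https://example.invalid/c", img="c.png",
        text="Sign in to view holdings.", tip="Only use official apps."),
    "metamask-balance-check.blog.example": _LURE.format(
        link="https://example.invalid/d", img="d.png",
        text="A quick balance lookup guide.", tip="Stay safe online."),
    "docs.example": "<html><body><h1>Docs</h1><p>Release notes.</p></body></html>",
}


class TemplateSkeleton(HTMLParser):
    """Collects tag names and class attributes in document order, dropping
    all text and other attributes (hrefs, image paths differ per deployment)."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def handle_starttag(self, tag, attrs):
        cls = dict(attrs).get("class", "") or ""
        self.parts.append(f"<{tag} class={cls}>")

    def handle_endtag(self, tag):
        self.parts.append(f"</{tag}>")


def template_fingerprint(html_text):
    """Short SHA-256 of the page's structural skeleton."""
    parser = TemplateSkeleton()
    parser.feed(html_text)
    parser.close()
    return hashlib.sha256("".join(parser.parts).encode("utf-8")).hexdigest()[:16]


def name_shape(hostname):
    """Reduce the first DNS label to a shape: letters -> 'w', digits -> 'N',
    separators kept. 'trezor-wallet-balance-2024' becomes 'w-w-w-N'."""
    label = hostname.split(".")[0].lower()
    shape = re.sub(r"[a-z]+", "w", label)
    return re.sub(r"\d+", "N", shape)


def cluster(pages, min_size=3):
    """Group hostnames by template fingerprint and by name shape; return only
    the groups at or above `min_size`, which are the candidates for review."""
    by_template = defaultdict(list)
    by_shape = defaultdict(list)
    for host, html_text in pages.items():
        by_template[template_fingerprint(html_text)].append(host)
        by_shape[name_shape(host)].append(host)
    template_clusters = {k: sorted(v) for k, v in by_template.items() if len(v) >= min_size}
    shape_clusters = {k: sorted(v) for k, v in by_shape.items() if len(v) >= min_size}
    return template_clusters, shape_clusters


if __name__ == "__main__":
    templates, shapes = cluster(SAMPLE_PAGES)
    for fp, hosts in templates.items():
        print(f"template {fp}: {len(hosts)} hosts -> {hosts}")
    for shape, hosts in shapes.items():
        print(f"name shape {shape}: {len(hosts)} hosts -> {hosts}")
```

In the sample, four hosts share one template even though their wording differs, while only three share the `w-w-w-N` naming shape; the two signals overlap but are not the same, which is why both are worth keeping. A real deployment would feed the clusters into the abuse review queue rather than act on them automatically, since legitimate site builders also produce many structurally identical pages.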