StepDrainer drains crypto wallets across more than 20 networks

- A malware-as-a-service platform called StepDrainer is stealing crypto assets across more than 20 blockchain networks.
- It generates fake wallet-connection interfaces that trick users into approving token transfers.
- Researchers say the tool is part of a growing merger between traditional malware operations and cryptocurrency-focused theft.
A crypto-stealing tool called StepDrainer is draining money from wallets across Ethereum, BNB Chain, Arbitrum, Polygon, and at least 17 other networks.
StepDrainer operates as a malware-as-a-service kit. It uses fake but realistic Web3 wallet pop-ups to trick people into approving transfers. Some of those screens are made to look like Web3Modal wallet connections.
Once someone connects their wallet, StepDrainer looks for the most valuable tokens first and automatically sends them to wallets controlled by the attackers, according to LevelBlue.
StepDrainer misuses smart contract tools
StepDrainer misuses real smart contract tools like Seaport and Permit v2 to show wallet approval pop-ups that look normal. But the details inside those pop-ups are fake.
In one case, cybersecurity researchers found that victims saw a fake message saying they were receiving “+500 USDT,” making the approval look safe.
StepDrainer loads its harmful code through dynamically injected scripts and retrieves its configuration from decentralized on-chain accounts.
That setup helps the attackers dodge normal security tools because the harmful code is not stored in one fixed place where it can be easily scanned.
StepDrainer is not just one person’s project. Researchers said there is a mature underground market selling ready-made drainer kits, making it easier for many attackers to add wallet-stealing features to scams they already run.
EtherRAT siphons crypto from Windows users
According to a recent Cryptopolitan report, over 500 Ethereum wallets have been drained in the past 24 hours. The attacker siphoned more than $800K in crypto assets and then swapped the funds via ThorChain.
Many of the drained wallets had been inactive for over 7 years, according to on-chain researcher Wazz. The drained funds were directed to a single wallet address controlled by the attacker.
Cybersecurity researchers advise users connecting wallets to unknown sites to verify the domain, read the transaction details before signing, and remove any unlimited token approvals.
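The "read the transaction details before signing" advice is worth making concrete, because a drainer's pop-up text ("+500 USDT") is just a label, while the calldata is what the token contract actually executes. The following is an added example, not code from the Cryptopolitan article, LevelBlue's research, or any wallet project: it decodes the calldata of a pending EVM transaction and flags the two approval patterns a drainer relies on, an unlimited ERC-20 `approve` and an ERC-721/1155 `setApprovalForAll`. The spender address and the allow-list are constructed sample values; the selectors are the standard ones derived from the function signatures.

```javascript
// Added example: decode approval calldata before signing and flag risky grants.
// Selectors are the first 4 bytes of keccak256(signature) for standard token functions.
const SELECTORS = {
  "0x095ea7b3": "approve(address,uint256)",       // ERC-20 allowance
  "0xa22cb465": "setApprovalForAll(address,bool)", // ERC-721 / ERC-1155 operator approval
};

const MAX_UINT256 = (1n << 256n) - 1n; // the "unlimited" allowance drainers request

// i-th 32-byte ABI word after the 4-byte selector, as a 64-char hex string.
function word(data, i) {
  const start = 8 + i * 64;
  const w = data.slice(start, start + 64);
  if (w.length !== 64) throw new Error("calldata truncated");
  return w;
}

function decodeApproval(calldata) {
  const data = calldata.toLowerCase().replace(/^0x/, "");
  const selector = "0x" + data.slice(0, 8);
  const sig = SELECTORS[selector];
  if (!sig) return { kind: "other", selector };
  // Addresses are right-aligned in their 32-byte word: keep the last 20 bytes.
  const spender = "0x" + word(data, 0).slice(24);
  if (sig.startsWith("approve(")) {
    const amount = BigInt("0x" + word(data, 1));
    return { kind: "approve", spender, amount, unlimited: amount === MAX_UINT256 };
  }
  const approved = BigInt("0x" + word(data, 1)) !== 0n;
  return { kind: "setApprovalForAll", spender, approved };
}

// Compare the decoded grant against an allow-list of spenders the user actually
// intends to use (e.g. a known DEX router). Returns human-readable warnings.
function assessApproval(tx, trustedSpenders) {
  const trusted = new Set(trustedSpenders.map((a) => a.toLowerCase()));
  const decoded = decodeApproval(tx.data);
  const warnings = [];
  if (decoded.kind === "other") return { decoded, warnings };
  if (!trusted.has(decoded.spender)) warnings.push(`spender ${decoded.spender} is not on the allow-list`);
  if (decoded.kind === "approve" && decoded.unlimited) warnings.push("unlimited ERC-20 allowance requested");
  if (decoded.kind === "setApprovalForAll" && decoded.approved) warnings.push("operator approval for every token in the collection");
  return { decoded, warnings };
}

// Helpers to build constructed sample calldata (what a wallet would show as "hex data").
function encodeApprove(spender, amount) {
  return "0x095ea7b3" + spender.toLowerCase().slice(2).padStart(64, "0") + amount.toString(16).padStart(64, "0");
}
function encodeSetApprovalForAll(operator, approved) {
  return "0xa22cb465" + operator.toLowerCase().slice(2).padStart(64, "0") + (approved ? "1" : "0").padStart(64, "0");
}

// Constructed sample: a pop-up labelled "+500 USDT" whose real payload is an unlimited approve
// to an address the user has never heard of.
const SAMPLE_SPENDER = "0x1111111111111111111111111111111111111111"; // constructed, not a real drainer address
const sample = { to: "0xdAC17F958D2ee523a2206206994597C13D831ec7", data: encodeApprove(SAMPLE_SPENDER, MAX_UINT256) };
console.log(assessApproval(sample, []).warnings);
```

The ERC-20 `approve` path is what a classic drainer pop-up drives. Permit-style flows (Permit2, Seaport orders) are EIP-712 typed-data signatures rather than calldata, so a wallet must surface the typed fields (spender, amount, deadline) for the same check; this example does not decode those. Existing unlimited allowances can be revoked by sending `approve(spender, 0)` from the owning wallet.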
FAQs
What is StepDrainer?
StepDrainer is a crypto-stealing platform that works across more than 20 blockchains, including Ethereum, Arbitrum, and Polygon. It uses fake wallet screens to trick users, then steals their crypto funds.
How does StepDrainer bypass security detection?
StepDrainer loads its malicious code through dynamic script injection and gets its setup from on-chain accounts. This makes it harder for normal security tools to detect.
What is EtherRAT and how is it related?
EtherRAT is malware that started on Linux but now targets Windows through a fake Tftpd64 installer. The malware is being reused for crypto theft.

Randa Moses
Randa Moses is an editor and reporter at Cryptopolitan covering tech, AI, robotics, crypto, scams, and hacks. She has worked in the crypto space since 2017. She held roles at Forward Protocol, AmaZix, and Cryptosomniac. Randa holds a degree in Electrical and Electronics Engineering from the University of Bradford.