A sprawling phishing operation dubbed “FreeDrain” has emerged as an industrial-scale cryptocurrency theft network that systematically targets and drains digital wallets. The campaign leverages search engine manipulation and free-tier web hosting services to build an extensive web of malicious sites that appear legitimate to unsuspecting users searching for cryptocurrency wallet information.

SentinelOne researchers, in collaboration with Validin, recently unveiled the full scope of the operation at PIVOTcon 2025, identifying over 38,000 distinct FreeDrain subdomains hosting lure pages. Their investigation began after a distressed victim reported losing approximately 8 BTC (worth around $500,000) after entering their seed phrase on a fake Trezor wallet site.

The attack begins when users search for wallet-related queries such as “Trezor wallet balance” or “Ledger Live” on major search engines. Victims click on high-ranking malicious results, often appearing on the first page of search results, and land on seemingly helpful pages hosted on platforms like gitbook.io or webflow.io. These initial lure pages, typically a single large image of a legitimate wallet interface, redirect users through a series of hops before eventually reaching a phishing page designed to steal wallet seed phrases: clicking the image triggers a chain of redirects through algorithmically generated domains like “shotheatsgnovel.com” or “bildherrywation.com” before landing on the final phishing page.

Code on that phishing page sends the captured seed phrase to an AWS API Gateway endpoint and then redirects the victim to the legitimate wallet site, leaving them unaware that their credentials have been compromised until their funds disappear.

Analysis of FreeDrain’s infrastructure revealed that the operation is likely run by individuals based in the UTC+05:30 timezone (Indian Standard Time), working standard business hours with clear weekday patterns and midday breaks, suggesting a structured, professional operation rather than opportunistic attacks. “FreeDrain represents a modern blueprint for scalable phishing operations,” noted Tom Hegel, Principal Threat Researcher at SentinelOne.
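The chain described above (free-tier lure host, off-brand redirect hops, a seed-phrase POST to an AWS API Gateway endpoint, then a bounce to the legitimate site) is a pattern that a proxy log or browser telemetry can be triaged against. The following is an added example written for this page, not code from the article, SentinelOne or Validin. It assumes a recorded session in a simple list-of-events form; the session itself is constructed for illustration: the gitbook.io subdomain, the API Gateway API id (`abc123`) and region, the request paths, and the 12-word body (which is not a real seed phrase) are all invented, while the two generated hop domains and the hosting platforms are the ones the article names. The BIP39 word-count set and the `<api-id>.execute-api.<region>.amazonaws.com` hostname shape are standard.

```python
"""Triage a recorded browsing session for the FreeDrain-style pattern:
free-tier lure host -> off-brand redirect hops -> seed-phrase POST to an
AWS API Gateway endpoint -> redirect to the legitimate wallet site."""
import re
from urllib.parse import urlparse

# Free-tier hosting platforms the article names as lure-page hosts.
FREE_TIER_HOSTS = ("gitbook.io", "webflow.io")

# Default hostname shape of an AWS API Gateway endpoint:
# <api-id>.execute-api.<region>.amazonaws.com
API_GATEWAY_RE = re.compile(r"^[a-z0-9]+\.execute-api\.[a-z0-9-]+\.amazonaws\.com$")

# BIP39 mnemonics are 12, 15, 18, 21 or 24 words.
MNEMONIC_LENGTHS = {12, 15, 18, 21, 24}


def hostname(url):
    return (urlparse(url).hostname or "").lower()


def on_free_tier_host(url):
    host = hostname(url)
    return any(host == p or host.endswith("." + p) for p in FREE_TIER_HOSTS)


def looks_like_mnemonic(text):
    """Cheap check: mnemonic-length run of lowercase alphabetic words.
    A full check would validate each word against the BIP39 wordlist."""
    words = text.split()
    return len(words) in MNEMONIC_LENGTHS and all(w.isalpha() and w.islower() for w in words)


def triage_session(events, brand, legit_domain):
    """events: ordered list of {"event": "nav"|"post", "url": ..., "body": ...}.
    brand: lowercase brand token the victim searched for (e.g. "trezor").
    legit_domain: the real wallet site the victim is bounced to.
    Returns a list of finding strings; an empty list means nothing matched."""
    findings = []
    navs = [e for e in events if e["event"] == "nav"]

    # 1. Entry point on a free-tier hosting platform.
    if navs and on_free_tier_host(navs[0]["url"]):
        findings.append(f"lure page on free-tier host: {hostname(navs[0]['url'])}")

    # 2. Redirect hops that are neither the brand's domain nor brand-named.
    for e in navs[1:]:
        host = hostname(e["url"])
        if host != legit_domain and not host.endswith("." + legit_domain) and brand not in host:
            findings.append(f"off-brand redirect hop: {host}")

    # 3. Mnemonic-length text submitted to an API Gateway endpoint.
    for e in events:
        if e["event"] == "post" and API_GATEWAY_RE.match(hostname(e["url"])) \
                and looks_like_mnemonic(e.get("body", "")):
            findings.append(f"mnemonic-length text posted to API Gateway endpoint: {hostname(e['url'])}")

    # 4. Session ends on the legitimate site only after suspicious activity.
    if navs and hostname(navs[-1]["url"]) == legit_domain and len(findings) >= 2:
        findings.append(f"session ends on legitimate site {legit_domain} after capture (victim bounce)")
    return findings


# Constructed sample session (not captured traffic). The hop domains and
# hosting platform come from the article; everything else is invented.
SAMPLE_SESSION = [
    {"event": "nav", "url": "https://example-wallet.gitbook.io/balance"},
    {"event": "nav", "url": "https://shotheatsgnovel.com/go"},
    {"event": "nav", "url": "https://bildherrywation.com/wallet"},
    {"event": "post",
     "url": "https://abc123.execute-api.us-east-1.amazonaws.com/prod/submit",
     "body": "apple brave cable dance eagle fable giant hazel ivory jolly knife lemon"},
    {"event": "nav", "url": "https://trezor.io/"},
]

if __name__ == "__main__":
    for finding in triage_session(SAMPLE_SESSION, "trezor", "trezor.io"):
        print("-", finding)
```

Each finding on its own is weak (plenty of legitimate sites front an API Gateway, and a gitbook.io page is not suspicious by itself); the value is in the ordered combination, which is why the final "bounce" finding is only emitted once at least two earlier indicators have fired.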
Published on cybersecuritynews.com, Fri, 09 May 2025 09:40:58 +0000.