Crypto scammers are fighting amongst themselves over stolen funds

(Image credit: Future)

Cybersecurity researchers have uncovered a hacker compromising cryptocurrency scam sites and diverting already stolen funds to his own wallets, and have already raked in hundreds of thousands of dollars this way.

According to Trend Micro, a threat actor called “Water Labbu” found and breached 45 scam websites and replaced their wallet addresses with his own. That way, any funds that the scammers trick people into giving, would actually go to him.

The scam sites are mostly fake liquidity mining pools. Genuine liquidity mining pools work by having people lend out their cryptocurrencies to decentralized exchanges, in order to create a liquidity pool. That liquidity pool allows cryptocurrency traders to trade their tokens directly (in a decentralized manner, as opposed to a centralized manner where a single entity provides the liquidity). The lenders make a profit by getting a portion of the trading fees.

Fake sites, fake apps

To lend their cryptocurrencies, the users need to connect their wallets to the liquidity mining pool. Fake sites, on the other hand, only wait for people to connect their wallets, and then drain them dry. Between building fake apps and engaging in social media activity to promote the scam, there’s plenty of work to be done. Water Labbu bypasses all of it, letting the original scammers do all the heavy lifting for them.

Trend Micro says that so far, the scammer obtained more than $300,000, from nine identified victims.

> Apple iPhone 14 launch used to hook victims into a crypto scam

> Crypto scams are now a billion-dollar market

> Here's our rundown of the best endpoint protection services around

“In one of the cases we analyzed, Water Labbu injected an IMG tag to load a Base64- encoded JavaScript payload using the “onerror” event, in what is known as an XSS evasion technique, to bypass Cross-Site Scripting (XSS) filters,” Trend Micro’s explained in its report. “The injected payload then creates another script element that loads another script from the delivery server tmpmeta[.]com.”

The script looks for new wallets that hold at least 0.005 ETH or 22,000 USDT and, depending on the platform (either Windows or one of the two mobile platforms), initiates the transfer.

To protect against such scams, Trend Micro warns, users should be very careful when connecting their wallets and make sure they’ve done their due diligence before giving away their tokens.

These are the best firewalls right now

Via: BleepingComputer

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.