FreeDrain Phishing Scam Drains Crypto Hobbyists’ Wallets

A sophisticated phishing scheme, comprising a network of fake websites, has been targeting web3 projects and draining cryptocurrency wallets at scale for years.

First detected by Validin as a simple network of crypto phishing websites in April 2024, it soon became apparent that the scheme may be much more sophisticated and large scale. This led the internet intelligence platform provider to collaborate with SentinelOne’s research team, SentinelLabs, to conduct further investigation.

Instead of relying on common delivery methods like phishing emails, SMS (smishing), social media posts and blog comment spam, the scheme, dubbed FreeDrain by the investigators, leveraged SEO manipulation, free-tier web services and layered redirection techniques to target cryptocurrency wallets.

The operation, likely conducted by a team based in India (or possibly Sri Lanka), has been ongoing since at least 2022.

Validin and SentinelLabs published their findings at PIVOTcon 2025, a threat intelligence conference held in Malaga from May 7 to 9.

Uncovering A Large-Scale Crypto Phishing Network

In April 2024, Validin published a report documenting a series of crypto-draining phishing pages.

This report caught the attention of an individual who contacted Validin, claiming to have lost 8 Bitcoins, worth around $500,000 at the time.

“The victim had unknowingly submitted their wallet seed phrase to a phishing site while attempting to check their wallet balance, after clicking on a highly-ranked search engine result,” the SentinelLabs and Validin researchers explained in a joint May 8 report.

A seed phrase, also known as a recovery phrase or mnemonic seed, is a list of words used to restore a cryptocurrency wallet and access the associated funds.

It was confirmed by trusted cryptocurrency tracking analysts that the destination wallet used to receive the victim’s funds was a one-time-use address.

They stated that the stolen assets were quickly moved through a cryptocurrency mixer, an obfuscation method that fragments and launders funds across multiple transactions, making attribution and recovery nearly impossible.

The researchers reported that although they were unable to assist in recovering the lost assets, the outreach effort revealed that the phishing attack was part of a broader, large-scale operation.

SEO Manipulation Techniques

Upon further investigation, the SentinelLabs and Validin researchers identified 38,048 distinct FreeDrain subdomains hosting lure pages. These subdomains are hosted on cloud infrastructure, such as Amazon S3 and Microsoft Azure Web Apps, which mimic legitimate cryptocurrency wallet interfaces.

To make the network of phishing websites more appealing to victims, hackers employed a combination of SEO manipulation techniques, free-tier web hosting services (e.g., GitHub.io, WordPress.com, GoDaddySites, Gitbook), typosquatting techniques, familiar visual elements, and layered redirection techniques to deceive victims into a false sense of legitimacy.

“We were stunned by the sheer volume of lure pages appearing among top-ranked search results across all major search engines,” said the researchers.

“In most cases, the pages consisted of just a single large image (again, usually a screenshot of a legitimate crypto wallet interface) followed by a few lines of text that offered seemingly helpful instructions, ironically, some even claimed to educate users on how to avoid phishing.”

While seemingly basic, these webpages displayed direct answers to questions search engine users are likely to type. These types of pages are known to be rewarded by search engine algorithms, especially when hosted on high-reputation platforms.

Additionally, the FreeDrain operators employed large-scale comment spamming on poorly maintained websites to increase the visibility of their lure pages through search engine indexing – a technique known as spamdexing.

“This technique allows FreeDrain to sidestep traditional delivery vectors like phishing emails or malicious ads, instead meeting victims exactly where they’re looking, at the top of trusted search engines,” the researchers wrote.

AI-Aided Content Generation

The text on many lure pages showed evidence of having been generated by large language models, according to the investigators.

They stated that copy-paste artifacts were found, revealing the specific tools used, including strings like ‘4o mini’, likely a reference to OpenAI’s GPT-4o mini model.

The investigators noted that these signs suggested that the FreeDrain operators were utilizing generative AI to create scalable content, but were doing so carelessly at times.

The Attack Chain: A Step-by-Step Breakdown

The SentinelLabs and Validin researchers were able to outline the step-by-step process that ultimately leads to the phishing site:

1. Search for wallet-related queries (e.g. “Trezor wallet balance”) on a major search engine
2. Click a high-ranking result, often hosted on a seemingly trustworthy platform like gitbook.io or webflow.io
3. Land on a page displaying a large, clickable image (usually a static screenshot of the legitimate wallet interface)
4. Click the image, which either leads to a phishing page or redirects the user to an intermediary site
5. Arrive at the final phishing site, a near-perfect clone of the real wallet service, prompting the user to input their seed phrase

Once a seed phrase is submitted, the attacker’s automated infrastructure will drain funds within minutes.

Attributing the FreeDrain Campaign

Finally, the investigators stated that attributing the FreeDrain operation was challenging due to its ephemeral infrastructure and use of shared, free-tier services.

However, by analyzing repository metadata, behavioral signals and timing artifacts, they were able to gather significant insights into the operators’ characteristics, including their likely location, work patterns and level of coordination.

The researchers reported that their investigation revealed several key findings. They analyzed GitHub repositories associated with FreeDrain and found that the email addresses used in the commits were unique and tied to individual GitHub accounts, with most coming from free email providers.

Moreover, the commit timestamps were predominantly in the UTC+05:30 timezone, corresponding to Indian Standard Time (IST), suggesting a strong geographic link to India – or possibly Sri Lanka.

This finding was corroborated by analyzing metadata from other services, such as Webflow, which revealed a clear 9-to-5 weekday work pattern in the IST time zone.

The researchers concluded that, based on the combined evidence, it was highly likely that the FreeDrain operation was being carried out by individuals based in India, working standard weekday hours.

They also noted that the campaign had been active since at least 2022, with a significant increase in activity in mid-2024, and remained active at the time of their report.

Mitigation Recommendations

The investigators recommend that free-tier content platforms take steps to prevent abuse and improve their response to malicious activity, as highlighted by the FreeDrain campaign:

• Improve abuse reporting mechanisms by allowing abuse to be reported directly from published content pages and establishing direct communication lines with trusted threat intel analysts and threat researchers
• Invest in basic abuse prevention tooling to monitor for patterns of misuse, such as bulk account creation, similar domain structures and repeated hosting of external phishing kits
• Enhance detection capabilities to identify coordinated abuse, such as repetitive naming patterns and identical templates reused across subdomains