StepDrainer drains crypto wallets across +20 networks

May 3, 2026

A crypto-stealing tool called StepDrainer is draining money from wallets across Ethereum, BNB Chain, Arbitrum, Polygon, and at least 17 other networks.

StepDrainer operates as a malware-as-a-service kit. It uses fake but realistic Web3 wallet pop-ups to trick people into approving transfers. Some of those screens are made to look like Web3Modal wallet connections.

Once someone connects their wallet, StepDrainer looks for the most valuable tokens first and automatically sends them to wallets controlled by the attackers, according to LevelBlue.

StepDrainer misuses smart contract tools

StepDrainer misuses real smart contract tools like Seaport and Permit v2 to show wallet approval pop-ups that look normal. But the details inside those pop-ups are fake.

In one case, cybersecurity researchers found that victims saw a fake message saying they were receiving “+500 USDT,” making the approval look safe.

StepDrainer loads its harmful code through changing scripts and gets its setup from decentralized on-chain accounts.

That setup helps the attackers dodge normal security tools because the harmful code is not stored in one fixed place where it can be easily scanned.

StepDrainer is not just one person’s project. Researchers said there is a developed underground market selling ready-made drainer kits, making it easier for many attackers to add wallet-stealing features to scams they already run.

EtherRAT siphons crypto from Windows users

Besides StepDrainer, researchers also found another piece of malware, called EtherRAT. It targets Windows through a fake version of the Tftpd64 network admin tool.

According to LevelBlue, EtherRAT hides Node.js inside a fake installer, makes sure it stays on the computer through the Windows registry, and uses PowerShell to check the system.

EtherRAT first targeted Linux. Now it is bringing malware tricks and crypto theft to Windows.

EtherRAT quietly runs in the background. It checks things like antivirus tools, system settings, domain details, and hardware before it starts stealing.

According to a recent Cryptopolitan report, over 500 Ethereum wallets have been drained in the past 24 hours. The attacker siphoned more than $800K in crypto assets and then swapped the funds via ThorChain.

Many of the drained wallets have been inactive for over 7 years, according to on-chain researcher Wazz. The drained funds were directed by a single wallet address controlled by the attacker.

Cybersecurity researchers advise users connecting wallets to unknown sites to verify the domain, read the transaction details before signing, and remove any unlimited token approvals.
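
Reading the details before signing can be partly automated. The example below is added here and is not code from the article or from LevelBlue: it checks a Permit2 `PermitSingle` or `PermitBatch` signing request for an unlimited amount, a long validity window and a spender outside an allowlist. The 30-day limit, the allowlist and the sample addresses are assumptions.

```javascript
// Added example (not from the article): review a Permit2 signing request
// (an eth_signTypedData_v4 payload) for the risks the article describes.
const MAX_UINT160 = (1n << 160n) - 1n; // Permit2 amounts are uint160; max = unlimited
const MAX_VALIDITY_SECONDS = 30 * 24 * 60 * 60; // assumed policy: 30 days

function reviewPermit2Request(typedData, trustedSpenders, nowSeconds) {
  const risks = [];
  const type = typedData.primaryType || "";
  if (type !== "PermitSingle" && type !== "PermitBatch") return risks;

  const msg = typedData.message || {};
  // PermitSingle carries one details object, PermitBatch an array of them.
  const details = Array.isArray(msg.details) ? msg.details : [msg.details || {}];
  for (const d of details) {
    if (BigInt(d.amount ?? 0) >= MAX_UINT160) {
      risks.push(`unlimited allowance on token ${d.token}`);
    }
    if (Number(d.expiration ?? 0) - nowSeconds > MAX_VALIDITY_SECONDS) {
      risks.push(`allowance on token ${d.token} stays valid for more than 30 days`);
    }
  }
  // An allowance is only as safe as the address allowed to spend it.
  const spender = String(msg.spender || "").toLowerCase();
  const allow = trustedSpenders.map((a) => a.toLowerCase());
  if (!allow.includes(spender)) {
    risks.push(`spender ${spender} is not on the allowlist`);
  }
  return risks;
}

// Constructed sample: the addresses are placeholders, not real contracts.
const SAMPLE_TOKEN = "0x" + "aa".repeat(20);
const SAMPLE_SPENDER = "0x" + "bb".repeat(20);
const SAMPLE_REQUEST = {
  primaryType: "PermitSingle",
  domain: { name: "Permit2", chainId: 1 },
  message: {
    details: { token: SAMPLE_TOKEN, amount: "0x" + "f".repeat(40),
               expiration: "281474976710655", nonce: "0" },
    spender: SAMPLE_SPENDER,
    sigDeadline: "281474976710655",
  },
};

const NOW = 1777766400; // constructed timestamp, in seconds
console.log(reviewPermit2Request(SAMPLE_REQUEST, [], NOW));
```

A request that a site labels as an incoming payment but that produces any of these findings is granting spending rights, not receiving funds.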
