Angel Drainer targets users with malicious Safe contract: $403K stolen

Notorious phishing group Angel Drainer has reportedly stolen over $400,000 from 128 crypto wallets through a new attack vector that leveraged Etherscan’s verification tool to cover up the malicious nature of a smart contract.

The attack started at 6:40 am Feb. 12 when Angel Drainer deployed a malicious Safe (formerly Gnosis Safe) vault contract, according to a Feb. 13 X post from blockchain security firm Blockaid.

A total of 128 wallets were then signed a “Permit2” transaction on the Safe vault contract, leading to $403,000 in funds being stolen.

Blockaid said the scammers used a Safe vault contract specifically to deliver a “false sense of security,” as Etherscan automatically adds a verification flag to confirm it as a legitimate contract.

Blockaid stressed the incident wasn’t a direct attack on Safe and that its user base had not been “broadly impacted.” The security firm added it had notified Safe of the attack and was working to limit further damage.

Related: ‘Haunts me to this day’ — Crypto project hacked for $4M in a hotel lobby

Angel Drainer has only been in operation for 12 months but has managed to drain over $25 million from nearly 35,000 wallets, Blockaid stated in a Feb. 5 X post.

The $484,000 Ledger Connect Kit hack and the EigenLayer restake farming attack are among the most notable attacks committed by Angel Drainer in recent months.

The restake farming attack involved Angel Drainer implementing a malicious queueWithdrawal function which, once signed by users, would withdraw staking rewards to an address of the attackers choosing, Blockaid explained.

Approximately 40,000 users on OpenSea, Optimism, zkSync, Manta Network and SatoshiVM fell victim to phishing attacks in January, losing a combined $55 million, according to Scam Sniffer, a Web3 scam tracker.

The figure is on track to surpass 2023’s figure of $295 million, according to Scam Sniffer’s 2023 Wallet Drainers Report.