Hackers are Breaching Scam Sites to Hijack Crypto Transactions

In a perfect example of there being no honor among thieves, a threat actor named ‘Water Labbu’ is hacking into cryptocurrency scam sites to inject malicious JavaScript that steals funds from the scammer’s victims. In July, the FBI warned of malicious ‘dApps’ (decentralized applications) that impersonated cryptocurrency liquidity mining services in order to steal victims’ crypto investments. Liquidity mining refers to a transaction in which an investor lends their crypto to a decentralized exchange in exchange for high rewards, commonly generated through trading fees.

Instead of creating their own scam sites, the threat actors leave all the social engineering work to the original scammers. Trend Micro researchers estimate that Water Labbu has compromised at least 45 scam websites.

Water Labbu hacks into these types of fake dApp sites and injects JavaScript code into the site’s HTML. The script monitors newly connected wallets on the scam sites and retrieves the address and balances of TetherUSD and Ethereum wallets that contain crypto holdings above 0.005 ETH or 22,000 USDT. If the victim is on a mobile device, Water Labbu’s malicious script sends a transaction approval request via the dApp site, so it appears as if it comes from the scam website. If the recipient agrees to the transaction, the malicious script drains the wallet of its funds and sends them to an address owned by Water Labbu. For Windows users, the hacked sites instead show a fake Flash Player update notice overlaid on the scam site. The Flash installer is a backdoor fetched directly from GitHub.
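The following Python script is an added example, not code from the article or from Trend Micro's research. It shows one way a site operator could detect the kind of script injection described above: re-fetch the served HTML, list every `<script>` element, and flag external scripts loaded from hosts outside an allowlist and inline scripts whose SHA-256 hash is not in a recorded baseline. The hostnames, the baseline and the sample HTML (including the stand-in for an injected script) are all constructed for the demonstration.

```python
"""Flag <script> elements that are not in a page's known baseline.

Added example (not from the article or Trend Micro). Assumes the operator
keeps a baseline of allowed external script hosts and SHA-256 hashes of
the page's legitimate inline scripts; everything below is constructed.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _ScriptCollector(HTMLParser):
    """Collect every <script> element: its src attribute (if any) and body."""

    def __init__(self):
        super().__init__()
        self.scripts = []       # list of {"src": str | None, "body": str}
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self._current = {"src": dict(attrs).get("src"), "body": ""}

    def handle_data(self, data):
        # HTMLParser delivers script bodies through handle_data (CDATA mode)
        if self._current is not None:
            self._current["body"] += data

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._current is not None:
            self.scripts.append(self._current)
            self._current = None


def sha256_of(text):
    """SHA-256 hex digest of a whitespace-trimmed inline script body."""
    return hashlib.sha256(text.strip().encode("utf-8")).hexdigest()


def find_unexpected_scripts(html, allowed_hosts, known_inline_hashes):
    """Return (kind, detail) findings for scripts outside the baseline.

    kind is "external" (detail: the src URL) when the script is loaded from
    a host not in allowed_hosts, or "inline" (detail: the body's digest)
    when an inline script's hash is not in known_inline_hashes. Relative
    src values (no host) are treated as same-origin and not flagged here.
    """
    parser = _ScriptCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for script in parser.scripts:
        if script["src"]:
            host = urlsplit(script["src"]).hostname or ""
            if host and host not in allowed_hosts:
                findings.append(("external", script["src"]))
        else:
            digest = sha256_of(script["body"])
            if digest not in known_inline_hashes:
                findings.append(("inline", digest))
    return findings


# --- Constructed sample data -------------------------------------------------
ALLOWED_HOSTS = {"cdn.example-dapp.test"}           # hypothetical first-party CDN
KNOWN_INLINE_HASHES = {sha256_of('window.APP_VERSION = "1.2.0";')}

CLEAN_HTML = """<html><head>
<script src="https://cdn.example-dapp.test/app.js"></script>
<script>window.APP_VERSION = "1.2.0";</script>
</head><body></body></html>"""

# Same page with two constructed additions: a third-party script tag and an
# inline script that is not in the baseline (stand-in for injected code).
TAMPERED_HTML = CLEAN_HTML.replace(
    "<body></body>",
    '<body><script src="https://static.attacker.invalid/w.js"></script>\n'
    "<script>\n  /* constructed stand-in for an injected script */\n"
    "  watchConnectedWallets();\n</script></body>",
)

if __name__ == "__main__":
    for label, page in (("clean", CLEAN_HTML), ("tampered", TAMPERED_HTML)):
        print(label, find_unexpected_scripts(page, ALLOWED_HOSTS, KNOWN_INLINE_HASHES))
```

A check like this only catches changes to the HTML the server returns; it does not see scripts added at runtime by an already-allowed file, so the baseline for external files should also record their content hashes (or use Subresource Integrity) and be refreshed deliberately whenever the site is legitimately deployed.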

Analyst Notes

To avoid these types of scams, always research dApp sites, especially liquidity mining platforms, to determine if they are legitimate before connecting a wallet to them. Also, periodically review wallets’ allowed sites to make sure a scam site was not inadvertently added. In addition, avoid conducting investments with unvetted or anonymous parties introduced via social media, as these scenarios commonly lead to scams. Finally, avoid trading cryptocurrency on unknown or unvetted exchanges, as these activities put the entirety of a wallet at risk.