A joint investigation by SentinelLABS and Validin has uncovered “FreeDrain,” a vast, industrial-scale phishing campaign systematically targeting cryptocurrency users to steal wallet login credentials and seed phrases.
FreeDrain exploits weaknesses in free-tier web publishing platforms, applies aggressive SEO manipulation, and uses layered redirection to lure victims, resulting in large-scale theft of digital assets, often within minutes of compromise.
Automated Crypto Phishing Operation
First observed after a victim lost 8 BTC (valued at approximately $500,000) via a highly ranked malicious search result, researchers traced the attack chain from search engine poisoning through lure pages to the final credential-harvesting destinations.
FreeDrain operators achieved search engine visibility by creating over 38,000 malicious subdomains on trusted platforms like gitbook.io, webflow.io, github.io, and others.
These sites, often featuring AI-generated content and large screenshots of legitimate wallet interfaces, redirected users via comment-spammed URLs and custom redirector domains to highly convincing phishing clones.

Analysis revealed that most lure and phishing pages were hosted on cloud infrastructure such as Amazon S3 and Azure Web Apps, with static or AJAX-based forms sending harvested seed phrases to attacker-controlled endpoints.
According to SentinelLabs, in many cases phishing pages also embedded live chat widgets, where real human operators engaged victims to encourage submission of credentials.
Financial Credential Theft Increases with SEO and AI
What sets FreeDrain apart is its scale, automation, and ability to avoid traditional delivery vectors like phishing emails.
Instead, victims are funneled from benign-seeming search queries (“Trezor wallet balance,” etc.) directly to malicious pages ranked at the top of major search engines.

This reach is achieved through mass SEO spamdexing, mainly the abuse of poorly moderated websites for comment spam, which drives backlinks and artificially inflates search engine rankings for lure pages.
The campaign's lure pages and infrastructure display significant variation, often using obfuscated keyword spellings, Unicode tricks, and AI-generated guidance text to evade detection.
Redirector domains follow algorithmic naming conventions, obscuring network relationships and further complicating takedown efforts.
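As an added illustration, not code from the SentinelLABS/Validin report, here is a defender-side triage heuristic for hostnames seen in DNS or proxy logs: it flags hosts on the free-tier publishing and cloud platforms this article names whose subdomain label carries a wallet brand name, exactly or lightly misspelled (as in the "trezsor" lure page above). The homoglyph map, the 0.85 similarity threshold and the benign sample host are assumptions chosen for this example.

```python
import re
import unicodedata
from difflib import SequenceMatcher

# Free-tier publishing and cloud hosting suffixes named in the article.
FREE_TIER_SUFFIXES = ("gitbook.io", "webflow.io", "github.io",
                      "azurewebsites.net", "amazonaws.com")
# Wallet brands the campaign impersonates, taken from the article's IOCs.
WALLET_BRANDS = ("trezor", "ledger", "metamask", "atomicwallet", "blockfi")
# Assumed look-alike substitutions to undo before keyword matching.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "@": "a"})
FUZZY_THRESHOLD = 0.85  # assumed; tolerates one inserted or swapped letter

def normalize_host(host):
    """Undo [.] defanging, fold Unicode to ASCII (NFKC), lowercase."""
    host = unicodedata.normalize("NFKC", host.replace("[.]", ".").strip())
    return host.encode("ascii", "ignore").decode().lower()

def brand_hits(label):
    """Brands found in a subdomain label, exactly or as near-misspellings."""
    folded = re.sub(r"[^a-z0-9]", "", label.translate(HOMOGLYPHS))
    hits = []
    for brand in WALLET_BRANDS:
        if brand in folded:
            hits.append(brand)
            continue
        # Slide a window one char longer than the brand so an inserted or
        # swapped letter (e.g. "trezsor" for "trezor") still scores high.
        width = len(brand) + 1
        for i in range(max(0, len(folded) - width + 1)):
            if SequenceMatcher(None, brand, folded[i:i + width]).ratio() >= FUZZY_THRESHOLD:
                hits.append(brand)
                break
    return hits

def score_host(host):
    """Flag a hostname as a likely FreeDrain-style lure or phishing host."""
    host = normalize_host(host)
    suffix = next((s for s in FREE_TIER_SUFFIXES if host.endswith("." + s)), None)
    if suffix is None:  # not free-tier/cloud; algorithmic redirectors land here
        return {"host": host, "platform": None, "brands": [], "suspicious": False}
    label = host[:-len(suffix) - 1]  # everything before the platform suffix
    hits = brand_hits(label)
    return {"host": host, "platform": suffix, "brands": hits, "suspicious": bool(hits)}

if __name__ == "__main__":
    # Sample hosts: three of the article's IOCs plus one constructed benign host.
    for h in ("home-trezsor-start.gitbook.io", "ledgerauth-wellat.webflow.io",
              "antressmirestos[.]com", "team-wiki.gitbook.io"):
        print(score_host(h))
```

Note the limit the article itself points to: the algorithmically named redirector domains carry no brand keyword, so a hostname heuristic alone will not catch them and must be paired with redirect-chain or page-content inspection.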
Commit metadata, publish timings, and infrastructure signals mostly point to coordinated manual activity, with operators working standard business hours (UTC+5:30, likely Indian Standard Time).
Despite coordinated takedown attempts, FreeDrain’s reliance on disposable, free-tier infrastructure makes it highly resilient.
Platform-level deficiencies in abuse detection and limited reporting workflows further exacerbate the persistence and growth of the operation.
FreeDrain highlights a rapidly escalating threat to digital asset security, one that exploits both human trust and technology enablers at scale.
The campaign demonstrates the urgent need for more robust abuse detection, faster takedown mechanisms, and improved user education around credential safety, especially for high-value targets in the crypto sector.
Without ecosystem-wide changes, attackers will continue to weaponize trusted platforms and search infrastructure to harvest financial login credentials.
Indicators of Compromise (IOCs)
| Type | Examples |
|---|---|
| Lure Pages (Sample) | https://metamaskchromextan.gitbook.io/us, https://home-trezsor-start.gitbook.io/en-us, https://ledgerauth-wellat.webflow.io/ |
| Redirector Domains | antressmirestos[.]com, shotheatsgnovel[.]com, bildherrywation[.]com, causesconighty[.]com |
| Phishing URLs | https://atomicwallet.azurewebsites[.]net/, https://blockfi-api.azurewebsites[.]net/, https://cnbse13liv.s3.eu-north-1.amazonaws[.]com/index.html |