Hackers breached over 2,000 WordPress websites and infected the sites with crypto-draining malware.
After the hackers successfully deployed the malware, the websites were turned into NFT promotion websites that advertised portals to various fraudulent crypto sites. The advertisements promised enticing deals on NFTs and hot cryptocurrencies.
The idea is to lure unsuspecting users who regularly visit and trust the compromised websites into clicking the link and connecting their crypto wallets. Once they clicked through, users were prompted to connect the most popular wallets, including MetaMask, Coinbase, Ledger, and WalletConnect.
Once connected, the malware-ridden websites can begin draining your crypto wallets right out from under your nose. Users who stored crypto in their digital wallets instead of a hardware wallet saw their savings drained after opening the link.
The attack started with brute-force attacks on various WordPress sites. Through brute force alone, hackers compromised over 1,000 websites before hitting a dead end. The hackers then changed tactics, shifting from attacking the sites directly to hijacking individual visitors’ web browsers and using them to probe the defenses of other sites.
The attackers weaponized these visitors’ browsers to search for potential administrative passwords and login details, resulting in a second wave of attacks that compromised over 1,700 more websites.
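The first wave described above was plain credential brute forcing against the WordPress login page. The following script is an added example (not from the article or from Sucuri) of how a site operator can spot that pattern in ordinary web server access logs: it parses combined-format log lines, counts POST requests to the login endpoint per client address inside a sliding time window, and reports addresses that exceed a threshold. The log lines, addresses and timestamps are constructed for illustration; `/xmlrpc.php` is included alongside `/wp-login.php` because it is another commonly abused WordPress login path, not because the article mentions it.

```python
"""Flag possible brute-force attempts against WordPress login endpoints in access logs.

Added example, not the article's or Sucuri's tooling. Sample log lines are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache/Nginx "combined" format: ip - - [time] "METHOD path HTTP/x" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Endpoints that accept WordPress credentials (xmlrpc.php is a known alternative login path).
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], TIME_FMT)
    rec["status"] = int(rec["status"])
    return rec


def find_bruteforce(lines, threshold=10, window_seconds=60):
    """Return {ip: peak login POSTs within any window} for IPs at or above the threshold."""
    records = [r for r in map(parse_line, lines) if r is not None]
    records = [r for r in records if r["method"] == "POST"
               and r["path"].startswith(LOGIN_PATHS)]
    records.sort(key=lambda r: r["time"])  # sliding window needs chronological order

    recent = defaultdict(deque)  # ip -> timestamps of login POSTs inside the window
    peak = defaultdict(int)
    for r in records:
        q = recent[r["ip"]]
        q.append(r["time"])
        while (r["time"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        peak[r["ip"]] = max(peak[r["ip"]], len(q))
    return {ip: n for ip, n in peak.items() if n >= threshold}


# Constructed sample: one address hammers wp-login.php every 3 seconds, another logs in normally.
SAMPLE_LOG = [
    f'203.0.113.5 - - [01/Feb/2024:10:00:{s:02d} +0000] '
    f'"POST /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"'
    for s in range(0, 36, 3)
] + [
    '198.51.100.7 - - [01/Feb/2024:10:00:05 +0000] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Feb/2024:10:00:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Feb/2024:10:00:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, n in find_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {n} login POSTs within 60s")
```

The second wave in the article came from many visitors' browsers rather than a handful of attacker addresses, so per-IP counting alone will miss it; for that case the same window logic is better keyed on the targeted username or on the ratio of failed to successful logins across all sources.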
Researchers with Sucuri noted that the hackers injected scripts from the dynamic-linx[.]com website during both campaigns.
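Because the drainer in both campaigns arrived as a script injected from an external domain, a useful defensive check is to audit which hosts a site's pages load scripts from. The following is an added example, not Sucuri's SiteCheck or any code from the report: it refangs defanged indicators such as `dynamic-linx[.]com`, collects every external `<script src>` with the standard-library HTML parser, and reports scripts served from a known indicator domain or from any host not on the site's allowlist. The sample HTML, the allowlist host and the script path under the indicator domain are constructed.

```python
"""Audit page HTML for externally hosted <script> tags against an IoC list and an allowlist.

Added example, not from the article or Sucuri. Sample HTML is constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Indicator from the Sucuri report, kept defanged so the live domain never appears literally.
KNOWN_BAD = {"dynamic-linx[.]com"}


def refang(indicator):
    """Turn a defanged indicator (x[.]y, hxxp://) back into its usable, lowercase form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> start tag."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            for name, value in attrs:
                if name == "src" and value:
                    self.srcs.append(value)


def script_hosts(html):
    """Return the hostnames of externally hosted scripts; relative srcs (same origin) are skipped."""
    collector = ScriptSrcCollector()
    collector.feed(html)
    hosts = []
    for src in collector.srcs:
        host = urlparse(src).hostname  # None for "/wp-includes/..." style paths
        if host:
            hosts.append(host)
    return hosts


def audit_scripts(html, allowed_hosts, known_bad=KNOWN_BAD):
    """Return (bad, unknown): script hosts matching an indicator, and hosts not on the allowlist."""
    bad_domains = {refang(i) for i in known_bad}
    allowed = {h.lower() for h in allowed_hosts}
    bad, unknown = [], []
    for host in script_hosts(html):
        if host in bad_domains or any(host.endswith("." + d) for d in bad_domains):
            bad.append(host)
        elif host not in allowed:
            unknown.append(host)
    return bad, unknown


# Constructed sample page: one local script, one allowlisted CDN, one injected drainer loader
# (path under the indicator domain is made up), and one script from an unlisted host.
SAMPLE_HTML = f"""<html><head>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script src="//cdn.example.net/lib.js"></script>
<script src="https://{refang('dynamic-linx[.]com')}/assets/loader.js"></script>
<script src="https://unlisted-host.example/widget.js"></script>
</head><body><p>NFT promo</p></body></html>"""

if __name__ == "__main__":
    bad, unknown = audit_scripts(SAMPLE_HTML, ["cdn.example.net"])
    print("indicator hits:", bad)
    print("not on allowlist:", unknown)
```

Run this against the rendered HTML served to visitors rather than the theme files on disk, since injections of this kind are often written into the database (post content, widgets, options) and only appear once WordPress assembles the page.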
“In the first two months of 2024, we tracked at least three unrelated malware campaigns that began using crypto drainers in website hacks,” wrote researchers with Sucuri in a recent report.
“More notably, our SiteCheck remote website scanner has detected the largest variant (which uses Angel Drainer) on over 550 sites since the beginning of February alone,” the report continues.
In total, more than 2,000 websites were infected, meaning not every one of the 2,700 compromised websites was injected with crypto-draining malware. However, this can quickly change as hackers develop new scripts and injectors.