FreeDrain

FreeDrain is an industrial-scale, global cryptocurrency phishing operation focused on stealing wallet seed phrases and draining victims’ digital assets. It has been active since at least 2022, accelerated in mid-2024, and remains active. The operation was documented by Validin and SentinelLABS. FreeDrain targets cryptocurrency users searching for wallet-related terms such as "Trezor wallet balance." It uses SEO manipulation and spamdexing to push malicious lure pages high in search results on Google, Bing, and DuckDuckGo. Researchers identified more than 38,000 distinct lure-page subdomains, with pages hosted on trusted free-tier and publishing platforms including GitBook, Webflow, GitHub Pages, Teachable, Strikingly, WordPress.com, Weebly, GoDaddySites, Educator Pages, and Webador. The attack chain typically begins with a search result leading to a lure page that imitates legitimate wallet content and often displays a clickable screenshot of wallet interfaces such as Trezor, MetaMask, or Ledger. Victims are then redirected through one or more intermediary domains to phishing pages that mimic legitimate wallet interfaces and capture seed phrases. FreeDrain uses layered redirection infrastructure with algorithmically generated, English-like .com domains; researchers found that all identified redirector domains were registered through Key-Systems GmbH. The redirector layer may be shared infrastructure used by multiple threat actors or campaigns. Final phishing pages were primarily hosted on Amazon S3 and Azure Web Apps. Researchers observed HTML forms and AJAX POST requests used to exfiltrate stolen seed phrases, including posting to an AWS API Gateway endpoint and, in some cases, backend services on azurewebsites.net. Some Azure-hosted phishing pages included live chat widgets, and researchers confirmed that human operators responded in real time. FreeDrain also uses large-scale comment spam on neglected websites with weak moderation to boost search rankings. Researchers found signs that the operators likely used generative AI to create lure-page content at scale, including artifacts such as "4o mini," and observed extensive text and metadata variation to evade detection. Based on GitHub repository metadata and Webflow publish timestamps, researchers assessed with high confidence that the operators likely work in the UTC+05:30 timezone, probably India, during standard weekday business hours. FreeDrain is described as a criminal operation that has industrialized cryptocurrency theft using sophisticated infrastructure and monetization pipelines.