Malware

FreeDrain

FreeDrain is a large-scale cryptocurrency phishing and draining operation focused on stealing wallet seed phrases. According to the provided content, it used industrial-scale SEO manipulation and more than 38,000 malicious subdomains hosted on legitimate free-tier platforms such as gitbook.io and github.io to target users searching for wallet-related queries. Victims were lured to convincing phishing pages, including pages with AI-generated content, where they were prompted to enter wallet seed phrases; funds were then drained within minutes. The operation is described as part of the broader industrialization of cryptocurrency theft, using sophisticated infrastructure and monetization pipelines. High-confidence indicators and characteristics mentioned in the content include the use of 38,000+ subdomains, abuse of legitimate publishing platforms, wallet-themed search-engine targeting, and seed-phrase harvesting leading to rapid theft of crypto assets. No specific threat actor attribution, malware family lineage, or sector-specific victimology beyond cryptocurrency users is provided in the content.

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial

INDICATORS OF COMPROMISE

IOCs tracked for this family

94 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

View more in app

Network

77 tracked

IPs, domains, and DNS infrastructure linked to this family.

Other

17 tracked

Other indicator types observed in public reporting.

TypeValueLatest sighting

domain●●●●●●●●●●●●View more in app1 year ago

ACTIVITY FEED

Recent activity

2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

2 SOURCESView more in app

sentinelone blogNews

Jan 6, 2026

12 Months of Fighting Cybercrime & Defending Enterprises | The SentinelLABS 2025 Review

FreeDrain is an industrial-scale cryptocurrency phishing operation using SEO manipulation and thousands of malicious subdomains on free-tier publishing platforms to steal digital assets.

vulnuNews

May 9, 2025

🎓️ Vulnerable U | #115

FreeDrain is a large-scale crypto-draining operation that uses SEO poisoning and phishing to steal cryptocurrency wallet seed phrases, resulting in immediate theft of funds. It leverages legitimate hosting platforms and AI-generated content for resilience and believability.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.

Start free trial

IOC matching94

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.