Full Report
FreeDrain is a modern, scalable phishing operation exploiting weaknesses in free publishing platforms to steal cryptocurrency on a global scale.
Analysis Summary
# Tool/Technique: FreeDrain Network
## Overview
FreeDrain is an industrial-scale, global cryptocurrency phishing operation designed to steal digital assets by tricking victims into submitting their wallet seed phrases. It leverages SEO manipulation, free-tier web hosting services, and layered redirection to deliver phishing pages mimicking legitimate cryptocurrency wallet interfaces.
## Technical Details
- Type: Operation/Technique (Phishing Campaign)
- Platform: Web-based (targets cryptocurrency wallet users across various platforms)
- Capabilities: SEO manipulation, layered redirection, large-scale subdomain generation on free publishing platforms, and hosting of final phishing pages on reputable cloud infrastructure (e.g., Amazon S3, Azure Web Apps) so that domain and IP reputation checks see only trusted providers.
- First Seen: The operation appears to have been active for years before the May 2025 report; the investigation that produced the report was triggered by a victim case on May 12, 2024.
## MITRE ATT&CK Mapping
- TA0042 - Resource Development
- T1583.006 - Acquire Infrastructure: Web Services (free-tier publishing and cloud hosting accounts)
- T1608.006 - Stage Capabilities: SEO Poisoning (ranking lure pages for wallet-related queries)
- TA0001 - Initial Access
- T1566 - Phishing (victims arrive via poisoned search results rather than targeted messages, so the spearphishing sub-techniques do not apply)
- TA0002 - Execution
- T1204.001 - User Execution: Malicious Link (victim follows the redirect chain to the seed-phrase form)
- TA0006 - Credential Access
- T1056.003 - Input Capture: Web Portal Capture (seed phrase entered into a spoofed wallet interface)
- TA0010 - Exfiltration
- Submitted seed phrases are sent to attacker-controlled collection infrastructure; the transport and any encryption are not detailed in the summary, so no exfiltration sub-technique is asserted here.
## Functionality
### Core Capabilities
- **SEO Manipulation:** Artificially boosting the search ranking of malicious links for terms like "Trezor wallet balance."
- **Layered Redirection:** Using multiple stages of redirects to guide victims from search results to lure/phishing pages.
- **Infrastructure Sprawl:** Hosting over 38,000 distinct subdomains across free/low-cost services like `gitbook.io`, `webflow.io`, and `github.io`.
- **Lure Pages:** Presenting seemingly legitimate pages to convince users of the search context.
### Advanced Features
- **Cloud Hosting Mimicry:** Phishing pages hosted on reputable cloud infrastructure (Amazon S3, Azure Web Apps) to blend in with legitimate traffic.
- **Seed Phrase Harvesting:** Primary mechanism is direct capture of cryptocurrency wallet seed phrases.
- **Instant Laundering:** Stolen assets are quickly moved to a cryptocurrency mixer for obfuscation, making recovery difficult.
- **Evasion/Anti-Analysis (Client-Side):** The JavaScript snippet reproduced in the report contains client-side anti-analysis code aimed at discouraging inspection of the phishing page:
- Disabling the right-click context menu.
- Swallowing keyboard shortcuts that open developer tools or view-source (F12, Ctrl+Shift+I/J/C, Ctrl+U).
- Polling with `setInterval` while logging an `Image` object whose `id` property has been replaced via `Object.defineProperty` with a getter; the getter only fires when an open developer console renders the object, which the page treats as a signal that it is being inspected and can then redirect, blank the page, or log the event.
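The following is an added example reconstructed from the description above, not the campaign's own script. It reproduces the three checks as pure functions with the browser objects (`document`, `window`, `Image`, `console`) injected, so the logic runs under Node and can be tested without a DOM, and it shows the analyst-side neutralisation: a console whose `log()` never inspects its argument, so the `id` getter never fires and the probe keeps reporting "closed". The `onDetect` callback and the 500 ms poll interval are assumptions.

```javascript
// Added example: reconstruction of the client-side anti-analysis checks
// described in the FreeDrain summary (not the campaign's own code).

// Key-combination check used to swallow DevTools shortcuts:
// F12, Ctrl+Shift+I / J / C, and Ctrl+U (view-source).
function isDevToolsShortcut(ev) {
  const key = (ev.key || '').toUpperCase();
  if (key === 'F12') return true;
  if (ev.ctrlKey && ev.shiftKey && ['I', 'J', 'C'].includes(key)) return true;
  if (ev.ctrlKey && !ev.shiftKey && key === 'U') return true;
  return false;
}

// The Image/defineProperty trick: an open DevTools console renders a logged
// object and reads its properties, so a getter on `id` fires only while the
// console is open. `consoleLike` and `ImageCtor` are injected so the probe
// can be exercised outside a browser.
function makeDevToolsProbe(consoleLike, ImageCtor) {
  const probe = new ImageCtor();
  let triggered = false;
  Object.defineProperty(probe, 'id', {
    get() { triggered = true; return ''; },
  });
  return function poll() {
    triggered = false;
    consoleLike.log(probe);                     // getter fires only if inspected
    if (typeof consoleLike.clear === 'function') consoleLike.clear();
    return triggered;
  };
}

// What the page wires up: block the context menu, block the shortcuts, and
// poll the probe on a timer (500 ms is an assumed value). `onDetect` is a
// hypothetical hook standing in for the redirect/blank/log action.
function installAntiAnalysis(doc, win, consoleLike, ImageCtor, onDetect) {
  doc.addEventListener('contextmenu', (e) => e.preventDefault());
  doc.addEventListener('keydown', (e) => {
    if (isDevToolsShortcut(e)) e.preventDefault();
  });
  const poll = makeDevToolsProbe(consoleLike, ImageCtor);
  return win.setInterval(() => { if (poll()) onDetect(); }, 500);
}

// Analyst side: a console that never inspects what it is given. Installing
// this (or stubbing setInterval) before the page script runs lets DevTools
// stay open without the page noticing.
function neutralisedConsole() {
  return { log() {}, clear() {} };
}
```

When triaging a live lure, override `console.log`/`console.clear` and `setInterval` from a pre-load script (or a DevTools snippet run before reload) rather than patching the page's minified code; the probe has no other channel to learn that the console is open.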
## Indicators of Compromise
- File Hashes: [Not provided in the summary]
- File Names: [Not provided in the summary]
- Registry Keys: [Not provided in the summary]
- Network Indicators: Lure and redirect pages on free-tier subdomains of `gitbook.io`, `webflow.io`, and `github.io`; final phishing/collection pages hosted on Amazon S3 and Azure Web Apps (`azurewebsites[.]net`). Specific domains and hashes are not reproduced in this summary. Stolen funds are moved on-chain into cryptocurrency mixers shortly after theft.
- Behavioral Indicators: Redirect chains that begin at a search-engine result for a wallet-related query (e.g., "Trezor wallet balance"), pass through one or more free-tier publishing hosts, and end on a page requesting a seed phrase; rapid movement of stolen funds into mixers.
## Associated Threat Actors
- Operators are assessed to work in the UTC+05:30 timezone (Indian Standard Time) during typical weekday business hours, based on activity timing. No established threat-group name is attributed; "FreeDrain" is the name given to the operation and its infrastructure network.
## Detection Methods
- Signature-based detection: Domain and IP reputation blocking has limited effect because the pages sit on shared, legitimate hosting platforms; blocking the parent domain would also block legitimate content.
- Behavioral detection: Correlate web-proxy or browser telemetry for sessions that start at a search-engine result, traverse redirect hops on free-tier hosting subdomains, and land on a page with a seed-phrase input form (typically 12 or 24 word fields). Platform operators can additionally look for newly created subdomains whose content matches wallet-brand lures.
- YARA rules: [Not provided in the summary]
## Mitigation Strategies
- **Platform Defenses:** Improved moderation and tighter safeguards across free publishing platforms (GitHub, GitBook, etc.).
- **User Education:** Critical need for user education regarding seed phrase security and never entering them on web forms, even if they appear legitimate.
- **Proactive Monitoring:** Adaptive detection strategies focusing on the infrastructure fingerprint of large-scale phishing campaigns like FreeDrain.
## Related Tools/Techniques
- Standard cryptocurrency phishing campaigns.
- Use of cryptocurrency mixing services to launder stolen funds and frustrate on-chain tracing.