
Attack chain summary | Image: SentinelLABS
At PIVOTcon 2025, researchers from SentinelLABS and Validin unveiled a sprawling phishing campaign that has been quietly siphoning cryptocurrency from unsuspecting users worldwide. Dubbed FreeDrain, this operation abuses search engine optimization (SEO), free-tier web hosting, and automated redirection chains to execute seamless, large-scale theft of digital assets.
Unlike traditional phishing methods that rely on unsolicited emails or malicious ads, FreeDrain’s attack chain begins where users feel safest—on major search engines.
“Victims search for wallet-related queries, click on high-ranking malicious results, land on lure pages, and are redirected to phishing pages that steal their seed phrases,” the report explains.
Researchers confirmed that queries like “Trezor wallet balance” regularly returned phishing links—ranked within the first page of results on Google, Bing, and DuckDuckGo. These pages are deceptively simple, often hosted on Gitbook.io, Webflow.io, or Github.io, and include a single large image resembling a crypto wallet dashboard.

Clicking the image redirects the user—sometimes to a legitimate site to build trust, sometimes through layers of redirection, and ultimately to a phishing page hosted on AWS or Azure.
Over four months of investigation, researchers uncovered more than 38,000 unique subdomains hosting these lure pages. The scale is striking, and so is the breadth of infrastructure being abused:
- Platforms abused: Gitbook, Webflow, GitHub Pages, Strikingly, WordPress, GoDaddySites, and more
- Redirectors with algorithmically generated domains like causesconighty[.]com and posectsinsive[.]com
- Final-stage phishing pages hosted on Amazon S3 or Azure Web Apps, mimicking Trezor, Ledger, and MetaMask
“These were not obscure or poorly maintained phishing sites; they were professionally crafted lure pages freely hosted on subdomains of trusted platforms,” the report warns.
FreeDrain operators weaponize SEO through comment spam campaigns (a form of spamdexing) targeting abandoned or poorly moderated websites. Many lure pages are filled with AI-generated text, sometimes sloppily revealing strings like “4o mini” (a tell that OpenAI’s GPT-4o mini produced the copy).
To evade blacklisting, attackers use misspellings, zero-width spaces, and Unicode lookalikes to disguise key terms like “Trezor.”
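The obfuscation tricks above defeat a naive substring blocklist, but they are cheap to undo. The following script is an added example, not code from SentinelLABS, Validin or the FreeDrain operators: it folds fullwidth letters, strips zero-width characters and diacritics, maps a hand-picked subset of Cyrillic and Greek lookalikes and digit substitutions back to ASCII, then matches wallet brand names with one edit of slack for misspellings. It also tags the hosting platform using a subset of the suffixes named in the report. The confusable table, the host suffix list and all sample titles and URLs are assumptions constructed for the demo.

```python
"""Normalise obfuscated lure text and classify the hosting platform.

Constructed sample strings are used throughout; the confusable map and the
host suffix lists are illustrative subsets, not the campaign's full data.
"""
import re
import unicodedata
from urllib.parse import urlsplit

# Invisible code points that split a keyword without changing how it renders.
ZERO_WIDTH = "\u200b\u200c\u200d\u2060\ufeff\u00ad"

# Lookalike and digit-for-letter substitutions (assumption: small hand-picked
# subset; a production build would load the Unicode confusables table).
CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0455": "s", "\u0458": "j",
    "\u03bf": "o", "\u03b1": "a", "\u0131": "i",
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
})

BRANDS = ("trezor", "ledger", "metamask")

# Hosting suffixes named in the report (assumed subset; the leading dot stops
# "evilgitbook.io" from matching).
LURE_PLATFORMS = (".gitbook.io", ".webflow.io", ".github.io", ".wordpress.com")
FINAL_STAGE_CLOUD = (".s3.amazonaws.com", ".azurewebsites.net")


def normalize(text: str) -> str:
    """Fold fullwidth forms, drop zero-width chars and diacritics, map lookalikes."""
    text = unicodedata.normalize("NFKC", text)
    text = "".join(ch for ch in text if ch not in ZERO_WIDTH)
    text = "".join(ch for ch in unicodedata.normalize("NFD", text)
                   if not unicodedata.combining(ch))
    return text.lower().translate(CONFUSABLES)


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; one edit of slack tolerates misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def find_brands(text: str, max_edits: int = 1) -> list[str]:
    """Return wallet brands mentioned in text despite obfuscation."""
    hits: list[str] = []
    for token in re.findall(r"[a-z]+", normalize(text)):
        for brand in BRANDS:
            # Length guard keeps truncated fragments like "ledge" from matching.
            if (len(token) >= len(brand) and brand not in hits
                    and edit_distance(token, brand) <= max_edits):
                hits.append(brand)
    return hits


def classify_host(url: str) -> str:
    """Tag the URL host as a free lure platform, a final-stage cloud host, or other."""
    host = (urlsplit(url).hostname or "").lower()
    if host.endswith(LURE_PLATFORMS):
        return "lure-platform"
    if host.endswith(FINAL_STAGE_CLOUD):
        return "final-stage-cloud"
    return "other"


def triage(title: str, url: str) -> dict:
    """Combine both signals the way a triage script would."""
    brands = find_brands(title)
    hosting = classify_host(url)
    return {"brands": brands, "hosting": hosting,
            "suspicious": bool(brands) and hosting != "other"}


# Constructed samples: the first three mimic the tricks the report describes
# (Cyrillic "о", a zero-width space, fullwidth letters); the last is benign.
SAMPLES = [
    ("Trez\u043er Wallet Balance", "https://suite-login.gitbook.io/"),
    ("Tre\u200bzor Suite Login", "https://help-center.webflow.io/"),
    ("\uff2c\uff45\uff44\uff47\uff45\uff52 Live Recovery",
     "https://ledger-live.s3.amazonaws.com/index.html"),
    ("Bitcoin price today", "https://example.com/news"),
]

if __name__ == "__main__":
    for title, url in SAMPLES:
        print(f"{title!r:40} {triage(title, url)}")
```

The edit-distance slack is a trade-off: one edit catches “Trezzor” and “Trez0r” but will also fire on unrelated six-letter words one letter away from a brand, so in practice the brand hit is a score contributor alongside the hosting tag rather than a verdict on its own.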
“In one striking example, we found a Korean university photo album page with a single image uploaded over a decade ago, buried under 26,000 comments, nearly all of them containing spam links,” the report highlighted.
Once a victim enters their wallet seed phrase, the phishing page, often nothing more than an HTML form whose JavaScript POSTs the input, sends the seed phrase to an attacker-controlled endpoint. Funds are drained within minutes and typically routed through a cryptocurrency mixer to frustrate tracing.
“Despite its simplicity, the phishing backend was effective, disposable, and often difficult to trace,” the report warned.
This isn’t a fully automated campaign. SentinelLABS and Validin found GitHub commit metadata, Webflow publish timestamps, and even live chat interactions on phishing pages—all pointing to manual activity from operators working in the UTC+05:30 timezone (Indian Standard Time), likely from India.
“Without stronger default safeguards, identity verification, or abuse response infrastructure, these services will continue to be abused,” the report concluded.