A notorious phishing group known as Angel Drainer has allegedly stolen more than $400,000 from 128 cryptocurrency wallets using a new method that exploits Etherscan’s verification tool to conceal the malicious nature of a smart contract. The attack began on February 12th at 6:40 am when Angel Drainer deployed a harmful Safe vault contract, as reported by blockchain security firm Blockaid on February 13th. Subsequently, a “Permit2” transaction was authorized on the Safe vault contract for a total of 128 wallets, resulting in the theft of $403,000.

Blockaid emphasized that the scammers utilized a Safe vault contract intentionally to create a false perception of security, as Etherscan automatically adds a verification flag to validate it as a legitimate contract. Blockaid clarified that this incident was not a direct attack on Safe and that its user base was not significantly impacted. The security firm has informed Safe about the attack and is actively working to minimize further damage.

Angel Drainer, which has been operational for only a year, has already siphoned off more than $25 million from nearly 35,000 wallets, according to Blockaid’s report on February 5th. Noteworthy attacks recently carried out by Angel Drainer include the $484,000 Ledger Connect Kit hack and the EigenLayer restake farming attack. In the restake farming attack, Angel Drainer implemented a malicious queueWithdrawal function, which, once authorized by users, withdrew staking rewards to an address chosen by the attackers.

In January alone, around 40,000 users on platforms like OpenSea, Optimism, zkSync, Manta Network, and SatoshiVM fell victim to phishing attacks, resulting in a combined loss of $55 million, as reported by Scam Sniffer, a scam tracker for the Web3 ecosystem. According to Scam Sniffer’s 2023 Wallet Drainers Report, this figure is projected to surpass the total losses of $295 million reported in 2023.