A team of developers behind a scam-as-a-service wallet drainer has taken an unconventional approach by registering as a legitimate business in the UK. According to CertiK, a blockchain security firm, the company behind the phishing software, Crypto Grab, has listed itself on the official website of Companies House, the UK government agency responsible for business registrations. By doing so, Crypto Grab hopes to be perceived as a legitimate entity and gain access to Extended Validation Certificates (EV SSL certificates).
Wallet drainers are Web3 protocols used by scammers to steal cryptocurrency. They typically deceive victims into visiting malicious websites and approving token transfers, resulting in losses of over $300 million in 2023, as reported by Scam Sniffer.
Crypto Grab promotes its “Nova Drainer” application through its official Telegram group, advertising it as a tool that steals ERC20 tokens and ETH (Ether). The team also markets the software on its official website, Cryptograb.io, positioning itself as “Your Gateway to Crypto Affiliate Success.” The website features an embedded YouTube video promoting their “phishing” and “drainer” products.
The official business registration is under the name Crypto Grab Limited, which aligns with the company’s website. Additionally, the developer showcases its Certificate of Incorporation on read.cryptograb.org as proof of its legitimacy.
CertiK’s investigation into phishing sites connected to Nova Drainer revealed three contract addresses used in the scam operation. One of these addresses ends with 00000. CertiK’s report suggests that Nova Drainer charges a fee of approximately 30% on the stolen funds, leaving the remaining proceeds to the client who sets up the phishing site. To date, there have been over 7,000 transactions made using these contracts.
While CertiK claims that Bradley Robertson, listed as the director of Crypto Grab, is likely a fake identity, Companies House acknowledges that it does not verify the accuracy of the information provided during registration. If someone suspects false information in a registration, they can file a complaint via email. However, Companies House has no investigatory powers and relies on forwarding suspected fraud cases to the police. It advises victims of fraud to report incidents to the Action Fraud hotline.