A long-running phishing operation targeting web3 users has been uncovered; it has been draining cryptocurrency wallets at scale for several years. First spotted in April 2024 as a network of crypto phishing websites, the operation, now tracked as FreeDrain, turned out on further investigation to be a sophisticated, industrialized scheme, likely run by a team based in India or possibly Sri Lanka.
Validin and SentinelLabs investigated FreeDrain jointly and presented their findings at PIVOTcon 2025. The network combined SEO manipulation, free-tier web services, and layered redirection to steer victims toward pages that mimicked legitimate cryptocurrency wallet interfaces and asked them to enter their wallet seed phrase. Because a seed phrase is all that is needed to regenerate a wallet's private keys, anyone who captures it can move the funds immediately, and victims lost significant amounts of cryptocurrency.
To make the phishing pages look credible and rank highly, the attackers relied on SEO manipulation, free-tier hosting services, typosquatting, and familiar visual elements borrowed from the impersonated wallets. They also spammed comments containing links to the lure pages across large numbers of vulnerable websites, so that search engines indexed those backlinks and pushed the fake pages up the results.
The investigators found that the text on the lure pages showed signs of having been generated by AI language models, suggesting the attackers used generative AI to produce content at scale. The attack chain itself was simple: a victim searches for a wallet-related query, clicks a high-ranking result, is redirected through intermediate pages, and lands on a phishing site that prompts for the seed phrase.
Attributing FreeDrain was difficult because its infrastructure was ephemeral and built on shared services, but the researchers still extracted insights about the operators. Repository metadata and behavioral signals pointed strongly to India: the activity pattern matched individuals based there working standard weekday hours.
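The page does not detail which repository metadata the researchers used, so the following is an added, generic illustration of the working-hours inference, not Validin's or SentinelLabs' own tooling. It takes git author dates in the form `git log --format=%aI` prints (ISO 8601 with the author's own UTC offset), finds the dominant offset, and measures how much of the activity falls on weekdays inside a nominal 09:00 to 18:00 local window. The sample dates are constructed for the example; the function name `working_hours_profile` and the window boundaries are this example's own choices.

```python
"""Infer an operator's likely working pattern from commit author timestamps.

Added example, not code from the FreeDrain report. The input format is what
`git log --format=%aI` emits: an ISO 8601 author date that carries the
author's own UTC offset, so .hour and .weekday() are already in local time.
"""
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample, not from any real repository. April 8, 2024 is a Monday.
SAMPLE_AUTHOR_DATES = [
    "2024-04-08T09:42:17+05:30",  # Mon
    "2024-04-08T11:05:03+05:30",  # Mon
    "2024-04-08T16:58:40+05:30",  # Mon
    "2024-04-09T10:20:11+05:30",  # Tue
    "2024-04-09T14:33:29+05:30",  # Tue
    "2024-04-10T12:47:55+05:30",  # Wed
    "2024-04-11T09:15:02+05:30",  # Thu
    "2024-04-11T17:30:46+05:30",  # Thu
    "2024-04-12T13:08:19+05:30",  # Fri
    "2024-04-12T15:51:33+05:30",  # Fri
    "2024-04-13T11:12:00+05:30",  # Sat, outside the weekday pattern
    "2024-04-12T23:40:00+00:00",  # Fri in UTC: noise such as a web-UI commit stamped by the platform
]


def fmt_offset(off: timedelta) -> str:
    """Render a UTC offset as +HH:MM or -HH:MM."""
    secs = int(off.total_seconds())
    sign = "+" if secs >= 0 else "-"
    secs = abs(secs)
    return f"{sign}{secs // 3600:02d}:{(secs % 3600) // 60:02d}"


def working_hours_profile(author_dates, start_hour=9, end_hour=18):
    """Summarise when commits were authored, in each author's recorded local time.

    Returns the dominant UTC offset and its share of commits, weekday vs
    weekend counts, the fraction of all commits that land on a weekday inside
    [start_hour, end_hour), and the earliest/latest weekday hour seen for the
    dominant offset.
    """
    parsed = []
    offsets = Counter()
    for s in author_dates:
        dt = datetime.fromisoformat(s)
        if dt.tzinfo is None:
            raise ValueError(f"author date without UTC offset: {s}")
        parsed.append(dt)
        offsets[dt.utcoffset()] += 1

    dominant, dominant_n = offsets.most_common(1)[0]
    weekday = weekend = in_window = 0
    dominant_weekday_hours = []
    for dt in parsed:
        if dt.weekday() < 5:  # Monday..Friday
            weekday += 1
            if start_hour <= dt.hour < end_hour:
                in_window += 1
            if dt.utcoffset() == dominant:
                dominant_weekday_hours.append(dt.hour)
        else:
            weekend += 1

    total = len(parsed)
    return {
        "commits": total,
        "dominant_offset": fmt_offset(dominant),
        "dominant_offset_share": dominant_n / total,
        "weekday_commits": weekday,
        "weekend_commits": weekend,
        "workday_fraction": in_window / total,
        "weekday_hour_span": (
            (min(dominant_weekday_hours), max(dominant_weekday_hours))
            if dominant_weekday_hours
            else None
        ),
    }


if __name__ == "__main__":
    for key, value in working_hours_profile(SAMPLE_AUTHOR_DATES).items():
        print(f"{key}: {value}")
```

The usual caveat applies: the author offset and timestamp are attacker-controlled (`git commit --date`, a misconfigured clock, or a platform that stamps web-UI commits in UTC all distort them), so a profile like this is corroborating evidence to be weighed against other behavioral signals, not proof of location on its own.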
To mitigate similar phishing campaigns in the future, the investigators recommend that free-tier content platforms enhance their abuse reporting mechanisms, invest in abuse prevention tooling, and improve detection capabilities to identify coordinated abuse.
In conclusion, the FreeDrain scheme shows how much vigilance and collaboration among threat intelligence analysts, threat researchers, and content platforms it takes to counter phishing operations of this scale against cryptocurrency wallet users.

