Cointime

Cointime

Download App
iOS & Android

SlowMist: Analysis of Monkey Drainer NFT Phishing Group

Background

On February 8th, 2023, the SlowMist security team received a report from our partner ScamSniffer regarding multiple security breaches due to phishing attacks. An individual even suffered a significant loss, amounting to over $1.2M in USDC.

Hacker Address: 0x69420e2b4ef22d935a4e2c194bbf3a2f02f27be1Profit Address: 0x9cdce76c8d7962741b9f42bcea47b723c593efff

https://twitter.com/realScamSniffer/status/1623148125623029760


As for the broader picture of phishing attacks, our team made its first global disclosure on December 24th, 2022, regarding the “Investigation of North Korean APT’s Large-Scale Phishing Attack on NFT Users”. This particular phishing incident is linked to another group known as Monkey Drainer, which we have been closely monitoring. While we have conducted a thorough analysis of some of the phishing materials and wallet addresses used by the group, we have chosen to keep certain details confidential due to privacy and confidentiality concerns.

Analysis of Phishing Websites

After conducting a thorough investigation, it was discovered that the primary tactic utilized in this phishing attack was the creation of counterfeit NFT-related websites through fake celebrity Twitter accounts and Discord groups. These NFTs were then sold on platforms such as OpenSea, X2Y2, and Rarible. The Monkey Drainer organization aimed their attack at Crypto and NFT users, using nearly 2,000 different domains.

By checking the registration information of these domain names, we found that the earliest registration date can be traced back to 4 months ago.

Initially, the Monkey Drainer organization spread their phishing campaign through false promotions on Twitter.

Meanwhile, the first NFT phishing occurred: mechaapesnft[.]art

Let’s look at two specific associated traits:

We track through a combination of traits:

Our team was able to uncover over 2,000 NFT phishing websites and related domains that share similar characteristics from the year 2022 until now.

To determine the current state of these phishing sites, we employed the use of ZoomEye to conduct a comprehensive global search. The results of our investigation revealed the staggering number of active and operational phishing sites.:

For example, the latest scam was disguised as an Arbitrum airdrop:

In contrast to the North Korean hacking organization, the Monkey Drainer phishing group does not possess the capability to track the records of victims visiting each site through a dedicated website. Instead, they employ a straightforward and brutal method, resorting to direct phishing and mass deployment. It is assumed that the Monkey Drainer phishing group uses phishing templates to automate batch deployment.

As we delved deeper into the investigation of the supply chain, we uncovered that the Monkey Drainer NFT phishing group relied on a pre-existing gray market for their infrastructure. Specifically, they utilized a template that was readily available for sale in the form of advertisement descriptions.

Supported functions in the phishing supply chain:

Based on the information provided in the introduction, the offer includes competitive prices and a wide range of features. However, due to limited space, we will not delve further into this topic at this time.

Analysis of Phishing Methods

Together with the previous “How Scammers Are Paying Nothing for Your NFTs” report released by SlowMist, we have conducted an analysis of the core code involved in this phishing incident.

The core code incorporates obfuscation techniques and manipulates victims into signing Seaport, authorizations, and other signatures.

The incorporation of an offline authorization signature mechanism for allowing USDC, among others, elevates the original phishing mechanism.

Here is an example of a fraudulent signature referred to as “SecurityUpdate”.\:

In a more readable format:

The Rabby plugin wallet’s data analysis and visualization has been thoroughly performed and presented in a clear and easily understandable format. Further analysis will not be detailed here.

Overview on chain

Based on the analysis of over 2,000 phishing websites and the SlowMist AML malicious address library associated with them, a total of 1,708 malicious addresses linked to the Monkey Drainer NFT phishing group were analyzed, with 87 of them being original phishing addresses. These relevant malicious addresses have been recorded on the MistTrack platform and the SlowMist AML malicious address database.

Tracking Analysis

Based on the analysis of the 1708 malicious addresses related to the Monkey drainer NFT phishing group, we were able to draw the following conclusions:

  • Timeframe: The earliest identified set of active on-chain addresses dates back to August 19, 2022 and remains active up to the present time.
  • Sample phishing transactions: 123
  • Amount Stolen: The overall profit generated through phishing is estimated to be around $12.972 million. 7,059 NFTs were successfully phished, resulting in a profit of 4,695.91 ETH, equivalent to approximately $7.61 million, which represents 58.66% of the total funds acquired. The ERC20 Token profit was about $5.362 million, accounting for 41.34% of the funds gained, with the major ERC20 Token profits being from USDC, USDT, LINK, ENS, and stETH. (Note: ETH prices were obtained on 2023/02/09 from the data source CryptoCompare.)

Details of stolen ERC20 tokens:

MistTrack Analysis

Our MistTrack team meticulously carried out a thorough on-chain analysis of the malicious addresses, and depicted the transfer of funds in a clear and easy-to-understand manner below.

Based on the Sanky diagram, a total of 3,876.06 ETH of the profits was traced as being transferred to physical addresses, with 2,452.3 ETH being deposited into Tornado Cash, while the remaining funds were sent to various exchanges.

The source of the fees for the 87 initial phishing addresses is shown below.

As depicted in the fee source histogram, two addresses received fees from Tornado Cash, while 79 addresses received transfers from personal addresses. The remaining 6 addresses, however, did not receive any funds.

Example

On February 8, the hacker’s address 0x69420e2b4ef22d935a4e2c194bbf3a2f02f27be1 gained access to the victim’s address throught a sophiscated phishing attack and stole over $1,200,000. They transferred 1,244,107.0493 USDC to 0x9cdce76c8d7962741b9f42bcea47b723c593efff, then exchanged the USDC for ETH through MetaMask Swap. A portion of the ETH was transferred to Tornado Cash, while the remaining funds were transferred to previously used phishing addresses.

Hackers Profile Analysis

It was discovered that some of the funds obtained through the phishing attack were held at the original address, while others were transferred to Tornado Cash, as evidenced by on-chain analytics.

A big thank you to ScamSniffer and NFTScan for their support.

Summary

We examined a common NFT phishing approach to uncover a large-scale NFT phishing group associated with the Monkey Drainer organization and to extract the phishing characteristics of the Monkey Drainer organization. As Web3 technology evolves, the phishing methods against Web3 become more varied, putting users in a challenging situation.

It is crucial for users to assess the risk level of the target address prior to executing transactions on chain. This can be achieved by inputting the target address into MistTrack and reviewing its risk score and malicious labels, which helps to minimize the likelihood of financial loss.

For the wallet projects, it is necessary to conduct a comprehensive security audit at first, with a focus on improving the security of user interaction, strengthening the What you see is what you sign mechanism, and reducing the risk of users being phished, such as:

  • Phishing Website Alert: Gather all kinds of phishing websites through the power of ecosystem or community, and prominently remind and warn of risks when users interact with these phishing websites.
  • Signature Recognition and Alert: Identify and remind requests for signatures such as eth_sign, personal_sign, and signTypedData, and focus on reminding eth_sign of the risk of blind signing.
  • What you see is what you sign: The wallet can implement a detailed analysis mechanism for contract calls to prevent Approve phishing and let users know the details of DApp transaction construction.
  • Pre-execution mechanism: The transaction pre-execution mechanism can help users understand the effect of transaction broadcast execution, and aids in predicting the execution of transactions.
  • Scam alert with the same ending number: When displaying the address, a noticeable reminder prompts users to thoroughly check the target address to avoid scams with similar ending number. Set up the whitelist address mechanism, users can add commonly used addresses to the whitelist to avoid attacks similar to the same ending number.
  • AML Compliance Alert: During the transfer, the AML mechanism is used to remind the user whether the target address of the transfer will trigger the AML rule.

SlowMist, as a leading blockchain security company with years of expertise in security audits, not only provides peace of mind for users but also serves as a deterrent against potential attacks. Additionally, institutions face huge challenges in anti-money laundering efforts due to data silos, making it difficult to identify cross-institutional money laundering syndicates. For project stakeholders, it’s equally important to promptly blacklist and disrupt the transfer of funds from malicious addresses. Our MistTrack Anti-Money Laundering Tracking System has accumulated over 200 million address labels, enabling the identification of wallet addresses from major global trading platforms, including over 1,000 address entities, over 100,000 threat intelligence data, and over 90 million risk addresses. If needed, you can contact us to access our API. Lastly, we hope that all parties will work together to make the blockchain ecosystem a better place.

About SlowMist

SlowMist is a blockchain security firm established in January 2018. The firm was started by a team with over ten years of network security experience to become a global force. Our goal is to make the blockchain ecosystem as secure as possible for everyone. We are now a renowned international blockchain security firm that has worked on various well-known projects such as Huobi, OKX, Binance, imToken, Crypto.com, Amber Group, Klaytn, EOS, 1inch, PancakeSwap, TUSD, Alpaca Finance, MultiChain, O3Swap, etc.

NFT
Comments

All Comments

Recommended for you

  • NVIDIA's Market Value Surpasses $5 Trillion Again

    On April 24, NVIDIA's stock price rose by 3.08%, reaching $205.790 per share, with a total market value of $5.00 trillion. The stock price hit a new high since late October 2025.

  • Ethereum Foundation to Sell 10,000 ETH to BitMine

    On April 24, the Ethereum Foundation announced the finalization of a sale of 10,000 ETH to BitMine, the first treasury company of Ethereum, through an over-the-counter (OTC) trading platform, at an average price of $2,387 per ETH.

  • Sources: U.S. Justice Department Expected to Drop Criminal Investigation into Powell

    On April 24, multiple informed sources revealed that the U.S. Justice Department is expected to conclude its criminal investigation into Federal Reserve Chairman Jerome Powell as early as Friday, thereby ending a stalemate that could have delayed the appointment of Powell's successor. Sources indicated that senior officials from the Justice Department recently contacted several senators, including Republican Senator Thom Tillis, a member of the Senate Banking Committee, to inform them of the plan to abandon the investigation into alleged cost overruns related to the renovation of the Federal Reserve's Washington headquarters, and to refer the matter to the Federal Reserve's internal oversight body. Powell's term is set to end next month, but he stated in March that he would remain until Trump's nominee for Federal Reserve Chair, Waller, is confirmed. (ABC News)

  • U.S. Stock Indices Open Higher; Intel Surges Approximately 23% to Record High

    On April 24, U.S. stock indices opened higher across the board, with the Dow Jones up 0.02%, the S&P 500 rising 0.4%, and the Nasdaq increasing by 0.73%. Intel surged approximately 23%, reaching a record high; the company expects second-quarter revenue between $13.8 billion and $14.8 billion, while the market estimate is $13.04 billion. AMD rose over 10%, and Arm increased more than 8%. Nvidia's stock price rose by 0.11%, while Google's Class A shares fell by 0.49%. Apple's stock price decreased by 0.61%, Microsoft’s stock rose by 0.47%, Amazon's stock increased by 1.42%, Meta Platforms Inc Class A shares fell by 0.34%, Tesla's stock remained unchanged, and Netflix's stock dropped by 0.92%.

  • BTC Surpasses $78,000

    Market data shows that BTC has surpassed $78,000, currently priced at $78,013.14, with a 24-hour increase of 0.7%. The market is experiencing significant volatility, so please ensure proper risk management.

  • Central Bank and Eight Departments: Prohibit Online Marketing Services for Virtual Currency Issuance and Trading

    On April 24, the People's Bank of China and eight other departments jointly issued the "Regulations on the Management of Online Marketing of Financial Products," which will take effect on September 30, 2026, systematically regulating online marketing activities for financial products. The regulations specify that only approved financial institutions and their self-operated platforms, as well as entrusted third-party internet platforms, may engage in online marketing of financial products. It prohibits providing online marketing services for illegal financial activities such as illegal fundraising, virtual currency issuance and trading, and illegal foreign exchange margin trading. The regulations detail requirements regarding the authenticity of marketing content, risk disclosure, algorithm recommendations, pop-up advertisements, account naming, trademark usage, cooperation models, and the protection of data and personal information. They also clarify the regulatory responsibilities and penalties for financial management departments, internet information, telecommunications, and market supervision departments.

  • BTC Surpasses $78,000

    Market data shows that BTC has surpassed $78,000, currently priced at $78,049.83, with a 24-hour increase of 0.04%. The market is experiencing significant volatility, so please ensure proper risk management.

  • DeepSeek-V4 Preview Version Officially Launched and Open-Sourced

    On April 24, DeepSeek announced via its official WeChat account that the preview version of the new model series DeepSeek-V4 is officially online and open-sourced. DeepSeek-V4 features a million-word ultra-long context and leads in agent capabilities, world knowledge, and reasoning performance in both domestic and open-source fields. The model is available in two versions based on size. Starting today, users can log in to the official website chat.deepseek.com or the official app to interact with the latest DeepSeek-V4 and explore the new experience of 1M ultra-long context memory. The API service has also been updated; by changing the model_name to deepseek-v4-pro or deepseek-v4-flash, users can access it.

  • Intel CEO: Semiconductor Potential Market Size Approaching $1 Trillion

    On April 24, local time, after the U.S. stock market closed on April 23, Intel officially released its Q1 fiscal year 2026 financial report and held an earnings call. The company delivered its sixth consecutive quarter of better-than-expected results, with revenue, gross margin, and earnings per share all surpassing guidance. The AI business has become the core growth engine, with a surge in demand for server CPUs and advancements in advanced processes and packaging exceeding expectations. Following this financial report, Intel's stock price surged nearly 20% in after-hours trading. During the earnings call, Intel CEO Pat Gelsinger stated that despite continuous improvements in factory capacity, demand across all business segments remains higher than supply, particularly for Xeon server CPUs, which are expected to maintain strong growth momentum over the next two years. Gelsinger also noted, 'In recent years, the focus in high-performance computing has been almost entirely on graphics processors and other accelerators. In recent months, clear signs have shown that central processing units are becoming an indispensable foundation in the era of artificial intelligence.' Looking at the overall market, Gelsinger anticipates that driven by explosive growth in AI demand, the overall potential market size of the semiconductor industry is approaching $1 trillion. However, Intel's management also warned that the company still faces multiple pressures, including declining demand in the PC market, rising costs, expanding capital expenditures, and supply constraints. (Dongxin News Agency)

  • Trump: U.S. to Soon Capture Nearly 50% of Chip Market

    On April 24, U.S. President Trump declared on the 23rd that the United States will soon capture nearly 50% of the chip market, warning that chip companies that do not manufacture in the U.S. will face very high tariffs in a year and a half to two years. U.S. Secretary of Commerce Gina Raimondo stated that the U.S. previously held only 3% to 4% of the chip market while having the largest demand for chips. Under Trump's directive, the U.S. is requiring semiconductor fabs to return to domestic production, with expectations that fabs worth $1 trillion will come to the U.S. Raimondo emphasized that this is not about tech giants purchasing chips, but rather about chip manufacturing. She mentioned commitments from Micron Technology to invest $200 billion and TSMC to invest $165 billion, along with $500 billion in funds from Taiwan expected to flow into the U.S. Raimondo also indicated during a congressional hearing on the 23rd that investments in the U.S. semiconductor industry during Trump's term are expected to reach $1 trillion. (Dongxin News Agency)

Daily Must-Read

Popular Activities

RaveDAO at Terra Solis by Tomorrowland: A Female-Led Techno Night Where Web3 Culture Converges

RaveDAO at Terra Solis by Tomorrowland: A Female-Led Techno Night Where Web3 Culture Converges

April 30 - April 30
Dubai

Popular Tags

Cointime
News
Contents
RSS
Company