Today a single victim lost about 343K worth of aEthWETH due to signing a malicious signature. This is yet another phishing scam where the user was tricked into giving approval access to Aave ETH.

Below are the affected wallets:

• 0x8f4dd47f9cff6b2af1ef0be7ad2263e5784b64d7 – VICTIM
• 0x96041e71aEf1499F2ff8cAd14BcBf419d2Dea73a – Malicious Contract
• 0x0BE1cED347B9CAe3a21FEb1E416813092b6DA144 – Drainer ADMIN
• 0x321D42288D1585A2DD03F0B59A81B69e0292F71F – Drainer CUSTOMER

There's a few unique instances about this particular drain that lead me to post about it.

The first is that this appears to be the work of Inferno/Angel Drainer.

Inferno/Angel Drainer

Inferno Drainer was acquired by Angel Drainer in Oct 2024 for an undisclosed sum.

The telegram message coming from the Inferno Drainer team announcing the intent to hand over their source code to Angel Drainer.

The acquisition was announced about a year after Inferno Drainer "claimed" to have shutdown. We now know that to be false.

The wallet 0x0BE1c…..A144 is an Inferno/Angel ADMIN wallet that's about two weeks old. When Inferno Drainer was operating as it's own entity, these wallets tend to get rotated every 6 – 8 months.

Now, most likely due to anti-phishing technology catching up to Drainer methods, I'm starting to see these wallets getting rotated every 2 – 3 weeks.

Additionally, instead of the wallet drain taking place in one transaction, on-chain evidence shows there's 12 that happen simultaneously. I spot checked another contract from the ADMIN wallet and it also showed 12 separate transactions.

Above is an example of what happens on-chain when a user gives token approval. Funds from the user's wallet go to 0x960…ea73a – the Malicious Contract operated by Inferno/Angel Drainer and then are split between the ADMIN and the drainer CUSTOMER.

The use of multiple transactions vs doing it all at once is also something I haven't seen before. This was done presumably to stay off the radar of anti-phishing efforts as well.

How did this Scam Happen?

It appears this particular user most likely clicked on a fake Aave ETH link from a Google search result.

I looked at some community reported thefts coming from the Inferno/Angel ADMIN wallet of 0x0BE1c…..A144 and noticed similar patterns. All of the reported thefts appear to be coming from fake AAVE websites.

AAVE had an influx of scammer activity days after hitting the milestone of 60 BILLION in deposits since launch. The scammers used Google Ads to mimiic AAVE by creating a website with the same branding and made it look as "official as possible".

Above is an example of a malicious website targeting users who search for "AAVE"

Unfortunately, these malicious ads tend to be on the top of the Google Search Results for terms like "AAVE" or "Aave Smart Contract".

The user who lost 343K may of been searching for the official AAVE website and came across a similar one that clearly was a scam.

Once token approval access was given, the aEthWETH was quickly moved to the Malicious Contract and the stolen funds were split between Inferno/Angel Drainer and the Customer.

Following the Funds

As of this moment, the user's stolen crypto is all accounted for. Inside the Inferno/Angel ADMIN wallet, the aEthWETH was swapped to ETH where it currently sits. These funds will eventually get siphoned off to other wallets controlled by Inferno/Angel, laundered, and then hit a deposit address.

Whenever a large amount of crypto is moved to the CUSTOMER's wallet, they tend to move the funds very quickly. All of the aEthWETH here was also swapped to ETH and moved to the decentralized wallet of 0x38f3A4b7Ed737FB64590be61fAB5F11e74c3623d.

Above is a visualization of the funds from the User's Wallet –> Malicious Contract –> Drainer ADMIN & CUSTOMER wallets. So far no money laundering has taken place yet.

I'm sure there will be more movement of the funds in the coming days.

Stay safe out there and remember to ALWAYS check links!