A threat actor identified as Water Labbu has been spotted hacking into cryptocurrency scam sites developed by other scammers. The goal is to inject malicious JavaScript into sites that steal funds from victims.
Water Labbu’s hijacking attacks
Water Labbu hacked into fake DApp sites and injected JavaScript code inside the site's HTML source code.
The attackers do not engage with the victims directly and leave all the social engineering work to the scammers.
When an investor (who lends their crypto to a decentralized exchange for high rewards) connects their wallet to DApp, a script is used to detect if it has a sufficient amount of crypto holdings.
If the script finds any crypto holdings (more than 0.001 ETH or 1 USDT), the attackers try to steal the funds using different techniques.
Widespread impact
Water Labbu has attacked 45 scam websites so far and, notably, most are following the lossless mining liquidity pledge theme.
The profit made by the attacker is believed to be $316,728, looking at the transactions from nine victims.
OS-based attacks
If a victim is using a mobile device, the script sends a transaction approval request via the DApp site. If the recipient agrees, the script drains the wallet and sends the funds to the address controlled by Water Labbu.
If the device uses Android or iOS, it returns a request for the first stage script of cryptocurrency-theft abilities.
For Windows-based users, the hacked sites display a fake Flash Player update notice overlayed on the scam site.
In reality, the Flash installer is a backdoor obtained from GitHub directly.
Conclusion
Experts suggest that users should always research about DApp sites, especially for liquidity mining platforms. Doing so will allow them to determine if those are genuine before they connect their wallets to them. Further, monitor wallet's allowed sites to make sure of avoiding the addition of scam sites.