Amid a rash of crypto scams that have pilfered millions of dollars’ worth of Ethereum NFTs from unsuspecting users’ wallets, the unknown pseudonymous entity referred to as “Monkey Drainer” has claimed a fresh cache of valuable CryptoPunks and Otherside NFTs.
Self-described “on-chain sleuth” ZachXBT—a pseudonymous Twitter user with a history of publishing data on crypto scams and controversial figures—shared Thursday evening that Monkey Drainer had stolen 520 ETH worth of NFTs from those two valuable Yuga Labs collections, which works out to roughly $800,000.
Some of the NFTs were funneled between multiple wallets and ultimately sold. Based on public blockchain data visible through Etherscan, the attacker then funneled 400 ETH through Tornado Cash, a crypto privacy tool for Ethereum that was sanctioned by the U.S. government in August and cannot legally be used by citizens.
Last week, ZachXBT reported that Monkey Drainer took roughly 700 ETH worth of assets from unsuspecting users who signed malicious transactions, thinking they were opting in to free NFT airdrops. However, they were really scams promoted through impersonated Twitter accounts. When victims clicked the links and connected their wallets, their assets disappeared.
ZachXBT previously estimated that Monkey Drainer had stolen well over $3.5 million worth of crypto and NFTs. Monkey Drainer was also used for an exploit perpetrated through the hijacked Twitter account of Gabriel Leydon, CEO of Web3 gaming startup Limit Break, on Wednesday.
Adding this week’s attacks to the tally brings the total estimated damage to over $4.3 million. But who, or what, is Monkey Drainer? While the drainer’s identity remains unknown, ZachXBT told Decrypt via Twitter DM that Monkey Drainer “is likely one person.”
“Monkey Drainer is likely one person with a type of [as-a-service] situation,” he said. “Many people are customers however.”
In other words, other parties may be using Monkey Drainer’s playbook to perpetrate an even wider array of scams. To further complicate the ambiguity surrounding Monkey Drainer’s identity, an influx of Twitter bots also attacked ZachXBT’s thread on the latest NFT thefts with the phrase “MONKEY DRAINER BEST – Team Monkey.”
The bizarre spam comments imply that Monkey Drainer has a “team” of some kind, though it’s unclear whether Monkey Drainer is actually one person, a group of affiliates, or a group of pseudonymous strangers using Monkey Drainer’s “toolkit” for ill-gotten gains.
Web3 security firm Wallet Guard similarly believes Monkey Drainer is a type of malware-as-service, meaning the creator of the “drainer” smart contract—that is, the code that powers NFTs and decentralized applications—is selling their phishing toolkit to others.
“Monkey sells his drainer for 30% cut of an attack,” ZachXBT tweeted. “So other scammers are coming to him with these accounts.”
Monkey sells his drainer for 30% cut of an attack. So other scammers are coming to him with these accounts.
— ZachXBT (@zachxbt) November 3, 2022
But David Schwed, COO of Web3 security firm Halborn, doesn’t think these attacks are particularly complex—even though the drainer tool is still garnering plenty of victims.
“The attacks are somewhat unsophisticated, and with some proper cyber hygiene, NFT holders can easily protect themselves,” Schwed told Decrypt via email. “For the scam to work, the NFT holders have to grant the malicious actor access to effectuate a transaction.”
The NFT space has seen a surge in these scams over the course of 2022. Many are shared through hacked social media accounts, which point to what collectors believe is a legitimate NFT mint or airdrop claim. Instead, they unwittingly give full access to their wallet holdings to the attacker, and typically have their NFTs and crypto swiped before they realize it.
Monkey Drainer may be running amok across the Ethereum network for now, but at least one ethical hacker is trying to slow its reign of chaos.
Crypto browser extension PocketUniverse reported that a Discord user named “blockdev” has been able to successfully block some draining transactions that Monkey Drainer initiated by attacking the drainer’s API keys. Still, the damages from Monkey Drainer’s exploits are piling up.
He attacked their API keys!
So one of Monkey’s attack moves is
1) Trick you into signing a gasless OS offer that gives him your NFTs for free
2) Broadcast that offer to the ETH blockchain and ‘activates’ the offer to steal your assets
blockdev was blocking step 2
— Pocket Universe (@PocketUniverseZ) October 30, 2022
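As an added defensive illustration (not code from Pocket Universe, blockdev, or this article), the check below inspects a Seaport-style EIP-712 signature request of the kind step 1 describes and flags an order in which the signer gives NFTs away and receives nothing back. The field names are assumed from Seaport's public OrderComponents schema, and the sample request is constructed.

```python
# Defender-side check for the two-step pattern in the tweet above: a Seaport-style
# EIP-712 order in which the signer hands over NFTs and receives nothing back.
# Field names follow Seaport's public OrderComponents schema (assumption); the
# order below is a constructed sample, not a real signature request.
NFT_ITEM_TYPES = {2, 3, 4, 5}   # ERC721, ERC1155 and their *_WITH_CRITERIA variants

def value_to_signer(order: dict) -> int:
    """Sum of consideration amounts whose recipient is the offerer (the signer)."""
    signer = order["offerer"].lower()
    return sum(int(c["endAmount"]) for c in order["consideration"]
               if c["recipient"].lower() == signer)

def nfts_given_away(order: dict) -> list:
    """Tokens the signer transfers out, as 'contract:id' strings."""
    return [f'{o["token"]}:{o["identifierOrCriteria"]}'
            for o in order["offer"] if int(o["itemType"]) in NFT_ITEM_TYPES]

def flag_free_nft_offer(typed_data: dict) -> list:
    """Warnings a wallet or simulation tool should surface before signing."""
    if typed_data.get("primaryType") != "OrderComponents":
        return []                                   # not a Seaport-style order
    order = typed_data["message"]
    warnings = []
    given = nfts_given_away(order)
    if given and value_to_signer(order) == 0:
        warnings.append(f"gives away {len(given)} NFT(s) {given} for nothing in return")
    if int(order.get("endTime", 0)) >= 2**64:
        warnings.append("order never expires, so it can be fulfilled at any later time")
    return warnings

# Constructed sample: the signer offers one ERC721 token; the only consideration
# item is a zero-value payment to a third party, so the signer gets nothing.
SAMPLE_REQUEST = {
    "primaryType": "OrderComponents",
    "message": {
        "offerer": "0x" + "a1" * 20,                # placeholder victim address
        "offer": [{"itemType": 2, "token": "0x" + "c0" * 20,   # placeholder NFT contract
                   "identifierOrCriteria": 1234, "startAmount": 1, "endAmount": 1}],
        "consideration": [{"itemType": 0, "token": "0x" + "00" * 20,
                           "identifierOrCriteria": 0, "startAmount": 0, "endAmount": 0,
                           "recipient": "0x" + "b2" * 20}],   # placeholder third party
        "endTime": 2**256 - 1,
    },
}

if __name__ == "__main__":
    for w in flag_free_nft_offer(SAMPLE_REQUEST):
        print("WARNING:", w)
```

Wallet-side simulation tools apply this kind of rule before the signature is produced, which is what makes step 1 visible to the user rather than step 2.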
ZachXBT told Decrypt he believes Monkey Drainer first started around August this year, and that whoever created the exploit may face competition from other scammers looking to get in on the same kind of racket.
“I imagine in the long run they’ll need to continuously update Monkey Drainer to stay competitive otherwise new methods will gain market share,” Zach responded, when asked if the drainer could be stopped.