ANGEL DRAINER TARGETS USERS WITH MALICIOUS SAFE CONTRACT: $403K STOLEN

Last updated: October 25, 2025, 11:53 | Written by: Malik Everen

Angel Drainer Targets Users With Malicious Safe Contract: $403K Stolen
Angel Drainer Targets Users With Malicious Safe Contract: $403K Stolen

The cryptocurrency world is constantly evolving, bringing with it exciting opportunities and, unfortunately, increasingly sophisticated threats.The latest involves the notorious phishing group, Angel Drainer, who have reportedly siphoned off a staggering $403,000 from 128 crypto wallets.Their method? BTCUSD Bitcoin Angel Drainer targets users with malicious Safe contract: $403K stolen. The notorious phishing group deployed a nefarious Safe vault contract that used Etherscan to provide victimsA cleverly disguised attack vector that exploits the trust users place in verified smart contracts on platforms like Etherscan. The attack started at 6:40 am Feb. 12 when Angel Drainer deployed a malicious Safe (formerly Gnosis Safe) vault contract, wrote blockchain security firm Blockaid in a Feb. 13 post to X. At total of 128 wallets then signed a Permit2 transaction on the Safe vault contract, leading to $403,000 in funds being stolen.This incident serves as a stark reminder of the persistent dangers in the digital asset space and highlights the need for vigilance.This article will dissect this attack, explore the tactics employed, and provide actionable advice to protect yourself from becoming the next victim.

Imagine the sinking feeling of watching your hard-earned crypto assets vanish before your eyes.That's the reality for the 128 users targeted in this latest attack. The notorious phishing group Angel Drainer has reportedly managed to steal more than $400,000 from 128 cryptocurrency wallets using a new method. This approach involves exploiting Etherscan s verification tool to conceal the malicious intent of a smart contract.The Angel Drainer group has refined their techniques, now leveraging malicious Safe contracts to bypass security measures and exploit user trust. The notorious phishing group deployed a nefarious Safe vault contract that used Etherscan to provide victims with a false sense of security.They manipulate Etherscan's verification tool, making their harmful smart contracts appear legitimate.This deception allows them to gain access to user wallets and drain their funds with alarming efficiency. Angel Drainer targets users with malicious Safe contract: $403K stolen - Notorious phishing group Angel Drainer has reportedly stolen over $400,000 from 128 crypto wallets through a new attack vector that has leveraged Etherscan s verification tool to cover up the malicious nature of a smart contract.The attack started at 6:40 am Feb. 12 when Angel Drainer deployed a malicious Safe (formerlyHow can you avoid falling prey to such sophisticated attacks?Let's delve into the details of this incident and uncover the strategies you can use to protect your digital assets.

Understanding the Angel Drainer Attack Vector

The core of this attack lies in the deployment of a malicious Safe vault contract on the Ethereum blockchain. Notorious phishing group Angel Drainer has reportedly stolen over $400,000 from 128 crypto wallets through a new attack vector that has leveraged EtherscanSafe, formerly known as Gnosis Safe, is a popular platform for securely managing digital assets using multi-signature wallets. Today our researchers discovered yet another emerging attack vector from the Angel Drainer group this time phishing users and leading them to a single Safe Vault contract where 128 wallets have been drained of $403k so far.By creating a counterfeit Safe contract, Angel Drainer aims to trick users into interacting with it, believing it to be a legitimate service. Notorious phishing group Angel Drainer has managed to siphon over $400,000 from over 128 crypto wallets by deploying a malicious Safe vault contract. This latest attack vector exploited Etherscan s verification tool, using it to hide the malicious nature of the contract. Phishing Group Angel Drainer Targets UsersThis trust is then exploited to gain control over their assets.

The timeline of the attack, as reported by blockchain security firm Blockaid, is crucial.The assault began at approximately 6:40 am UTC on February 12th. According to Cointelegraph: Infamous phishing group Angel Drainer has reportedly employed a new malicious Safe contract attack to CBD steal $403K from 128 cryptocurrency wallets. This cunning technique manipulates Etherscan s verification tool to mask the true nature of a harmful smart contract, thus generating unintended victim trust.This timing suggests a coordinated effort designed to catch users off guard, potentially capitalizing on lower alertness during early morning hours.

Exploiting Etherscan's Verification Tool

One of the most concerning aspects of this attack is how Angel Drainer manipulates Etherscan's verification tool.Etherscan is a widely used blockchain explorer that provides transparency and information about transactions and smart contracts. Notorious phishing group Angel Drainer has reportedly stolen over $400,000 from 128 crypto wallets through a new attack vector that leveraged Etherscan s verification tool to cover up the malicious nature of a smart contract.The attack started at 6:40 am Feb. 12 when Angel Drainer deployed a maliciA verified contract indicates that the source code has been made public and matches the code deployed on the blockchain.

However, Angel Drainer cleverly cloaks the true nature of their malicious contract, potentially through techniques like:

  • Similar Contract Names: Using names that closely resemble legitimate Safe contracts, making it difficult to distinguish between the real and the fake.
  • Deceptive Code: Hiding the malicious functionality within complex or obfuscated code, making it difficult for casual observers to identify.
  • Front-End Manipulation: Presenting a legitimate-looking interface to users, further enhancing the illusion of trustworthiness.

This manipulation creates a false sense of security, leading users to believe they are interacting with a safe and verified contract when they are actually placing their assets at risk.

The Permit2 Transaction: A Key to the Drain

A crucial element in the success of this attack is the use of the Permit2 transaction. The assault began at 6:40 am Feb. 12 when Angel Drainer deployed a malicious Protected (previously Gnosis Protected) vault contract, wrote blockchain safety agency Blockaid in a Feb. 13 post to X. At whole of 128 wallets then signed a Permit2 transaction on the Protected vault contract, resulting in $403,000 in funds being stolen.Permit2 is a protocol that allows users to approve token spending for a specific contract, without having to spend gas fees for each individual transaction. According to cybersecurity firm Blockaid, on Tuesday, a phishing attack targeting over 128 user wallets siphoned off approximately $403,000. The drain, which commenced at 6:41 am UTC on Monday, February 12th, was orchestrated by deploying the malicious Safe Vault contract on the Ethereum blockchain.While Permit2 can improve user experience and reduce costs, it also introduces potential vulnerabilities if used with malicious contracts.

In this case, the 128 victim wallets signed a Permit2 transaction on the malicious Safe vault contract.This signature effectively granted the contract permission to access and transfer their funds. Notorious phishing group, Angel Drainer, has reportedly stolen over $400,000 from victim s 128 crypto wallets through a new attack vector, using a malicious Safe Contract. The attack leveraged Etherscan s verification tool to cover up the malicious nature of a smart contract.Once the permission was granted, Angel Drainer was able to drain the wallets of approximately $403,000 worth of crypto assets. Angel Drainer targets users with malicious Safe contract: $403K stolen Febru The notorious phishing group deployed a nefarious Safe vault contract that used Etherscan to provide victims with a false sense of security.This attack highlights the importance of understanding what you are approving when signing any transaction, especially those related to token permissions.

The Financial Impact and Scope of the Attack

The immediate financial impact of the Angel Drainer attack is significant, with $403,000 stolen from 128 wallets.However, the damage extends beyond the monetary losses. Crypto Phishing Group Angel Drainer Reportedly Steals $400,000 From 128 WalletsThis attack erodes trust in the cryptocurrency ecosystem, particularly in tools and platforms designed to provide security and transparency.

Beyond the immediate victims, this incident serves as a warning to all cryptocurrency users. Angel Drainer targets users with malicious Safe contract: $403K stolen siphons $403K through a deceptive smart contract. Angel Drainer used malicious SafeIt demonstrates the sophistication of modern phishing attacks and the lengths to which malicious actors will go to exploit vulnerabilities.The psychological impact of losing funds can be devastating, and the fear of future attacks can deter potential investors from entering the crypto space.

Furthermore, the attack highlights the need for increased security measures across the industry. Notorious phishing group Angel Drainer has reportedly stolen over $400,000 from 128 crypto wallets through a new attack vector that leveraged Etherscan s verification tool to cover up theExchanges, wallet providers, and blockchain infrastructure projects must work together to develop more robust defenses against phishing and other malicious attacks.

Who is Angel Drainer and How Do They Operate?

Angel Drainer is a notorious phishing group known for employing sophisticated techniques to steal cryptocurrency from unsuspecting users. The attack utilized a new tactic that exploited Etherscan s verification tool to mask the malicious nature of a smart contract. Attack Details. According to a February 13 post from blockchain security firm Blockaid, the attack commenced at 6:40 am on February 12, when Angel Drainer deployed a malicious Safe (formerly Gnosis Safe) vault contract.They operate by creating convincing fake websites and smart contracts that mimic legitimate platforms. Notorious phishing group Angel Drainer has reportedly stolen over $400,000 from 128 crypto wallets through a new attack vector that has leveraged Etherscan s verification tool to cover up the malicious nature of a smart contract.These deceptive creations lure users into entering their private keys or approving malicious transactions, ultimately leading to the theft of their funds.

While specific details about the group's organization and membership remain elusive, their methods suggest a high level of technical expertise and a coordinated operational structure.They are constantly evolving their tactics, adapting to new security measures and exploiting emerging vulnerabilities in the crypto ecosystem.

Reports suggest a connection between Angel Drainer and other malicious entities in the crypto space, such as Nova Drainer. Trusted News Discovery Since 2025. Global Edition. Saturday, ApThese connections highlight the interconnectedness of cybercriminal networks and the potential for collaboration in carrying out sophisticated attacks.Information suggests that groups like Nova Drainer provide services to scammers charging a percentage of stolen funds.

Protecting Yourself from Phishing Attacks and Malicious Contracts

safe contracts approach
safe contracts approach

The threat posed by groups like Angel Drainer demands a proactive approach to security. Nova Drainer charges scammers 30% of their stolen Angel Drainer targets users with malicious Safe contract: sites linked to Nova Drainer and discovered three contract addresses used in theHere are some actionable steps you can take to protect yourself from phishing attacks and malicious smart contracts:

  • Double-Check Everything: Always verify the URL of any website you visit, especially those related to cryptocurrency.Look for subtle differences in spelling or domain names that may indicate a phishing site.
  • Verify Contract Addresses: Before interacting with any smart contract, carefully verify its address on reputable sources like Etherscan or CoinGecko.Compare the address to known legitimate contracts and be wary of any discrepancies.
  • Read Transaction Details Carefully: Pay close attention to the details of every transaction you are asked to sign. According to Cointelegraph: Infamous phishing group Angel Drainer has reportedly employed a new malicious Safe contract attack to CBD steal $403K from 128 cryptocurrency wallets.Understand what assets are being transferred, who is receiving them, and what permissions you are granting.
  • Use Hardware Wallets: Hardware wallets provide an extra layer of security by storing your private keys offline.This makes it much more difficult for hackers to access your funds, even if your computer is compromised.
  • Enable Two-Factor Authentication (2FA): Enable 2FA on all your cryptocurrency accounts, including exchanges, wallets, and email addresses.This adds an additional layer of security that requires a second verification method, such as a code sent to your phone.
  • Be Wary of Social Media and Email Scams: Be cautious of unsolicited messages or emails offering free tokens, airdrops, or other promotions. In a recent attack, the notorious phishing group Angel Drainer managed to pilfer over $400,000 from 128 crypto wallets. Employing a new tactic, the group deployed a malicious Safe vault contract, exploiting Etherscan s verification tool to cloak the contract s nefarious nature.These are often used to lure victims into phishing scams or malicious websites.
  • Keep Your Software Updated: Regularly update your operating system, browser, and antivirus software to patch security vulnerabilities that could be exploited by hackers.
  • Use a Reputable VPN: A VPN can mask your IP address and encrypt your internet traffic, making it more difficult for hackers to track your online activity and target you with phishing attacks.
  • Educate Yourself: Stay informed about the latest phishing techniques and security best practices.The more you know, the better equipped you will be to protect yourself.

Key Takeaways and Future Implications

The Angel Drainer attack serves as a crucial lesson for the cryptocurrency community.It highlights the increasing sophistication of phishing attacks and the importance of vigilance in protecting digital assets.Here are some key takeaways:

  • Trust No One: Always be skeptical of websites and smart contracts, even if they appear legitimate.Verify everything before interacting with them.
  • Security is Paramount: Implement robust security measures, including hardware wallets, 2FA, and regular software updates.
  • Education is Key: Stay informed about the latest threats and best practices for staying safe in the crypto space.
  • Community Collaboration is Essential: Exchanges, wallet providers, and blockchain security firms must work together to develop more effective defenses against phishing attacks.

Looking ahead, it is likely that phishing attacks will continue to evolve in sophistication.Malicious actors will continue to seek new ways to exploit vulnerabilities and deceive users.Therefore, it is essential to remain vigilant and adapt to the changing threat landscape.

The industry needs to develop better tools and technologies to detect and prevent phishing attacks.This includes improved contract verification processes, real-time threat intelligence sharing, and user-friendly security solutions.

Frequently Asked Questions (FAQs)

frequently asked questions
frequently asked questions

Here are some frequently asked questions about phishing attacks and how to protect yourself:

What is a phishing attack?

A phishing attack is a type of cybercrime in which attackers attempt to deceive individuals into revealing sensitive information, such as usernames, passwords, credit card details, or private keys.They often do this by disguising themselves as a trustworthy entity, such as a bank, social media platform, or government agency.

How can I identify a phishing email or website?

Look for the following red flags:

  • Suspicious sender addresses
  • Poor grammar and spelling
  • Urgent or threatening language
  • Requests for personal information
  • Links that don't match the displayed text

What should I do if I suspect I've been targeted by a phishing attack?

If you suspect you've been targeted, take the following steps:

  • Do not click on any links or open any attachments.
  • Report the incident to the relevant authorities, such as the Internet Crime Complaint Center (IC3).
  • Change your passwords on all your important accounts.
  • Monitor your accounts for any unauthorized activity.

What are the best practices for securing my cryptocurrency wallets?

Follow these best practices:

  • Use a hardware wallet for long-term storage.
  • Enable 2FA on all your accounts.
  • Keep your software updated.
  • Be cautious of phishing scams.
  • Never share your private keys with anyone.

Conclusion: Staying Safe in the Crypto World

The Angel Drainer incident is a wake-up call for the cryptocurrency community.The sophistication of this attack, which leveraged a malicious Safe contract and exploited Etherscan's verification tool, demonstrates the constant need for vigilance.Protecting your digital assets requires a proactive approach, including careful verification of websites and smart contracts, the use of hardware wallets, and a healthy dose of skepticism.

By staying informed about the latest threats and implementing robust security measures, you can significantly reduce your risk of falling victim to phishing attacks.The cryptocurrency world offers exciting opportunities, but it also demands responsibility and a commitment to security.Remember to always double-check, verify, and protect your assets.Your diligence is the first and strongest line of defense against the ever-evolving threats in the digital landscape.

Take action today!Review your security practices, update your software, and educate yourself about the latest phishing techniques.The future of your digital assets depends on it.

Malik Everen can be reached at [email protected].

Comments