In a concerning development, nearly 2,000 hacked WordPress websites have fallen victim to a sophisticated scheme involving fake NFT and discount pop-ups. The goal is to deceive unsuspecting visitors into linking their wallets to crypto drainers that automatically siphon funds.
Website security firm Sucuri recently revealed that approximately 1,000 WordPress sites had been compromised to promote these crypto drainers through malvertising and YouTube advertisements. Despite an initial setback with this campaign, the attackers pivoted to a new strategy—deploying malicious scripts on the compromised sites to convert visitors' browsers into tools for brute-forcing admin passwords on other platforms.
This concerted effort led to the establishment of around 1,700 brute-forcing sites, including notable targets like Ecuador's Association of Private Banks website. The objective was to amass a significant pool of compromised sites for a larger, more lucrative campaign.
According to cybersecurity researchers, the threat actors have now begun leveraging this network of compromised sites to display pop-ups featuring fake NFT offers and crypto discounts.
While the exact number of compromised sites hosting these crypto drainers remains uncertain, a recent Urlscan search revealed that over 2,000 websites had loaded the malicious scripts over the past week. Although not all of these sites are currently displaying deceptive pop-ups, this could change at any moment.
The malicious scripts are sourced from the domain dynamic-linx[.]com, the same URL identified by Sucuri in their earlier report. Upon execution, these scripts check for a specific cookie ("haw") and inject malicious content into the webpage if the cookie is absent.
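The two indicators described above, a script loaded from dynamic-linx[.]com and an inline script that checks for a "haw" cookie before injecting content, are enough for a simple page-scanning check. The following is an added example, not code from the report or from Sucuri; the sample pages are constructed here for illustration, and the inline-script text in the infected sample is a stand-in, not the real injected code.

```python
"""Scan saved HTML for the indicators named in the report: an external script
sourced from dynamic-linx.com and inline script text that tests for a cookie
named "haw". Sample pages below are constructed for this example."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Indicator domain from the report (written dynamic-linx[.]com in prose).
SUSPECT_DOMAINS = {"dynamic-linx.com"}
# Cookie name the injected script looks for before adding the pop-ups.
SUSPECT_COOKIE = "haw"


class _ScriptCollector(HTMLParser):
    """Collects external script src values and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self.inline.append("".join(self._buf))
            self._in_script = False


def _host_of(src):
    # Protocol-relative URLs (//host/path) parse correctly once given a scheme.
    if src.startswith("//"):
        src = "https:" + src
    return (urlparse(src).hostname or "").lower()


def _domain_matches(host):
    # Match the domain itself and any subdomain of it.
    return any(host == d or host.endswith("." + d) for d in SUSPECT_DOMAINS)


def scan_html(html):
    """Return a list of finding strings; an empty list means nothing matched."""
    parser = _ScriptCollector()
    parser.feed(html)
    findings = []
    for src in parser.external:
        if _domain_matches(_host_of(src)):
            findings.append("external script from suspect domain: " + src)
    cookie_literal = re.compile(r"['\"]" + re.escape(SUSPECT_COOKIE) + r"=?['\"]")
    for body in parser.inline:
        if "document.cookie" in body and cookie_literal.search(body):
            findings.append('inline script checks for cookie "%s"' % SUSPECT_COOKIE)
    return findings


# Constructed sample pages (not captured from any real site).
CLEAN_PAGE = """<html><head>
<script src="https://cdn.example.com/jquery.min.js"></script>
<script>document.cookie = "consent=1; path=/";</script>
</head><body><p>Hello</p></body></html>"""

INFECTED_PAGE = """<html><head>
<script src="//dynamic-linx.com/b.js"></script>
<script>
if (document.cookie.indexOf("haw=") === -1) { /* constructed stand-in for the injection step */ }
</script>
</head><body><p>Hello</p></body></html>"""


if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("infected", INFECTED_PAGE)):
        print(name, scan_html(page) or "no indicators")
```

Run it over HTML saved from each site in an inventory; a hit on either indicator is worth a manual look at the site's theme and plugin files, since the report describes the script as being injected into already-compromised WordPress installs.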
The injected code triggers random pop-ups enticing visitors to connect their wallets to mint promising NFTs or claim discounts on the site. BleepingComputer conducted tests on several affected sites and confirmed that the pop-ups, initially glitchy, eventually resumed functioning as intended.
When users click the "connect" button on these pop-ups, they are prompted to select their preferred wallet, with support for MetaMask, Safe Wallet, Coinbase, Ledger, Trust Wallet, and WalletConnect. This broad wallet support significantly widens the pool of potential victims.
Once a visitor connects their wallet to the compromised site, the crypto drainer stealthily siphons all funds and NFTs from the account, diverting them to the threat actors.
It's important to note that platforms like MetaMask issue warnings when visiting websites infected with these malicious scripts.
Crypto drainers represent a growing threat to the cryptocurrency community, with threat actors exploiting high-profile accounts and leveraging AI-generated videos and malicious advertising to propagate their schemes.
To safeguard digital assets from crypto drainers and other cyber threats, users should only connect their wallets to trusted platforms. Vigilance is key, especially when encountering unexpected pop-ups that deviate from a website's usual content or design.