How FreeDrain Works
The operation is a coordinated effort by cybercriminals to manipulate search engine results and lure users into phishing traps. When unsuspecting victims search for terms like "Trezor wallet balance" on Google, Bing, or DuckDuckGo, they are shown results that rank highly but point to attacker-controlled pages.
These results take them to lure pages hosted on free-tier platforms such as gitbook.io, webflow.io, and github.io. From there, victims are:
- Redirected to a legitimate website
- Sent through intermediary redirection layers
- Tricked into entering their seed phrases on a fake crypto wallet interface
Once a seed phrase is entered, the wallet is emptied within minutes by automated draining infrastructure.

Scope of the Threat
According to SentinelOne and Validin researchers, over 38,000 subdomains have been linked to this phishing campaign. These fake pages are hosted using cloud infrastructure like Amazon S3 and Azure Web Apps, often mimicking interfaces of popular wallets like MetaMask, Phantom, Trezor, and Coinbase.
The campaign appears to originate from actors working in the Indian Standard Time (IST) zone, based on the timing of GitHub commits to the lure repositories. The phishing pages often show a static screenshot of a legitimate wallet interface to build trust, then prompt users to click through to a page that harvests the seed phrase.
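The lure pattern described above has three observable features that a defender can look for in web-proxy logs: a search-engine referer, a subdomain on one of the free-tier or cloud hosts named in the article, and a wallet brand name inside that subdomain. The following triage script is an added example written for this page, not code from SentinelOne, Validin, or any party named here. The log format, the field layout, and the log lines themselves are constructed for illustration; the host and brand lists are taken from the article.

```python
"""Triage web-proxy logs for FreeDrain-style crypto-wallet lure pages.

Added example for this page, not the researchers' tooling. The log format
(timestamp, client IP, method, URL, quoted referer, status) and the sample
lines are constructed; the host and brand lists come from the article.
"""
import re
from urllib.parse import urlparse

# Free-tier and cloud hosting parents named in the article as lure hosts.
FREE_TIER_PARENTS = (
    "gitbook.io", "webflow.io", "github.io",
    "s3.amazonaws.com", "azurewebsites.net",
)
# Wallet brands the article says the lure pages imitate.
WALLET_BRANDS = ("metamask", "phantom", "trezor", "coinbase")
# Search engines the article names as the entry point.
SEARCH_ENGINES = ("google.com", "bing.com", "duckduckgo.com")

# Constructed sample log: two users following poisoned search results,
# one legitimate GitBook docs site, one direct visit to a real vendor site.
SAMPLE_LOG = """\
2025-05-08T10:01:12Z 10.0.0.12 GET https://trezor-wallet-balance.gitbook.io/ "https://www.google.com/" 200
2025-05-08T10:01:15Z 10.0.0.12 GET https://trezor-wallet-balance.gitbook.io/check "https://trezor-wallet-balance.gitbook.io/" 302
2025-05-08T10:02:40Z 10.0.0.31 GET https://docs.example-project.gitbook.io/ "https://github.com/" 200
2025-05-08T10:03:05Z 10.0.0.44 GET https://phantom-balance-checker.webflow.io/ "https://duckduckgo.com/" 200
2025-05-08T10:04:00Z 10.0.0.44 GET https://metamask.io/ "" 200
"""

# Assumed proxy log layout: ts client method url "referer" status
LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)" (\d{3})$')


def free_tier_parent(host):
    """Return the free-tier parent domain this host sits under, else None."""
    for parent in FREE_TIER_PARENTS:
        if host == parent or host.endswith("." + parent):
            return parent
    return None


def score(url, referer):
    """Score one request; returns (score, reasons).

    Score 0 means the host is not on a free-tier parent at all. Each
    additional lure feature (brand in subdomain, search-engine referer)
    adds one point, so a full FreeDrain-style hit scores 3.
    """
    host = (urlparse(url).hostname or "").lower()
    parent = free_tier_parent(host)
    if parent is None:
        return 0, []
    reasons = ["free-tier host (%s)" % parent]

    # Only the attacker-chosen label matters; the parent domain is benign.
    label = host[: -len(parent) - 1]
    if any(brand in label for brand in WALLET_BRANDS):
        reasons.append("wallet brand in subdomain")

    ref_host = (urlparse(referer).hostname or "").lower()
    if any(ref_host == se or ref_host.endswith("." + se) for se in SEARCH_ENGINES):
        reasons.append("search-engine referer")
    return len(reasons), reasons


def scan(log_text, threshold=2):
    """Return the log entries scoring at or above threshold, oldest first."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed layout
        ts, client, _method, url, referer, _status = m.groups()
        s, reasons = score(url, referer)
        if s >= threshold:
            hits.append({"time": ts, "client": client, "url": url,
                         "score": s, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["time"], hit["client"], hit["url"], hit["score"], "; ".join(hit["reasons"]))
```

Treat this as a triage heuristic, not a blocking rule: plenty of legitimate projects publish documentation on gitbook.io or github.io, which is why a bare free-tier host scores only 1 and the default threshold requires a second feature. The second sample line, a follow-on click within the same lure site, still scores 2 because the brand name is carried in the subdomain, so an analyst sees the whole visit rather than only the landing page.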
Use of AI & Spamdexing
Security experts say the campaign content is likely generated with large language models such as OpenAI's GPT-4o, which lets the attackers produce and refresh lure pages at scale. The group also relies on spamdexing: posting thousands of spam comments containing links on neglected, outdated websites so that search engines rank the phishing pages higher.
Related Attacks: Inferno Drainer & Malvertising
This discovery follows revelations about other advanced crypto-targeted campaigns:
- Inferno Drainer: A Drainer-as-a-Service (DaaS) tool that hijacks Discord vanity links and OAuth2 flows to phish crypto wallets. Between September 2024 and March 2025, it reportedly drained funds from over 30,000 unique wallets, totaling over $9 million in losses.
- Facebook Malvertising: Fake ads for platforms like Binance, Bybit, and TradingView lead users to malware-laced pages. These sites fingerprint sandboxes and security scanners and serve them benign content, so automated analysis sees nothing malicious.
Key Takeaways
- 🔐 Always access wallet platforms via official websites.
- ❌ Never enter your seed phrase on unfamiliar or redirected URLs.
- 🧠 Be skeptical of search results promoting free crypto tools or balance checkers.
- 📌 Bookmark and use trusted sources when handling digital assets.

Final Thoughts
FreeDrain demonstrates the growing threat posed by cybercriminals weaponizing AI, SEO, and cloud services to build scalable phishing operations. As long as free-tier hosting platforms do not vet abusive subdomains or take them down quickly, such phishing ecosystems will continue to thrive, deceiving victims and evading traditional security tools.