In July, the FBI published a warning about scams involving decentralized applications (dApps) in which hackers impersonated cryptocurrency liquidity mining services and ultimately stole the victims’ cryptocurrency investments.
Water Labbu never engages with its victims. The threat actor leaves the social engineering work to the scammers. When a potential investor connects their wallet to a decentralized application, Water Labbu’s malicious script comes into action: it detects information about the victim’s crypto transactions and ends up stealing the investment.
According to analysts, Water Labbu has compromised at least 45 dApp scam sites, most based on the ‘lossless mining liquidity pledge’ pattern.
The threat actor locates cryptocurrency scam sites and injects suspicious scripts into the decentralized application, where they blend easily into the site’s HTML.
The script keeps an eye on every wallet connected to the scam dApp websites and retrieves the victims’ sensitive information, such as names, addresses, digital currency balances and credentials for Ethereum wallets.
Water Labbu targets individuals who hold more than 22,000 USDT or 0.005 ETH. The malicious script monitors crypto transactions to check that the target meets these criteria. Once it is sure, Water Labbu determines whether the victim is using Windows or a mobile OS. On a mobile OS, the malicious script sends transaction approval requests through the decentralized application. Once the victim agrees, the attacker drains all the funds, which are automatically sent to an address owned by Water Labbu.
Victims using Windows, on the other hand, encounter a fake Flash Player update notice on the scam website. The Flash installer is a backdoor fetched directly from GitHub, which the hackers use to steal cryptocurrency wallets and cookies. As a result, the victim loses everything.
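The approval requests described above are the step a user can still catch before signing. As an added illustration (not part of the original article), the following JavaScript decodes the calldata of a transaction a dApp asks a wallet to sign and flags token approvals; it assumes the requests are standard ERC-20 approve() calls, and all addresses and calldata in it are constructed placeholders.

```javascript
// Added example, not from the original article or its sources: decode the
// calldata of a transaction a dApp asks the wallet to sign, and flag the
// step the article describes, a token approval that lets another address
// spend the victim's funds. Selectors are the standard ERC-20 ones.
const SELECTORS = {
  "0x095ea7b3": "approve",  // approve(address spender, uint256 amount)
  "0xa9059cbb": "transfer", // transfer(address to, uint256 amount)
};
const MAX_UINT256 = (1n << 256n) - 1n; // an "unlimited" allowance

// Split 0x-prefixed calldata into a 4-byte selector and 32-byte ABI words.
function parseCalldata(data) {
  const hex = data.toLowerCase().replace(/^0x/, "");
  if (hex.length < 8 || (hex.length - 8) % 64 !== 0) {
    throw new Error("calldata is not 4 + 32*n bytes");
  }
  const words = [];
  for (let i = 8; i < hex.length; i += 64) words.push(hex.slice(i, i + 64));
  return { selector: "0x" + hex.slice(0, 8), words };
}
const toAddress = (word) => "0x" + word.slice(24); // last 20 bytes of the word
const toUint = (word) => BigInt("0x" + word);

// Assess a wallet request {to, data}. `to` is the token contract. Any
// approve() is reported as risky because it delegates spending rights to
// the spender; a transfer is reported but left for the user to judge.
function assessRequest(tx) {
  const { selector, words } = parseCalldata(tx.data);
  const fn = SELECTORS[selector] || "unknown";
  if (fn === "unknown") return { fn, risky: false, reason: "not an ERC-20 approve/transfer" };
  const target = toAddress(words[0]);
  const amount = toUint(words[1]);
  if (fn === "approve") {
    const unlimited = amount === MAX_UINT256;
    return { fn, spender: target, amount, unlimited, risky: true,
      reason: `lets ${target} spend ${unlimited ? "UNLIMITED" : amount} of token ${tx.to}` };
  }
  return { fn, to: target, amount, risky: false,
    reason: `moves ${amount} of token ${tx.to} to ${target}` };
}

// Constructed sample (placeholder addresses): an unlimited approval request.
const SAMPLE_TX = {
  to: "0x" + "11".repeat(20),
  data: "0x095ea7b3" + "0".repeat(24) + "ab".repeat(20) + "f".repeat(64),
};
console.log(assessRequest(SAMPLE_TX).reason);
```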
Prior research is advisable before connecting to any dApp, including liquidity mining platforms. Also, regularly review your digital wallet’s allowed websites to ensure you haven’t allowed any suspicious connections.