
A threat actor named ‘Water Labbu’ is hacking scam websites to inject malicious JavaScript code and steal cryptocurrency from victims.

In July, the FBI published a warning about fraudulent decentralized applications (dApps) in which scammers posed as cryptocurrency liquidity mining services and ultimately stole the victims’ cryptocurrency investments.

Liquidity mining is an arrangement in which investors lend their cryptocurrency to a decentralized exchange in return for a share of the rewards generated from trading fees. Water Labbu, a recently discovered threat actor, breaks into these fake dApp webpages and plants malicious JavaScript inside their HTML.

Water Labbu never engages with its victims directly; it leaves the social engineering to the scammers who run the sites. When a potential investor connects their wallet to the scam dApp, Water Labbu’s injected script takes over: it monitors the connected wallet and its transactions and ultimately steals the investment.

According to analysts, Water Labbu has compromised at least 45 dApp scam sites, most of which follow the ‘lossless mining liquidity pledge’ pattern.

No fear

The threat actor locates cryptocurrency scam sites and injects scripts into the dApp pages that blend in with the surrounding HTML.

“In one of the cases we analyzed, Water Labbu injected an IMG tag to load a Base64-encoded JavaScript payload using the ‘onerror’ event, in what is known as an XSS evasion technique, to bypass Cross-Site Scripting (XSS) filters”, security firm Trend Micro said in a report. “The injected payload then creates another script element that loads another script from the delivery server tmpmeta[.]com.”

The script watches every wallet connected to the compromised dApp sites and harvests the victims’ information, including names, addresses, cryptocurrency balances and Ethereum wallet credentials.

Water Labbu targets wallets holding more than 22,000 USDT or 0.005 ETH; the injected script monitors the wallet’s transactions to confirm the target meets that threshold. Once it does, the script checks whether the victim is on Windows or a mobile OS. On a mobile OS, the script sends a transaction approval request through the dApp; if the victim approves it, the attacker drains the funds and transfers them to an address controlled by Water Labbu.

Victims on Windows instead see a fake Flash Player update prompt on the scam site. The ‘installer’ is a backdoor fetched directly from GitHub, which the attackers use to steal cryptocurrency wallets and browser cookies, again leaving the victim with nothing.

Research any dApp, liquidity mining platforms included, before connecting a wallet to it, and regularly review the sites your wallet is allowed to connect to so that any connection you do not recognize can be revoked.
