IOK Rules: cryptocurrency

Ethereum Wallet Drainer (Monkey Drainer)

Detects the "Monkey Drainer" phishing script kit

Fake crypto trading - warmReminder

Detects a malicious DApp that requires injected Web3 to gain access to the fake trading and mining offers.

Ark Investment Crypto Phishing Kit 3465f6c

Detects a crypto phishing kit using Ark Investment as proof of the giveaway being legitmate, this kit also uses people like Elon Musk to lure victims.

Ethereum cryptocurrency wallet drainer - Iil1ililIl1iIl1ill1Ilii

Detects an Ethereum cryptocurrency wallet drainer that has a constant variable named Iil1ililIl1iIl1ill1Ilii.

Elon Musk fake crypto giveaway xfve5qjx

Detects a scam giveaway landing page which claims to host a large cryptocurrency event. It asks you to send coins to a wallet to have them doubled.

Coinbase Phishing zG3nVT0g

Detects Coinbase recovery phrase scam websites. Often hosted on Glitch (https://glitch.com/).

Fake crypto mining - ReceiveVoucher3

Detects a malicious DApp that pretends to be a liquidity mining platform while presenting fake audit reports. Older version of the fake-crypto-mining-noChrome rule.

Fake crypto mining - MiningPool

Detects a malicious DApp that pretends to be a cloud mining platform.

Fake crypto mining - ReceiveVoucher2

Detects a malicious DApp that requires a mobile browser UA and offers fake liquidity mining while presenting fake audit reports.

Fake crypto mining - ReceiveVoucher

Detects a malicious DApp that pretends to be a cloud mining platform while presenting fake audit reports.

SettingsJS Crypto Drainer d810a56

Detects a crypto drainer that has its own configuration file called settings.js.

hardteam Crypto Drainer f42d93a4

Detects the crypto drainer named 'hardteam' that uses the domain `hardteam.site` to exfiltrate it's logs called from within the drainer script located in the file `drainer_v4.js`

crew3 Crypto Drainer 0827f6e1

Detects the crypto drainer created by a Chinese threat actor that is hidden within the file named `main.69e3e80e.js` commonly hosted on a subdomain with the apex domain being either `server-crew3.xyz` or `web3-crew3.xyz`

FauxMoralis Crypto Drainer 6a3cac21

Sites that contact this domain are websites that will drain a user's crypto wallet using a piece of javascript code known as a 'crypto drainer'. Due to this domain imitating the real Moralis API it has been named FauxMoralis to reflect this.

ToastrJS Crypto Drainer 0d0f9db

Detects a crypto drainer.

SMU Crypto Drainer d9da4dc1

Detects a crypto drainer that hides commonly within the file named `utils.js` and has a seperate `showMess.js` file with functions used to send window alerts.

Solana cryptocurrency wallet drainer - tokenup

Detects a Solana cryptocurrency wallet drainer that fakes the number of minted NFTs to initiate Fear of Missing Out (FOMO) against the victim.

Fake crypto trading - yuebaoIndex

Detects a malicious DApp that pretends to be a trading platform that offers AI bots, lending, and mining.

Fake crypto mining - noChromium

Detects a malicious DApp that force redirects when it detects the use of a Chromium based browser. Pretends to be a liquidity mining platform while presenting fake audit reports.

Cryptocurrency Giveaway wjUTKJ

Detects a fake cryptocurrency giveaway impersonating Elon Musk and promising to send back dobule (BTC, ETH, DOGE) that you send to the attacker's wallet. Distributed through Twitter phishing accounts.

Fake crypto giveaway coin selection b791myo4

Detects a scam giveaway landing page which claims to host a large cryptocurrency event. Sometimes the scammer will pick a specific cryptocurrency to target, but in this case they decided to add a menu where the user can select a specific coin.

rusc Crypto Drainer f4180c6

Detects a crypto drainer that supports English & Russian in its logging messages. It also has its own configuration file called `import_main.js` and its main draining functionality in a file called `main.js`

Fake crypto mining - inviteRequired

Detects a malicious DApp that requires injected Web3 and invitation code to gain access to the fake mining offer.

finesse Crypto Drainer 9c933ae7

Detects a crypto drainer that usually appears on websites that impersonate the Discord Bots `MEE6` and `Dyno`.

Fake crypto mining - ReceiveVoucher4

Detects a malicious DApp that pretends to be a liquidity mining platform while presenting fake audit reports and partners. AJAX call to receive other contents.

Asli Crypto Drainer ea8f67e

Detects a family of crypto drainers that utilises a similarly structured landing page.

Fake crypto mining - DeFi_Mining

Detects a malicious DApp that pretends to be a mining platform.

Vitalik Buterin fake crypto giveaway cbn4xt8m

Detects a scam giveaway landing page which claims to host a large cryptocurrency event. It asks you to send coins to a wallet to have them doubled.

OpenSea Phishing 389-9bec97c22fa2e411

Detects OpenSea wallet drainers - mystery box scam. Often hosted on Vercel (https://vercel.com/).

trkrsrvrdb Crypto Drainer 14658cf1

Detects the crypto drainer named 'trkrsrvrdb' that uses the domain `trkrsrvrdb.com` to exfiltrate it's logs called from within the drainer script

Fake crypto mining - arbitrageProducts

Detects a malicious DApp that pretends to be a cloud mining operator and an AI arbitrage trading platform.

Amazon Token Cryptocurrency Scam SHFXgk

Detects a cyptocurrency phishing kit targeting Amazon. It claims to offer an Amazon (AMZ) token pre-sale and leads to an exchange where you can swap cryptocurrencies for this fake token. This was found as a result of this kit being deployed on Replit.