IOK Rules: cryptocurrency

Ethereum Wallet Drainer (Monkey Drainer)

Detects the "Monkey Drainer" phishing script kit

Fake crypto mining - ReceiveVoucher

Detects a malicious DApp that pretends to be a cloud mining platform while presenting fake audit reports.

Fake crypto mining - inviteRequired

Detects a malicious DApp that requires injected Web3 and invitation code to gain access to the fake mining offer.

Fake crypto mining - ReceiveVoucher3

Detects a malicious DApp that pretends to be a liquidity mining platform while presenting fake audit reports. Older version of the fake-crypto-mining-noChrome rule.

Solana cryptocurrency wallet drainer - tokenup

Detects a Solana cryptocurrency wallet drainer that fakes the number of minted NFTs to initiate Fear of Missing Out (FOMO) against the victim.

Fake crypto trading - yuebaoIndex

Detects a malicious DApp that pretends to be a trading platform that offers AI bots, lending, and mining.

Vitalik Buterin fake crypto giveaway cbn4xt8m

Detects a scam giveaway landing page which claims to host a large cryptocurrency event. It asks you to send coins to a wallet to have them doubled.

Asli Crypto Drainer ea8f67e

Detects a family of crypto drainers that utilises a similarly structured landing page.

crew3 Crypto Drainer 0827f6e1

Detects the crypto drainer created by a Chinese threat actor that is hidden within the file named `main.69e3e80e.js` commonly hosted on a subdomain with the apex domain being either `server-crew3.xyz` or `web3-crew3.xyz`

Amazon Token Cryptocurrency Scam SHFXgk

Detects a cyptocurrency phishing kit targeting Amazon. It claims to offer an Amazon (AMZ) token pre-sale and leads to an exchange where you can swap cryptocurrencies for this fake token. This was found as a result of this kit being deployed on Replit.

hardteam Crypto Drainer f42d93a4

Detects the crypto drainer named 'hardteam' that uses the domain `hardteam.site` to exfiltrate it's logs called from within the drainer script located in the file `drainer_v4.js`

finesse Crypto Drainer 9c933ae7

Detects a crypto drainer that usually appears on websites that impersonate the Discord Bots `MEE6` and `Dyno`.

trkrsrvrdb Crypto Drainer 14658cf1

Detects the crypto drainer named 'trkrsrvrdb' that uses the domain `trkrsrvrdb.com` to exfiltrate it's logs called from within the drainer script

Fake crypto mining - MiningPool

Detects a malicious DApp that pretends to be a cloud mining platform.

Fake crypto trading - warmReminder

Detects a malicious DApp that requires injected Web3 to gain access to the fake trading and mining offers.

Cryptocurrency Giveaway wjUTKJ

Detects a fake cryptocurrency giveaway impersonating Elon Musk and promising to send back dobule (BTC, ETH, DOGE) that you send to the attacker's wallet. Distributed through Twitter phishing accounts.

Fake crypto mining - DeFi_Mining

Detects a malicious DApp that pretends to be a mining platform.

Ark Investment Crypto Phishing Kit 3465f6c

Detects a crypto phishing kit using Ark Investment as proof of the giveaway being legitmate, this kit also uses people like Elon Musk to lure victims.

Fake crypto giveaway coin selection b791myo4

Detects a scam giveaway landing page which claims to host a large cryptocurrency event. Sometimes the scammer will pick a specific cryptocurrency to target, but in this case they decided to add a menu where the user can select a specific coin.

OpenSea Phishing 389-9bec97c22fa2e411

Detects OpenSea wallet drainers - mystery box scam. Often hosted on Vercel (https://vercel.com/).

Elon Musk fake crypto giveaway xfve5qjx

Detects a scam giveaway landing page which claims to host a large cryptocurrency event. It asks you to send coins to a wallet to have them doubled.

ToastrJS Crypto Drainer 0d0f9db

Detects a crypto drainer.

SettingsJS Crypto Drainer d810a56

Detects a crypto drainer that has its own configuration file called settings.js.

Coinbase Phishing zG3nVT0g

Detects Coinbase recovery phrase scam websites. Often hosted on Glitch (https://glitch.com/).

Fake crypto mining - arbitrageProducts

Detects a malicious DApp that pretends to be a cloud mining operator and an AI arbitrage trading platform.

FauxMoralis Crypto Drainer 6a3cac21

Sites that contact this domain are websites that will drain a user's crypto wallet using a piece of javascript code known as a 'crypto drainer'. Due to this domain imitating the real Moralis API it has been named FauxMoralis to reflect this.

Fake crypto mining - ReceiveVoucher2

Detects a malicious DApp that requires a mobile browser UA and offers fake liquidity mining while presenting fake audit reports.

Fake crypto mining - noChromium

Detects a malicious DApp that force redirects when it detects the use of a Chromium based browser. Pretends to be a liquidity mining platform while presenting fake audit reports.

rusc Crypto Drainer f4180c6

Detects a crypto drainer that supports English & Russian in its logging messages. It also has its own configuration file called `import_main.js` and its main draining functionality in a file called `main.js`

Fake crypto mining - ReceiveVoucher4

Detects a malicious DApp that pretends to be a liquidity mining platform while presenting fake audit reports and partners. AJAX call to receive other contents.

SMU Crypto Drainer d9da4dc1

Detects a crypto drainer that hides commonly within the file named `utils.js` and has a seperate `showMess.js` file with functions used to send window alerts.

Ethereum cryptocurrency wallet drainer - Iil1ililIl1iIl1ill1Ilii

Detects an Ethereum cryptocurrency wallet drainer that has a constant variable named Iil1ililIl1iIl1ill1Ilii.