In a perfect example of there being no honor among thieves, a threat actor named ‘Water Labbu’ is hacking into cryptocurrency scam sites to inject malicious JavaScript that steals funds from the scammer’s victims. In July, the FBI warned of scam ‘dApps’ (decentralized applications) that impersonated cryptocurrency liquidity mining services but, in reality, stole a victim’s crypto investments. Liquidity mining is when an investor lends their crypto to a decentralized exchange in exchange for high rewards, commonly generated through trading fees. However, instead of creating their own scam sites, Water Labbu hacks into these types of fake dApp sites and injects JavaScript code into site’s HTML. The hackers do not engage with the victims and instead leave all the social engineering work to the scammers. When an investor connects to their wallet to the dApp, Water Labbu’s script will detect if it contains a lot of crypto holdings, and if so, attempts to steal it using multiple methods described below. According to the analysts, Water Labbu has compromised at least 45 scam websites, most following the “lossless mining liquidity pledge” theme. Trend Micro says the profit made by Water Labbu is estimated to be at least $316,728 based on transaction records from nine identified victims.
Read more : Hackers are breaching scam sites to hijack crypto transactions.