Threat Actors Weaponize Smart Contracts to Drain User Crypto Wallets of More Than $900k
In a sophisticated campaign uncovered in early 2024, cybercriminals have begun distributing malicious Ethereum smart contracts masquerading as lucrative trading bots.
These weaponized contracts leverage Web3 development platforms such as Remix to entice victims into deploying code that appears to execute arbitrage strategies, only to siphon deposited funds into attacker-controlled wallets.
Instead of conducting legitimate trades, the contracts employ obfuscation techniques that conceal the true beneficiary address, making detection difficult for both end users and automated security tools.
The scams proliferate primarily through YouTube channels featuring aged accounts with curated playlists and artificially managed comment sections.
Videos present step-by-step guides encouraging a minimum deposit of 0.5 ETH—ostensibly to cover gas fees and seed arbitrage operations—while omitting any indication that the smart contract’s owner list includes an anonymous attacker EOA.
As of August 2025, one such campaign attributed to user “Jazz_Braze” has netted over 244.9 ETH (approximately $902,000 US) from victims deploying the counterfeit trading bot.
SentinelOne researchers identified that the contracts share a common pattern: dual ownership is defined at deployment, setting both the victim’s wallet and the attacker’s obscured EOA as owners.
Once funded, a simple invocation of a function, commonly named Start() or StartNative(), triggers the transfer of all contract-held ETH to the hidden attacker address.
Even if the victim neglects to invoke the designated function, a fallback withdrawal mechanism is embedded within the contract, enabling the attacker to drain any funds sent to the contract.
SentinelOne analysts noted that the most advanced versions of these drainer contracts employ XOR-based obfuscation to derive both the decentralized exchange router address and the attacker’s wallet address from two 32-byte constants.
In the DexInterface declaration, constants labeled apiKey and apiSignature are XORed in the following Solidity snippet to yield the attacker EOA:
address attacker = address(uint160(uint256(apiKey) ^ uint256(apiSignature)));
This technique hides the outbound EOA within the contract bytecode, preventing static analysis and simple string searches for known malicious addresses.
Obfuscation Mechanism and Evasion
The XOR obfuscation method represents a significant evolution in smart contract-based scams, combining cryptographic primitives with Solidity’s type conversions to cloak attacker infrastructure.
By storing two seemingly innocuous constants and calculating the true wallet only at runtime, the contract evades detection by signature-based scanners.
The use of uint256 to perform the XOR operation, followed by casting to uint160, ensures compatibility with Ethereum addresses while stripping away extraneous high-order bytes.
Moreover, the contracts incorporate alternative obfuscation variants—string concatenation of address fragments and large decimal-to-hex conversions—all serving the same purpose of hiding the attacker EOA.
These layered tactics complicate reverse engineering, requiring defenders to decompile bytecode, identify obfuscation patterns, and reconstruct the runtime logic in order to extract the malicious wallet address.
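The recovery step described above can be scripted once the constants have been pulled from the contract source or decompiled bytecode. The following Python helper is an added example, not SentinelOne's tooling or code from the analysed contracts: it mirrors the Solidity expression address(uint160(uint256(apiKey) ^ uint256(apiSignature))), including the uint160 truncation that discards the high 12 bytes, and also handles the two alternative variants the article mentions (a large decimal literal and concatenated address fragments). All constants in the demo are constructed for illustration; none are real attacker addresses.

```python
"""Recover an EOA hidden by the obfuscation variants described above.

Added example for defenders; the constants below are constructed for the
demo and are not real attacker or router addresses.
"""

MASK_160 = (1 << 160) - 1  # uint160 keeps only the low 20 bytes of a uint256
HEX_DIGITS = set("0123456789abcdef")


def _parse_uint256(literal: str) -> int:
    """Parse a bytes32/uint256 Solidity literal given as 0x-hex or decimal."""
    text = literal.strip()
    value = int(text, 16) if text.lower().startswith("0x") else int(text, 10)
    if not 0 <= value < (1 << 256):
        raise ValueError("literal does not fit in uint256")
    return value


def _to_address(value: int) -> str:
    """Apply the uint160 cast and format as a lowercase 20-byte address."""
    return "0x" + format(value & MASK_160, "040x")


def derive_xor_address(api_key: str, api_signature: str) -> str:
    """Mirror address(uint160(uint256(apiKey) ^ uint256(apiSignature)))."""
    return _to_address(_parse_uint256(api_key) ^ _parse_uint256(api_signature))


def decimal_to_address(decimal_literal: str) -> str:
    """Variant: the address is stored as one large decimal integer literal."""
    value = int(decimal_literal.strip(), 10)
    if value > MASK_160:
        raise ValueError("decimal literal is wider than an address")
    return _to_address(value)


def fragments_to_address(fragments) -> str:
    """Variant: the address is split into string pieces joined at runtime."""
    joined = "".join(
        f[2:] if f.lower().startswith("0x") else f for f in fragments
    ).lower()
    if len(joined) != 40 or not set(joined) <= HEX_DIGITS:
        raise ValueError("fragments do not form a 20-byte hex address")
    return "0x" + joined


if __name__ == "__main__":
    # Constructed apiKey / apiSignature pair: the high 12 bytes differ (ff vs 00)
    # and are thrown away by the uint160 cast; the low 20 bytes XOR to 0x11..11.
    api_key = "0x" + "ff" * 12 + "a" * 40
    api_signature = "0x" + "00" * 12 + "b" * 40
    print("xor variant      :", derive_xor_address(api_key, api_signature))
    print("decimal variant  :", decimal_to_address(str(0x1111111111111111111111111111111111111111)))
    print("fragment variant :", fragments_to_address(["0x11111111", "1111111111111111", "1111111111111111"]))
```

The output is lowercase hex rather than an EIP-55 checksummed address, since a checksum needs keccak-256, which the standard library does not provide; compare recovered values case-insensitively against block-explorer or threat-intel lists.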
As this threat landscape evolves, cybersecurity teams must integrate dynamic analysis and deobfuscation tooling into their Web3 security frameworks to detect and mitigate similar smart contract scams.