Malicious actors exploit smart contracts to siphon over $900,000 from user cryptocurrency wallets.

In early 2024, a sophisticated campaign emerged, revealing that cybercriminals were distributing malicious Ethereum smart contracts disguised as lucrative trading bots. These weaponised contracts utilised Web3 development platforms like Remix to lure victims into deploying code that ostensibly executed arbitrage strategies, only to redirect deposited funds into wallets controlled by attackers. Rather than conducting legitimate trades, the contracts employed advanced obfuscation techniques to conceal the true beneficiary address, complicating detection for both end users and automated security tools. The scams proliferated primarily through YouTube channels featuring aged accounts with curated playlists and artificially managed comment sections. Videos provided step-by-step guides encouraging a minimum deposit of 0.5 ETH, purportedly to cover gas fees and initiate arbitrage operations, while failing to disclose that the smart contract’s owner list included an anonymous attacker Externally Owned Account (EOA).

By August 2025, one campaign attributed to the user “Jazz_Braze” had reportedly netted over 244.9 ETH, approximately $902,000 AUD, from victims deploying the counterfeit trading bot. Researchers from SentinelOne identified a common pattern among these contracts: dual ownership was established at deployment, designating both the victim’s wallet and the attacker’s obscured EOA as owners. Once funded, a simple invocation of a function, typically named Start() or StartNative(), triggered the transfer of all contract-held ETH to the hidden attacker address. Even if the victim neglected to invoke the designated function, a fallback withdrawal mechanism embedded within the contract allowed the attacker to drain any funds sent to it. The most advanced versions of these drainer contracts utilised XOR-based obfuscation to derive both the decentralised exchange router address and the attacker’s wallet address from two 32-byte constants, effectively hiding the outbound EOA within the contract bytecode and evading detection by signature-based scanners.