BleepingComputer reports that MalwareHunterTeam discovered more than 2,000 WordPress websites injected with crypto drainers that automate the theft of funds. The finding came a month after Sucuri identified nearly a thousand hacked sites being used to launch brute-force attacks against other sites.
Visitors to the compromised WordPress sites who lacked the "haw" cookie were served malicious scripts loaded from the same domain used in the campaign Sucuri discovered. The scripts displayed pop-up cryptocurrency scam ads which, when clicked, offered to connect Coinbase, Ledger, MetaMask, Trust Wallet, and Safe Wallet wallets. Once a target connected a wallet to the Web3 site, the crypto drainer exfiltrated all of the wallet's assets.
This development comes amid growing use of cryptocurrency drainers by threat actors, some of whom have used artificial intelligence videos and accounts on X, formerly Twitter, to distribute malicious scripts.
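Because the injection above was gated on the absence of the "haw" cookie, a single fetch of a page may look clean. The following added example (not code from BleepingComputer, Sucuri or MalwareHunterTeam) shows a differential check: it parses the HTML a site returns with and without the gate cookie and reports script sources present only in the cookie-less response. The sample HTML and the `attacker.example` domain are constructed placeholders.

```python
"""Differential detection of cookie-gated script injection (added example)."""
from html.parser import HTMLParser
from typing import List, Set

GATE_COOKIE = "haw"  # cookie whose absence triggered the injection in this campaign


class ScriptCollector(HTMLParser):
    """Collects external <script src> values and inline script bodies."""

    def __init__(self) -> None:
        super().__init__()
        self.external: Set[str] = set()
        self.inline: List[str] = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.add(src.strip())
        else:
            self._in_script = True  # inline body arrives via handle_data

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and data.strip():
            self.inline.append(data.strip())


def scripts_in(html: str) -> Set[str]:
    """Return a set of script identifiers: src URLs plus truncated inline bodies."""
    p = ScriptCollector()
    p.feed(html)
    return p.external | {"inline:" + body[:40] for body in p.inline}


def gated_scripts(html_without_cookie: str, html_with_cookie: str) -> Set[str]:
    """Scripts served only to visitors lacking the gate cookie (suspicious)."""
    return scripts_in(html_without_cookie) - scripts_in(html_with_cookie)


# Constructed sample responses; fetch the real pages with and without "haw=1".
CLEAN = '<html><head><script src="/wp-includes/js/jquery.js"></script></head><body>Hi</body></html>'
INJECTED = CLEAN.replace("</head>", '<script src="https://attacker.example/drain.js"></script></head>')

if __name__ == "__main__":
    print(gated_scripts(INJECTED, CLEAN))  # {'https://attacker.example/drain.js'}
```

The same comparison applies to the inline case: an injected inline `<script>` body that appears only in the cookie-less page is reported with an `inline:` prefix.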