“Crypto drainer” template facilitates theft

187 points by eliya_confiant almost 3 years ago

17 comments

astoor almost 3 years ago
This sort of thing is as old as crypto itself - see e.g. "How to steal Bitcoins" with some excellent HN comments (including from one of the thieves referenced in the original article) from 8 years ago: https://news.ycombinator.com/item?id=7365663
Barrera almost 3 years ago
> Victim connects their wallet to “mint”.

It's not clear exactly what's going on here. The word "connect" by itself implies two modes: (1) present public keys; or (2) present private keys. But the loss of property suggests it's (2). If so, then the people falling for this are hopelessly incompetent.

Of course, this has been a problem from the start of Bitcoin. Users "buy" something they have no clue how to secure. They don't understand at all how public key cryptography works, or worse, they bring truly bad mental models from their experience with their online bank or Facebook. Then they get burned. Nothing new here.

It's for this reason that central bank digital currencies are one of the worst ideas ever to come out of central banks. The average person is in no position to even think about managing cryptographic material let alone securing life-changing amounts of money with it. Idiot-proofing CBDC will mean that the central bank just becomes an actual, central, bank. No crypto required. A real one where people actually keep their money. So long to private banks.
koprulusector almost 3 years ago
I am honestly mind blown that a scam tool like this isn’t minified and uglified to obfuscate reverse engineering. The process also strips comments, which I imagine would’ve been a preference of the perpetrator.

I assume the example from the author [of the blog post] must’ve been a deployment by someone without much experience with the javascript ecosystem or extremely lazy. Pretending this assumption is correct, what does it tell us? Is it a reflection of the environment’s lack of regulation (even industry/market led, like PCI) and a deluge of unsophisticated (ignorant) users/consumers?
caylus almost 3 years ago
Others in the thread have mentioned that the MetaMask wallet provides a warning prior to allowing a site like this to access the wallet.

For reference, this appears to be an example of that warning: https://github.com/MetaMask/metamask-extension/issues/11337

Transcript: "Signing this message can have dangerous side effects. Only sign messages from sites you fully trust with your entire account. This dangerous method will be removed in a future version."

Presumably part of the issue is that a legitimate "NFT mint" transaction might also carry the same warning.
cvccvroomvroom almost 3 years ago
When a scam is nearly indistinguishable from another scam, something else is inherently wrong.
PragmaticPulp almost 3 years ago
Absolutely baffling that the crypto community normalized this process of connecting your wallet to a random website and letting it access all of your money.

I see a lot of victim-blaming suggestions that it's the fault of the person who didn't set up a new crypto wallet for every interaction they might want to make and then transfer enough money into said wallet to cover unpredictable gas fees (while also paying gas fees to transfer the money) and then, presumably pay even more gas fees to transfer everything back out of the wallet if it turns out to not be a scam. It's incredible that crypto has reached a point where some people seem to think this is all totally reasonable and natural to expect the average user to know.
mjcohen almost 3 years ago
Best way to make money from crypto.
scoofy almost 3 years ago
Regulation can be bad, but it can also be good.

People think of history like it was wonderful, but it was full of cons and scams. Reputation matters, and people with reputations charge a premium for it.

Some of the best aspects of regulations is exactly to remove the reputation tax by mandating everyone follow the same practices as the trusted institution.

The real sad aspect is that the crypto-libertarians of today are repeating some of the exact same *clear* scams from the wildcatting era, and when it's brought up, it's just mocked because, honestly, who is going to read a book about 19th century finance when you can just watch the new star wars show instead.
DonHopkins almost 3 years ago
I absolutely despise crypto scammers, but looking at those asinine graphics they use to lure in their suckers, it makes it VERY VERY VERY difficult to have any empathy for their victims.

If that whole "Amazing Pandaverse" theme template appeals to your aesthetic sensibilities and primal urge to get rich quick and screw everyone else and the environment while wearing kewl sunglasses and dollar sign bitcoin logo bling jewelry, you're probably a huge narcissistic douchebag who actually deserves to get the fuck scammed out of you, not a poor innocent senior citizen living on a pension.

It kind of makes me nostalgic for the good old fashioned robot insurance scams targeting seniors, when you could actually feel sorry for the victims.

https://www.youtube.com/watch?v=g4Gh_IcK8UM
Hunter223 almost 3 years ago
Thanks to MATT DUNHAM. I was able to recover all my lost bitcoin from forex trading guys, when it comes to recovery of funds either from binary options, crypto, forex and Ponzi schemes. ( MATTDUNHAM928 at gmail dot com ) He's the best recovery expert I have ever seen all my life. He recovered my funds and also funds of my friends, colleagues who were in similar situation as I was...
ackbar03 almost 3 years ago
I sometimes wonder what people behind these actually do (or used to do) and how they got into it. It takes real work to build these things, deploy, sell, and maintain these things, doesn't seem to be the sort of thing that grew from a weekend side-project in my opinion. They could spend that time working on something more legal.
Animats almost 3 years ago
"Connecting a wallet" makes it vulnerable to Javascript from a web site? Who designed that?
cvccvroomvroom almost 3 years ago
My next billion dollar apps will be disposable crypto wallets and currently obscure website accreditation.
charlie0 almost 3 years ago
Soon to be millions, and then hundreds of thousands if the crypto market continues to spiral.
walrus01 almost 3 years ago
Am I a bad person if I think that people buying the latest hyped NFT deserve to have their 'crypto' drained?

NFTs of art images are such an absurdity.
renewiltord almost 3 years ago
So let me get this straight. You just connect your Wallet to a random website and let them run arbitrary smart contracts? That's wild, man. Surely there's gotta be some concern here that someone could take your shit.

I'm just surprised there isn't a privacy.com equivalent for this, like a limited-view wallet that lets you create sub-wallets for interaction with various services. Or if there is, perhaps it's not famous yet. Worthwhile product, I think, but hard to build because you'll be the target of everything. I think it would be easy for me to make a mistake somewhere while building it.