Water Labbu is a hacker group that has been active in recent weeks stealing cryptocurrencies. But the most striking detail of this story is that the group's targets are websites created by other scammers. This is a case of "a thief who robs a thief".
Have you ever heard of dApps? They resemble conventional applications, but work in a decentralized way, based on a blockchain. That means there is no central server behind their operation.
dApps can be useful in many legitimate applications, but they can also be used for malicious purposes. That is the case here. BleepingComputer reports that in July the FBI issued a warning about dApps posing as cryptocurrency liquidity mining services that in fact captured victims' assets.
Fake websites to lure victims
To snare victims, scammers create fake dApp websites. Typically, they lure investors with the promise of attractive rewards on liquidity mining operations.
What is that? To make it easier to understand, imagine you have bought a CDB (Certificado de Depósito Bancário, a Brazilian bank deposit certificate). With this type of investment, you lend money to a bank, which in turn uses that amount as credit for other customers. The bank then passes on part of the interest earned to you.
Liquidity mining operations work more or less the same way. Returns can genuinely be attractive, but on scam pages investors are deceived: they never get their cryptocurrencies back.
This is where Water Labbu comes into play
Water Labbu could create its own fraudulent pages. Instead, the group prefers to track down fake dApp sites and inject JavaScript code into them, as Trend Micro explains.
When a victim connects their wallet to the malicious dApp, the Water Labbu code identifies the assets held there and then attempts to capture them.
The capture method depends on a few factors. The process only starts if the wallet balance is above 0.005 ETH (Ethereum) or 22,000 USDT (Tether), for example. The script then checks whether the victim is using a Windows PC or a mobile phone (Android or iPhone).
If the victim is on a mobile phone, the script sends a transaction approval request from the fake website. If the user approves it, their balance is sent to an address controlled by Water Labbu.

Now, if the victim is on a Windows computer, a Flash Player update notice (seriously!) overlays the deceptive website. If the user downloads the fake update, it will install a backdoor whose function is — guess what — to capture cryptocurrencies.
It’s funny but it’s sad
The funny part of this story is that the scammers who created the fake sites end up with nothing. However, there are real victims, who can lose considerable sums to this scheme.
That is why it is always important to be careful. Avoiding cryptocurrency transactions on unknown platforms, being suspicious of offers that look too good (on social networks, for example), and regularly reviewing which services are linked to your wallet are a good start.
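One concrete way to "review the services linked to your wallet" is to audit the token approvals it has granted, since the approval request described above is what lets a malicious dApp move funds later. The following is an added example, not code from the article or from Trend Micro; it assumes the approvals are standard ERC-20 allowances and works from raw Approval event logs (the addresses and logs below are constructed).

```javascript
// Added example (not from the article): audit the ERC-20 approvals a wallet has granted,
// replaying raw Approval(address,address,uint256) event logs. All addresses are constructed.
const APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925";
const MAX_UINT256 = (1n << 256n) - 1n;

// A log topic is a 32-byte word; an address is its last 20 bytes (40 hex chars).
const topicToAddress = (topic) => "0x" + topic.slice(-40).toLowerCase();
// Left-pad an address to a 32-byte topic (used only to build the constructed sample).
const addressToTopic = (addr) => "0x" + addr.slice(2).toLowerCase().padStart(64, "0");

// Replay Approval logs (oldest first) to get the current allowance per (token, spender).
// A later approval overwrites an earlier one, so a revoke (value 0) brings it back to zero.
function currentAllowances(logs, owner) {
  const latest = new Map();
  for (const log of logs) {
    if (log.topics[0] !== APPROVAL_TOPIC) continue; // not an Approval event
    if (topicToAddress(log.topics[1]) !== owner.toLowerCase()) continue; // another owner
    const token = log.address.toLowerCase();
    const spender = topicToAddress(log.topics[2]);
    latest.set(`${token}|${spender}`, { token, spender, value: BigInt(log.data) });
  }
  return [...latest.values()];
}

// Open allowances to spenders outside the user's own allow-list. An unlimited
// allowance (2^256-1) lets that spender move the entire token balance at any time.
function riskyApprovals(logs, owner, trustedSpenders) {
  const trusted = new Set(trustedSpenders.map((a) => a.toLowerCase()));
  return currentAllowances(logs, owner)
    .filter((a) => a.value > 0n && !trusted.has(a.spender))
    .map((a) => ({ ...a, unlimited: a.value === MAX_UINT256 }));
}

// Constructed sample (hypothetical addresses, not real contracts).
const OWNER = "0x" + "11".repeat(20), TOKEN = "0x" + "55".repeat(20);
const TRUSTED_DEX = "0x" + "22".repeat(20), DRAINER = "0x" + "33".repeat(20), OTHER = "0x" + "44".repeat(20);
const approval = (spender, value) => ({
  address: TOKEN,
  topics: [APPROVAL_TOPIC, addressToTopic(OWNER), addressToTopic(spender)],
  data: "0x" + value.toString(16).padStart(64, "0"),
});
const SAMPLE_LOGS = [
  approval(TRUSTED_DEX, 10n ** 18n), // bounded approval to a service the user knows
  approval(DRAINER, MAX_UINT256),    // unlimited approval signed on a malicious dApp
  approval(OTHER, 100n),             // small approval ...
  approval(OTHER, 0n),               // ... later revoked
];

console.log(riskyApprovals(SAMPLE_LOGS, OWNER, [TRUSTED_DEX]));
```

In practice the logs would come from a node or block explorer filtered by the wallet as owner; the unlimited entry is the one to revoke.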
https://tecnoblog.net/noticias/2022/10/05/ladrao-que-rouba-ladrao-grupo-hacker-invade-sites-que-roubam-criptomoedas/