Describe the bug
Angel Drainer, a notorious drainer that has drained over $100m from MetaMask users, is bypassing phishing detection by changing its C2 domain every 5 minutes, which avoids detection by the eth-phishing-detect module because its refresh interval is 5 minutes.
You can see here that their contract calls "Change Data" every 5 minutes, as soon as their workers.dev (Cloudflare free domain) ends up on the block list, which typically happens within minutes. https://bscscan.com/address/0xd24aeC3254652B0ab565E41A945b491e98Bb5FFC
https://raw.githubusercontent.com/MetaMask/eth-phishing-detect/refs/heads/main/src/config.json This whole list is full of workers.dev domains, which are used to proxy the malicious drainer software.
You should ban workers.dev URLs completely, as no actual legitimate website uses it, and there are many patterns they use when sending these URLs.
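The gap described above, as an added example that is not part of this issue or of eth-phishing-detect itself: an exact-match blocklist snapshot refreshed every 5 minutes is compared with a suffix rule that treats every `*.workers.dev` host as blocked. A host rotated in after the snapshot was taken is missed by the list but caught by the suffix rule. All hostnames and the snapshot are constructed placeholders, and the suffix verdict is returned separately from the list verdict so a deployment can decide whether it blocks or only warns.

```javascript
// Added example, not eth-phishing-detect code. Models a blocklist snapshot that
// is refreshed on a fixed interval and a blanket suffix rule for workers.dev.
const SNAPSHOT_INTERVAL_MS = 5 * 60 * 1000; // the 5-minute refresh from the report

// Constructed blocklist snapshot as fetched at time 0 (placeholder hosts).
const blocklistSnapshot = {
  fetchedAt: 0,
  blocklist: ['first-drainer.example.workers.dev', 'event-eigenfoundation.org'],
};

// Suffixes on which a blanket rule applies (the report's workers.dev proposal).
const BLOCKED_SUFFIXES = ['.workers.dev'];

// Normalise the hostname: lowercase, drop a trailing dot.
function hostnameOf(url) {
  return new URL(url).hostname.toLowerCase().replace(/\.$/, '');
}

// Exact match against the snapshot: only hosts known at fetch time are hit.
function exactMatch(host, snapshot) {
  return snapshot.blocklist.includes(host);
}

// Suffix match: any subdomain of a blocked suffix, but not the bare apex itself.
function suffixMatch(host) {
  return BLOCKED_SUFFIXES.some(s => host.endsWith(s) && host.length > s.length);
}

// Classify one URL at time `now`; the snapshot is stale once the interval elapsed.
function classify(url, snapshot, now) {
  const host = hostnameOf(url);
  return {
    host,
    blockedByList: exactMatch(host, snapshot),
    blockedBySuffix: suffixMatch(host),
    snapshotStale: now - snapshot.fetchedAt >= SNAPSHOT_INTERVAL_MS,
  };
}

// Simulated rotation: hosts launched after the snapshot was taken, so none of
// them is on the list yet. Counts how each rule fares against the batch.
function rotationCoverage(rotatedHosts, snapshot) {
  let listHits = 0;
  let suffixHits = 0;
  for (const h of rotatedHosts) {
    if (exactMatch(h, snapshot)) listHits += 1;
    if (suffixMatch(h)) suffixHits += 1;
  }
  return { listHits, suffixHits, total: rotatedHosts.length };
}
```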
Expected behavior
eth-phishing-detect is already detecting these URLs, but they are not being blocked yet because the URLs are dynamically refreshed! Do this immediately.
Screenshots/Recordings
No response
Steps to reproduce
Visit a phishing site such as event-eigenfoundation.org and you will see that its C2 domains are not flagged as they should be; they bypass detection by launching a new domain each time the C2 block list is refreshed.
Error messages or log output
No response
Detection stage
In production (default)
Version
ANY
Build type
None
Browser
Chrome, Firefox, Microsoft Edge, Brave, Other (please elaborate in the "Additional Context" section)
Operating system
Windows, MacOS, Linux
Hardware wallet
No response
Additional context
No response
Severity
This is highly severe as it makes users lose millions of dollars daily.