Water Labbu Malware is targeting scammers, Here’s what you need to know


  • Recent news stories have described how one guy found bitcoin thieves and stole their ill-gotten gains.
  • A similar method was reportedly employed by the fraudster’s robber, going by the moniker of Water Labbu, to steal cryptocurrencies by gaining access to his victims’ wallets.
  • According to the analysts, 45 scam websites with a “lossless mining liquidity commitment” theme have been compromised by Water Labbu.

For cryptocurrency scammers, it’s a world of one-upmanship. Recent headlines have shown how one person tracked down cryptocurrency criminals to steal their fraudulently obtained money.

Social engineering tactics are frequently used by cryptocurrency scammers to communicate with their victims and persuade them to part with their hard-earned cash. Scammers accomplish this by either delivering money directly to fraudsters or by granting the access necessary to wallets.

According to reports, the fraudster’s robber, going by the name of Water Labbu, used a similar technique to steal cryptocurrency by securing access to the wallets of his victims. However, they avoided any form of social engineering and instead let the original fraudsters handle the grubby work.

The hackers don’t interact with the victims; instead, they leave the scammers to handle all social engineering tasks. When a user joins their wallet to the dApp, Water Labbu’s script checks to see whether it includes a significant amount of cryptocurrency holdings and if it does, it makes several theft attempts using the methods mentioned below.

The analysts claim that Water Labbu has compromised 45 scam websites, the majority of which have a “lossless mining liquidity commitment” theme.

Based on the transaction histories of nine identified victims, Trend Micro estimates that Water Labbu generated at least $316,728 in profit.

Water Labbu placed malicious JavaScript code onto other scammers’ websites that were masquerading as real dApps rather than building their fraudulent websites from scratch.

Before inserting a JavaScript payload into that page to steal the money, Water Labbu diligently waited for high-value victims to connect their wallets to a fake dApp.

For the victims of the first con artist, nothing changed; they continued to be defrauded. The only distinction is that Water Labbu started stealing cryptocurrency from scammers and transferring the money to their accounts.

In one case, the malicious script swapped the USDT from two addresses on the Uniswap exchange, first to the USDC stablecoin and then to ETH, and then sent the ETH funds to the Tornado Cash mixer.