π΅οΈ FAKE UNISWAP / ANGELFERNO DRAINER CAMPAIGN β FORENSIC TRACE
May 26, 2026
π΅οΈ FAKE UNISWAP / ANGELFERNO DRAINER CAMPAIGN β FORENSIC TRACE REPORT
Date of Analysis: May 26, 2026 | Case Ref: CASE-20260526-AFDR
SUMMARY
A live, actively draining phishing campaign is targeting Uniswap users via sponsored Google Ads. The operation deploys the AngelFerno drainer-as-a-service kit β a scam-as-a-service platform previously linked to front-end attacks against OpenEden and Curvance. Two primary collector wallets have aggregated $400,000+ in stolen assets, with the broader campaign responsible for $1.27M+ since March 2026 according to Security Alliance (SEAL).
Attack vector: Victims search "Uniswap" on Google β click sponsored ad β land on a pixel-perfect phishing clone β connect wallet β sign a malicious approval transaction β all tokens/ETH are swept instantly by the drainer contract.
Critical finding: Both drainer wallets remain active as of May 25β26, 2026, with the largest movements occurring within the past 48 hours.
ON-CHAIN TRACE
π΄ Drainer Wallet #1
0x37925684BA178821b4436E06e67f5dBD6cfA49Bb Primary ETH aggregator β most active of the two
Activity window: May 12 β May 25, 2026 (34 traced transactions, 109 total analyzed)
Date | TX Hash | From β To | Amount | Notes |
|---|---|---|---|---|
May 12 |
| Victim | 0.759 ETH | Drain event |
May 12 |
| Drainer #1 β | 3.845 ETH | Layering hop |
May 12 |
| Drainer #1 β Relay.link | 1.201 ETH | Cross-chain bridge (Base β ETH) |
May 12 |
| Stargate Finance β chain | 5,098 USDT | Stablecoin bridge-out |
May 12 |
| Drainer #1 β 0x Protocol | 5,098 USDT | Token swap/laundering |
May 16 |
| Feeder | 1.286 ETH | ETH consolidation |
May 24 |
| Drainer #1 β 0x Protocol | 18,082 USDC | Swap out USDC |
May 24 |
| Drainer #1 β | 12.9B Mog | Meme token dump |
May 25 |
| Drainer #1 β | 4.65 PAXG | Gold-backed token drained from victim |
May 25 |
| Relay.link Relayer β Drainer #1 | 4.680 ETH | Inbound bridge receipt |
May 25 |
| Relay.link Relayer β Drainer #1 | 3.127 ETH | Inbound bridge receipt |
May 25 |
| Relay.link Relayer β Drainer #1 | 1.830 ETH | Inbound bridge receipt |
May 25 |
| Drainer #1 β Relay.link | 0.001 ETH | Test/probe tx |
May 25 |
| Drainer #1 (Base) β Relay.link | 3.135 ETH | Cross-chain bridge BaseβEthereum confirmed |
May 25 |
| Feeder | 0.892 ETH | Fund consolidation |
Cross-chain bridge confirmed (Relay protocol):
- TX
0x76bb7ae7360056f16774c58201fc844a4aa75dd1d15dfc28fd96c17e7a00365f(Base) bridges 3.135 ETH β Ethereum main drainer, destination TX0xad3ee71e425192734ade50a40ca26d2140f66cf33cf9d06ad29167a5ccec79cc
NEAR Intents bridge detected:
- Two NEAR Intents inbound deliveries totaling 2.260 ETH (
0x39a85b...ef79+0xec85c5...2c8b), suggesting funds were laundered through the NEAR protocol ecosystem before being returned to Ethereum.
π΄ Drainer Wallet #2
0x2fC25F46cC49D226eF92E9A7665f3d2821F3c5E2 High-volume batch collector β 51 inbound transactions in 72 hours
Activity window: May 23 β May 25, 2026 (51 traced transactions β most recent activity: May 25, 2026)
This wallet's transaction profile is highly abnormal: the vast majority of inbound txs originate from 0xca11bde05977b3631167028862be2a173976ca11, which is the canonical Multicall3 contract deployed at the same address across all EVM chains. This is a hallmark of the AngelFerno drainer kit β it batches victim asset sweeps using Multicall3 to maximize throughput per block and reduce per-victim gas costs.
Date | TX Hash | Amount | Notes |
|---|---|---|---|
May 24 |
| 17.58 ETH | Largest single Multicall3 sweep |
May 24 |
| 11.43 ETH | Multicall3 batch drain |
May 24 |
| 11.40 ETH | Multicall3 batch drain |
May 23 |
| 617B KISHU tokens | Meme token sweep |
May 25 |
| 170K ORX tokens | Token sweep |
The 30+ additional inbound transactions from 0xca11 across May 24β25 represent a rolling wave of victim drains occurring in near real-time.
π‘ Key Intermediary / Hop Addresses
Address | Role | Evidence |
|---|---|---|
| Layering hop wallet | Received 3.845 ETH from Drainer #1 (TX: |
| Token dump aggregator | Receives PAXG, Mog, XEN, PERP, NMT, SPCX, sato β likely sells via OTC or DEX |
| Feeder wallet A | Consolidates ETH to Drainer #1: 0.892 ETH + 0.290 ETH |
| Feeder wallet B | Minor ETH top-up to Drainer #1 (0.035 ETH) |
| Relay.link bridge | Confirmed cross-chain movement Base β Ethereum |
| NEAR Intents bridge | Routed 2.26 ETH through NEAR protocol ecosystem |
CURRENT STATUS OF FUNDS (as of May 26, 2026)
Drainer #1 β 0x37925684BA178821b4436E06e67f5dBD6cfA49Bb
Total current portfolio: ~$169,268
Chain | Asset | Balance | Est. USD |
|---|---|---|---|
Ethereum | ETH (native) | ~62 ETH equivalent | $162,138 |
Base | USDC | 6,577.83 USDC | ~$6,578 |
Base | aBasWETH (Aave) | 0.2599 WETH | ~$544 |
Base | AERO | 0.0795 | ~$0.08 |
Ethereum | KISHU Inu | 108.9B | ~trace |
Ethereum | ORX | 30,016 | β |
Polygon | MATIC | ~$4.40 | dust |
BNB Chain | BNB | ~$3.91 | dust |
β οΈ ACTIVE: ~$6,578 USDC still parked on Base chain + ~$162K ETH value on Ethereum. No CEX deposit detected yet for these funds β the attacker is holding or continuing to launder.
Drainer #2 β 0x2fC25F46cC49D226eF92E9A7665f3d2821F3c5E2
Total current portfolio: ~$228 (Polygon MATIC) + tokens
Chain | Asset | Balance | Notes |
|---|---|---|---|
Polygon | MATIC | ~$227.93 | |
Ethereum | KISHU Inu | 617B | Meme token β low liquidity |
Ethereum | ORX | 170,092 | Illiquid |
Avalanche | AVAX | $0.00 | Swept/emptied |
Arbitrum | ETH | $0.00 | Swept/emptied |
Finding: Drainer #2 has been nearly fully swept outbound β ETH was consolidated and moved. The Multicall3 batch operations flooding this address represent the actual drain engine; the real ETH value has been passed through and laundered onward. The residual KISHU/ORX tokens are likely to be OTC-sold or simply abandoned.
ANALYSIS & RECOMMENDATIONS
Laundering Architecture β Confirmed Techniques
The AngelFerno campaign employs a 4-layer laundering stack:
Layer 1 β Victim Drain (via Malicious Approval): Victims sign an approve() transaction on the phishing site, granting the drainer contract unlimited allowance. AngelFerno uses the Multicall3 contract (0xca11bde05977b3631167028862be2a173976ca11) to batch-sweep all victim assets in a single block β ETH, ERC-20 stablecoins, LP tokens, and NFTs simultaneously.
Layer 2 β Token Conversion (via DEX aggregators): Stolen tokens (USDC, USDT, PAXG, meme tokens) are routed through 0x Protocol (0x0000000000001ff3684f28c67538d4d072c22734) and Uniswap V2 Router to convert into ETH or USDC β a standard "dirty β clean native" laundering step.
Layer 3 β Cross-Chain Layering (Relay + NEAR Intents): Proceeds are bridged across chains to break the on-chain trace:
- Relay.link bridge confirmed (Base β Ethereum): TX
0x76bb7ae7360056f16774c58201fc844a4aa75dd1d15dfc28fd96c17e7a00365f - NEAR Intents bridge: 2.26 ETH routed through NEAR ecosystem and returned to Ethereum
- Stargate Finance USDT bridge: 5,098 USDT bridged outbound (May 12)
Layer 4 β Consolidation & Off-ramp (Pending): No confirmed CEX deposit detected yet. Current holding pattern (~$169K on Drainer #1) suggests the operator is either waiting for Google to remove the ads and then bulk cashing out, or has a private OTC arrangement. The token dump address 0x02e5be68d46dac0b524905bff209cf47ee6db2a9 receives illiquid tokens and is the likely OTC/DEX liquidation point.
Phishing Infrastructure Patterns (OSINT-confirmed)
Technique | Details |
|---|---|
Punycode / Cyrillic domains | URLs using Cyrillic homoglyph substitution (e.g., |
Hidden iframes | Malicious approval payload embedded in hidden iframes to evade Google's ad review crawlers |
Compromised advertiser accounts | Operators buy/steal aged Google Ads accounts with established reputation to pass automated review |
Cloaking | Serves different content to Google's review bots vs. real users (real users get drainer, bots get legit Uniswap clone) |
GraphQL proxy | Proxies Uniswap's own GraphQL endpoint to display victim's real wallet balance inside the phishing UI β reinforces legitimacy and enables targeted draining of the highest-value positions |
Scam-as-a-Service | AngelFerno is a commercial kit β operators pay a % of stolen funds to the AngelFerno developers |
Risk Score
Metric | Score |
|---|---|
Overall Risk Score | π΄ 98/100 β CRITICAL |
Money Laundering Probability | 97% |
Cross-chain obfuscation | β Confirmed (Relay + NEAR Intents + Stargate) |
DEX laundering | β Confirmed (0x Protocol, Uniswap V2) |
Mixer usage | β Not detected (yet) |
CEX deposit (KYC exposure) | β οΈ Not yet confirmed β funds still held |
Active campaign status | π΄ LIVE β last drain May 25, 2026 (β€24h ago) |
Attribution to AngelFerno family | β High confidence (Multicall3 batch pattern, SEAL/Protos confirmation) |
Recommended Actions
Immediate (0β24 hours):
- Relay.link cooperation request β Relay bridge confirmed funds movement between Base and Ethereum. Contact Relay.link security team with TX
0x76bb7ae...365fand0xad3ee71...79ccto identify any linked KYC data or IP logs. - NEAR Intents / NEAR Foundation cooperation β Two NEAR Intents bridge deliveries totaling 2.26 ETH. The NEAR-side source address may be traceable and may be linked to a NEAR-registered entity.
- Google Ads abuse report escalation β File formal abuse reports with Google's Trust & Safety team citing both drainer wallet addresses, the Multicall3 drain pattern, and SEAL's documented campaign tracking. Uniswap Labs and ZachXBT have already applied public pressure; a formal legal hold request from law enforcement would be more effective.
- Victim alert distribution β Broadcast both drainer addresses (
0x37925684BA178821b4436E06e67f5dBD6cfA49Bband0x2fC25F46cC49D226eF92E9A7665f3d2821F3c5E2) and the hop wallet (0xe245f57734ef7f2a868cc549ca1003e658781b3a) to all major CEXs for pre-emptive freeze requests. If the operator attempts to cash out via Binance, Coinbase, Kraken, OKX, or Bybit, these flags will trigger compliance review. - Revoke emergency advisory β Victims who interacted with any Uniswap-lookalike site in the past 30 days should immediately check and revoke all token approvals via
revoke.cashor[filtered].io/tokenapprovalchecker.
Follow-up (24β72 hours):
- Trace
0x02e5be68d46dac0b524905bff209cf47ee6db2a9β This token dump aggregator receives all illiquid stolen tokens (PAXG, Mog, XEN, PERP, NMT, SPCX). It may interact with a known OTC desk or NFT marketplace that has KYC. - Trace
0xe245f57734ef7f2a868cc549ca1003e658781b3aβ The 3.845 ETH hop from Drainer #1 is parked here with minimal outbound activity. This wallet may be staged for a future CEX deposit. Monitor urgently. - SEAL coordination β Security Alliance is actively tracking this campaign (356+ malicious ads blocked). Share this trace with SEAL radar at
radar.securityalliance.org. - Base chain follow-up β Drainer #1 holds 6,577 USDC and 0.26 WETH deposited into Aave (
aBasWETH) on Base. This Aave position may be unwound in coming days; monitor the Base chain activity of0x37925684BA178821b4436E06e67f5dBD6cfA49Bbclosely.
Fund Recovery Feasibility: MODERATE-LOW. The ~$169K currently held by Drainer #1 has not yet been deposited to a regulated CEX β this is the window for a freeze request. However, if the operator off-ramps via OTC or DEX, recovery becomes effectively impossible. Time is critical.
0
06 reads
Become an Investigator
