Close this search box.

Axie Infinity Player Wallets Targeted by Poisoned Google Ads Content

The top NFT Ethereum-based game Axie infinity, is a Pokemon-like play-to-earn game that lets its users earn SLP (Smooth Love Potion). This potion can be traded as a crypto currency and has recently reached its all-time high value of $0.40+. Many people are trying to get into this hot crypto game, and with that comes the risk of getting targeted by threat actors.

Here we encountered some google ads when trying to search for “Ronin Wallet”. Ronin is the digital wallet used in the game if you want start playing.

Ronin Wallet search

Figure 1. Search results for “Ronin Wallet”.

Ronin Wallet search ad

Figure 2. Top ad result points to hxxp://account.roninwallet[.]us

Once you click the link on the ad, it will redirect you to hxxps://roninwallet[.]net/app/. The landing page looks exactly like the legitimate Ronin wallet browser extension page.

Fake Ronin Wallet page

Figure 3. Fake Ronin Wallet page.

Legitimate Ronin Wallet page

Figure 4. Legitimate Ronin Wallet Chrome extension page.

  Since the phishing page mimics the functionality of the legitimate ronin wallet, the process of creating and importing a wallet is just like the legitimate one. If a victim tries to create a new wallet, a wallet will be created on the legitimate website. We tried to create a wallet on the fake page and verify it on the legitimate site and it indeed created one. Fake Ronin Wallet create page

Figure 5. Fake Create a New Wallet page

Creating a new wallet will require the account owner to transfer funds from their own cryptocurrency accounts, which means there is less of a chance for the threat actor to steal cryptocurrency immediately. Crypto currency wallets are locked using a seed/secret phrase, allowing wallet owners to import their wallets from other devices, such as a mobile phone, or another computer using either a mobile app version of the wallet or a browser extension. This feature, though very convenient, makes the wallet owners more vulnerable because importing an existing wallet may mean that the wallet already contains crypto currencies that the threat actors can steal.

Understand what it takes to detect and respond to targeted phishing attacks on Office 365 in real-time.

Read the Playbook  
Like the wallet creation page, the wallet import functionality was mimicked by the threat actor and looks exactly like the legitimate Ronin wallet page. Looking through the phishing page html source shows embedded JavaScript code that is not present in the legitimate extension page. Below is the screenshot of the comparison of the source codes: Legitimate Ronin Wallet code

Figure 6. Inspection view of the Legitimate Ronin Wallet extension page.

Fake Ronin Wallet page code

Figure 7. Inspection view of the fake Ronin wallet seed import page.

  Below is an excerpt of the script used in the fake page for importing a ronin wallet, which redirects the victim to once the ronin wallet seed phrase has been successfully entered. This tricks the user into believing that the form in use is from the legitimate Ronin developer. Ronin Wallet seed phrase stealing code

Figure 8. Embedded JavaScript code, which steals imported wallet seed phrase.

Cyren detects these phishing pages as JS/Ronphish.A!Eldorado.

Best Practice and Recommendations

Since writing this blog, the phishing pages have already been suspended, but we highly advise players to only open links to the Ronin installation binaries from the official Axie Infinity site to avoid being a victim of threat actors that are abusing ad contents.

Indicators of Compromise

hxxp://account[.]roninwallet[.]us hxxp://www[.]ronin-wallet[.]com

Find out how to investigate targeted phishing incidents.

Read the Playbook