An active drainer campaign has emerged on Arbitrum, targeting Aave V3 users who supply WETH by exploiting the current freeze on the rsETH/WETH reserve. On April 21, a sophisticated phishing attack drained approximately $23,373 in aArbWETH from a single victim wallet, with on-chain evidence suggesting this represents part of a larger, coordinated operation rather than an isolated incident. The attack itself did not exploit any vulnerability in Aave's core contracts; instead, attackers relied on a classic off-chain signature phishing technique to gain unauthorized access to user funds.
The mechanics of this campaign reveal a textbook modern phishing vector. Victims were tricked into signing what appeared to be routine permit signatures, most likely in either the Permit2 format or the older EIP-2612 format, which granted a malicious contract approval to transfer aArbWETH holdings directly from their wallets. Once the signature was obtained, the attacker's contract executed the transfer without requiring any further user interaction or confirmation. The drainer contract then immediately split the stolen assets between two addresses in a consistent 15/85 ratio, a pattern characteristic of drainer-as-a-service kits such as Inferno Drainer, Angel Drainer, and Pink Drainer. This split typically allocates the smaller portion to the kit developer and the larger share to the operator, suggesting a commoditized attack infrastructure rather than ad-hoc theft.
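As an added illustration (not code from the original report or from Aave), the check below reviews an EIP-712 signature request of the two kinds described above, EIP-2612 `Permit` and Permit2 `PermitSingle`, and reports the red flags a wallet user should look for before signing: an unknown spender, an effectively unlimited allowance, and a deadline far in the future. All addresses and the sample requests are constructed placeholders.

```python
MAX_U256 = 2**256 - 1   # EIP-2612 `value` is uint256
MAX_U160 = 2**160 - 1   # Permit2 `amount` is uint160


def review_permit(typed_data: dict, trusted_spenders: set[str], now: int,
                  max_deadline_secs: int = 3600) -> list[str]:
    """Return human-readable warnings for a permit request; an empty list means no red flags."""
    primary = typed_data.get("primaryType")
    msg = typed_data.get("message", {})
    if primary == "Permit":                      # EIP-2612: fields sit at the top level of `message`
        spender, amount = msg["spender"], int(msg["value"])
        deadline, max_amount = int(msg["deadline"]), MAX_U256
        token = typed_data.get("domain", {}).get("verifyingContract", "?")
    elif primary == "PermitSingle":              # Permit2: token/amount/expiration nested in `details`
        d = msg["details"]
        spender, amount = msg["spender"], int(d["amount"])
        deadline, max_amount = int(d["expiration"]), MAX_U160
        token = d["token"]
    else:
        return [f"unrecognised primaryType {primary!r}; refuse to sign"]

    warnings = []
    if spender.lower() not in {s.lower() for s in trusted_spenders}:
        warnings.append(f"spender {spender} is not a known contract")
    if amount == max_amount or amount > 2**128:   # "infinite" approval in either format
        warnings.append(f"allowance on {token} is effectively unlimited ({amount})")
    if deadline > now + max_deadline_secs:       # a permit that never expires can be replayed later
        warnings.append(f"deadline {deadline} is far beyond {now + max_deadline_secs}")
    return warnings


# Constructed samples with placeholder addresses (not the real contracts involved).
NOW = 1_700_000_000
PHISHING_REQUEST = {                             # what a drainer page would ask a victim to sign
    "primaryType": "Permit",
    "domain": {"name": "Aave Arbitrum WETH", "chainId": 42161,
               "verifyingContract": "0xATOKEN_PLACEHOLDER"},
    "message": {"owner": "0xVICTIM_PLACEHOLDER", "spender": "0xDRAINER_PLACEHOLDER",
                "value": str(MAX_U256), "nonce": 0, "deadline": str(MAX_U256)},
}
BENIGN_REQUEST = {                               # a short-lived, bounded Permit2 approval
    "primaryType": "PermitSingle",
    "domain": {"name": "Permit2", "chainId": 42161, "verifyingContract": "0xPERMIT2_PLACEHOLDER"},
    "message": {"details": {"token": "0xATOKEN_PLACEHOLDER", "amount": str(10**18),
                            "expiration": str(NOW + 600), "nonce": 0},
                "spender": "0xROUTER_PLACEHOLDER", "sigDeadline": str(NOW + 600)},
}
```

Run `review_permit(PHISHING_REQUEST, {"0xROUTER_PLACEHOLDER"}, NOW)` to see all three warnings raised; the benign request returns none.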
What makes this campaign particularly cunning is its timing relative to the WETH freeze. By targeting suppliers during a period of heightened uncertainty around the reserve's status, attackers capitalized on widespread attention and anxiety within the community. The stolen aArbWETH cannot currently be redeemed for WETH due to the Protocol Guardian's freeze on the Arbitrum WETH reserve, effectively trapping the attacker's proceeds—at least temporarily. This constraint may have been deliberate on the attacker's part, banking on eventual reserve unfreezing to liquidate holdings, or it may simply reflect opportunistic timing. Either way, the frozen state creates a visible, traceable window for security teams and community members to identify other potential victims and coordinate defensive responses.
The broader lesson here extends beyond this single incident. Sophisticated phishing campaigns no longer require protocol flaws; they exploit user behavior, regulatory uncertainty, and the friction inherent in Web3's cryptographic approval model. Aave users should use Etherscan or Revoke.cash to check for approvals granted to unfamiliar contracts and revoke any they do not recognize, and the community should remain vigilant as drainer-as-a-service tools continue to evolve their social engineering tactics. Whether the Protocol Guardian unfreezes the WETH reserve will likely determine whether these attackers can successfully exit their positions.