Crypto-Seeking Drainer Scam-as-a-Service Operations Thrive

$295 Million in Digital Assets Lost Last Year to Wallet Drainers, Researchers Warn
A flurry of phishing attacks driven by cryptocurrency fraud highlights criminals' ongoing quest to separate digital money holders from their coins.

Criminals in recent weeks compromised a trio of high-profile social media accounts - including for the U.S. Securities and Exchange Commission, threat intelligence firm Mandiant and crypto platform CoinGecko - to spread links to cryptocurrency phishing sites (see: Cryptohack Roundup: It's Raining Phishing Scams on X).

As with so many things involving online crime, these attacks relied on a variety of hosted services to help.

Many cryptocurrency-targeting thieves tap scam-as-a-service operations such as MS Drainer, Angel Drainer and Chick Drainer, experts say. Such services provide malware and sometimes create and host phishing pages for users in return for a cut of all crypto assets stolen. Customers of such services typically circulate links via social networks such as X - formerly known as Twitter - and Discord that lead to phishing sites designed to drain users' wallets.

Last year, phishing scams collectively stole nearly $300 million in digital assets from more than 324,000 cryptocurrency users, reported blockchain security platform Scam Sniffer.

Using on-demand drainers to steal cryptocurrency can be very lucrative. Scam Sniffer said the largest single known heist tied to drainers last year involved the September theft of assets worth $24 million. In that case, the firm said, the victim had fallen for an "increase allowance" phishing attack, in which they agreed to give an allowance to another address, permitting them to retrieve ethereum tokens. The ability to increase allowance is a feature of ERC-20 token smart contracts, which is the standard for ethereum blockchains, although the ethereum project warns that the feature is regularly abused by attackers.
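As an added example (not code from Scam Sniffer, Group-IB or the ethereum project), this sketch shows how a wallet or monitoring tool could decode a pending transaction's calldata and flag an allowance grant before the user signs. The spender address, allowlist and balance are constructed placeholders, and the `review` policy is an assumption for illustration.

```python
# Added example: flag ERC-20 allowance grants in calldata before signing.
# Selector = first 4 bytes of keccak256(function signature).
ALLOWANCE_SELECTORS = {
    "095ea7b3": "approve(address,uint256)",
    "39509351": "increaseAllowance(address,uint256)",
}
MAX_UINT256 = 2**256 - 1

# Constructed sample: placeholder spender, maximum possible amount.
SAMPLE_SPENDER = "0x" + "00" * 16 + "deadbeef"
SAMPLE_CALLDATA = "0x39509351" + SAMPLE_SPENDER[2:].rjust(64, "0") + "f" * 64


def decode_allowance_call(calldata_hex):
    """Return details of an allowance grant, or None for any other call."""
    data = calldata_hex.lower()
    if data.startswith("0x"):
        data = data[2:]
    name = ALLOWANCE_SELECTORS.get(data[:8])
    if name is None:
        return None
    args = data[8:]
    if len(args) != 128:  # two 32-byte ABI words: spender, amount
        raise ValueError("malformed calldata for " + name)
    spender_word, amount_word = args[:64], args[64:]
    if int(spender_word[:24], 16) != 0:  # addresses are left-padded with zeros
        raise ValueError("spender word is not a padded address")
    amount = int(amount_word, 16)
    return {"function": name, "spender": "0x" + spender_word[24:],
            "amount": amount, "unlimited": amount == MAX_UINT256}


def review(calldata_hex, trusted_spenders, token_balance):
    """List reasons to pause before signing; trusted_spenders holds lowercase 0x addresses."""
    call = decode_allowance_call(calldata_hex)
    if call is None:
        return []
    warnings = []
    if call["spender"] not in trusted_spenders:
        warnings.append("spender not in allowlist: " + call["spender"])
    if call["unlimited"]:
        warnings.append("unlimited allowance requested")
    elif call["amount"] >= token_balance:
        warnings.append("allowance covers the entire balance")
    return warnings


if __name__ == "__main__":
    for line in review(SAMPLE_CALLDATA, trusted_spenders=set(), token_balance=1000):
        print(line)
```
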

Such scams typically begin with attackers attempting to trick a victim into scanning a QR code that connects their wallet to a phishing site, after which the malware identifies the most valuable assets and attempts to create a malicious transaction, although this might unfold over days or weeks, says a new report from cybersecurity firm Group-IB.

Inferno Multichain Drainer

Scam-as-a-service phishing operations continue to thrive, as attackers in 2023 created more than 16,000 unique domains where they spoofed more than 100 different cryptocurrency brands, Group-IB said.

One of the best-known drainer scam-as-a-service operations was Inferno Multichain Drainer. Its creators announced it in November 2022, but it didn't take off until March 2023. It operated until November 2023, and during that time Scam Sniffer said it was used to steal assets worth about $81 million from 134,000 victims.

Many Inferno phishing pages offered the ability to mint new tokens and keep the rewards, compensation for outages, or free tokens via what's known as an airdrop, oftentimes using malicious JavaScript that pretended to be a legitimate Web3 protocol such as Seaport, WalletConnect or Coinbase, Group-IB said.

"It is important to note that the victim's consent was required for every chain change and transaction initiated by the drainer," Viacheslav Shevchenko, a Group-IB security researcher, wrote in the report. "In some cases, the drainer's operators could wait for an extended period of time before initiating the first fraudulent transaction."

The waiting game may have been a ruse to trick cryptocurrency owners who first connected a wallet with a small balance to see if the offer was legitimate. "After verifying, they may connect a wallet with larger funds," Shevchenko said. "This method lets the drainer catch a more valuable account."

Inferno was the successor to Monkey Drainer, which closed shop in March 2023, Group-IB said. After that, most users turned to rival Venom Drainer until it closed up shop in April 2023 and they migrated to Angel Drainer.

When Monkey Drainer died, a number of other services launched or ramped up, including MS Drainer, Inferno, as well as the Angel and Pink drainers, Scam Sniffer said. Other major players include Chick Drainer and Rainbow Drainer.

"Inferno Drainer may have ceased its activity, but its prominence throughout 2023 highlights the severe risks to cryptocurrency holders as drainers continue to develop further," said Andrey Kolmakov, head of Group-IB's High-Tech Crime Investigation Department.

How Profits Are Split

Services such as Inferno provide users with access to a dedicated Telegram channel as well as a customer portal, where they can "customize features of the malware and detailed key statistics such as the number of victims that had connected their wallets on a specific phishing website, the number of confirmed transactions and the value of the stolen assets," Group-IB said.

The developers behind Inferno Drainer advertised the following usage terms: They would keep 20% of all assets stolen using their malware, and the other 80% would be routed to users.

While users could load the malware onto phishing sites they created, the developers also offered a "service for creating and hosting phishing sites," which they sometimes offered as a free add-on and in other cases offered in exchange for a 30% cut of stolen assets, Group-IB reported.

The developers behind some services, such as MS Drainer, also "sell the source code and additional value-added modules" allowing scammers to further customize their attacks, also for an additional fee, Scam Sniffer said.

About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.