$80M in Crypto Disappears Into Drainer-as-a-Service Malware Hell

"Inferno Drainer" campaign represents a dangerous evolution in crypto-drainers, credibly spoofing Coinbase and maintaining a vast infrastructure-for-rent biz.

[Image: "The rich man in hell," 1624, South Netherlandish master. Source: Peter Horree via Alamy Stock Photo]

A sophisticated phishing campaign dubbed "Inferno Drainer" has managed to siphon more than $80 million in cryptocurrency from 137,000 unwitting victims over the course of a year, using 100 different cryptocurrency brands in an impersonation gambit.

According to Group-IB, the attackers hosted the phishing pages using more than 16,000 unique domains over the course of the campaign, which ran between November 2022 and November 2023, after which it was disrupted. According to crypto-drainer data from ScamSniffer, Inferno Drainer was the most prominent crypto drainer in 2023 in terms of financial damages, gaining its scale from an innovative "drainer-as-a-service" model.

And while Inferno Drainer may have ceased its activity for now, its prominence throughout 2023 highlights the severe risks to cryptocurrency holders as drainer malware continues to develop further, Group-IB's team tells Dark Reading (the researchers asked not to be named individually).

"Its success with regards to the funds it was able to steal will likely fuel an emergence in the development of new drainers, an increase in websites containing malicious scripts spoofing Web3 protocols, and new sophisticated methods of delivering these scripts, such as the recent cyberattack on Ledger," they say. "There could be a scenario in which 2024 becomes the year of the drainer."

Anatomy of a Crypto-Spoofing Campaign

During the course of the Inferno Drainer onslaught, the attackers used two levels of brand impersonation.

First, they created malicious webpages that spoofed brands like Coinbase, Seaport, and WalletConnect, which are used to connect crypto wallets to decentralized trading platforms and other applications. The idea was to "lure unsuspecting users into connecting their cryptocurrency wallets with the attackers' infrastructure," according to the Group-IB analysis of Inferno Drainer.

In other words, marks believed they were using the legitimate services, but in reality they were unwittingly authorizing the malicious siphoning of funds.

Worryingly, the scripts the cyberattackers used for the Web3 impersonation are available in GitHub repositories or as a separate .ZIP file hosted on a file-sharing site, the researchers noted.

Meanwhile, to attract targets to the sites in the first place, the adversaries promoted the pages on social media sites, including X (formerly Twitter), and various Discord servers. As lures, they promised free "airdrops" (crypto-tokens), an opportunity to mint non-fungible tokens (NFTs), or, ironically, compensation for outages caused by cybercriminal activity. In all, the Inferno Drainer assailants here spoofed dozens of companies that offer specific coins, tokens, or exchange services.

Inferno Drainer's Scam-as-a-Service Model

One notable aspect of the campaign is the fact that the Inferno Drainer heists weren't the work of a single cybercrime group; rather, the infrastructure was available to rent.

"The drainer's developers promoted their malware on a Telegram channel, the first post on which was published on November 5, 2022," explained Group-IB researchers in the analysis. "Cybercriminals leveraging Inferno Drainer had access to a customer panel, which was still live as of the first week of December, that allowed them to customize features of the malware and detailed key statistics such as the number of victims that had connected their wallets on a specific phishing website, the number of confirmed transactions, and the value of the stolen assets."

The rental model featured a flat rate for the developers of 20% of stolen assets in exchange for use of the drainer. Cybercriminals could either upload the malware to their own phishing sites, or also rent the phishing infrastructure from the developers, in which case the developers' cut rose to 30% of the stolen assets, Group-IB experts found.

"Other forms of malware, i.e., ransomware, have been offered under the 'x-as-a-service' model before, but now we are seeing the growing popularity of drainers that operate according to this framework as well," the research team tells Dark Reading.

In terms of cyber defense, cryptocurrency holders should remain vigilant and be wary of any website promoting free digital assets or airdrops. For their part, cryptocurrency brands have a set of tasks ahead of them to thwart what Group-IB believes will soon be an onslaught of new drainer activity.

"First of all, it is necessary to pass on all relevant information, such as phishing website URLs, to law enforcement agencies," the researchers say. "Secondly, businesses in the crypto sphere have options to fight against phishing websites. Cybersecurity solutions … can monitor for signs of brand abuse on the Internet in real time and promptly detect and block any threats that could lead to scams."
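The brand-abuse monitoring the researchers recommend can be approximated in a few dozen lines: take a feed of newly observed hostnames (from certificate-transparency logs, passive DNS, or a domain-registration feed) and flag those that embed, homoglyph-spoof, or narrowly misspell a watched brand, weighting hits that also carry the lure words the article describes (airdrops, NFT minting, compensation). The script below is an added example written for this page; it is not Group-IB's tooling, and the watchlist, allowlist, lure keywords, and sample feed are constructed for illustration (the "claim" keyword and the two allowlisted domains are assumptions, not facts from the article).

```python
from dataclasses import dataclass

# Brands under watch (hypothetical watchlist built from the brands named above).
MONITORED_BRANDS = ["coinbase", "seaport", "walletconnect"]

# Registrable domains known to be legitimate; never flagged. (Assumed allowlist.)
ALLOWLIST = {"coinbase.com", "walletconnect.com"}

# Lure words the article describes (airdrops, NFT minting, compensation);
# "claim" is an added assumption.
LURE_KEYWORDS = ["airdrop", "nft", "mint", "compensation", "claim"]

# Digits commonly substituted for letters in lookalike domains.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "8": "b"}


@dataclass
class Finding:
    domain: str
    brand: str
    reasons: list


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance (insert/delete/substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(label: str) -> str:
    """Map digit homoglyphs back to letters so 'c0inbase' compares as 'coinbase'."""
    return "".join(HOMOGLYPHS.get(c, c) for c in label.lower())


def assess(host: str) -> list:
    """Return one Finding per monitored brand the hostname appears to imitate."""
    host = host.lower().strip(".")
    labels = host.split(".")
    if len(labels) < 2:
        return []
    # Simplification: treat the last two labels as the registrable domain
    # (a production tool would consult the public suffix list for cases like co.uk).
    if ".".join(labels[-2:]) in ALLOWLIST:
        return []
    # Candidate strings: every hyphen-separated token of each non-TLD label,
    # plus each label with hyphens removed (catches "wallet-connect").
    candidates = set()
    for label in labels[:-1]:
        candidates.add(label.replace("-", ""))
        candidates.update(t for t in label.split("-") if t)
    lures = [kw for kw in LURE_KEYWORDS if kw in host.replace("-", "")]

    findings = []
    for brand in MONITORED_BRANDS:
        reasons = []
        for cand in sorted(candidates):
            norm = normalize(cand)
            if brand in cand:
                reason = f"contains brand string '{brand}'"
            elif brand in norm:
                reason = f"contains '{brand}' after homoglyph normalisation ('{cand}')"
            elif len(cand) >= 5 and levenshtein(norm, brand) == 1:
                reason = f"near-miss spelling of '{brand}' ('{cand}')"
            else:
                continue
            if reason not in reasons:
                reasons.append(reason)
        if reasons:
            if lures:
                reasons.append("lure keywords: " + ", ".join(lures))
            findings.append(Finding(host, brand, reasons))
    return findings


def scan(feed) -> list:
    """Run assess() over a feed of newly observed hostnames."""
    return [f for host in feed for f in assess(host)]


# Constructed sample feed: none of these are real observed phishing domains.
SAMPLE_FEED = [
    "coinbase-airdrop-claim.xyz",
    "c0inbase.app",
    "walletconnect.compensation-portal.net",
    "seeport-nft-mint.io",
    "wallet-connect-free-tokens.net",
    "coinbase.com",
    "example.org",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_FEED):
        print(f"{f.domain}: imitates {f.brand}; " + "; ".join(f.reasons))
```

Each finding is a candidate for the takedown and law-enforcement reporting the researchers describe, not a verdict: a registrar feed will also surface legitimate partner sites that embed a brand name, so the allowlist and a human review step matter as much as the matching rules.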

About the Author(s)

Tara Seals, Managing Editor, News, Dark Reading

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.
