
$87 Million Lost to Crypto Drainer as Inferno Malware Fools Customers With Coinbase, Seaport Connection Protocols

The Inferno Drainer malware that plagued the crypto world throughout 2023 ultimately compromised about 130,000 victims and stole about $87 million in total, according to a new report from Group-IB. It was part of a broader movement of “crypto drainer” services that some security experts believe is poised to become the next big thing in cybercrime in 2024.

The Inferno crypto drainer was in action from November 2022 to November 2023, with the operators publicly retiring it in a message posted to the group’s Telegram channel. The malware was among those serving as an effective proof-of-concept (and proof of profitability) for offering drainers as a service in a manner similar to ransomware, and it helped to create a market that other cyber criminals have been quick to move into.

Drainer malware could be an even bigger headache in 2024

Crypto drainer malware is already a substantial headache, but Group-IB believes it could very well get worse in 2024. It has already taken root as an “as a service” offering in the criminal underworld, and it has an even lower technical barrier to entry than ransomware services do. With ransomware, a criminal group at least needs to compromise an organization and gain some sort of foothold on its own, but drainers-as-a-service simply require getting victims to fall for a phishing page that takes their crypto wallet credentials. As soon as the credentials are captured, the money is likely gone forever.

During its run, the operators of the Inferno crypto drainer set up around 16,000 bogus domains to support the criminal enterprise. The operators split any stolen funds with their clients, taking a 20% cut for handling the back end of the scheme. That cut covered phishing site templates described as “high quality”; hosting for those sites was offered for an extra 10% of the stolen crypto.

Much like the ransomware services have had a chain of “big names” that go up and down over time, the crypto drainer scene has had various operators rotate in and out of the top spot. These services started getting big with Venom Drainer in 2022, which was followed by Monkey Drainer. That went out of business in March 2023, which is when Inferno Drainer shot to prominence and became the go-to source of malware for these crimes. All told, about 320,000 people are known to have been scammed by these services in 2023, losing a collective $295 million in various coins and assets.

Crypto drainers spoof major exchanges and brands to steal from victims

The usual approach of a crypto drainer’s phishing page is to spoof a well-known exchange or brand with a quality copy, tricking customers into providing credentials. A lookalike of the Coinbase protocol appears to have been particularly commonly used by scammers, but spoofs of over 100 different brands in total were deployed by Inferno and its clients during the yearlong run. The most common approach was to list bogus offerings of free “airdrops” or coin giveaways on X or on popular Discord crypto channels, enticing victims into clicking through to phishing pages hosted by the scammers.

The rise of crypto drainers overlaps somewhat with a recent rash of account hacks on X. High-profile accounts, including those of security firms Mandiant and CertiK as well as Netgear, have been used to push links to drainer malware (in the guise of crypto giveaways) in recent months.

The phishing component of these operations is clearly skillful and effective, as the scheme cannot possibly work unless the victims willingly enter their credentials. Sean McNee, VP of Research and Data at DomainTools, notes that this is part of the inherent “Wild West” nature of the crypto ecosystem as it currently exists: “This unfortunate set of attacks leverages one of the strengths of cryptocurrency as a weakness: a fully distributed financial system means anyone can trick anyone else directly to take their cryptocurrency. Because crypto isn’t beholden to traditional banking regulations, there’s also less protection when someone hacks your account. These transfers are permanent and cannot be revoked. These attacks also signify a change in how crypto drainers operate. Because of the amount of money potentially involved, the attackers have moved to an affiliate model with drainers-as-a-service offerings allowing more groups to enter the space quickly. Expect rapid iteration on the types and quality of the lures used. As crypto gains momentum and popularity, it becomes a larger target. This campaign was nuanced, sophisticated, and targeted. By masquerading as known crypto tools these kinds of attacks can fool anyone. It’s important to establish good practices now to prevent possible future attacks; users need to protect their crypto assets.”

While the crypto drainers most often promise free airdrops or giveaways to lure in victims, some have become even more sophisticated. Some that have been seen recently have leveraged known incidents of downtime at exchanges, pretending to offer compensation for outage periods. Security experts also warn that Inferno Drainer remains a threat even though the operators have retired, as they left client panels operational and those (and the malware) are still functioning as of mid-January. Other groups, such as Pink Drainer and CLINKSINK, are already picking up the slack in recruiting new affiliates.

Crypto drainer schemes are very likely to get even more sophisticated, and to expand onto platforms and outlets where crypto scams are not yet as common (X and Discord have been plagued with them for years now). The low barrier to entry is what worries many security researchers, as it lets would-be criminals who would find ransomware operations too complex get into the game.

McNee offers the following points of advice for protection going forward: “Set up multi-factor authentication for online cryptocurrency services. Be skeptical of new services offering free coins or other ‘too good to be true’ promises, and double-check such offers purporting to be from known services. Even though crypto is relatively young when compared to traditional banking, you probably still shouldn’t trust a service or promotion running off an extremely young domain name. Keep an offline backup of the blockchain addresses you use, your private keys, and your passphrase. Encrypt your wallet, or, even better, use a hardware wallet. Finally, keep your software up-to-date, and only accept updates from known sources. And remember, if it sounds too good to be true, it probably is.”
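Two of the warning signs described above, a page that imitates a known brand such as Coinbase and a promotion running off a very young domain, can be turned into a simple screening check. The following script is an added example written for this article; it is not code from Group-IB, DomainTools or any drainer investigation. The brand list, the WHOIS-style creation dates, the sample links and the 30-day "young domain" threshold are all constructed assumptions; in practice the creation date would come from a WHOIS or RDAP lookup.

```python
"""Screen links for two crypto-phishing warning signs: brand lookalike
domains and very recently registered domains.

All data below is constructed for this example (assumption), including the
brand list and the WHOIS-style creation dates.
"""
from datetime import date
import re

# Brands that drainer phishing pages imitate. Coinbase is named in the
# article; the other two are assumed examples.
KNOWN_BRANDS = {"coinbase.com", "opensea.io", "walletconnect.com"}

# Constructed stand-in for WHOIS/RDAP creation dates (assumption: a real
# deployment would query a registration data service instead).
WHOIS_CREATED = {
    "coinbase.com": date(2012, 4, 1),
    "c0inbase-airdrop.com": date(2024, 1, 10),
    "coinbase-claim.net": date(2023, 12, 28),
    "opensea.io": date(2017, 12, 1),
    "example.org": date(1995, 8, 31),
}

TODAY = date(2024, 1, 15)   # fixed so the example is deterministic
MAX_YOUNG_DAYS = 30         # assumed threshold for "extremely young domain"

# Common digit-for-letter substitutions seen in lookalike hostnames.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "@": "a"})

# Constructed sample links, as they might appear in a chat or proxy log.
SAMPLE_LINKS = [
    "https://www.coinbase.com/",
    "https://c0inbase-airdrop.com/claim",
    "http://coinbase-claim.net:8080/connect",
    "https://opensea.io/collection/x",
    "https://example.org/",
]


def registrable_domain(url):
    """Strip scheme, port and path; return the last two host labels."""
    host = re.sub(r"^[a-z]+://", "", url.strip().lower())
    host = host.split("/")[0].split(":")[0]
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def levenshtein(a, b):
    """Edit distance between two strings (classic dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_brand(domain):
    """Return the brand a domain imitates, or None if it is the brand itself
    or resembles no known brand."""
    if domain in KNOWN_BRANDS:
        return None
    label = domain.split(".")[0].translate(HOMOGLYPHS)
    for brand in KNOWN_BRANDS:
        brand_label = brand.split(".")[0]
        for part in label.split("-"):
            # Exact brand word inside the label, or one typo away from it.
            if part == brand_label or (len(part) >= 5 and levenshtein(part, brand_label) <= 1):
                return brand
    return None


def domain_age_days(domain, created=WHOIS_CREATED, today=TODAY):
    """Days since registration, or None when no record is available."""
    if domain not in created:
        return None
    return (today - created[domain]).days


def assess(url):
    """Combine both checks into a verdict with human-readable reasons."""
    domain = registrable_domain(url)
    reasons = []
    brand = lookalike_brand(domain)
    if brand:
        reasons.append(f"lookalike of {brand}")
    age = domain_age_days(domain)
    if age is None:
        reasons.append("registration date unknown")
    elif age <= MAX_YOUNG_DAYS:
        reasons.append(f"registered {age} days ago")
    return {"domain": domain, "suspicious": bool(reasons), "reasons": reasons}


def scan(links):
    """Return only the assessments that raised at least one warning sign."""
    return [r for r in map(assess, links) if r["suspicious"]]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LINKS):
        print(hit["domain"], "->", "; ".join(hit["reasons"]))
```

Run on the constructed sample, the two Coinbase lookalikes are flagged for both reasons while the genuine exchange domains pass. The brand check deliberately compares hyphen-separated parts of the label rather than the whole hostname, because drainer pages tend to append words like "airdrop" or "claim" to the spoofed brand; the age check is the cheap, registration-data version of the "young domain" advice quoted above.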