The operators behind the now-defunct Inferno Drainer created more than 16,000 unique malicious domains over a one-year period between 2022 and 2023.
The scheme “employed high-quality phishing pages to lure unsuspecting users into connecting their cryptocurrency wallets to the attackers’ infrastructure that spoofed Web3 protocols to trick victims into authorizing transactions,” Singapore-headquartered Group-IB said. , said in a report shared with The Hacker News. .
Inferno Drainer, which was active from November 2022 to November 2023, is estimated to have collected more than $87 million in illegal profits by defrauding more than 137,000 victims.
The malware is part of a broader set of similar offers available to affiliates under the scam-as-a-service (or drain-as-a-service) model in exchange for a 20% cut of their earnings .
What’s more, customers of Inferno Drainer can either upload the malware to their own phishing sites, or use the developer’s service to create and host phishing sites, either at no extra cost or 30% of the stolen assets in some cases charge
The DaaS tool became popular in the wake of the closure of Monkey Drainer in March 2023, which also paved the way for the emergence of another short-lived drainer service called Venom Drainer.
Data compiled by Scam Sniffer shows that crypto-phishing scams that distributed the drain kits cumulatively stole $295.4 million in assets from around 320,000 users in 2023.
According to Group-IB, the activity defrauded more than 100 cryptocurrency brands via specially crafted pages hosted on more than 16,000 unique domains.
Further analysis of 500 of these domains revealed that the JavaScript-based drainer was initially hosted on a GitHub repository (kuzdaz.github)[.]io/seaport/seaport.js) before being included directly on the websites. The user “kuzdaz” does not currently exist.
In a similar fashion, another set of 350 sites included a JavaScript file, “coinbase-wallet-sdk.js,” in another GitHub repository, “kasrlorcian.github”[.]yes.”
These sites were then propagated on sites such as Discord and X (formerly Twitter), enticing potential victims to click on them under the guise of offering free tokens (aka airdrops) and connecting their wallets, after which their assets were drained once the transactions have been approved. .
Using the names seaport.js, coinbase.js and wallet-connect.js, the idea was to impersonate popular Web3 protocols such as Seaport, WalletConnect and Coinbase to complete the unauthorized transactions. The earliest site containing one of these scripts dates back to May 15, 2023.
“Another typical feature of phishing websites belonging to Inferno Drainer was that users could not open website source code using hotkeys or right-clicking the mouse,” said Group-IB analyst Viacheslav Shevchenko. “This means the criminals tried to hide their writings and illegal activities from their victims.”
It is worth noting that Mandiant’s Google-owned X account was compromised earlier this month to distribute links to a phishing page that a cryptocurrency drainer is tracking as CLINKSINK, a variant of which known as Rainbow Drainer nearly stole $4.17 million worth of assets from 3,947 Solana users. the past month.
“We believe that the ‘X as a service’ model will continue to thrive, not least because it creates greater opportunities for less technically skilled individuals to try their hand at becoming cybercriminals, and for developers it is a highly profitable way to their income,” the company told The Hacker News.
“We also expect to see more attempts to hack official accounts, as posts purporting to be written by an authoritative voice are likely to instill trust in the eyes of viewers, and may make potential victims more likely to follow links and connect their accounts.”
In addition, Group-IB said that the success of Inferno Drainer could fuel the development of new drainers and also lead to an increase in websites containing malicious scripts that cheat Web3 protocols, noting that 2024 is the “year of the drainer ” can be.
“Inferno Drainer may have stopped its activity, but its prominence throughout 2023 highlights the serious risks for cryptocurrency holders as drainers continue to evolve,” said Andrey Kolmakov, head of Group-IB’s high-tech crime investigation department.
Disclaimer for Uncirculars, with a Touch of Personality:
While we love diving into the exciting world of crypto here at Uncirculars, remember that this post, and all our content, is purely for your information and exploration. Think of it as your crypto compass, pointing you in the right direction to do your own research and make informed decisions.
No legal, tax, investment, or financial advice should be inferred from these pixels. We’re not fortune tellers or stockbrokers, just passionate crypto enthusiasts sharing our knowledge.
And just like that rollercoaster ride in your favorite DeFi protocol, past performance isn’t a guarantee of future thrills. The value of crypto assets can be as unpredictable as a moon landing, so buckle up and do your due diligence before taking the plunge.
Ultimately, any crypto adventure you embark on is yours alone. We’re just happy to be your crypto companion, cheering you on from the sidelines (and maybe sharing some snacks along the way). So research, explore, and remember, with a little knowledge and a lot of curiosity, you can navigate the crypto cosmos like a pro!
UnCirculars – Cutting through the noise, delivering unbiased crypto news
