How a ‘crypto drainer’ tricked people into handing over $80 million in assets worldwide

Researchers have detailed how a scam campaign spoofed over a hundred cryptocurrency brands in the past year, stealing at least $80 million in assets from its victims' digital wallets.

The Inferno Drainer operation, which combined phishing efforts with infrastructure designed to collect stolen digital currency, was deployed in the wild for a year and became one of the biggest “crypto drainers” worldwide before its developers shut it down in November 2023, according to a report by Singapore-based cyber firm Group-IB.

Inferno Drainer operated under the scam-as-a-service model, with affiliates keeping 80 percent of each theft and the organizers taking 20 percent. The researchers warn that the software and those users still pose a danger to cryptocurrency owners everywhere.

Group-IB found that the Inferno Drainer user panel for cybercriminals was still active as of mid-January, despite the shutdown. Besides, its affiliates “are still around,” and there is nothing to suggest “that their appetite for stealing tokens and NFTs has waned,” the researchers said.

Inferno Drainer's track record also may serve as inspiration for a wave of new drainer malware, researchers said.

How it works

“Victims were tricked on sophisticated phishing websites into connecting their cryptocurrency wallets with the attackers’ infrastructure,” the Group-IB researchers said.

In particular, the cybercriminals placed the malware on websites disguised as official crypto token projects and promoted them on X (formerly Twitter) and Discord.

On those websites, they also spoofed popular Web3 protocols such as Seaport, WalletConnect, and Coinbase to initiate fraudulent transactions.

Users who fell for these scams were willing to link their accounts to fake protocols because cybercriminals promised them financial gains — free tokens (also known as airdrops) or rewards for minting non-fungible tokens (NFTs), Group-IB said.

The lures seemed to be convincing, since every fraudulent transaction initiated by the drainer required the victim’s consent. Once connected to the victim’s crypto wallet, the drainer checked for their most valuable assets — assets below $100 were ignored.

Group-IB detected over 16,000 unique domains linked to Inferno Drainer’s phishing operations, with at least 100 individual crypto brands impersonated. The scammers promoted their services through an English-language Telegram channel called Inferno Multichain Drainer, which has more than 10,000 subscribers as of this week.

It is not clear who is behind the development of this software, but Inferno Drainer has “placed a heavy toll on the crypto industry,” while its prominence over the past year “has opened up a wide range of possibilities for criminals to get rich.” And the dangers will only get worse, researchers said.