Goodbye Inferno Drainer? How the scam service stole millions of dollars and why it’s still dangerous

Group-IB
5 min read · Jan 18, 2024

In November 2023, a scam vendor called Inferno Drainer reportedly stopped operating after having stolen tens of millions of US dollars from cryptocurrency wallet owners. Viacheslav Shevchenko, Analyst at Group-IB’s High-Tech Crime Investigation Department, delved into the crypto scam gang’s deceptively simple scheme. He explains his key findings below.

Long story short

A new type of scam software called “drainers” recently appeared in the wild. The first attacks involving this malware made headlines in late 2022. The damage they caused accounted for a “petty” few dozen million US dollars. However, in just a few months, the situation changed drastically: spurred on by their initial successes, threat actors behind wallet drainers stole almost USD 300 million in 2023. Much of that can be attributed to a player called Inferno Drainer, whose activity, ScamSniffer estimates, led to more than USD 80 million being stolen — the biggest sum siphoned by one drainer so far.

The Inferno Drainer developers created their Telegram channel in November 2022. From December 2022 to February of the following year, Inferno Drainer launched a major advertising campaign on Telegram. Although the gang announced that Inferno Drainer was shutting down operations in November 2023, the user panel related to the software developers is still available to past clients, who continue to attack crypto wallet owners to this day.

The Inferno Drainer phenomenon: What do we know?

The threat actors used a two-layer approach to deceive victims. First, they created high-quality phishing pages to lure users into connecting their wallets to the attackers’ infrastructure. Our specialists identified more than 16,000 unique domains linked to Inferno Drainer’s phishing operations, with at least 100 different cryptocurrency brands impersonated.

The second layer involved JavaScript code that spoofed well-known Web3 protocols such as Seaport, WalletConnect, and Coinbase and tricked victims into authorizing transactions. The original protocols serve as bridges between various parts of the crypto ecosystem, helping users trade tokens (including NFTs) or connect wallets to DApps (such as Uniswap and PancakeSwap).
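The first layer described above is infrastructure: thousands of lookalike domains built around brand names and "free asset" lures. The following is an added example, not Group-IB's code, of the kind of first-pass triage a defender runs over a feed of newly seen hostnames. The brand list and lure vocabulary come from this post; the allowlist entries, the scoring weights, and the sample hostnames are constructed for the demo, and the registrable-domain helper is deliberately naive.

```javascript
// Added example, not Group-IB's code: a heuristic triage of candidate hostnames
// for crypto-brand impersonation, the kind of first pass used when sifting a
// feed of newly registered domains for drainer phishing pages.

// Brands named in the post (impersonated or spoofed by Inferno Drainer pages).
const BRANDS = ["uniswap", "pancakeswap", "walletconnect", "coinbase", "seaport"];
// Lure vocabulary from the post: free tokens, airdrops, mints, rewards, "compensation".
const LURE_TERMS = ["airdrop", "claim", "mint", "reward", "free", "compensation"];
// Legitimate registrable domains that must never be flagged. In practice this is a
// maintained allowlist; the entries here are illustrative.
const LEGIT = new Set(["uniswap.org", "pancakeswap.finance", "coinbase.com"]);
// Digit-for-letter substitutions commonly used to hide a brand name from naive matching.
const LEET = { "0": "o", "1": "l", "3": "e", "4": "a", "5": "s" };

// Naive registrable-domain extraction (last two labels). Good enough for the
// demo; a real tool would consult the Public Suffix List.
function registrable(host) {
  return host.split(".").slice(-2).join(".");
}

// Score one hostname: +2 for a brand mention, +1 per lure term, +1 when the
// brand only appears after undoing digit substitutions. Allowlisted domains score 0.
function scoreHost(host) {
  const h = host.toLowerCase();
  if (LEGIT.has(registrable(h))) return { host, score: 0, brand: null, lures: [] };
  const norm = h.replace(/[0-9]/g, (d) => LEET[d] || d);
  const brand = BRANDS.find((b) => norm.includes(b)) || null;
  const lures = LURE_TERMS.filter((t) => norm.includes(t));
  let score = lures.length;
  if (brand) {
    score += 2;
    if (!h.includes(brand)) score += 1; // brand was disguised with digits
  }
  return { host, score, brand, lures };
}

// Rank a batch of hostnames, keeping those at or above the threshold.
function triage(hosts, threshold = 2) {
  return hosts
    .map(scoreHost)
    .filter((r) => r.score >= threshold)
    .sort((a, b) => b.score - a.score);
}

// Constructed sample feed (these hostnames are made up for the demo).
const SAMPLE_HOSTS = [
  "claim-uniswap-airdrop.xyz",
  "app.uniswap.org",
  "c0inbase-rewards.com",
  "pancakeswap-free-mint.net",
  "example.com",
];

console.log(triage(SAMPLE_HOSTS)); // three flagged hosts, each scoring 4
```

The scoring is intentionally crude: it is a ranking aid for analysts, not a verdict, and the allowlist check comes first so that a brand's own subdomains are never surfaced as impersonations.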

The developers followed a typical “scam-as-a-service” scheme. They offered their customers a phishing kit and related infrastructure in exchange for 20% (in some cases 30%) of any stolen assets.

Why was Inferno Drainer so effective and lucrative? The scam service broke the record for the amount of money stolen because of the sheer scale of its activity. The multichain drainer siphoned assets across many crypto networks, and its customers attacked users through compromised social media accounts and promotion campaigns more aggressively than any of its predecessors: there were more than 134,000 victims. By comparison, the second most notable drainer, called MS Drainer, affected half as many victims.

So how did the scheme work?

Inferno Drainer developers gave customers access to a user panel with instructions and to Telegram channels. In the Telegram channel, clients received notifications such as successful connections, successful drains, and malware updates. The panel’s home page showed customers their overall statistics and the value of the stolen assets.

Screenshot of Inferno Drainer’s panel

Apart from that, the panel allowed Inferno Drainer customers to compile a custom JavaScript that set out the drainer’s settings. The unique names of these scripts allow researchers to distinguish between affiliates. The developers would also provide their customers with phishing websites for free, though the latter was not always the case. After compiling, customers obtained a link to a ZIP file containing the main scripts that mimicked popular Web3 protocols.

The affiliates placed customized drainer scripts on phishing resources and spread these websites through X (formerly Twitter), Discord, and other social media by leveraging hacked legitimate accounts. Intrigued by offers of free tokens (airdrops) and attractive NFT mints, victims connected their wallets by scanning a QR code contained on the phishing websites.

The drainer would then check the wallet’s value against a minimum threshold. If the assets amounted to less than $100, no transaction was initiated until the wallet was topped up. Once a sufficient amount was available, the drainer selected the victim’s most valuable and most easily transferable assets and initiated a transaction. If the victim confirmed the transfer manually, their assets were sent to the criminals’ addresses and split 20/80 between the developer and the customer.
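The workflow above, and the spoofed Seaport/WalletConnect/Coinbase layer described earlier, both end at the same chokepoint: the victim must confirm a transfer or an approval in their own wallet. The following is an added example, not Group-IB's or Inferno Drainer's code, of a wallet-side screener that decodes a pending request and flags exactly those patterns before the confirmation prompt. The function selectors are the standard ERC-20/ERC-721 ones; the `screenTransaction` function, its `ctx` shape, the trusted-contract allowlist, and the sample addresses and page text are all constructed for this demo.

```javascript
// Added example, not Group-IB's or Inferno Drainer's code: a wallet-side screener
// that inspects a transaction request before the user is asked to confirm it.
// A drainer page succeeds only when the victim approves a transfer or an
// allowance; this decodes the call and flags the patterns that need approval.

// Standard 4-byte selectors of the ERC-20 / ERC-721 functions named.
const SELECTORS = {
  "0x095ea7b3": "approve",           // approve(address spender, uint256 amount)
  "0xa22cb465": "setApprovalForAll", // setApprovalForAll(address operator, bool approved)
  "0xa9059cbb": "transfer",          // transfer(address to, uint256 amount)
  "0x23b872dd": "transferFrom",      // transferFrom(address from, address to, uint256 amount)
};
const MAX_UINT256 = (1n << 256n) - 1n;
// Lure vocabulary from the post: free tokens, airdrops, mints, rewards, "compensation".
const LURE = /airdrop|claim|free|mint|reward|compensation/i;

// Read the i-th 32-byte ABI word that follows the 4-byte selector.
function abiWord(data, i) {
  const hex = data.slice(10 + i * 64, 10 + (i + 1) * 64);
  if (hex.length !== 64) throw new Error("calldata too short for argument " + i);
  return BigInt("0x" + hex);
}
// Addresses occupy the low 20 bytes of a word.
const toAddress = (w) => "0x" + w.toString(16).padStart(40, "0").slice(-40);

// Screen one eth_sendTransaction-style request {to, value, data}.
// ctx.trustedContracts: lower-case addresses the wallet already knows (an allowlist).
// ctx.pageText: title/URL of the requesting page, used only to spot "free asset" lures.
function screenTransaction(tx, ctx) {
  const reasons = [];
  const data = (tx.data || "0x").toLowerCase();
  const fn = SELECTORS[data.slice(0, 10)];
  const lured = LURE.test(ctx.pageText || "");
  const trusted = (a) => ctx.trustedContracts.has(a.toLowerCase());

  if (fn === "approve") {
    const spender = toAddress(abiWord(data, 0));
    if (abiWord(data, 1) === MAX_UINT256) reasons.push("unlimited ERC-20 allowance requested");
    if (!trusted(spender)) reasons.push("spender " + spender + " is not a trusted contract");
  } else if (fn === "setApprovalForAll") {
    const operator = toAddress(abiWord(data, 0));
    if (abiWord(data, 1) !== 0n) reasons.push("blanket operator approval over an NFT collection");
    if (!trusted(operator)) reasons.push("operator " + operator + " is not a trusted contract");
  } else if (fn === "transfer" || fn === "transferFrom") {
    const to = toAddress(abiWord(data, fn === "transfer" ? 0 : 1));
    if (lured) reasons.push("page offering free assets asks for an outbound token transfer to " + to);
  }
  if (BigInt(tx.value || "0x0") > 0n && lured) {
    reasons.push("page offering free assets asks the user to send native currency");
  }

  // An approval granted to an unknown party is what lets a drainer move assets later:
  // treat it as blocking rather than merely warning.
  const grantsApproval = reasons.some((r) => /allowance|operator approval/.test(r));
  const unknownParty = reasons.some((r) => /not a trusted/.test(r));
  const risk = grantsApproval && unknownParty ? "block" : reasons.length ? "warn" : "ok";
  return { risk, reasons };
}

// Left-pad a hex value to one 32-byte ABI word (used to build the constructed sample).
const pad = (hex) => hex.replace(/^0x/, "").padStart(64, "0");

// Constructed sample: a "claim your airdrop" page asks the wallet to grant an
// unknown operator control over every token in the user's NFT collection.
const SAMPLE_TX = {
  to: "0x2222222222222222222222222222222222222222", // the NFT contract (made-up address)
  value: "0x0",
  data: "0xa22cb465" + pad("0x1111111111111111111111111111111111111111") + pad("0x1"),
};
const SAMPLE_CTX = {
  trustedContracts: new Set(["0x3333333333333333333333333333333333333333"]), // made-up allowlist
  pageText: "Claim your free airdrop now",
};

console.log(screenTransaction(SAMPLE_TX, SAMPLE_CTX)); // risk: "block"
```

The check runs inside the wallet, so it does not matter which provider library the page spoofs: whatever the injected script claims to be, the request it ultimately hands to the wallet still has to carry a real selector and real arguments, and that is what gets decoded here. The "free asset" heuristic is deliberately narrow: a page promising an airdrop has no legitimate reason to ask the user to send anything out.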

Inferno Drainer’s workflow

What makes users fall into traps set by crypto criminals and confirm transactions that they never intended to perform in the first place?

  • A “free lunch” is a hard-to-resist offer. Inferno Drainer’s phishing pages enticed victims with offers of free tokens (airdrops) and rewards, the opportunity to mint NFTs, or “compensation” for cybercriminal-caused outages.
  • The phishing websites were sophisticated, imitated popular crypto brands, and looked convincing.
  • The software spoofed popular Web3 protocols using malicious JavaScript code embedded on phishing websites, which made the transactions look legitimate.

Although the service was shut down, the Inferno Drainer scheme continues to pose a threat because its former users are likely to have shifted to new fraudulent activities. Its customers have access to the Inferno Drainer infrastructure and are hungry for easy money. The success that the criminal developers have enjoyed is expected to inspire future waves of similar tools.

Group-IB investigators urge cryptocurrency holders to remain vigilant and exercise caution when encountering websites promoting free digital assets or airdrops (ideally by avoiding them!). There could be a scenario in which 2024 becomes the year of crypto wallet drainers, and we can expect to see an increase in the number of drainers, phishing pages, and, unfortunately, financial damages. As a result, we recommend that users be especially attentive to any signs of suspicious activity. You can find a comprehensive description of the drainer infrastructure and recommendations on how to protect yourself from this growing threat in the blog post on our website.



Group-IB

Group-IB is a leading creator of cybersecurity technologies to investigate, prevent, and fight digital crime