The most prolific known crypto drainer of 2023 impersonated over 100 cryptocurrency brands across 16,000 phishing domains to trick victims into authorizing fraudulent transactions, according to Group-IB.
The threat intelligence vendor revealed details of the scam-as-a-service operation in a new blog post this morning.
It cited figures from Scam Sniffer claiming Inferno Drainer had stolen nearly $88m from over 137,000 victims during its lifespan from November 2022 to November 2023.
First, Inferno Drainer affiliates would lure victims to phishing sites impersonating crypto brands. On the sites, they would spoof popular Web3 protocols like Seaport, WalletConnect and Coinbase in a bid to initiate a fraudulent transaction.
Seaport is the smart-contract protocol behind OpenSea's NFT marketplace, while WalletConnect (and the equivalent connection flow for Coinbase Wallet) lets "self-custody" crypto wallets connect to decentralized applications (DApps) in Web3, typically by scanning a QR code. If a user approves a connection request from a DApp via WalletConnect, the DApp can send transaction requests to their wallet. Each request must still be approved manually by the user in the wallet, so that approval prompt is the last point at which the victim can refuse.
The fraudsters used classic social engineering tactics to trick their victims into approving those requests.
“Once the connection with the wallet is secured, Inferno Drainer spoofed these protocols under the guise of various DApps for the purpose of initializing malicious transactions. Users are requested to link their accounts and accept a transaction in order to claim a prize or other financial reward, but in doing so, they open themselves up to receiving fraudulent transaction requests from the drainer’s operators,” explained Group-IB analyst, Viacheslav Shevchenko.
“The allure of potential riches, which forms a key part of the content presented to victims on phishing websites, makes users connect their wallets to the attacker’s infrastructure. The malware was placed on sites that are disguised as official crypto token projects and spread on X (formerly Twitter) and Discord.”
Among the lures used by the scammers were phishing sites promising to give away free tokens (airdrops) or offering rewards if the victim mints new NFTs. In some cases, the scammers offered non-existent rewards as ‘compensation’ for made-up disruption experienced by the spoofed company such as a cyber-incident.
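The connection flow above ends with the wallet showing the user a transaction request that the DApp built; with an airdrop or mint lure on screen, victims approve it without reading it. The following is an added example, not code from Group-IB's report or from Inferno Drainer: a wallet-side check that decodes the calldata of an incoming `eth_sendTransaction` request (the JSON-RPC shape that WalletConnect and EIP-1193 providers hand to a wallet) and states what approving it would actually grant. It goes beyond the article in one respect: the specific calls it looks for, unlimited ERC-20 `approve` and ERC-721 `setApprovalForAll`, are the standard way a contract is given the right to move a victim's assets later, which the article only describes as "fraudulent transaction requests". The four function selectors are the standard ERC-20/ERC-721 ones; the wallet, token, collection and spender addresses are constructed placeholders, and the risk tiers are this example's own policy.

```javascript
// Added example (not Group-IB's or Inferno Drainer's code): decode an
// eth_sendTransaction request arriving from a connected DApp and classify
// what the user would be granting by approving it.

// Standard ERC-20 / ERC-721 function selectors (first 4 bytes of keccak256 of the signature).
const SELECTORS = {
  "095ea7b3": { name: "approve", types: ["address", "uint256"] },         // ERC-20 allowance
  "a22cb465": { name: "setApprovalForAll", types: ["address", "bool"] },  // ERC-721/1155 operator
  "a9059cbb": { name: "transfer", types: ["address", "uint256"] },
  "23b872dd": { name: "transferFrom", types: ["address", "address", "uint256"] },
};

const MAX_UINT256 = (1n << 256n) - 1n; // the "unlimited" allowance value

// Minimal ABI word coding: only the three static types the example needs.
function encodeWord(type, v) {
  if (type === "address") return v.replace(/^0x/, "").toLowerCase().padStart(64, "0");
  if (type === "bool") return (v ? 1n : 0n).toString(16).padStart(64, "0");
  return BigInt(v).toString(16).padStart(64, "0");
}

function decodeWord(type, w) {
  if (type === "address") return "0x" + w.slice(24);
  if (type === "bool") return BigInt("0x" + w) !== 0n;
  return BigInt("0x" + w);
}

// Build calldata for a known selector (used here only to construct the samples).
function encodeCall(selector, args) {
  const { types } = SELECTORS[selector];
  return "0x" + selector + types.map((t, i) => encodeWord(t, args[i])).join("");
}

// Split calldata into a known function name plus decoded arguments; unknown selectors give null.
function decodeCalldata(data) {
  const hex = (data || "0x").replace(/^0x/, "").toLowerCase();
  if (hex.length < 8) return { name: null, args: [] };
  const sig = SELECTORS[hex.slice(0, 8)];
  if (!sig) return { name: null, args: [] };
  const args = sig.types.map((t, i) => decodeWord(t, hex.slice(8 + i * 64, 8 + (i + 1) * 64)));
  return { name: sig.name, args };
}

// Classify one request before the wallet shows its approval prompt.
// Tiers (this example's policy): "high" = assets can leave the wallet now or later,
// "review" = bounded or unrecognised, "low" = nothing of concern decoded.
function assessRequest(req) {
  if (req.method !== "eth_sendTransaction") {
    return { risk: "unsupported", reasons: [`method ${req.method} not handled here`] };
  }
  const tx = req.params[0];
  const reasons = [];
  let risk = "low";
  const escalate = (level) => { if (level === "high" || risk === "low") risk = level; };

  const value = BigInt(tx.value || "0x0");
  if (value > 0n) { reasons.push(`sends ${value} wei to ${tx.to}`); escalate("high"); }

  const { name, args } = decodeCalldata(tx.data);
  if (name === "approve") {
    const [spender, amount] = args;
    if (amount === MAX_UINT256) { reasons.push(`unlimited allowance on ${tx.to} for ${spender}`); escalate("high"); }
    else { reasons.push(`allowance of ${amount} on ${tx.to} for ${spender}`); escalate("review"); }
  } else if (name === "setApprovalForAll") {
    const [operator, approved] = args;
    if (approved) { reasons.push(`operator ${operator} gains control of every NFT in ${tx.to}`); escalate("high"); }
  } else if (name === "transfer" || name === "transferFrom") {
    reasons.push(`${name} moves tokens held in ${tx.to} out of the wallet`); escalate("high");
  } else if (name === null && (tx.data || "0x") !== "0x") {
    reasons.push("unrecognised function selector; cannot tell what the contract will do"); escalate("review");
  }
  return { risk, reasons };
}

// Constructed sample requests; the addresses are placeholders, not real contracts.
const WALLET  = "0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"; // the victim's wallet
const TOKEN   = "0xbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"; // an ERC-20 the victim holds
const NFTS    = "0xcccccccccccccccccccccccccccccccccccccccc"; // an ERC-721 collection
const SPENDER = "0xdddddddddddddddddddddddddddddddddddddddd"; // the phishing DApp's contract

const makeTx = (to, data) => ({ method: "eth_sendTransaction", params: [{ from: WALLET, to, value: "0x0", data }] });

const sampleRequests = {
  // "Claim your airdrop" that actually requests an unlimited ERC-20 allowance.
  unlimitedApprove: makeTx(TOKEN, encodeCall("095ea7b3", [SPENDER, MAX_UINT256])),
  // "Mint your reward NFT" that actually hands an operator the whole collection.
  approvalForAll: makeTx(NFTS, encodeCall("a22cb465", [SPENDER, true])),
  // A bounded allowance of 100 tokens (18 decimals), the kind a legitimate swap asks for.
  boundedApprove: makeTx(TOKEN, encodeCall("095ea7b3", [SPENDER, 100n * 10n ** 18n])),
};

for (const [label, req] of Object.entries(sampleRequests)) {
  console.log(label, assessRequest(req));
}
```

A real wallet would also resolve `tx.to` against a token list and show the spender's label or lack of one; the point of the check is that the prompt the victim sees should say "unlimited allowance for an unknown contract" rather than "confirm transaction".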
Scam-as-a-Service
Inferno Drainer operated mainly as a service: its developers built and hosted the drainer and the phishing sites, while affiliates, cybercriminals unable or unwilling to do that themselves, funneled victims to those sites. Some 20% of takings went to the developers and 80% to the affiliates, according to the report.
Affiliates were given access to a user panel, Telegram channel and phishing websites/software to manage their campaigns. They would place the drainer malware on the phishing website and then publicize the scam via X (formerly Twitter), Discord and other social media.
Once connected to the victim's crypto wallet, the drainer enumerated its holdings and prioritized the most valuable and easiest-to-transfer assets. Assets worth less than $100 were apparently ignored.
Group-IB urged users to stay vigilant.
“The dangers will only get worse,” Shevchenko concluded. “In-depth investigations and bringing criminals to justice are the only way to prevent future attacks. It is crucial that victims file cases about the attacks they experienced with the relevant law enforcement agencies.”