Inferno Drainer Malware Steals $87M By Posing As Coinbase
In a startling cybercrime saga that unfolded between November 2022 and November 2023, the notorious Inferno Drainer, operating under a scam-as-a-service model, managed to amass illicit profits exceeding $87 million. The sophisticated Inferno Drainer malware scheme involved the creation of over 16,000 malicious domains, employing advanced tactics to deceive unsuspecting users.
The Elaborate Scheme of Inferno Drainer Malware
The perpetrators behind Inferno Drainer leveraged high-quality phishing pages to entice users into connecting their cryptocurrency wallets with the attackers’ infrastructure. This setup spoofed Web3 protocols and deceived victims into unknowingly authorizing transactions. According to a report by Singapore-headquartered Group-IB, the malware was active during the aforementioned period and targeted more than 137,000 victims.
Operating under the scam-as-a-service model, Inferno Drainer offered its malicious toolkit to affiliates in exchange for a 20% cut of their ill-gotten gains. Customers could either upload the malware to their own phishing sites or utilize the developer’s service for creating and hosting phishing websites, with some instances charging 30% of the stolen assets.
Post-Monkey Drainer Landscape
The popularity of the Drainer-as-a-Service tool surged after the shutdown of Monkey Drainer in March 2023, leading to the emergence of another short-lived drainer service called Venom Drainer. Scam Sniffer’s data indicates that cryptocurrency phishing scams associated with drainer kits collectively siphoned off $295.4 million from around 320,000 users in 2023.
Web of Deceit
Phishing websites affiliated with Inferno Drainer exhibited a distinctive feature – users were unable to open the website source code using hotkeys or right-clicking. This deliberate effort to conceal scripts and illegal activities aimed to keep victims in the dark about the ongoing fraudulent transactions.
The attackers cleverly used the names seaport.js, coinbase.js, and wallet-connect.js to masquerade as popular Web3 protocols like Seaport, WalletConnect, and Coinbase. The phishing websites were propagated on platforms like Discord and X, enticing victims with promises of free tokens (airdrops) and prompting them to connect their wallets. Once the victims approved the transactions, their assets were swiftly drained.
Compromised Accounts and Future Threats
Notably, Google-owned Mandiant’s X account was compromised to distribute links to a phishing page hosting a cryptocurrency drainer known as CLINKSINK. This Rainbow Drainer variant has managed to pilfer nearly $4.17 million from 3,947 Solana users in the past month alone.
The ‘X as a Service’ Model
Experts believe that the ‘X as a service’ model will persist, providing opportunities for less technically competent individuals to venture into cybercrime. For developers, it represents a highly profitable avenue to boost revenues. The compromise of official accounts, with posts seemingly authored by authoritative voices, is expected to increase, as it tends to instill trust in potential victims, making them more likely to follow malicious links and connect their accounts.
The Impending Surge
Group-IB warns that the success of Inferno Drainer might give rise to new drainers and an uptick in websites containing malicious scripts spoofing Web3 protocols. The year 2024 could potentially be labeled the “year of the drainer,” posing heightened risks to cryptocurrency holders.