ClickCease Inferno Drainer Malware Steals $87M By Posing As Coinbase

Content Table

Join Our Popular Newsletter

Join 4,500+ Linux & Open Source Professionals!

2x a month. No spam.

Inferno Drainer Malware Steals $87M By Posing As Coinbase

Wajahat Raja

January 29, 2024 - TuxCare expert team

In a startling cybercrime saga that unfolded between November 2022 and November 2023, the notorious Inferno Drainer, operating under a scam-as-a-service model, managed to amass illicit profits exceeding $87 million. The sophisticated Inferno Drainer malware scheme involved the creation of over 16,000 malicious domains, employing advanced tactics to deceive unsuspecting users.

The Elaborate Scheme of Inferno Drainer Malware

The perpetrators behind Inferno Drainer leveraged high-quality phishing pages to entice users into connecting their cryptocurrency wallets with the attackers’ infrastructure. This setup spoofed Web3 protocols and deceived victims into unknowingly authorizing transactions. According to a report by Singapore-headquartered Group-IB, the malware was active during the aforementioned period and targeted more than 137,000 victims.

Scam-as-a-Service Model

Operating under the scam-as-a-service model, Inferno Drainer offered its malicious toolkit to affiliates in exchange for a 20% cut of their ill-gotten gains. Customers could either upload the malware to their own phishing sites or utilize the developer’s service for creating and hosting phishing websites, with some instances charging 30% of the stolen assets.

Post-Monkey Drainer Landscape

The popularity of the Drainer-as-a-Service tool surged after the shutdown of Monkey Drainer in March 2023, leading to the emergence of another short-lived drainer service called Venom Drainer. Scam Sniffer’s data indicates that cryptocurrency phishing scams associated with drainer kits collectively siphoned off $295.4 million from around 320,000 users in 2023.

Web of Deceit

Group-IB’s analysis reveals that the activity spoofed over 100 cryptocurrency brands through specially crafted pages hosted on more than 16,000 unique domains. The JavaScript-based drainer initially resided on a GitHub repository before being directly incorporated into websites. Notably, the usernames associated with these repositories, such as “kuzdaz” and “kasrlorcian,” are non-existent, adding an extra layer of anonymity to the malicious activities.

Ingenious Deception

Phishing websites affiliated with Inferno Drainer exhibited a distinctive feature – users were unable to open the website source code using hotkeys or right-clicking. This deliberate effort to conceal scripts and illegal activities aimed to keep victims in the dark about the ongoing fraudulent transactions.

Modus Operandi

The attackers cleverly used the names seaport.js, coinbase.js, and wallet-connect.js to masquerade as popular Web3 protocols like Seaport, WalletConnect, and Coinbase. The phishing websites were propagated on platforms like Discord and X, enticing victims with promises of free tokens (airdrops) and prompting them to connect their wallets. Once the victims approved the transactions, their assets were swiftly drained.

Compromised Accounts and Future Threats

Notably, Google-owned Mandiant’s X account was compromised to distribute links to a phishing page hosting a cryptocurrency drainer known as CLINKSINK. This Rainbow Drainer variant has managed to pilfer nearly $4.17 million from 3,947 Solana users in the past month alone.

The ‘X as a Service’ Model

Experts believe that the ‘X as a service’ model will persist, providing opportunities for less technically competent individuals to venture into cybercrime. For developers, it represents a highly profitable avenue to boost revenues. The compromise of official accounts, with posts seemingly authored by authoritative voices, is expected to increase, as it tends to instill trust in potential victims, making them more likely to follow malicious links and connect their accounts.

The Impending Surge

Group-IB warns that the success of Inferno Drainer might give rise to new drainers and an uptick in websites containing malicious scripts spoofing Web3 protocols. The year 2024 could potentially be labeled the “year of the drainer,” posing heightened risks to cryptocurrency holders.


While this JavaScript-based drainer may have ceased its malicious activities, the events of 2023 underscore the severe risks to cryptocurrency holders as drainers evolve. Andrey Kolmakov, head of Group-IB’s High-Tech Crime Investigation Department, emphasizes the need for continued vigilance in the ever-evolving landscape of crypto phishing scams and cyber threats. Vigilant cybersecurity practices and awareness are paramount in safeguarding against the persistent ingenuity of cybercriminals.


The sources for this piece include articles in The Hacker News and CoinMarketCap

Inferno Drainer Malware Steals $87M By Posing As Coinbase
Article Name
Inferno Drainer Malware Steals $87M By Posing As Coinbase
Discover the threat of Inferno Drainer malware posing as Coinbase. Uncover the $87 million scam and learn to safeguard your assets today.
Publisher Name
Publisher Logo

Looking to automate vulnerability patching without kernel reboots, system downtime, or scheduled maintenance windows?

Learn About Live Patching with TuxCare

Become a TuxCare Guest Writer

Get started




Linux & Open Source

Subscribe to
our newsletter