Introduction
For many regular internet users, cryptocurrency remains a complex area of investment. However, the financial gains it offers have attracted millions globally. Unfortunately, this also draws in cybercriminals eager to exploit people’s lack of experience and awareness. With thousands of cryptocurrencies available, there are countless opportunities for cybercriminals to exploit legitimate users and businesses. One prevalent and widely-used technique is employing crypto-related phishing scams involving malware known as crypto wallet drainers. These malicious tools drain users’ crypto wallets by deceiving them into authorizing fraudulent transactions.
What Is a Crypto Wallet Drainer?
Crypto drainers are phishing tools in the Web3 space that impersonate legitimate crypto businesses to trick users into authorizing fraudulent transactions. These malicious tools deceive users, leading them to authorize transactions that drain their crypto wallets unknowingly. Typically, this happens when users click on malicious links embedded in phishing scams disguised as legitimate advertisements. Once authorized, the drainer operators gain complete control over the funds in the victim’s wallet.
Phishing scammers employ these drainers through various methods, including:
- Phishing ads
- Supply chain attacks
- Discord and Telegram phishing
- Twitter spam comments and mentions
- Airdrop scams
- SIM swap attacks
- DNS attacks
- Email phishing, and more.
Crypto drainers and Drainers-as-a-Service (DaaS)* have largely escaped the radar of security researchers despite emerging as early as 2021. This article aims to expand on these threats and their impact on organizations.
The disruption is only rising:
- Late 2021: Crypto drainers began to surface, initially causing financial losses of millions of dollars.
- 2023: The threat evolved rapidly, with these scams stealing nearly $300 million from approximately 320,000 users. The success of early attacks spurred widespread adoption of these tactics among cybercriminals.
- Early 2024: In just the first two months of the year, crypto drainers have already amassed $104 million in stolen funds. This sharp increase underscores the escalating sophistication and frequency of these attacks.
Drainers-as-a-Service (DaaS)*: a malicious service model in which wallet-draining tools are rented out to less skilled attackers. It works much like Ransomware-as-a-Service (RaaS): operators on the dark web sell the service with user-friendly dashboards, customization options and customer support, making it easier for non-technical criminals to execute attacks.
How Do Crypto Wallet Drainers Work?
Phishing or Impersonation Phase
Attackers seek access to a victim’s private key using phishing techniques. They set up a fraudulent website mimicking a legitimate wallet site, complete with SSL certificates and familiar features.
Victims enter their mnemonic phrase on the fake site and often encounter a fake error message such as “an error occurred, try again later.” By the time the victim sees that message, the attacker has already moved on to the next stage.
Wallet Drainer Phase
The crypto drainer is activated using the stolen mnemonic phrase.
The drainer simulates a real wallet by generating HD keys and multiple addresses under the master private key’s control.
The drainer uses blockchain explorers to check these addresses for assets. For each asset found, the drainer immediately creates and signs a transaction to transfer the asset to a new wallet.
Experienced scammers often create new wallets for each theft, making it challenging to trace the stolen funds.
Common Tactics Used by Crypto Wallet Drainers
These tactics are common methods used by attackers to drain cryptocurrency wallets.
Fake Airdrops and Giveaways: Fraudsters post announcements about fake airdrops or giveaways, enticing users to connect their wallets to claim free tokens. In reality, these sites are designed to capture wallet details for theft.
Example: A fake social media account impersonating a famous cryptocurrency project announces a free token giveaway. They instruct users to visit a website and link their wallets to receive free tokens. Once users connect their wallets, their funds are drained by the scammers.
Bait-and-Switch Phishing Attacks: Scammers create fake versions of popular crypto exchanges or decentralized finance (DeFi) platforms. These sites appear legitimate but are set up to steal users’ funds.
Example: You receive an email claiming to be from a well-known crypto exchange, stating that you need to verify your account due to suspicious activity. The email links to a site that looks like the Binance interface. When you log in, the scammers capture your credentials and drain your account.
Malicious Browser Extensions: Cybercriminals offer fake browser extensions that promise enhanced crypto trading features or improved security. Instead, these extensions are designed to steal wallet credentials and other sensitive information.
Example: You install a browser extension that advertises helping you track your crypto portfolio and manage trades more efficiently. After installing it, you notice unusual transactions in your wallet. The extension secretly steals and sends your private keys to the attacker.
Search Engine and Social Media Advertisement Scams: Scammers create deceptive advertisements on various platforms that promote fake cryptocurrency investment opportunities or services. These ads often feature unrealistic promises of high returns or exclusive deals. Clicking on these ads can lead users to phishing sites or fraudulent services designed to steal wallet information or investments.
Example: While browsing social media, you see an ad for a new crypto investment platform offering lucrative returns on investments. You click on the ad and sign up, only to realize later that the platform is fake and your funds are drained.
Malicious Smart Contracts: These contracts are designed to perform unauthorized actions, such as transferring funds without the user’s consent, by exploiting vulnerabilities in smart contract code.
Example: You join a new DeFi project and interact with their smart contract to stake your tokens for high returns. However, the contract has hidden code that transfers a percentage of your tokens to the scammer’s wallet every time you make a transaction.
A look at Inferno Drainer: The largest crypto scam-as-a-service platform that Group-IB helped uncover
Inferno Drainer is one of the most notorious crypto drainers. It is estimated to have stolen over $80 million, making it the largest contributor to crypto drainer losses. Research by Group-IB’s High-Tech Crime Investigation unit uncovered a sophisticated scam-as-a-service scheme that used high-quality phishing pages to lure unsuspecting users into connecting their cryptocurrency wallets to the attackers’ infrastructure, which spoofed Web3 protocols to trick victims into authorizing transactions. Inferno Drainer was active from November 2022 until an announced shutdown in November 2023, but users may still be at risk.
Key Findings
- Operational Period: Inferno Drainer operated under a scam-as-a-service model from November 2022 to November 2023.
- Phishing Tactics: Through sophisticated phishing websites, victims were deceived into connecting their wallets with the attackers’ infrastructure.
- Scale of Operations: Group-IB identified over 16,000 unique domains linked to Inferno Drainer, impersonating at least 100 crypto brands.
- Malicious Scripts: The drainer used scripts to spoof popular Web3 protocols, tricking users into authorizing fraudulent transactions.
- Revenue Model: Under the scam-as-a-service framework, Inferno Drainer’s organizers took 20% of stolen assets, with the remaining 80% going to the user of the service.
- Current Status: Although Inferno Drainer announced closing operations in November 2023, Group-IB found that its user panel remained active until January 2024. Many past users may have shifted to new schemes, potentially inspiring future drainer malware.
How to Protect Against Crypto Wallet Drainers?
Staying Vigilant:
- Be Cautious with Wallet Connections: Avoid connecting your wallet to unfamiliar sites or chasing free tokens and NFT giveaways, as these are often phishing scams.
- Verify Token Sources: Trust only official websites for tokens and check them at CoinMarketCap.
If You Fall Victim:
- Transfer Remaining Assets: Move any remaining assets to another wallet.
- Document Evidence: Save the phishing URL, take screenshots, and record your browsing history related to the attack.
- Report the Incident: Contact your local law enforcement agency.
- Seek Professional Help: Contact Group-IB Cyber Investigations for a preliminary assessment of your case. This free assessment helps determine the potential for a successful investigation.
Before Connecting Your Wallet:
- Check Website Registration: Use whois.com to see when the website was registered. New sites (less than six months old) are often fraudulent.
- Verify with Official Sources: Check the mentioned token’s official website and social media to confirm legitimacy.
- Protect Your Private Keys: Never share your private keys or seed phrases.
- Be Cautious with Permissions: Avoid granting broad or unnecessary wallet permissions.
- Inspect Website Source Code: Look for suspicious scripts. If you find unfamiliar code, such as seaport.js, wallet-connect.js, or similar, exit the site immediately.
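One way to automate two of the checks above (domain age from a WHOIS record and suspicious script names in the page source), as an added example that is not the article’s or Group-IB’s own code; the WHOIS text, HTML and date are constructed samples, and the 180-day threshold follows the article’s six-month rule of thumb.

```python
import re
from datetime import date, datetime

# Script filenames the article names as red flags on drainer phishing pages.
SUSPICIOUS_SCRIPTS = {"seaport.js", "wallet-connect.js"}
# The article's rule of thumb: domains under six months old are often fraudulent.
MIN_DOMAIN_AGE_DAYS = 180
SCRIPT_SRC = re.compile(r'<script\b[^>]*\bsrc\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)

def domain_age_days(whois_text, today):
    """Return the domain's age in days from a WHOIS 'Creation Date' line, or None."""
    m = re.search(r"Creation Date:\s*(\d{4}-\d{2}-\d{2})", whois_text)
    if not m:
        return None
    created = datetime.strptime(m.group(1), "%Y-%m-%d").date()
    return (today - created).days

def suspicious_scripts(html):
    """Return the src values of <script> tags whose file name is on the watch list."""
    hits = []
    for src in SCRIPT_SRC.findall(html):
        # Compare only the file name, ignoring the path and any cache-busting query string.
        filename = src.rsplit("/", 1)[-1].split("?", 1)[0].lower()
        if filename in SUSPICIOUS_SCRIPTS:
            hits.append(src)
    return hits

def assess_site(html, whois_text, today):
    """Apply the pre-connection checks and return findings plus a connect verdict."""
    findings = []
    age = domain_age_days(whois_text, today)
    if age is None:
        findings.append("whois: no creation date found")
    elif age < MIN_DOMAIN_AGE_DAYS:
        findings.append(f"whois: domain is only {age} days old")
    findings.extend(f"script: suspicious file {src}" for src in suspicious_scripts(html))
    return {"age_days": age, "findings": findings, "connect": not findings}

# Constructed sample inputs (not real data) so the check runs offline.
SAMPLE_TODAY = date(2024, 3, 1)
SAMPLE_WHOIS = "Domain Name: EXAMPLE-AIRDROP.TEST\nCreation Date: 2024-01-15T10:00:00Z\n"
SAMPLE_HTML = ('<html><body><script src="/static/app.js"></script>'
               '<script src="https://cdn.example.test/js/seaport.js?v=3"></script></body></html>')

if __name__ == "__main__":
    print(assess_site(SAMPLE_HTML, SAMPLE_WHOIS, SAMPLE_TODAY))
```

A real run would feed in the WHOIS output for the domain and the fetched page source; a non-empty findings list means do not connect the wallet.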
Drainers pose significant risks to cryptocurrency holders, and their continued evolution heightens these dangers. The increasing sophistication of phishing attacks is making more people susceptible to scams. Group-IB’s investigation team urges cryptocurrency holders to remain cautious when encountering websites promoting free digital assets or airdrops (ideally by avoiding them!). 2024 and the years that follow could well become the years of crypto wallet drainers, and we can expect to see an increase in the number of drainers, phishing pages and, unfortunately, financial damages. As a result, we recommend that users be especially attentive to any signs of suspicious activity.
For end-to-end cybersecurity solutions to comprehensively secure your crypto platform from emerging risks like smart contract manipulations, ICO scams, drainers, wallet scams, and more, visit our dedicated page or contact our cybersecurity experts.
