"It's time for hell to return," Crypto Drainer rises and falls
Author: Bitrace
Cryptocurrency phishing links are flooding social media like a tide, and their sheer volume and rapid iteration "benefit" from the profit-sharing scheme run by the scam groups behind the tools known as Drainers. A Drainer is a type of malware built specifically to illegally empty, or "drain", cryptocurrency wallets; its developers rent the software out, so anyone willing to pay can use this malicious tool.
This article will list some representative cases of how Drainers assist criminals in scams, theft, extortion, and other activities, helping users deepen their understanding of phishing threats through the analysis of real Drainer victim cases.
Operation Mode of Drainers
Although there are many categories of Drainers, their forms are largely similar—utilizing social engineering techniques, such as impersonating official announcements or airdrop activities, to deceive users.
InfernoDrainer Airdrop Claim
This group promotes its services through Telegram channels and operates a scam-as-a-service model, supplying the phishing websites scammers need to run their fraud. Once a victim scans the QR code on the phishing website and connects their wallet, Inferno Drainer checks the wallet, locates the most valuable and most easily transferable assets, and initiates a malicious transaction. After the victim confirms these transactions, the assets are transferred to the criminals' accounts: 20% of the stolen assets go to the developers of Inferno Drainer, while 80% goes to the scammers.
Source: Group-IB
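The drainer flow above ends with the victim confirming a transaction that hands control of their most valuable tokens to the attacker. The following is an added example, not Inferno Drainer's code and not any wallet's real implementation: a pre-signing check that decodes the calldata of an EVM transaction the user is about to confirm and flags the shapes such a hand-over relies on (an unlimited ERC-20 approve(), a setApprovalForAll(true), or a direct transfer() to an address the user has never dealt with). The 4-byte selectors are the first four bytes of keccak256 of the canonical function signatures; the trusted-address set, the sample addresses and the sample transactions are constructed for the example.

```python
"""Pre-signing inspection of EVM transaction calldata (added example; not a
drainer's code and not any wallet's actual implementation). It decodes the
request a wallet is about to sign and flags approvals and transfers that
would let a third party move the user's tokens. The trusted-address set
and all sample values below are constructed for this example."""

from dataclasses import dataclass
from typing import List, Optional, Set

# 4-byte selectors: keccak256(signature)[:4]
SEL_APPROVE = "095ea7b3"               # approve(address,uint256)
SEL_TRANSFER = "a9059cbb"              # transfer(address,uint256)
SEL_SET_APPROVAL_FOR_ALL = "a22cb465"  # setApprovalForAll(address,bool)

MAX_UINT256 = 2**256 - 1
SEVERITY_RANK = {"info": 0, "medium": 1, "high": 2}


@dataclass
class Finding:
    severity: str  # "info" | "medium" | "high"
    reason: str


def _abi_words(data: str, count: int) -> Optional[List[str]]:
    """Split the 32-byte ABI words after the selector; None if data is too short."""
    body = data[8:]
    if len(body) < 64 * count:
        return None
    return [body[64 * i:64 * (i + 1)] for i in range(count)]


def _addr(word: str) -> str:
    """Last 20 bytes of a 32-byte ABI word, as a lowercase 0x address."""
    return "0x" + word[-40:]


def inspect_calldata(calldata: str, trusted: Set[str]) -> List[Finding]:
    """Return findings describing what signing this calldata would authorise."""
    data = calldata.lower().removeprefix("0x")
    if len(data) < 8:
        return [Finding("info", "no calldata: plain value transfer")]
    selector = data[:8]
    words = _abi_words(data, 2)
    known = (SEL_APPROVE, SEL_TRANSFER, SEL_SET_APPROVAL_FOR_ALL)
    if selector in known and words is None:
        return [Finding("high", "calldata shorter than the ABI encoding of its selector")]

    findings: List[Finding] = []
    if selector == SEL_APPROVE:
        spender, amount = _addr(words[0]), int(words[1], 16)
        if amount == MAX_UINT256:
            findings.append(Finding("high", f"unlimited ERC-20 approval to {spender}"))
        elif amount > 0:
            findings.append(Finding("medium", f"ERC-20 approval of {amount} units to {spender}"))
        if spender not in trusted:
            findings.append(Finding("high", f"spender {spender} is not a known contract"))
    elif selector == SEL_SET_APPROVAL_FOR_ALL:
        operator, approved = _addr(words[0]), int(words[1], 16) == 1
        if approved:
            findings.append(Finding("high", f"setApprovalForAll(true) lets {operator} move every NFT in the collection"))
            if operator not in trusted:
                findings.append(Finding("high", f"operator {operator} is not a known contract"))
    elif selector == SEL_TRANSFER:
        to, amount = _addr(words[0]), int(words[1], 16)
        if to not in trusted:
            findings.append(Finding("medium", f"direct transfer of {amount} units to unknown address {to}"))
        else:
            findings.append(Finding("info", f"transfer of {amount} units to known address {to}"))
    else:
        findings.append(Finding("info", f"unrecognised selector 0x{selector}; decode it against the contract ABI"))
    return findings


def risk_level(findings: List[Finding]) -> str:
    """Highest severity across the findings ('info' when there are none)."""
    return max((f.severity for f in findings), key=SEVERITY_RANK.get, default="info")


def encode_call(selector: str, *args: int) -> str:
    """Build calldata from a selector and static ABI arguments (used for samples)."""
    return "0x" + selector + "".join(f"{a:064x}" for a in args)


# Constructed sample addresses for the demo; not real accounts.
ATTACKER = "0x" + "ab" * 20
KNOWN_DEX = "0x" + "cd" * 20
TRUSTED = {KNOWN_DEX}

if __name__ == "__main__":
    samples = {
        "drainer-style approval": encode_call(SEL_APPROVE, int(ATTACKER, 16), MAX_UINT256),
        "bounded approval to a known contract": encode_call(SEL_APPROVE, int(KNOWN_DEX, 16), 1000),
        "plain ETH send": "0x",
    }
    for label, cd in samples.items():
        found = inspect_calldata(cd, TRUSTED)
        print(f"{label}: {risk_level(found)}")
        for f in found:
            print(f"  [{f.severity}] {f.reason}")
```

The check is deliberately conservative: an unlimited approval or a blanket NFT operator grant is flagged regardless of the spender, because the loss in the cases above comes from the signature itself, not from the site that requested it. A real wallet would source the trusted set from verified contract registries rather than a hard-coded set, and would also decode EIP-712 typed-data permits, which this calldata-only check does not cover.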
Scam groups that purchase this malware service mainly lure potential victims into fraudulent transactions through phishing websites impersonating well-known cryptocurrency projects: look-alike Twitter accounts post large numbers of fake airdrop claim links in the replies to official Twitter accounts, enticing users to visit the website. Careless users may suffer financial losses. (Imitation account @BlasqtL2, official account @BlastL2)
PinkDrainer Social Media Attacks
Besides the malware-as-a-service model described above, social engineering attacks are another common Drainer tactic: stealing the Discord and Twitter accounts of high-traffic individuals or projects, then posting false information containing phishing links to steal user assets. Hackers lure Discord administrators into opening malicious "Carl" verification bots and adding bookmarks containing malicious code, which steal the administrators' permissions. After obtaining permissions, hackers may remove the other administrators, set malicious accounts as administrators, and tamper with the main account to prolong the entire attack.
"DragMe" actually contains malicious JS code that can steal users' Discord Tokens
Hackers then send phishing links from the stolen Discord accounts, tricking users into opening malicious websites and signing malicious signature requests, thereby stealing their assets. As of this writing, Pink Drainer has hit 21,131 victims, with stolen amounts reaching $85,297,091.
LockBit Ransomware Services
LockBit is a Russian ransomware-as-a-service organization that provides domain names, malware development, and maintenance, and keeps 20% of the ransom paid by victims infected with its code; the users of the ransomware service are responsible for finding targets and receive 80% of the final ransom paid.
According to the U.S. Department of Justice, this group first appeared in September 2019 and has attacked thousands of victims worldwide, extorting over $120 million in ransom. Recently, the U.S. charged a Russian man as the leader of the LockBit ransomware group, froze over 200 cryptocurrency accounts believed to be linked to the group's activities, and sanctioned the organization.
The Great Harm of Drainers
Take a Pink Drainer case recorded by Bitrace as an example: the victim lost $287,000 worth of cryptocurrency after clicking on a phishing website and granting authorization. The phishing site was pacnoon.io, promoted on social media during the early launch of the Blast public chain to lure users into claiming airdrops. It differs from the official website pacmoon.io by only one letter (pacmoon is a well-known project on Blast that used an airdrop token distribution for its launch), making it easy for users to confuse the two.
Based on the transaction hash provided by the victim, we found that the theft transaction was initiated by Pink Drainer. After it succeeded, 36,200 $RBN entered Pink Drainer's fund aggregation address, while 144,900 $RBN went to the hacker's address, showing the two criminal groups completing their profit-sharing split. According to Bitrace platform data, from March 2023 to now, the fund aggregation address involved in this case has handled a transaction volume of up to 8,143.44 $ETH and 910,000 $USDT.
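Both the pacnoon.io / pacmoon.io pair in this case and the @BlasqtL2 / @BlastL2 pair in the Inferno Drainer section are one-character look-alikes, which is exactly what a simple edit-distance check against an allow-list of official names catches before a user clicks. The following is an added example, not Bitrace's tooling: it normalizes a URL, host name or handle (lower-casing, stripping scheme, path and "www.", and folding a few confusable characters), then classifies it as the official name, a near miss within a small edit distance of one, or unrelated. The allow-lists contain only the official names quoted on this page, and the threshold and other sample inputs are constructed for the example.

```python
"""Look-alike detection for domains and social handles (added example; not
Bitrace's tooling). Compares a name seen in a link or reply against an
allow-list of official names using Levenshtein distance after normalization.
The allow-lists hold only the official names quoted in the article; the
distance threshold and the other sample inputs are constructed."""

from typing import Optional, Set, Tuple
from urllib.parse import urlsplit

# Digits commonly swapped for the letters they resemble.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def levenshtein(a: str, b: str) -> int:
    """Minimum number of single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _fold(s: str) -> str:
    """Fold confusable characters so visually similar strings compare equal."""
    return s.translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")


def normalize_domain(url_or_host: str) -> str:
    """Reduce a URL or host to a comparable registrable host name."""
    host = url_or_host.strip().lower()
    if "://" in host:
        host = urlsplit(host).hostname or ""
    else:
        host = host.split("/")[0]
    return _fold(host.removeprefix("www."))


def normalize_handle(handle: str) -> str:
    """Reduce a social-media handle ('@Name') to a comparable form."""
    return _fold(handle.strip().lstrip("@").lower())


def classify(name: str, official: Set[str], max_distance: int = 2) -> Tuple[str, Optional[str]]:
    """Return ('official', match), ('lookalike', nearest official) or ('unknown', None)."""
    if name in official:
        return "official", name
    nearest = min(official, key=lambda o: levenshtein(name, o))
    if levenshtein(name, nearest) <= max_distance:
        return "lookalike", nearest
    return "unknown", None


# Official names quoted in the article, normalized the same way as inputs.
OFFICIAL_DOMAINS = {normalize_domain("pacmoon.io")}
OFFICIAL_HANDLES = {normalize_handle("@BlastL2")}


def check_domain(url_or_host: str) -> Tuple[str, Optional[str]]:
    return classify(normalize_domain(url_or_host), OFFICIAL_DOMAINS)


def check_handle(handle: str) -> Tuple[str, Optional[str]]:
    return classify(normalize_handle(handle), OFFICIAL_HANDLES)


if __name__ == "__main__":
    for sample in ["https://pacnoon.io/claim", "https://pacmoon.io/claim", "example.org"]:
        print(sample, "->", check_domain(sample))
    for sample in ["@BlasqtL2", "@BlastL2"]:
        print(sample, "->", check_handle(sample))
```

A fixed threshold of two edits is appropriate for names of this length; for very short names it should shrink to one, or unrelated names start to match. The same comparison can run on the sending handle of a reply, which is how the fake airdrop links in the Inferno Drainer campaign were delivered.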
Statistics show that in 2023 Drainers stole nearly $295 million in assets from 324,000 victims. As the figure below shows, most Drainers only became active last year, yet they have already caused significant economic losses: the seven Drainers listed in the figure have stolen hundreds of millions of dollars between them, highlighting how widespread and serious the threat is.
Source: Scam Sniffer
Conclusion
The notorious group Pink Drainer announced its retirement on May 17, 2024. Four days later, the Inferno Drainer team posted, "We decided it's time for hell to return." With Pink Drainer ceasing operations, Inferno Drainer has taken over; whenever one Drainer exits, a new Drainer emerges, and phishing activities continue to rise and fall.
With criminal groups rampant, a secure cryptocurrency environment requires joint efforts from all parties. Bitrace will continue to expose new cryptocurrency scam techniques, fund tracing, prevention measures, and more to cultivate users' fraud awareness. If you unfortunately suffer losses, feel free to contact us for assistance.
Reference Links
https://drops.scamsniffer.io/post/pink-drainer-steals-3m-from-multiple-hack-events-including-openai-cto-orbiter-finance/
https://www.group-ib.com/blog/inferno-drainer/
https://krebsonsecurity.com/2024/05/u-s-charges-russian-man-as-boss-of-lockbit-ransomware-group/