Emerging Threat of Crypto Drainers: Inferno Malware Stole $87 Million From 130,000 Victims

by | Jan 19, 2024

According to security researchers with Group-IB, the hottest form of malware in 2024 may well be crypto drainers. A case study of the “Inferno” drainer, the most successful of these operations to date, demonstrates how easy it is for criminals to use and how much profit is potentially available.

Crypto drainers are a new “as a service” offering, akin to ransomware in that this is now the most popular model for the most dangerous (and profitable) groups. That opens the field up to lower-skill affiliates, who can simply choose to give up a little more of their own profit to have nearly all of the hosting and phishing design done for them. Their end is simply to dupe victims via social media, texts or emails, something that becomes easier by the day as AI tools develop.

The most popular crypto drainer of 2023 reached nearly $100 million in theft

Crypto drainers in an “as a service” model burst onto the scene in 2022, but 2023 was the year that they ascended to “major threat” status. Group-IB examines the “Inferno” malware, a drainer that officially operated from November 2022 to November 2023 and is thus far the most successful example in terms of victim count (about 130,000) and stolen assets (about $87 million worth).

Those numbers are of course still below the annual hauls that the biggest ransomware gangs collect, but crypto drainers are also much easier to operate for the affiliate. They don’t really have to have any hacking knowledge at all, with the approach being one of advertising and text-based social engineering instead. Thus far most of the successful efforts have spammed X and Discord with promises of free token giveaways, sometimes employing hacked accounts (which can be bought or obtained by crude credential stuffing) for added legitimacy.

Targets that click through these messages are taken to a phishing page mocked up to look like some sort of legitimate crypto brand, frequently using a JavaScript protocol also named to look like one of the big trusted names of the industry (such as Coinbase or Seaport). The victim is encouraged to connect their crypto wallet to receive the supposed free goodies, at which point their account is totally drained. In the Inferno model, the malware operator takes 20%; for an optional added 10% the affiliate can have the operators provide them with page templates and host them.

A victim of crypto malware or scams has little recourse once the money is gone, since it is a direct wallet-to-wallet transfer. Their best hope is that the funds eventually pass through an exchange based in the US or some other friendly country where they might be frozen and at least partially recovered. However, the most likely outcome is that the criminals will take the funds straight to a mixing service or some Russia-based exchange where they will be beyond reach.

Will crypto drainer malware break out in 2024?

Group-IB, along with a number of other security researchers, believes that crypto drainers are going to be the big malware trend of the coming year. The “as a service” model will spur tremendous growth and invite numerous players that were previously put off by the technical complexities of ransomware or data extortion.

Inferno Drainer essentially got away with it. No members of the group have been identified as of yet, and they rode off into retirement with their cash. The malware is apparently still operational, with security researchers reporting that existing clients were still able to make use of their affiliate panels into January. That will not go unnoticed by other criminals, who will flock to a space perceived as low-risk and high-reward.

All of the crypto drainers in total took in an estimated $295 million in 2023. That’s still far from ransomware money, and these groups do not pose the same risk to critical infrastructure. They also attack people who have deliberately placed assets outside of regulated government banking systems. All of that could add up to international law enforcement making them a low priority even if they are continually stealing larger amounts of money.

Security researchers also expect sophistication of these schemes to increase. Promising fake airdrops on Twitter/X and Discord has been going on for years now, and there is increased general wariness. That will push players in the market to evolve and to seek new hunting grounds.

All of this points to substantial crypto drainer growth in the near term. Crypto holders need to be especially cautious of any promised free giveaways or requests to connect to their wallets, and may consider switching to use of a hardware or encrypted wallet wherever feasible. But the main advice is what already applies to phishing schemes – be vigilant about URLs, especially from unsolicited messages, and potential lookalike assets that are spoofed.

Recent Posts

How can we help?

8 + 13 =

× How can I help you?