From November 2022 to November 2023, the notorious Inferno Drainer orchestrated a massive crypto scam, stealing over $87 million and victimizing more than 137,000 individuals.
The malware was run under a scam-as-a-service model: affiliates kept most of what they stole, while the drainer's operators took a 20% cut of the ill-gotten gains.
The Scam-as-a-Service Model Unveiled
Under the scam-as-a-service model, affiliates could leverage Inferno Drainer by either deploying the malware on their phishing sites or utilizing the developer's service for crafting and hosting phishing websites.
According to The Hacker News, the latter option came with either no extra cost or a charge of 30% of the stolen assets in some instances.
Crafty Spoofing of Cryptocurrency Brands
Inferno Drainer's operators created spoofed pages imitating over 100 cryptocurrency brands, and these deceptive pages were distributed across a staggering 16,000 unique domains.
Closer analysis showed that the JavaScript-based drainer was first hosted in a GitHub repository, specifically at kuzdaz.github[.]io/seaport/seaport.js. Another variant, using the JavaScript file "coinbase-wallet-sdk.js," resided in a separate GitHub repository, kasrlorcian.github[.]io.
These malicious scripts were then disseminated through platforms like Discord and X (formerly Twitter). They enticed unsuspecting victims with promises of free tokens (airdrops) and wallet connections, and drained their assets once the victims approved the transactions.
Impersonating Web3 Protocols
To heighten the deception, Inferno Drainer adopted names like seaport.js, coinbase.js, and wallet-connect.js, posing as popular Web3 protocols such as Seaport, WalletConnect, and Coinbase.
The objective was to camouflage unauthorized transactions under the guise of legitimate protocols, with the earliest website housing one of these scripts dating back to May 15, 2023.
The 'X as a Service' Model's Ominous Future
Security experts anticipate the continued success of the 'X as a service' model, providing opportunities for less technically skilled individuals to venture into cybercrime. Additionally, developers find it a lucrative avenue to boost their revenues.
The compromise of Google-owned Mandiant's X account earlier this month, distributing links to a phishing page hosting a cryptocurrency drainer (CLINKSINK), underscores the potential for this model's prevalence.
Inferno Drainer's Impact is Still Felt
While Inferno Drainer may have ceased its operations, its impact reverberates, signaling the persistence of cryptocurrency threats.
"Another typical feature of phishing websites belonging to Inferno Drainer was that users cannot open website source code by using hotkeys or right-clicking on the mouse. This means that the criminals attempted to hide their scripts and illegal activity from their victims," Group-IB analyst Viacheslav Shevchenko said.
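The two traits described above, lookalike Web3 library file names served from untrusted hosts and scripts that suppress right-click or view-source hotkeys, lend themselves to a simple heuristic check of a captured page. The following Python is an added illustration of such a check and is not code from Group-IB, The Hacker News, or the original article; the sample HTML, the allow-list TRUSTED_SCRIPT_HOSTS and the keyboard-shortcut patterns are constructed assumptions, and the only page-specific value reused is the kuzdaz.github[.]io script path reported above.

```python
"""Heuristic scan of captured HTML for two Inferno-Drainer-style indicators:
(1) <script src> file names that imitate well-known Web3 libraries but are
    served from a host outside an allow-list, and
(2) inline JavaScript or event-handler attributes that block the context menu,
    F12 or Ctrl+U, i.e. attempts to hide the page source from the victim.
The allow-list and the sample pages below are constructed for this example."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# File names the article reports the drainer used to pose as legitimate Web3 libraries.
WEB3_LIBRARY_NAMES = {"seaport.js", "coinbase.js", "coinbase-wallet-sdk.js", "wallet-connect.js"}

# Assumed allow-list of hosts that may legitimately serve those libraries (placeholder).
TRUSTED_SCRIPT_HOSTS = {"cdn.example-trusted.invalid"}

# Constructed patterns for common "disable view source" tricks in inline JavaScript.
SOURCE_HIDING_PATTERNS = [
    re.compile(r"oncontextmenu\s*=\s*['\"]?\s*return\s+false", re.I),   # right-click disabled
    re.compile(r"addEventListener\(\s*['\"]contextmenu['\"]", re.I),     # right-click handler
    re.compile(r"keyCode\s*==+\s*123", re.I),                            # F12 (dev tools)
    re.compile(r"ctrlKey\s*&&.*(keyCode\s*==+\s*85|key\s*==+\s*['\"]u['\"])", re.I),  # Ctrl+U
]


class DrainerIndicatorParser(HTMLParser):
    """Collects (indicator, detail) tuples while parsing one HTML document."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False
        self._script_text = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # HTMLParser lower-cases attribute names
        if tag == "script":
            self._in_script = True
            self._script_text = []
            if attrs.get("src"):
                self._check_script_src(attrs["src"])
        # Inline handlers such as <body oncontextmenu="return false">.
        for name, value in attrs.items():
            if name.startswith("on") and value:
                self._check_inline_js(f"{name}={value}", where=f"<{tag} {name}>")

    def handle_data(self, data):
        if self._in_script:
            self._script_text.append(data)  # script bodies may arrive in chunks

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            self._check_inline_js("".join(self._script_text), where="<script> body")

    def _check_script_src(self, src):
        parsed = urlparse(src)
        filename = parsed.path.rsplit("/", 1)[-1].lower()
        # A lookalike name from any host not on the allow-list (including a relative
        # path on the phishing site itself) is flagged; the allow-list is an assumption.
        if filename in WEB3_LIBRARY_NAMES and parsed.hostname not in TRUSTED_SCRIPT_HOSTS:
            self.findings.append(("lookalike_web3_script", src))

    def _check_inline_js(self, js, where):
        for pattern in SOURCE_HIDING_PATTERNS:
            if pattern.search(js):
                self.findings.append(("source_hiding", where))
                break  # one finding per script/attribute is enough


def scan_html(html):
    """Return the list of (indicator, detail) findings for one captured page."""
    parser = DrainerIndicatorParser()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample of a drainer-style page: right-click disabled, a lookalike
# seaport.js loaded from the github.io path reported in the article, and a
# keydown handler that swallows F12 and Ctrl+U.
SAMPLE_PHISHING_HTML = """<html><body oncontextmenu="return false">
<script src="https://kuzdaz.github.io/seaport/seaport.js"></script>
<script>
document.addEventListener('keydown', function (e) {
  if (e.keyCode == 123 || (e.ctrlKey && e.keyCode == 85)) { e.preventDefault(); }
});
</script>
</body></html>"""

# Constructed benign sample: same library name, but from the allow-listed host.
SAMPLE_BENIGN_HTML = """<html><body>
<script src="https://cdn.example-trusted.invalid/seaport.js"></script>
</body></html>"""

if __name__ == "__main__":
    for label, page in (("phishing", SAMPLE_PHISHING_HTML), ("benign", SAMPLE_BENIGN_HTML)):
        print(label, scan_html(page))
```

The check is deliberately narrow: it flags only the two behaviours the article attributes to these pages, so it is a triage aid for a captured page or a crawler feed, not a verdict. Absence of findings says nothing about a page, and a legitimate site that self-hosts a library under one of these names will be flagged until its host is added to the allow-list.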
Experts warn of potential developments in new drainers and a surge in websites hosting malicious scripts masquerading as Web3 protocols, hinting that 2024 could be deemed the "year of the drainer."
Andrey Kolmakov, head of Group-IB's High-Tech Crime Investigation Department, describes the lingering risks to cryptocurrency holders and the evolving landscape of crypto scams.
The aftermath of Inferno Drainer serves as a stark reminder of the ever-present dangers in the crypto space.