The operators behind the now-defunct Inferno Drainer created more than 16,000 unique malicious domains over the course of one year, between 2022 and 2023.
The scheme “leveraged high-quality phishing pages to lure unsuspecting users into connecting their cryptocurrency wallets with the attackers’ infrastructure that spoofed Web3 protocols to trick victims into authorizing transactions,” Singapore-headquartered Group-IB said in a report shared with The Hacker News.
Inferno Drainer, active from November 2022 to November 2023, is estimated to have reaped over $87 million in illicit profits by scamming more than 137,000 victims.
The malware is part of a broader set of similar offerings available to affiliates under the scam-as-a-service (or drainer-as-a-service) model in exchange for a 20% cut of their earnings.
What’s more, customers of Inferno Drainer could either upload the malware to their own phishing sites or use the developer’s service to create and host phishing websites, either at no extra cost or, in some cases, for a 30% cut of the stolen assets.
According to Group-IB, the activity spoofed over 100 cryptocurrency brands via specially crafted pages hosted on over 16,000 unique domains.
Further analysis of 500 of these domains has revealed that the JavaScript-based drainer was initially hosted on a GitHub repository (kuzdaz.github[.]io/seaport/seaport.js) before the script was embedded directly in the websites. The user “kuzdaz” currently does not exist.
Similarly, another set of 350 sites included a JavaScript file, “coinbase-wallet-sdk.js,” hosted on a different GitHub repository, “kasrlorcian.github[.]io.”
Links to these sites were then spread on platforms like Discord and X (formerly Twitter), enticing potential victims to click them under the guise of free token giveaways (aka airdrops) and connect their wallets, at which point their assets are drained once the transactions are approved.
Using the names seaport.js, coinbase.js, and wallet-connect.js, the idea was to masquerade as popular Web3 protocols like Seaport, WalletConnect, and Coinbase to complete the unauthorized transactions. The earliest website containing one of these scripts dates back to May 15, 2023.
“Another typical feature of phishing websites belonging to Inferno Drainer was that users cannot open website source code by using hotkeys or right-clicking on the mouse,” Group-IB analyst Viacheslav Shevchenko said. “This means that the criminals attempted to hide their scripts and illegal activity from their victims.”
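As an added defender-side example (not code from the report or from Group-IB), the two traits described above, lookalike Web3 SDK scripts served from a GitHub Pages host and page handlers that block right-click or hotkeys, can be turned into a triage heuristic for a captured phishing page. The script filenames come from the article; the sample HTML, the placeholder host name and the event list are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Script filenames the report says Inferno Drainer pages used to impersonate Web3 SDKs.
LOOKALIKE_SCRIPTS = {"seaport.js", "coinbase.js", "coinbase-wallet-sdk.js", "wallet-connect.js"}
# Browser events whose suppression hides the page source from a victim (contextmenu = right click).
SUPPRESSED_EVENTS = {"contextmenu", "keydown", "keyup", "keypress"}
# Script bodies that hook one of those events and then cancel it (assumed pattern, not from the report).
_INLINE_BLOCK = re.compile(r"(contextmenu|keydown|keyup|keypress).{0,200}?(preventDefault|return\s+false)", re.S)


class _Triage(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            self._in_script = True
            src = attrs.get("src") or ""
            parsed = urlparse(src)
            name = parsed.path.rsplit("/", 1)[-1].lower()
            # Hosting pattern from the report: a lookalike SDK name served from a user's GitHub Pages site.
            if name in LOOKALIKE_SCRIPTS and parsed.netloc.lower().endswith("github.io"):
                self.findings.append(f"lookalike Web3 SDK script loaded from GitHub Pages: {src}")
        # Inline handlers such as oncontextmenu="return false" disable right-click or hotkeys.
        for attr, value in attrs.items():
            if attr.startswith("on") and attr[2:] in SUPPRESSED_EVENTS:
                self.findings.append(f"<{tag}> suppresses '{attr[2:]}' via inline handler: {value}")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        match = _INLINE_BLOCK.search(data) if self._in_script else None
        if match:
            self.findings.append(f"inline script cancels '{match.group(1)}' events (hides source/devtools hotkeys)")


def triage_html(html: str) -> list:
    """Return findings for a captured page; an empty list means no drainer-page heuristic matched."""
    parser = _Triage()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page (not from the report); 'example-user' is a placeholder, not a real indicator.
SAMPLE_PAGE = """<html><body oncontextmenu="return false">
<script src="https://example-user.github.io/seaport/seaport.js"></script>
<script>document.addEventListener('keydown', function (e) { if (e.ctrlKey) e.preventDefault(); });</script>
<button>Claim airdrop</button></body></html>"""

if __name__ == "__main__":
    for finding in triage_html(SAMPLE_PAGE):
        print("[!]", finding)
```

Run against a saved copy of a suspect page; each finding is a lead for analyst review, not proof on its own, since legitimate sites also block right-click occasionally.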
It’s worth noting that Google-owned Mandiant’s X account was compromised earlier this month to distribute links to a phishing page hosting a cryptocurrency drainer tracked as CLINKSINK.
“Inferno Drainer may have ceased its activity, but its prominence throughout 2023 highlights the severe risks to cryptocurrency holders as drainers continue to develop further,” Andrey Kolmakov, head of Group-IB’s High-Tech Crime Investigation Department, said.