The operators behind the now-defunct Inferno Drainer created more than 16,000 unique malicious domains over a span of one year between 2022 and 2023. The scheme leveraged high-quality phishing pages to lure unsuspecting users into connecting their cryptocurrency wallets with the attackers' infrastructure that spoofed Web3 protocols to trick victims into authorizing transactions. A crypto drainer is a malicious tool or script specially designed to transfer or redirect cryptocurrency from a victim’s wallet to that under the control of an attacker. Drainers targeting MetaMask first appeared around 2021, openly marketed in underground forums and marketplaces.
Inferno Drainer, active from November 2022 to November 2023, is estimated to have reaped over $87 million in illicit profits by scamming more than 137,000 victims. The malware is part of a broader set of similar offerings available to affiliates under the Scam-as-a-Service (or Drainer-as-a-Service) model in exchange for a 20% cut of their earnings.[1]
See: https://redskyalliance.org/xindustry/scam-as-a-service-now-available
Customers of Inferno Drainer could either upload the malware to their own phishing sites or use the developer's service for creating and hosting phishing websites, either at no extra cost or charging 30% of the stolen assets in some cases. According to investigators, the activity spoofed over 100 cryptocurrency brands via specially crafted pages hosted on over 16,000 unique domains.
An analysis of 500 of these domains has revealed that the JavaScript-based drainer was hosted initially on a GitHub repository (kuzdaz.github[.]io/seaport/seaport.js) before incorporating them directly on the websites. The user "kuzdaz" currently does not exist. Similarly, another set of 350 sites included a JavaScript file, "coinbase-wallet-sdk.js," on a different GitHub repository, "kasrlorcian. github[.]io." These sites were then propagated on sites like Discord and X (formerly Twitter), enticing potential victims into clicking them under the guise of offering free tokens (aka airdrops) and connecting their wallets, at which point their assets are drained once the transactions are approved.
Using the names seaport.js, coinbase.js, and wallet-connect.js, the idea was to masquerade as popular Web3 protocols like Seaport, WalletConnect, and Coinbase to complete the unauthorized transactions. The earliest website containing one of these scripts dates back to 15 May 2023. Another typical feature of phishing websites belonging to Inferno Drainer is that users cannot open website source code by using hotkeys or right-clicking on the mouse. This means that the criminals attempted to hide their scripts and illegal activity from their victims.
The Google-owned Mandiant's X account was compromised earlier this month to distribute links to a phishing page hosting a cryptocurrency drainer tracked as CLINKSINK. “We believe that the ‘X as a service’ model will continue to thrive, not least because it creates greater opportunities for less technically competent individuals from trying their hand at becoming cybercriminals, and for developers, it is a highly profitable way to bolster their revenues,” the company reported. “We also expect to see increased attempts at hacking official accounts, as posts purportedly authored by an authoritative voice are likely to inspire trust in the eyes of viewers and may make potential victims more likely to follow links and connect their accounts.”
The success of Inferno Drainer could fuel the development of new drainers as well as lead to a surge in websites containing malicious scripts spoofing Web3 protocols, noting 2024 could become the “year of the drainer.” Inferno Drainer may have ceased its activity, but its prominence throughout 2023 highlights the severe risks to cryptocurrency holders as drainers develop further.
This article is presented at no charge for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. Call for assistance. For questions, comments, a demo, or assistance, please get in touch with the office directly at 1-844-492-7225 or feedback@redskyalliance.com
Reporting: https://www.redskyalliance.org/
Website: https://www.redskyalliance.com/
LinkedIn: https://www.linkedin.com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/5993554863383553632
[1] https://thehackernews.com/2024/01/inferno-malware-masqueraded-as-coinbase.html
Comments