It lasted for just one year – but what a year it was. During its 12-month stint on the cybercrime scene, a malware program called Inferno Drainer managed to steal $80 million in digital assets by impersonating 100 cryptocurrency brands across thousands of portals.
The online crime spree, tracked by cybersecurity analyst Group-IB, began in November 2022 and is thought to have terminated in the same month of the following year.
Group-IB described the Inferno Drainer campaign as a “sophisticated scam-as-a-service scheme, which leveraged high-quality phishing pages to lure unsuspecting users into connecting their cryptocurrency wallets with the attackers’ infrastructure.”
The dummy pages spoofed Web3 safety protocols to allay suspicions and were hosted on more than 16,000 unique phishing domains, tricking victims into authorizing transactions that essentially put their digital money into the pockets of the criminals who were conning them.
Group-IB says that it notified legitimate brands that were spoofed by the Inferno Drainer thieves – but that doesn’t appear to have prevented them from enjoying a very good run at their victims’ collective expense.
It cited fellow cyber watchdog Scam Sniffer’s estimate of $80 million for Inferno’s ill-gotten gains, “making it the most prominent crypto drainer of 2023.”
Fraudsters for hire
Inferno Drainer benefited from being hired out to other cybercriminals by its original masterminds, a process known as “scam-as-a-service,” in return for a 20% cut of the eventual criminal proceeds.
Cybercriminal ‘customers’ of Inferno Drainer were given access to a control panel that allowed them to customize features of the malware and also detailed key statistics such as the number of victims connecting their wallets via a specific phishing website, confirmed transactions, and the value of stolen assets.
Additionally, fraudsters using Inferno Drainer could either upload it to their own phishing sites, or make use of the developer’s service for creating and hosting these. In some cases, this service was provided for free, while in others, the administrators took 30% of stolen assets.
Phishing sites created in-house by the Inferno Drainer gang were promoted on social media platforms X, aka Twitter, and Discord, where they purported to offer potential victims the chance to mint their own digital art tokens (NFTs).
The devil in the detail
Malicious JavaScript coding masquerading as popular Web3 protocols such as Seaport, WalletConnect, and Coinbase was embedded into the phishing sites to facilitate the fraudulent transactions.
“Some phishing websites contained multiple scripts impersonating different Web3 protocols,” added Group-IB. “These scripts were accessible to scammers via [coding developer platform] GitHub repositories or as a separate ZIP file hosted on a file-sharing site.”
Commenting on his team’s findings, Group-IB high-tech crime investigation leader Andrey Kolmakov said: “Inferno Drainer may have ceased its activity, but its prominence throughout 2023 highlights the severe risks to cryptocurrency holders as drainers continue to develop further.”
He added: “The ever-growing sophistication of phishing attacks is leaving increasing numbers of people vulnerable, and we urge cryptocurrency holders to remain vigilant and be wary of any website promoting free digital assets.”
Your email address will not be published. Required fields are markedmarked