
Helping to steal crypto assets is increasingly becoming a "business" model for criminals, who are selling malicious software to wannabe thieves.
This was the conclusion of an investigation by crypto compliance solution provider AMLBot, which also examined the Medusa drainer more closely.
According to the company, the drainer-as-a-service (DaaS) model and the broader drainer ecosystem have evolved significantly, as many drainer operators are now adopting this approach.
It allows criminal developers to reduce risks by avoiding direct interaction with victims, provides consistent revenue streams, and enables fraudsters to bypass all the programming work by simply buying malware via Telegram groups, Discord servers, or Clearnet and Darknet forums.
The purchased drainer is then pushed to victims through fake applications, social engineering, fake airdrops, or other token distributions that lure users into connecting their wallets.

"Newcomers gain access to a complete fraud toolkit, while developers benefit from an expanding client base and industry connections," AMLBot said.
The "fraud toolkit" includes access to domain rentals for crypto schemes, proxy purchases to obscure online activities, identity verification data, and hacked or new accounts on platforms like Telegram, Discord, and X.
For example, according to AMLBot, the Medusa drainer used Telegram as its main communication channel. Its channel had 1,500 subscribers in February 2024, activity peaked in May 2024, and the operation has been inactive since August of the same year. At that May peak, up to 200 phishing domains linked to the drainer were registered.
In their DaaS model, Medusa criminals asked for upfront payment, while other drainers, such as Angel Drainer, charged a percentage of stolen funds. However, it seems their "clients" weren’t happy with the "service," as users "frequently complained about unprofessional and unresponsive customer service," and the Medusa team itself was accused of defrauding its own clients.
To protect oneself from crypto drainers, AMLBot emphasizes the importance of staying vigilant while interacting online, double-checking suspicious links, and using crypto-specific precautions such as storing assets in multiple wallets, using hardware wallets, and employing multisignature setups that require more than one signature to approve a transaction.
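The multisignature recommendation above is easy to state but worth seeing as logic. The following Go program is an added illustration written for this page; it is not AMLBot's code and not taken from any wallet or chain implementation. It models an m-of-n wallet with Ed25519 keys (a constructed stand-in for whatever signature scheme a real chain uses) and shows why a drainer that captures a single signature cannot move funds: the authorization check counts only distinct signers, only valid signatures, and only signatures over the exact transaction being approved. The `Transaction`, `Approval` and `MultisigWallet` types, and the `NewWallet`/`Sign` helpers, are hypothetical names chosen for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Transaction is a constructed stand-in for a transfer request.
type Transaction struct {
	To     string
	Amount uint64
	Nonce  uint64
}

// Digest binds every field of the transaction into the message that is signed,
// so a signature over one transfer cannot be replayed onto another.
func (t Transaction) Digest() []byte {
	h := sha256.Sum256([]byte(fmt.Sprintf("%s|%d|%d", t.To, t.Amount, t.Nonce)))
	return h[:]
}

// Approval is one signer's signature over a transaction digest.
type Approval struct {
	Signer int    // index into the wallet's signer set
	Sig    []byte // Ed25519 signature over Transaction.Digest()
}

// MultisigWallet releases funds only when at least Threshold distinct
// registered signers have produced valid signatures over the same transaction.
type MultisigWallet struct {
	Threshold int
	Signers   []ed25519.PublicKey
}

// NewWallet generates n signer key pairs and a wallet requiring m of them.
// Private keys are returned only so the example can sign; in practice each
// would live on its own hardware wallet (hypothetical helper for this example).
func NewWallet(n, m int) ([]ed25519.PrivateKey, MultisigWallet) {
	privs := make([]ed25519.PrivateKey, n)
	pubs := make([]ed25519.PublicKey, n)
	for i := range privs {
		pub, priv, err := ed25519.GenerateKey(rand.Reader)
		if err != nil {
			panic(err)
		}
		privs[i], pubs[i] = priv, pub
	}
	return privs, MultisigWallet{Threshold: m, Signers: pubs}
}

// Sign produces signer idx's approval of tx (hypothetical helper).
func Sign(priv ed25519.PrivateKey, idx int, tx Transaction) Approval {
	return Approval{Signer: idx, Sig: ed25519.Sign(priv, tx.Digest())}
}

// Authorize returns nil only when the threshold is met by distinct, valid signers.
func (w MultisigWallet) Authorize(tx Transaction, approvals []Approval) error {
	digest := tx.Digest()
	seen := make(map[int]bool)
	for _, a := range approvals {
		if a.Signer < 0 || a.Signer >= len(w.Signers) {
			continue // unknown signer index: ignored
		}
		if seen[a.Signer] {
			continue // the same key presented twice counts once
		}
		if ed25519.Verify(w.Signers[a.Signer], digest, a.Sig) {
			seen[a.Signer] = true // valid signature over this exact transaction
		}
	}
	if len(seen) < w.Threshold {
		return fmt.Errorf("multisig: %d valid approvals, need %d", len(seen), w.Threshold)
	}
	return nil
}

func main() {
	privs, wallet := NewWallet(3, 2) // 2-of-3 wallet
	tx := Transaction{To: "0xlegit-recipient", Amount: 5, Nonce: 1}

	// A drainer that phished one signer holds exactly one valid approval.
	drained := []Approval{Sign(privs[0], 0, tx)}
	fmt.Println("one compromised key:", wallet.Authorize(tx, drained))

	// Two independent signers (e.g. two hardware wallets) meet the threshold.
	legit := []Approval{Sign(privs[0], 0, tx), Sign(privs[2], 2, tx)}
	fmt.Println("two distinct signers:", wallet.Authorize(tx, legit))
}
```

Running it prints an error for the single-key case and `<nil>` for the two-signer case. The design points a practitioner should carry over to any real multisig setup are visible in `Authorize`: the threshold is over distinct keys, not over signature count, and the digest covers recipient, amount and nonce, so an approval harvested by a phishing page for one transaction is useless for any other.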