
Cybersecurity researchers have found that Inferno Drainer, a crypto wallet drainer that was supposedly shut down in 2023, is still operational and, thanks to its upgrades, is now harder to detect.
Experts at Check Point Research (CPR) claim that in the last six months, Inferno stole at least $9 million worth of cryptoassets from more than 30,000 wallets.
According to CPR, the "shutdown" of the drainer "was only a diversionary tactic," as it has continued to operate while its old smart contracts are still being used today, and the criminals behind the software keep refining their methods to bypass security defenses.
For example, the researchers found that the addresses of the drainer's command-and-control servers are now stored encrypted on-chain, and that communication with those servers is routed through proxy servers set up by the service's customers (the affiliates who run the phishing sites).
This makes the Inferno infrastructure "nearly impossible" to trace. Single-use smart contracts and frequent rotation of blockchain addresses also help the drainer bypass the anti-phishing protections built into wallet applications, which typically rely on blocklists of known malicious contracts and addresses.
Meanwhile, per the researchers, the drainer's users frequently rotate domain names, use intermediate servers for conditional redirection, and gate their phishing pages behind security tokens that hinder automated detection of malicious websites.
Besides technical solutions, scammers are testing new social engineering and phishing methods, including fake token distribution, to trick their victims.
For example, in January 2025, users attempting to access a Discord support server from a legitimate Web3 project’s website were sent to a phishing site pretending to be the popular Collab.Land service and hosting a cryptoasset drainer.
The researchers emphasize that the most critical distinguishing factor is the absence of a "Verified App" checkmark on the fake bot. In addition, when a user clicks the "Let's go" button in the real bot, it provides clear instructions about the next steps.
The drainer bot, by contrast, only warns that it will gain access to the user's Discord username, avatar, and banner before redirecting the potential victim to the malicious website.
Once the victim is tricked into signing the malicious transaction, they either transfer funds directly to the attackers or grant the attackers an unlimited allowance over the tokens in their wallet.
"Note that the legitimate Collab.Land service genuinely requires wallet signature verification. Consequently, even experienced cryptocurrency users may lower their guard. As they expect the service to request a wallet signature, they may instinctively click 'Approve' without careful inspection, falling into the trap," CPR warned.
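The distinction the researchers draw, between a harmless proof-of-ownership signature and a signature that moves funds or hands out an unlimited allowance, can be checked mechanically before the user clicks "Approve". The following is an added example written for this article, not code from Check Point Research or from the drainer: a dependency-free Node.js classifier for the requests a dApp sends to a wallet. It decodes `eth_sendTransaction` calldata and `eth_signTypedData_v4` payloads and flags the patterns a drainer relies on (unlimited token approvals, blanket NFT approvals, signature-based EIP-2612 permits and plain value transfers) while letting an ordinary `personal_sign` proof-of-ownership message through. The addresses, the message text and the "effectively unlimited" threshold are constructed assumptions for illustration.

```javascript
// Added example, not code from Check Point Research or from Inferno Drainer.
// Classifies wallet JSON-RPC requests the way a cautious user should read them.
const MAX_UINT256 = (1n << 256n) - 1n;
// Assumption: an allowance of 2^128 or more is treated as effectively unlimited.
const UNLIMITED_THRESHOLD = 1n << 128n;
const RANK = { ok: 0, "expected-signin": 0, review: 1, "high-risk": 2 };

// First 4 bytes of keccak256(canonical signature) for the calls drainers use.
const SELECTORS = {
  "0x095ea7b3": "approve(address,uint256)",
  "0x39509351": "increaseAllowance(address,uint256)",
  "0xa22cb465": "setApprovalForAll(address,bool)",
  "0xa9059cbb": "transfer(address,uint256)",
};

class Report {
  constructor() { this.verdict = "ok"; this.reasons = []; }
  raise(level, why) {
    this.reasons.push(why);
    if (RANK[level] > RANK[this.verdict]) this.verdict = level;
  }
}

// ABI arguments follow the 4-byte selector as 32-byte words (64 hex chars each).
const argWord = (data, i) => data.slice(10 + i * 64, 74 + i * 64);
const toAddress = (w) => "0x" + w.slice(24);
const toBigInt = (w) => BigInt("0x" + w);

function inspectTransaction(tx, report) {
  const data = (tx.data || "0x").toLowerCase();
  const value = BigInt(tx.value || "0x0");
  if (value > 0n) report.raise("review", `sends ${value} wei of native currency to ${tx.to}`);
  if (data.length < 10) return report; // no calldata: plain value transfer or nothing
  const selector = data.slice(0, 10);
  const fn = SELECTORS[selector];
  if (fn === "approve(address,uint256)" || fn === "increaseAllowance(address,uint256)") {
    const spender = toAddress(argWord(data, 0));
    const amount = toBigInt(argWord(data, 1));
    const level = amount >= UNLIMITED_THRESHOLD ? "high-risk" : "review";
    report.raise(level, `${fn} of ${amount} on token ${tx.to} for spender ${spender}`);
  } else if (fn === "setApprovalForAll(address,bool)") {
    if (toBigInt(argWord(data, 1)) !== 0n) {
      report.raise("high-risk", `setApprovalForAll(true): every token in ${tx.to} goes to operator ${toAddress(argWord(data, 0))}`);
    }
  } else if (fn === "transfer(address,uint256)") {
    report.raise("review", `token transfer of ${toBigInt(argWord(data, 1))} to ${toAddress(argWord(data, 0))}`);
  } else {
    report.raise("review", `unrecognised selector ${selector}: decode it before signing`);
  }
  return report;
}

function inspectTypedData(jsonPayload, report) {
  const typed = JSON.parse(jsonPayload);
  if (typed.primaryType === "Permit") {
    // EIP-2612: a signature alone sets the allowance; no on-chain tx is shown to the user.
    const m = typed.message;
    const level = BigInt(m.value) >= UNLIMITED_THRESHOLD ? "high-risk" : "review";
    report.raise(level, `Permit grants ${m.value} to ${m.spender} until ${m.deadline} by signature only`);
  } else {
    report.raise("review", `typed data of type ${typed.primaryType}: read every field`);
  }
  return report;
}

function inspectRequest(req) {
  const report = new Report();
  switch (req.method) {
    case "personal_sign": { // EIP-191 prefixed message: cannot be replayed as a transaction
      const raw = req.params[0];
      const text = raw.startsWith("0x") ? Buffer.from(raw.slice(2), "hex").toString("utf8") : raw;
      report.verdict = "expected-signin";
      report.reasons.push(`off-chain message, moves no funds by itself; text: ${JSON.stringify(text)}`);
      return report;
    }
    case "eth_sign": // raw hash signing: the hash may be a transaction hash
      report.raise("high-risk", "eth_sign over an opaque 32-byte hash can authorise an arbitrary transaction");
      return report;
    case "eth_sendTransaction":
      return inspectTransaction(req.params[0], report);
    case "eth_signTypedData_v3":
    case "eth_signTypedData_v4":
      return inspectTypedData(req.params[1], report);
    default:
      report.raise("review", `unhandled method ${req.method}`);
      return report;
  }
}

// Constructed sample requests; every address is a placeholder.
const USER = "0x1111111111111111111111111111111111111111";
const TOKEN = "0x2222222222222222222222222222222222222222";
const ATTACKER = "0x3333333333333333333333333333333333333333";
const SAMPLE_REQUESTS = {
  signIn: { method: "personal_sign", params: ["0x" + Buffer.from("Prove you own this wallet. Nonce: 7f3a", "utf8").toString("hex"), USER] },
  unlimitedApprove: { method: "eth_sendTransaction", params: [{ from: USER, to: TOKEN, value: "0x0",
    data: "0x095ea7b3" + "0".repeat(24) + ATTACKER.slice(2) + "f".repeat(64) }] },
  nativeTransfer: { method: "eth_sendTransaction", params: [{ from: USER, to: ATTACKER, value: "0xde0b6b3a7640000", data: "0x" }] },
  permit: { method: "eth_signTypedData_v4", params: [USER, JSON.stringify({ primaryType: "Permit",
    domain: { name: "Token", version: "1", chainId: 1, verifyingContract: TOKEN },
    message: { owner: USER, spender: ATTACKER, value: MAX_UINT256.toString(), nonce: 0, deadline: "99999999999" } })] },
};

for (const [name, req] of Object.entries(SAMPLE_REQUESTS)) {
  const r = inspectRequest(req);
  console.log(`${name}: ${r.verdict} -> ${r.reasons.join("; ")}`);
}
```

The point of the classifier is the asymmetry the researchers describe: a `personal_sign` request is what a legitimate ownership check looks like and cannot move assets on its own, whereas an `approve` with a 2^256-1 amount, a `setApprovalForAll(true)`, or a typed-data `Permit` is exactly what a drainer needs, and a wallet that rotates addresses and contracts will not be caught by a blocklist, only by reading the request itself.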