A recent report by Singapore-based cybersecurity firm Group-IB sheds light on the Inferno Drainer operation, a sophisticated scam campaign that successfully impersonated over a hundred cryptocurrency brands, resulting in the theft of at least $80 million in digital assets from victims’ wallets.
The Inferno Drainer, a “crypto drainer” operation that blended phishing techniques with infrastructure designed to siphon off stolen digital currency, operated for a year before its developers shut it down in November 2023, making it one of the largest such scams globally.
Operating under a scam-as-a-service model, the affiliates of Inferno Drainer retained 80 percent of each theft, while the organizers claimed 20 percent. Despite the shutdown, the Group-IB report warns that both the software and its users still pose a significant threat to cryptocurrency owners worldwide.
As of mid-January, Group-IB discovered that the Inferno Drainer user panel for cybercriminals remained active, and its affiliates were still operational. The researchers express concern that the appetite for stealing tokens and non-fungible tokens (NFTs) among these actors has not diminished.
The phishing scheme employed by Inferno Drainer involved tricking victims with sophisticated phishing websites, where they unknowingly connected their cryptocurrency wallets to the attackers’ infrastructure. Cybercriminals deployed malware on websites posing as official crypto token projects, advertising them on platforms like X (formerly Twitter) and Discord.
The scammers went a step further by spoofing popular Web3 protocols such as Seaport, WalletConnect, and Coinbase on these websites to initiate fraudulent transactions. Victims, enticed by promises of financial gains through free tokens (airdrops) or rewards for minting NFTs, willingly linked their accounts to the fake protocols.
Each fraudulent transaction initiated by the drainer required the victim’s consent. Once connected to the victim’s crypto wallet, the drainer identified and targeted the most valuable assets, with assets below $100 being ignored.
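Because every theft described above hinged on the victim consenting to a transaction, a wallet-side pre-signing check is the natural mitigation. The following is an added example written for this article, not code from Group-IB or from the Inferno Drainer analysis: it decodes the two standard token-approval calls from raw calldata and flags grants to spenders the user has not vetted. The ERC-20 and ERC-721/1155 selectors are real; the allowlist address and the sample calldata are constructed.

```javascript
// Wallet-side pre-signing check: decode what a requested transaction grants
// before the user is asked for consent, and flag approvals to unknown spenders.
// Selectors are the first 4 bytes of keccak256(signature); these two are real.
const SELECTORS = {
  "095ea7b3": "approve(address,uint256)",         // ERC-20 allowance
  "a22cb465": "setApprovalForAll(address,bool)",  // ERC-721 / ERC-1155 operator
};

// Hypothetical allowlist (constructed address) of spender contracts the user
// has already vetted, e.g. the genuine marketplace contracts they use.
const KNOWN_SPENDERS = new Set([
  "0x1111111111111111111111111111111111111111",
]);

const MAX_UINT256 = (1n << 256n) - 1n;

// Split the 32-byte ABI words that follow the 4-byte selector.
function abiWords(hexNoPrefix) {
  const body = hexNoPrefix.slice(8);
  const words = [];
  for (let i = 0; i + 64 <= body.length; i += 64) words.push(body.slice(i, i + 64));
  return words;
}

// Assess a transaction request {to, data}; returns {risk, reason}.
function assessTransaction(tx) {
  const data = (tx.data || "").replace(/^0x/, "").toLowerCase();
  const sig = SELECTORS[data.slice(0, 8)];
  if (!sig) return { risk: "unknown", reason: "not a token-approval call" };
  const words = abiWords(data);
  if (words.length < 2) return { risk: "unknown", reason: "malformed calldata" };
  const spender = "0x" + words[0].slice(24);        // address is the low 20 bytes
  const value = BigInt("0x" + words[1]);
  if (KNOWN_SPENDERS.has(spender)) return { risk: "low", reason: `${sig} to known spender` };
  if (sig.startsWith("setApprovalForAll") && value === 1n)
    return { risk: "high", reason: "grants control of a whole NFT collection to an unknown spender" };
  if (sig.startsWith("approve") && value === MAX_UINT256)
    return { risk: "high", reason: "unlimited token allowance to an unknown spender" };
  return { risk: "medium", reason: `${sig} to unknown spender ${spender}` };
}
```

A real wallet would resolve the spender against contract metadata and also inspect off-chain signature requests, which this on-chain-only check does not cover.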
Group-IB identified over 16,000 unique domains associated with Inferno Drainer’s phishing operations, impersonating at least 100 individual crypto brands. The cybercriminals promoted their services through an English-language Telegram channel called “Inferno Multichain Drainer,” boasting more than 10,000 subscribers.
The report emphasizes that while it remains unclear who is behind the development of Inferno Drainer, its impact on the crypto industry has been substantial. The prevalence of such scams over the past year has raised concerns about a growing threat, including the potential for new drainer malware inspired by Inferno Drainer’s success. The researchers conclude that the dangers facing the crypto industry are likely to intensify in the future.