The rise of Drainer malware intensifies phishing threats to crypto assets
Phishing threats against crypto assets are becoming increasingly severe, and Drainer malware has become the scammers' tool of choice.
With the rapid growth of the crypto-asset industry, phishing links have sprung up across social media like mushrooms after rain. The sheer number and rapid iteration of these phishing campaigns are largely attributable to the "hero" behind the scam gangs: the Drainer. A Drainer is malware built specifically to empty crypto-asset wallets, and its developers let anyone pay to use the tool under a rental model.
This article analyses several representative Drainer cases to show how they assist criminals in fraud, theft and extortion. Through real victim cases, we hope to deepen users' understanding of phishing threats.
How Drainers Operate
Although there are many kinds of Drainer, their basic form is much the same: they rely mainly on social engineering, such as forged official announcements or airdrop campaigns, to lure users into the scam.
Airdrop Claim Phishing
A certain gang promotes its services through Telegram channels under a "scam as a service" model. The developers supply scammers with the phishing websites needed to run their fraud. Once a victim scans the QR code on the phishing site and connects a wallet, the Drainer inspects the wallet, locks on to the most valuable and most easily transferable assets, and initiates malicious transactions. When the victim confirms those transactions, the assets move to the criminals' accounts. 20% of the stolen assets go to the Drainer's developers and 80% to the scammers.
The scam gangs that buy this malware service mainly lure victims into fraudulent transactions by impersonating well-known crypto projects on phishing websites. They use convincing fake Twitter accounts to post large numbers of false airdrop-claim links in the comment sections of the projects' official Twitter accounts, enticing users onto the site. Once a user lets their guard down, financial loss follows.
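The step where the Drainer "initiates malicious transactions" usually comes down to getting the victim to sign a token approval that later lets an attacker-controlled address sweep the wallet. The following Python is an added defensive example, not code from the original article or from any wallet vendor: it decodes the calldata of a pending EVM transaction using the standard ERC-20/ERC-721/ERC-1155 function selectors and rates the approval patterns a drain relies on before the user signs. The trusted-spender allowlist and the sample calldata are constructed placeholders.

```python
# Added example (not from the original article): a pre-signing check that decodes
# the calldata of a pending EVM transaction and flags the approval patterns a
# Drainer relies on. The selectors are the standard ERC-20/ERC-721/ERC-1155 ones;
# the trusted-spender allowlist and the sample calldata are constructed placeholders.

MAX_UINT256 = (1 << 256) - 1

# First four bytes of keccak256(canonical signature), as used in EVM calldata.
SELECTORS = {
    "095ea7b3": "approve",            # approve(address,uint256)        ERC-20 / ERC-721
    "a22cb465": "setApprovalForAll",  # setApprovalForAll(address,bool) ERC-721 / ERC-1155
    "a9059cbb": "transfer",           # transfer(address,uint256)
    "23b872dd": "transferFrom",       # transferFrom(address,address,uint256)
}


def _word(body: str, index: int) -> str:
    """Return the index-th 32-byte ABI-encoded argument (64 hex characters)."""
    word = body[index * 64:(index + 1) * 64]
    if len(word) != 64:
        raise ValueError("calldata too short for argument %d" % index)
    return word


def _address(word: str) -> str:
    """An address is right-aligned in its 32-byte word: keep the last 20 bytes."""
    return "0x" + word[-40:]


def decode_call(calldata: str) -> dict:
    """Decode the handful of token functions a drain transaction typically uses."""
    data = calldata.lower()
    if data.startswith("0x"):
        data = data[2:]
    selector, body = data[:8], data[8:]
    name = SELECTORS.get(selector)
    if name == "approve":
        return {"function": name, "spender": _address(_word(body, 0)),
                "amount": int(_word(body, 1), 16)}
    if name == "setApprovalForAll":
        return {"function": name, "operator": _address(_word(body, 0)),
                "approved": int(_word(body, 1), 16) == 1}
    if name == "transfer":
        return {"function": name, "to": _address(_word(body, 0)),
                "amount": int(_word(body, 1), 16)}
    if name == "transferFrom":
        return {"function": name, "from": _address(_word(body, 0)),
                "to": _address(_word(body, 1)), "amount": int(_word(body, 2), 16)}
    return {"function": None, "selector": selector}


def assess_call(calldata: str, trusted_spenders) -> tuple:
    """Return (risk, reason). An unlimited or blanket approval to an address that is
    not on the allowlist is the classic drainer signature: one signature lets the
    attacker sweep the whole balance or collection later."""
    trusted = {a.lower() for a in trusted_spenders}
    call = decode_call(calldata)
    fn = call["function"]
    if fn == "approve":
        if call["spender"] in trusted:
            return "low", "approval to trusted spender " + call["spender"]
        if call["amount"] == MAX_UINT256:
            return "high", "unlimited token approval to untrusted spender " + call["spender"]
        return "medium", "token approval to untrusted spender " + call["spender"]
    if fn == "setApprovalForAll":
        if call["approved"] and call["operator"] not in trusted:
            return "high", "blanket collection approval to untrusted operator " + call["operator"]
        return "low", "approval revoked or operator trusted"
    if fn in ("transfer", "transferFrom"):
        return "medium", "direct transfer of %d base units to %s" % (call["amount"], call["to"])
    return "unknown", "unrecognised selector 0x" + call["selector"]


# Constructed sample calldata (not real transactions).
UNTRUSTED = "0x" + "11" * 20
APPROVE_MAX = "0x095ea7b3" + UNTRUSTED[2:].rjust(64, "0") + "f" * 64
SET_ALL = "0xa22cb465" + ("22" * 20).rjust(64, "0") + "1".rjust(64, "0")
TRANSFER = "0xa9059cbb" + ("33" * 20).rjust(64, "0") + format(1000, "x").rjust(64, "0")

if __name__ == "__main__":
    for sample in (APPROVE_MAX, SET_ALL, TRANSFER):
        print(assess_call(sample, trusted_spenders=set()))
```

The check rates `approve` with `2**256 - 1` and `setApprovalForAll(..., true)` as high risk because neither moves funds at signing time, which is exactly why a victim confirming "just a claim" sees nothing alarming; the actual sweep is a later `transferFrom` sent by the approved address. A wallet or browser extension that surfaces this rating before the signing prompt closes the gap the social-engineering lure depends on.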
Social Media Attacks
Besides selling the malware itself, Drainer operators commonly run social engineering attacks: they hijack the Discord and Twitter accounts of high-traffic individuals or projects and post false announcements containing phishing links in order to steal user assets. Attackers typically obtain the necessary permissions by tricking Discord administrators into authorizing malicious verification bots or adding browser bookmarks that carry malicious code. Once inside, they remove the other administrators, promote attacker-controlled accounts to administrator, and get the original account flagged for rule violations, all to prolong the attack window.
Using the stolen Discord accounts, the attackers send phishing links that lure users to open malicious websites and sign malicious messages, draining their assets. According to statistics, as of now, a certain Drainer has stolen from over 20,000 users, with losses exceeding 85 million dollars.
Ransomware Services
A certain ransomware-as-a-service organization provides domain names and develops and maintains the malware, retaining 20% of the ransom paid by victims infected with its code; users of the service are responsible for finding targets and receive 80% of the final ransom paid to the organization.
According to the U.S. Department of Justice, the gang has attacked thousands of victims worldwide since it first appeared in September 2019, extorting over $120 million in ransom. The U.S. recently charged a Russian man as the leader of the ransomware group, froze over 200 cryptocurrency accounts believed to be linked to the gang's activities, and sanctioned the organization.
The Dangers of Drainers
Take a Drainer-related victim case recorded by a certain security platform: the victim approved a phishing website and had crypto assets worth $287,000 stolen. The phishing site's domain differs from the official domain of a well-known project on a public chain by only one letter, making it easy for users to confuse the two.
Based on the transaction hash the victim provided, we found that the theft transaction was initiated by a certain Drainer. After it succeeded, 36,200 of the token went to the Drainer's fund-aggregation address and 144,900 to the hacker's address, showing that the two criminal groups split the proceeds 80/20. According to security-platform data, the funds flowing through the Drainer's aggregation address in this case reached 8,143.44 ETH and 910,000 USDT.
Statistics show that in 2023 Drainers stole nearly $295 million in assets from 324,000 victims. Most Drainers only became active last year, yet they have already caused significant economic losses. Just a few major Drainers have stolen hundreds of millions of dollars, underlining how widespread and serious the threat is.
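A domain that differs from the real one by a single letter is something software can catch even when a human eye misses it. The following Python is an added example, not code from the original article or from any wallet or security vendor: before a wallet connects to a site, it compares the site's registrable domain against a small allowlist of trusted project domains, folding visually confusable characters and flagging anything within one edit of a trusted name, or anything that embeds the trusted brand as a subdomain of an unrelated domain. It goes slightly beyond the one-letter case in the text (confusable digits, swapped TLDs, brand-as-subdomain). `TRUSTED_DOMAINS` and every sample host are constructed placeholders, not real project domains.

```python
# Added example (not from the original article): flag wallet-connect domains that
# are lookalikes of a trusted project domain. TRUSTED_DOMAINS and the sample hosts
# are constructed placeholders, not real project domains.

# Characters and digraphs commonly substituted to imitate another letter.
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s", "8": "b"}

TRUSTED_DOMAINS = {"exampleswap.org", "examplenft.io"}  # constructed allowlist


def normalize(host: str) -> str:
    """Lower-case the host and fold visually confusable characters."""
    host = host.lower().rstrip(".")
    for lookalike, letter in CONFUSABLES.items():
        host = host.replace(lookalike, letter)
    return host


def registrable(host: str) -> str:
    """Keep the last two labels. A production check would consult the Public
    Suffix List so that e.g. example.co.uk is handled correctly."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the standard two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(host: str, trusted=TRUSTED_DOMAINS, max_distance: int = 1):
    """Return (verdict, matched_trusted_domain); verdict is 'trusted',
    'lookalike' or 'unknown'."""
    reg = registrable(host)
    reg_norm = normalize(reg)
    labels = normalize(host).split(".")
    for t in trusted:
        t_reg = registrable(t)
        if reg == t_reg:
            return "trusted", t
        t_norm = normalize(t_reg)
        # Confusable-character variant or a name within max_distance edits.
        if reg_norm == t_norm or edit_distance(reg_norm, t_norm) <= max_distance:
            return "lookalike", t
        # Trusted brand used as a label of an unrelated registrable domain.
        if t_norm.split(".")[0] in labels:
            return "lookalike", t
    return "unknown", None


if __name__ == "__main__":
    for sample in ("app.exampleswap.org", "examp1eswap.org", "exanpleswap.org",
                   "exampleswap.org.evil-site.com", "unrelated-site.net"):
        print(sample, "->", classify_domain(sample))
```

The verdict is computed on the registrable domain, not the full host, so a brand name sitting in a subdomain of some other domain is treated as a lookalike rather than a match. An "unknown" result is not a clean bill of health; it only means the site is not imitating anything on the allowlist, which is why the allowlist should hold every project the user actually interacts with.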
Conclusion
Recently, a well-known Drainer gang announced its retirement, while another announced that it was resuming operations. Whenever one Drainer exits, a new one takes its place, and phishing activity ebbs and flows with them.
In the face of rampant criminal groups, building a secure crypto environment requires joint effort from many parties. Security agencies will continue to focus on the scam methods, fund tracing and preventive measures involved in new crypto-asset cases, in order to raise users' awareness of fraud prevention. If you unfortunately suffer a loss, seek professional help promptly.