Group-IB Finds 16,000 Fraudulent Sites for Inferno Drainer Crypto Scam

Highlights:

• Inferno Drainer targeted over 100 cryptocurrency brands using 16,000 unique domains.
• Inferno Drainer mimicked Web3 protocols for secure trading, enabling self-custody crypto wallets to link with decentralized applications.

A recent report by Group-IB Global Pvt. Ltd., a cybersecurity services company, reveals the discovery of over 16,000 malicious domains established during the Inferno Drainer crypto scam last year.

Although the Inferno Drainer group declared in November that it was closing, the report delves deeply into the active group that ran a scam-as-a-service scheme and used credible phishing pages to trick unsuspecting users. The group is the most well-known cryptocurrency drainer in 2023, as it has been connected to the theft of over USD 80 million in digital assets.

Using more than 16,000 distinct domains, Inferno Drainer was found to have targeted more than 100 cryptocurrency brands during its 12-month existence. In this scheme, perpetrators stole the digital assets of victims who were misled into connecting their cryptocurrency wallets to counterfeit sites and endorsing unauthorized transactions.

In the context of affiliates, the group functioned much like a ransomware-as-a-service provider, furnishing tools usable by other hackers in exchange for a share of the proceeds. Inferno Drainer provided affiliates with a customer panel, enabling the customization of malware features and presenting vital statistics. These statistics included the count of victims linking their wallets to specific phishing websites, confirmed transactions, and the value of the pilfered assets. Despite the group’s assertion of closure in November, the control panel remained operational in December.

Affiliates were generously rewarded in this scheme. The creators of Inferno Drainer claimed a fixed 20% share of the stolen assets, leaving the hackers with 80% of their gains. Hackers could choose between uploading the malware to their own sites or utilizing the developer’s service, providing a convenient turn-key solution for creating and hosting websites.

Social media platforms like X—a former Twitter account—and Discord were used to advertise the phishing pages developed by Inferno Drainer. Offers of free tokens known as airdrops, the chance to mint nonfungible tokens and earn rewards, or payment for outages were some of the ways they tried to entice victims. The next step of the scam was then initiated by prompting the victim to link their wallets to the phishing websites.

Inferno Drainer was discovered to mimic well-known Web3 protocols created for secure and efficient digital asset trading. This involved enabling self-custody crypto wallets to link with decentralized applications.

Andrey Kolmakov, Head of Group-IB’s High-Tech Crime Investigation Department, said “Inferno Drainer may have ceased its activity, but its prominence throughout 2023 highlights the severe risks to cryptocurrency holders as drainers continue to develop further. The ever-growing sophistication of phishing attacks are leaving increasing numbers of people vulnerable to falling victim, and we urge cryptocurrency holders to remain vigilant and be wary of any website promoting free digital assets or airdrops.”