A new report today from cybersecurity services company Group-IB Global Pvt. Ltd. details the uncovering of more than 16,000 malicious domains created during the Inferno Drainercrypto scam last year.

Although the Inferno Drainer group announced in November it was shutting down, the report does a deep dive into the prolific group, which operated a scam-as-a-service scheme while leveraging high-quality phishing pages to lure unsuspected users. The group has been linked to the theft of over $80 million in digital assets, making it the most prominent crypto drainer in 2023.

In the 12 months it was in operation, Inferno Drainer was found to have targeted upwards of 100 cryptocurrency brands through more than 16,000 unique domains. The scam involved stealing the digital assets of victims fooled into connecting their cryptocurrency wallets to fake sites and authorizing transactions.

For affiliates — the group operated similarly to a ransomware-as-a-service provider in providing tools that could be used by other hackers in return for a cut of the action — Inferno Drainer offered a customer panel that allowed them to customize features of the malware and detailed key statistics such as the number of victims that had connected their wallets on a specific phishing website, the number of confirmed transactions and the value of the stolen assets. Despite the group claiming to have shut down in November, the control panel was still active in December. 

The rewards for affiliates were also healthy. The developers of Inferno Drainer took a flat rate of 20% of stolen assets, with the hackers retaining 80% of their ill-gotten gains. Hackers had the option of uploading the malware to their own sites or using the developer’s service for creating and hosting websites, a turn-key solution.

The phishing pages created by Internal Drainer were promoted on social media sites such as X, formerly Twitter, and Discord. They attempted to attract victims with offers for free tokens called airdrops, the opportunity for the victim to mint nonfungible tokens and receive rewards, or receive compensation for outages. The victim was then prompted to connect their wallets to the phishing sites to initialize the next stage of the scam.

Inferno Drainer was also found to spoof popular Web3 protocols designed for the safe and efficient trading of digital assets by allowing self-custody crypto wallets to connect to decentralized applications.

“Inferno Drainer may have ceased its activity, but its prominence throughout 2023 highlights the severe risks to cryptocurrency holders as drainers continue to develop further,” noted Andrey Kolmakov, head of Group-IB’s High-Tech Crime Investigation Department. “The ever-growing sophistication of phishing attacks are leaving increasing numbers of people vulnerable to falling victim, and we urge cryptocurrency holders to remain vigilant and be wary of any website promoting free digital assets or airdrops.”

Image: DALL-E 3