    Inferno malware masquerading as Coinbase costs 137,000 victims $87 million

    By techempire

    Report | January 16, 2024 | Editorial Department | Cryptocurrency/cyber threats

    The operator behind the now-defunct Inferno Drainer created more than 16,000 unique malicious domains in a one-year period from 2022 to 2023.

    Singapore-based Group-IB said in a report shared with The Hacker News that the scheme “utilizes high-quality phishing pages to lure unsuspecting users into linking their cryptocurrency wallets to the attacker’s infrastructure. Once connected, the attacker’s infrastructure deceives the Web3 protocol and tricks victims into authorizing transactions.”

    Inferno Drainer was active from November 2022 to November 2023 and is estimated to have made more than $87 million in illicit profits by defrauding more than 137,000 victims.

    The malware is part of a wider series of similar products that are offered to affiliates in a scam-as-a-service (or drain-as-a-service) model in exchange for a 20% revenue share.

    What’s more, Inferno Drainer’s customers can upload the malware to their own phishing sites, or use the developer’s service to build and host phishing sites, either at no additional cost or, in some cases, for a charge of 30% of the stolen assets.

    According to Group-IB, the campaign defrauded more than 100 cryptocurrency brands through specially crafted pages hosted on more than 16,000 unique domains.

    Further analysis of 500 of these domains revealed that the JavaScript-based drainer was originally hosted on a GitHub repository (kuzdaz.github[.]io/seaport/seaport.js) before being merged directly into the websites. The user “kuzdaz” does not currently exist.

    In a similar manner, another set of 350 websites contains a JavaScript file, “coinbase-wallet-sdk.js”, hosted on a different GitHub repository, “kasrlorcian.github[.]io”.

    These sites were then spread on sites like Discord, and victims’ assets were drained.

    The purpose of using names such as seaport.js, coinbase.js, and wallet-connect.js is to masquerade as popular Web3 protocols such as Seaport, WalletConnect, and Coinbase in order to complete unauthorized transactions. The earliest website containing one of these scripts dates back to May 15, 2023.

    “Another typical feature of Inferno Drainer phishing websites is that users cannot open the source code of the website by using hotkeys or right-clicking the mouse,” said Group-IB analyst Viacheslav Shevchenko. “This means that criminals are trying to hide their scripts and illegal activities from victims.”
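
    The two page traits described above (scripts named after Web3 protocols but served from unrelated hosts, and blocked right-click or hotkeys) can be combined into a triage check for fetched HTML. This is an added example, not code from Group-IB or the article; the trusted-host list, the regex patterns, the `triage` function and the sample page are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Script file names the article reports on Inferno Drainer phishing pages.
LURE_NAMES = {"seaport.js", "coinbase.js", "wallet-connect.js", "coinbase-wallet-sdk.js"}
# Assumption: hosts allowed to serve such scripts (illustrative; tune per environment).
TRUSTED_HOSTS = ("opensea.io", "coinbase.com", "walletconnect.com")
# Assumption: inline-script patterns that indicate right-click or hotkey blocking.
ANTI_INSPECT = [
    re.compile(r"contextmenu[\s\S]{0,200}?preventDefault"),
    re.compile(r"keydown[\s\S]{0,300}?(F12|keyCode\s*={2,3}\s*123)"),
]
# Constructed sample page (not taken from a real site).
SAMPLE = """<body oncontextmenu="return false">
<script src="https://drainer-host.example/seaport/seaport.js"></script>
<script>document.addEventListener("keydown", e => { if (e.key === "F12") e.preventDefault(); });</script></body>"""

class _Triage(HTMLParser):
    def __init__(self, page_host):
        super().__init__()
        self.page_host, self.findings, self._in_script = page_host, [], False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if "oncontextmenu" in attrs:
            self.findings.append(("anti-inspect", f"<{tag} oncontextmenu>"))
        if tag == "script":
            self._in_script = True
            url = urlparse(attrs.get("src") or "")
            # A relative src is served by the page's own host.
            host = (url.hostname or self.page_host).lower()
            name = url.path.rsplit("/", 1)[-1].lower()
            trusted = any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)
            if name in LURE_NAMES and not trusted:
                self.findings.append(("lure-script", f"{name} served from {host}"))

    def handle_endtag(self, tag):
        self._in_script = self._in_script and tag != "script"

    def handle_data(self, data):
        if self._in_script and any(p.search(data) for p in ANTI_INSPECT):
            self.findings.append(("anti-inspect", "inline script blocks menu or hotkeys"))

def triage(html, page_host):
    """Return (kind, detail) findings for one fetched page."""
    parser = _Triage(page_host)
    parser.feed(html)
    parser.close()
    return parser.findings
```

    Neither signal is conclusive on its own; a page that shows both is a stronger candidate for manual review or blocking.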

    Notably, Google-owned Mandiant’s X account was compromised earlier this month and used to distribute a link to a phishing page hosting a cryptocurrency drainer tracked as CLINKSINK.

    Andrey Kolmakov, head of Group-IB’s high-tech crime investigation department, said: “Inferno Drainer may have ceased its activities, but its prominence in 2023 highlights the serious risks facing cryptocurrency holders as drainers continue to develop further.”
