Inferno Drainer: 137,000 victims and $87 million in damage in just one year of activity

Researchers from Group-IB have detailed the dubious track record of an experienced cybercriminal operation.

The international cybersecurity company Group-IB reported on the activities of the now-defunct Inferno Drainer operation, which created more than 16,000 fraudulent domains between 2022 and 2023.

The attackers used high-quality phishing pages to lure users into connecting their cryptocurrency wallets to the fraudsters' infrastructure. Fake Web3 protocols were used to trick victims into authorizing transactions.

Inferno Drainer, active from November 2022 to November 2023, illegally earned more than $87 million by defrauding over 137,000 victims. This malicious software package is one of a wide range of similar products offered under the "Drainer-as-a-service" (DaaS) model, in which the operators take a 20% cut of affiliates' proceeds.

Inferno Drainer clients could upload the malware to their own phishing sites or use the developers' services to create and host such sites, sometimes for as little as 30% of the stolen assets.

An analysis of 500 such malicious domains showed that the JavaScript-based malware was initially hosted on GitHub and later integrated directly into the websites. These sites were then promoted through platforms such as Discord and X, offering victims free tokens (so-called "airdrops") and inviting them to connect their wallets, after which assets were drained once the transactions were approved.

It was with such free tokens that scammers recently lured followers of the information security company Mandiant, whose profile was hacked in early January and used by the intruders for profit.

Attempts to hack official accounts are expected to become more frequent, since messages that appear to come from reputable individuals inspire trust and prompt victims to click on links, handing their savings to attackers.

In their attacks, the scammers used script names such as "seaport.js", "coinbase.js" and "wallet-connect.js" to disguise the malware as the popular Web3 protocols Seaport, Coinbase and WalletConnect while performing unauthorized transactions.

Group-IB analysts note that a typical feature of Inferno Drainer phishing sites is that the page's source code cannot be opened via hotkeys or right-clicking the mouse. This indicates that the criminals are trying to hide their scripts and illegal activity from victims.
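As an added illustration (not from the article or from Group-IB), here is a small Node.js triage heuristic a takedown or SOC team could run over a fetched page's HTML to surface the two indicators described above: script names that mimic Web3 libraries (including non-ASCII homoglyph spellings) and handlers that block right-click or view-source hotkeys. The `MIMICKED_LIBS` list and the sample HTML are constructed for this example.

```javascript
// Added example: static triage of a phishing page's HTML for drainer indicators.
// Library names to watch for are taken from the report; the list is an assumption.
const MIMICKED_LIBS = ["seaport", "coinbase", "wallet-connect", "walletconnect"];

// Collect every external <script src="..."> URL in the page.
function scriptSources(html) {
  const out = [];
  const re = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[1]);
  return out;
}

// A "library" filename containing non-ASCII letters (e.g. Cyrillic "а" in
// coinbаse.js) is a homoglyph lookalike, not a real package name.
function hasHomoglyph(name) {
  return /[^\x00-\x7F]/.test(name);
}

// Return a list of human-readable findings; empty means no indicator matched.
function analyzePage(html) {
  const findings = [];
  for (const src of scriptSources(html)) {
    const file = src.split("/").pop().split("?")[0];
    if (hasHomoglyph(file)) findings.push(`non-ASCII script name: ${file}`);
    if (MIMICKED_LIBS.some((lib) => file.toLowerCase().includes(lib))) {
      findings.push(`Web3 library lookalike: ${file}`);
    }
  }
  // Inline or scripted suppression of the context menu (right-click).
  if (/\boncontextmenu\s*=|addEventListener\(\s*["']contextmenu["']/i.test(html)) {
    findings.push("right-click blocked");
  }
  // keydown handler that intercepts F12 / Ctrl-based view-source shortcuts.
  if (/keydown[\s\S]{0,200}?(F12|ctrlKey|keyCode\s*===?\s*(85|73|123))/i.test(html)) {
    findings.push("view-source hotkeys blocked");
  }
  return findings;
}

// Constructed sample page exhibiting all indicators (not a real site).
const SAMPLE_HTML = `<html><body oncontextmenu="return false">
<script src="/js/seaport.js"></script>
<script src="https://example.invalid/static/coinb\u0430se.js"></script>
<script>
document.addEventListener("keydown", (e) => {
  if (e.key === "F12" || (e.ctrlKey && e.key === "u")) e.preventDefault();
});
</script></body></html>`;

console.log(analyzePage(SAMPLE_HTML));
```

A clean page with ordinary script names and no handler suppression yields an empty findings list, so the function can be used as a simple scoring filter ahead of manual review.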

Group-IB also suggests that the success of Inferno Drainer may trigger the creation of new drainers and an increase in the number of sites with fraudulent scripts that mimic Web3 protocols.

Experts also stressed that, despite the cessation of Inferno Drainer's activity, the impact of this malicious operation still carries serious risks for cryptocurrency owners, since such attack methods only continue to improve.