Inferno malware disguised as Coinbase drained $87 million from 137,000 victims


January 16, 2024 | Newsroom | Cryptocurrency / Cyber Threat

The operators behind the now-defunct Inferno Drainer created more than 16,000 unique malicious domains over the course of one year, between 2022 and 2023.

The scheme "exploited high-quality phishing pages to lure unsuspecting users into linking their cryptocurrency wallets to attackers' infrastructure that spoofed Web3 protocols to trick victims into authorizing transactions," Singapore-based Group-IB said in a report shared with The Hacker News.

Inferno Drainer, which was active from November 2022 to November 2023, is estimated to have reaped more than $87 million in illicit profits by defrauding more than 137,000 victims.

The malware is one of a wide range of similar offerings available to affiliates under the scam-as-a-service (or drainer-as-a-service) model, in exchange for a 20% cut of their earnings.

Inferno Drainer customers can either upload the drainer to their own phishing sites, or use the developer's service to create and host phishing sites for them, either at no additional cost or, in some cases, for a 30% cut of the stolen assets.

According to Group-IB, the activity impersonated up to 100 cryptocurrency brands via specially designed pages hosted on more than 16,000 unique domains.

Further analysis of 500 of these domains revealed that the JavaScript-based drainer was initially hosted on a GitHub repository (kuzdaz.github(.)io/seaport/seaport.js) before being embedded directly into the websites. The user "kuzdaz" no longer exists.

In a similar manner, another set of 350 sites loaded a JavaScript file, "coinbase-wallet-sdk.js," from a different GitHub repository, "kasrlorcian.github(.)io."

These were then posted on sites such as Discord and

Using the names seaport.js, coinbase.js, and wallet-connect.js, the idea was to masquerade as popular Web3 protocols like Seaport, WalletConnect, and Coinbase in order to complete unauthorized transactions. The oldest website containing one of these scripts dates back to May 15, 2023.

"Another typical feature of Inferno Drainer phishing sites is that users cannot open the website's source code using hotkeys or by right-clicking on the mouse," said Vyacheslav Shevchenko, a Group-IB analyst. "This means that the criminals tried to hide their scripts and illegal activity from their victims."
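The two page-level indicators described above (wallet-SDK lookalike scripts served from GitHub Pages hosts, and JavaScript that suppresses right-click and view-source hotkeys) lend themselves to a simple static check that a defender can run over saved HTML from suspected phishing domains. The scanner below is an added example written for this article; it is not Group-IB's tooling nor any code from the drainer itself. The script names and GitHub Pages hosts come from the report as quoted on this page; the regular expressions for detecting context-menu and hotkey blocking are an assumption about how such blocking is usually written, and the two HTML documents are constructed samples.

```python
"""Static scanner for drainer-style phishing page indicators (added example, not from the report)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Script file names and GitHub Pages hosts named in the Group-IB report as quoted above.
SUSPICIOUS_SCRIPT_NAMES = {"seaport.js", "coinbase.js", "wallet-connect.js", "coinbase-wallet-sdk.js"}
SUSPICIOUS_HOSTS = {"kuzdaz.github.io", "kasrlorcian.github.io"}

# Heuristics for the "no right-click / no view-source" behaviour the report describes.
# ASSUMPTION: these patterns reflect how such blocking is commonly written in page
# JavaScript; they are not taken from the drainer's own code.
CONTEXTMENU_RE = re.compile(r"contextmenu", re.I)
BLOCK_RE = re.compile(r"preventDefault\s*\(|return\s+false", re.I)
HOTKEY_RE = re.compile(r"keyCode\s*===?\s*123|\bF12\b|ctrlKey", re.I)


class _ScriptCollector(HTMLParser):
    """Collects external script URLs, inline script bodies and inline event handlers."""

    def __init__(self):
        super().__init__()
        self.srcs = []        # values of <script src="...">
        self.inline = []      # bodies of inline <script> blocks
        self.handlers = []    # on*="..." attributes, kept as name=value
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)
        for name, value in attrs:
            if name.startswith("on") and value:
                self.handlers.append(f"{name}={value}")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.inline.append(data)


def scan_page(html: str) -> list[str]:
    """Return a list of human-readable findings for one HTML document."""
    parser = _ScriptCollector()
    parser.feed(html)
    findings = []
    for src in parser.srcs:
        url = urlparse(src)
        name = url.path.rsplit("/", 1)[-1].lower()
        if name in SUSPICIOUS_SCRIPT_NAMES:
            findings.append(f"wallet-SDK lookalike script name: {src}")
        if (url.hostname or "").lower() in SUSPICIOUS_HOSTS:
            findings.append(f"script loaded from reported GitHub Pages host: {url.hostname}")
    code = "\n".join(parser.inline + parser.handlers)
    if CONTEXTMENU_RE.search(code) and BLOCK_RE.search(code):
        findings.append("right-click (contextmenu) suppressed")
    if HOTKEY_RE.search(code) and BLOCK_RE.search(code):
        findings.append("view-source/devtools hotkeys suppressed")
    return findings


# Constructed sample pages (not captured from any real site).
SAMPLE_PHISHING_HTML = """<!doctype html>
<html><body oncontextmenu="return false">
<h1>Connect your wallet to claim</h1>
<script src="https://kuzdaz.github.io/seaport/seaport.js"></script>
<script src="/static/coinbase-wallet-sdk.js"></script>
<script>
document.addEventListener('keydown', function (e) {
  if (e.keyCode === 123 || (e.ctrlKey && e.key === 'u')) { e.preventDefault(); }
});
</script>
</body></html>"""

SAMPLE_BENIGN_HTML = """<html><body>
<script src="https://cdn.example.invalid/app.js"></script>
</body></html>"""

if __name__ == "__main__":
    for label, doc in (("phishing sample", SAMPLE_PHISHING_HTML), ("benign sample", SAMPLE_BENIGN_HTML)):
        print(label, scan_page(doc) or ["no indicators"])
```

Any single hit is only a lead, not proof: a page may legitimately load a file named coinbase.js, and some sites disable the context menu for reasons unrelated to fraud. The combination the report describes, a wallet-SDK lookalike script plus deliberate suppression of source inspection on a page that asks the visitor to connect a wallet, is what should raise the score.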

It is worth noting that Mandiant’s

"We believe the 'X as a Service' model will continue to thrive, not least because it creates greater opportunities for less technically proficient individuals to try and become cybercriminals, and for developers, it is a highly lucrative way to increase their revenue," the company told The Hacker News.

“We also expect to see increased attempts to hack official accounts, as posts purportedly written by an authoritative voice are more likely to inspire trust in the eyes of viewers, and may make potential victims more likely to follow links and connect their accounts.”

Group-IB also said the success of Inferno Drainer could lead to the development of new drainers, as well as to an increase in websites carrying malicious scripts that spoof Web3 protocols, noting that 2024 could become the "Year of the Drainer."

"Inferno Drainer may have ceased to be active, but its prominence throughout 2023 highlights the severe risks facing cryptocurrency holders as draining operations continue to evolve," said Andrey Kolmakov, Head of High-Tech Crime Investigation at Group-IB.
