The operators behind the now-defunct Inferno Drainer, one of the most popular kits for stealing cryptocurrency, created more than 16,000 unique malicious domains over the course of a year between 2022 and 2023.
How Inferno Drainer Stole $87 Million in Cryptocurrencies
The scheme “exploited high-quality phishing pages to lure unwitting users into connecting their cryptocurrency wallets with the attackers' infrastructure that spoofed Web3 protocols to trick victims into authorizing transactions,” Singapore-based Group-IB said in a report.
Inferno Drainer, active from November 2022 to November 2023, is estimated to have earned more than $87 million in illicit profits by defrauding more than 137,000 victims.
The malware is part of a broader set of similar offerings made available to affiliates under the “scam-as-a-service” (or “drainer-as-a-service”) model in exchange for a 20% share of their earnings.
Additionally, Inferno Drainer customers could either upload the malware to their own phishing sites or use the developer's service to create and host phishing sites, both at no additional cost and, in some cases, for a 30% cut of the stolen assets.
According to Group-IB, the operation impersonated over 100 cryptocurrency brands via specially crafted pages hosted on more than 16,000 unique domains.
Further analysis of 500 of these domains revealed that the JavaScript-based drainer was initially hosted on a GitHub repository (kuzdaz.github[.]io/seaport/seaport.js) before being embedded directly into the websites; the user “kuzdaz” does not currently exist.
Similarly, another set of 350 sites included a JavaScript file, “coinbase-wallet-sdk.js,” served from a different GitHub repository, “kasrlorcian.github[.]io.”
These sites were then spread across platforms like Discord and X (formerly known as Twitter), enticing potential victims to click on them under the guise of offering free tokens (also known as airdrops) and to connect their wallets, at which point their assets were emptied once the transactions were approved.
The file names seaport.js, coinbase.js and wallet-connect.js were chosen to masquerade as popular Web3 protocols such as Seaport, WalletConnect and Coinbase in order to complete unauthorized transactions; the oldest website containing one of these scripts dates back to May 15, 2023.
“Another typical feature of phishing sites belonging to Inferno Drainer was that users could not open the site's source code using hotkeys or by right-clicking the mouse,” Group-IB analyst Viacheslav Shevchenko said. “This means that the criminals tried to hide their scripts and illegal activities from their victims.”
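The indicators listed above (spoofed script file names, the two GitHub Pages hosts, and right-click or hotkey suppression) can be turned into a simple triage check on fetched page source. The following Node.js script is an added example written for this page; it is not code from the Group-IB report or from the article, and the sample pages, the function names `scanPageSource` and `riskLevel`, and the risk thresholds are constructed here for the demonstration.

```javascript
// Added example (not from the Group-IB report or the article): a heuristic
// scanner for fetched page source. Runs under Node.js with no dependencies.

// Script file names the report says Inferno Drainer pages loaded.
const DRAINER_SCRIPT_NAMES = ["seaport.js", "coinbase-wallet-sdk.js", "coinbase.js", "wallet-connect.js"];

// GitHub Pages hosts named in the report as having served the drainer
// (written undefanged here so URL parsing can compare against them).
const DRAINER_HOSTS = ["kuzdaz.github.io", "kasrlorcian.github.io"];

// Source patterns that suggest the page is blocking right-click / view-source.
const ANTI_INSPECT_PATTERNS = [
  { name: "contextmenu-listener", re: /addEventListener\(\s*['"]contextmenu['"]/i },
  { name: "oncontextmenu-false", re: /oncontextmenu\s*=\s*['"]?\s*return\s+false/i },
  { name: "blocks-f12", re: /keyCode\s*===?\s*123|key\s*===?\s*['"]F12['"]/i },
  { name: "blocks-ctrl-u", re: /ctrlKey\s*&&[^;]*['"]u['"]/i },
];

// Returns a list of {type, value} findings for one page's HTML.
function scanPageSource(html) {
  const findings = [];
  const scriptSrcRe = /<script[^>]*\ssrc\s*=\s*["']([^"']+)["']/gi;
  let m;
  while ((m = scriptSrcRe.exec(html)) !== null) {
    const src = m[1];
    let host = "";
    let file = src.split("/").pop();
    try {
      // Relative URLs resolve against a placeholder base, so they never match a host.
      const u = new URL(src, "https://placeholder.invalid/");
      host = u.hostname.toLowerCase();
      file = u.pathname.split("/").pop();
    } catch (e) {
      // Unparseable src: keep the raw file-name guess and no host.
    }
    if (DRAINER_SCRIPT_NAMES.includes(file.toLowerCase())) {
      findings.push({ type: "drainer-script-name", value: src });
    }
    if (DRAINER_HOSTS.includes(host)) {
      findings.push({ type: "known-drainer-host", value: host });
    }
  }
  for (const p of ANTI_INSPECT_PATTERNS) {
    if (p.re.test(html)) findings.push({ type: "anti-inspect", value: p.name });
  }
  return findings;
}

// Combines findings into a coarse triage level (thresholds chosen for this example).
function riskLevel(findings) {
  const drainer = findings.some((f) => f.type !== "anti-inspect");
  const antiInspect = findings.some((f) => f.type === "anti-inspect");
  if (drainer && antiInspect) return "high";
  if (drainer || antiInspect) return "medium";
  return "low";
}

// Constructed sample: a page showing the indicators described in the report.
const SAMPLE_PHISHING_PAGE = `<!doctype html>
<html><head><title>Claim your airdrop</title></head>
<body>
<script src="https://kuzdaz.github.io/seaport/seaport.js"></script>
<script>
document.addEventListener('contextmenu', function (e) { e.preventDefault(); });
document.addEventListener('keydown', function (e) {
  if (e.keyCode === 123 || (e.ctrlKey && e.key === 'u')) { e.preventDefault(); }
});
</script>
</body></html>`;

// Constructed sample: an ordinary page with none of the indicators.
const SAMPLE_BENIGN_PAGE = `<!doctype html>
<html><head><title>Docs</title></head>
<body><script src="https://cdn.example.invalid/app.js"></script></body></html>`;

const phishFindings = scanPageSource(SAMPLE_PHISHING_PAGE);
console.log(riskLevel(phishFindings), phishFindings);
console.log(riskLevel(scanPageSource(SAMPLE_BENIGN_PAGE)));
```

Blocking the context menu and hotkeys only hides the source from casual browsing; the HTML is still returned by a plain fetch, visible through a `view-source:` URL or the browser's developer tools, which is why a scanner like this can run over saved or proxied page bodies. The host list is the weakest signal, since the repositories were removed; the file names combined with anti-inspection code are the more durable pattern.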
It is worth noting that the X account of Google-owned Mandiant was compromised earlier this month to distribute links to a phishing page hosting a cryptocurrency drainer identified as CLINKSINK.
“We believe the ‘X as a service’ model will continue to thrive, not least because it creates more opportunities for less technically competent individuals seeking to become cybercriminals, and for developers it is a highly profitable way to increase their earnings,” the company said, adding: “Additionally, we expect to see an increase in attempts to hack official accounts, as posts supposedly written by an authoritative voice are likely to inspire trust in the eyes of viewers and could make potential victims more likely to follow links and connect their accounts.”
Additionally, Group-IB said the success of Inferno Drainer could fuel the development of new drainers and lead to an increase in sites containing malicious scripts that spoof Web3 protocols, noting that 2024 could become the “year of the drainer.”
“Inferno Drainer may have ceased its activity, but its relevance during 2023 highlights the serious risks for cryptocurrency holders as drainers continue to develop further,” said Andrey Kolmakov, head of the High-Tech Cyber Crime Investigation Department at Group-IB.
A concrete example of right-click handling in JavaScript
The operators behind Inferno Drainer used a JavaScript script (or rather a series of scripts). The following example is, of course, not malware, but it shows how easy it is to make something happen on a right mouse click; in this example it will only be an alert.
```html
<!DOCTYPE html>
<html>
<head>
  <meta name="viewport" content="width=device-width, initial-scale=1.0">
</head>
<body>
  <img id="myImage" src="path_all_image.jpg" alt="image_name">
  <script>
    // Get a reference to the image element
    var image = document.getElementById('myImage');
    // Add an event handler for the contextmenu event (fired on right-click)
    image.addEventListener('contextmenu', function (event) {
      // Prevent the browser's default context menu from appearing
      event.preventDefault();
      // Check that the event was raised by the right mouse button (button 2)
      if (event.button == 2) {
        // Display an alert instead
        alert('Right mouse click detected!');
      }
    });
  </script>
</body>
</html>
```
Save this as an HTML page and open it in a browser: right-clicking the image shows only a simple alert window.
Now imagine that, instead of showing a simple alert, the handler redirected you to an external site running a malicious PHP script that infects your digital wallet.