New Threat from Drainer Software: $295 Million Stolen in a Single Year, Cryptocurrency Wallets Urgently Need Better Protection
New Threats in the Crypto World: The Rise and Dangers of Drainer Software
The cryptocurrency sector is facing a new threat: Drainer software. This class of malicious program is built specifically to empty cryptocurrency wallets, and its developers rent it out as a service, so anyone willing to pay can use the tool.
This article examines several representative Drainers, analyzes how they operate and the harm they cause to users, and aims to raise awareness of phishing threats.
How Drainers Operate
Although there are many Drainer variants, the underlying principle is largely the same: social engineering, such as forged official announcements or fake airdrop events, tricks users into connecting a wallet and confirming transactions they do not understand.
Airdrop Claim Scams
Some gangs advertise their services through Telegram channels under a "scam-as-a-service" model, supplying ready-made phishing websites to the scammers who run the campaigns. Once a victim scans the QR code on the phishing site and connects a wallet, the Drainer enumerates the wallet, identifies the most valuable and most easily transferable assets, and prepares malicious transactions targeting them. When the victim confirms those transactions, the assets move to the criminals' addresses. The proceeds are typically split 20/80: 20% to the Drainer developers and 80% to the scammer who ran the campaign.
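The flow just described (connect wallet, Drainer selects assets, user confirms prepared transactions) is the point where a wallet can still intervene, because the request the dApp submits has to be decoded and shown to the user before it is signed. The following JavaScript is an added example, not code from the article or from any wallet vendor: it decodes the calldata of an eth_sendTransaction-style request and flags the patterns Drainers depend on, an unlimited ERC-20 approve to an unknown spender, a setApprovalForAll over an NFT collection, a transferFrom of the signer's own asset, or a plain native-value sweep. The four selectors are the standard ERC-20/ERC-721 ones; the trustedSpenders context, the severity scheme and every address in the sample request are assumptions made for the example.

```javascript
// Added example (not from the original article): wallet-side screening of a
// transaction request before the user signs it. Decodes the calldata a dApp submits
// and flags the patterns a drainer relies on. Selectors are the standard
// ERC-20/ERC-721 ones; every address and the sample request are hypothetical.

const MAX_UINT256 = (1n << 256n) - 1n;

// 4-byte selectors = first 4 bytes of keccak256 of the canonical signature.
const SELECTORS = {
  "0x095ea7b3": { name: "approve(address,uint256)", args: ["address", "uint256"] },
  "0xa22cb465": { name: "setApprovalForAll(address,bool)", args: ["address", "bool"] },
  "0xa9059cbb": { name: "transfer(address,uint256)", args: ["address", "uint256"] },
  "0x23b872dd": { name: "transferFrom(address,address,uint256)", args: ["address", "address", "uint256"] },
};

// Decode the static ABI arguments: one 32-byte word (64 hex chars) per argument.
function decodeCalldata(data) {
  const hex = (data || "0x").toLowerCase().replace(/^0x/, "");
  if (hex.length < 8) return { name: null, selector: null, args: [] };
  const selector = "0x" + hex.slice(0, 8);
  const sig = SELECTORS[selector];
  if (!sig) return { name: null, selector, args: [] };
  const words = hex.slice(8).match(/.{64}/g) || [];
  if (words.length < sig.args.length) throw new Error("calldata too short for " + sig.name);
  const args = sig.args.map((type, i) => {
    const w = words[i];
    if (type === "address") return "0x" + w.slice(24); // address = low 20 bytes of the word
    if (type === "uint256") return BigInt("0x" + w);
    if (type === "bool") return BigInt("0x" + w) !== 0n;
    throw new Error("unsupported type " + type);
  });
  return { name: sig.name, selector, args };
}

// tx: { from, to, value (hex wei), data } as passed to eth_sendTransaction.
// ctx.trustedSpenders: lower-cased addresses the user has knowingly dealt with before (assumed context).
function assessTransaction(tx, ctx) {
  const findings = [];
  const trusted = (a) => !!a && ctx.trustedSpenders.has(a.toLowerCase());
  const value = BigInt(tx.value || "0x0");
  const decoded = decodeCalldata(tx.data);
  const hasData = !!tx.data && tx.data !== "0x";

  // Native balance sweep: plain value transfer to an address the user never interacted with.
  if (value > 0n && !hasData && !trusted(tx.to)) {
    findings.push({ severity: "high", reason: "native value sent to unknown address " + tx.to });
  }
  if (decoded.name === "approve(address,uint256)") {
    const [spender, amount] = decoded.args;
    if (amount === MAX_UINT256 && !trusted(spender)) {
      findings.push({ severity: "high", reason: "unlimited ERC-20 approval to unknown spender " + spender });
    } else if (amount > 0n && !trusted(spender)) {
      findings.push({ severity: "medium", reason: "ERC-20 approval to unknown spender " + spender });
    }
  }
  if (decoded.name === "setApprovalForAll(address,bool)") {
    const [operator, approved] = decoded.args;
    if (approved && !trusted(operator)) {
      findings.push({ severity: "high", reason: "operator approval over a whole NFT collection to " + operator });
    }
  }
  if (decoded.name === "transferFrom(address,address,uint256)") {
    const [from, to] = decoded.args;
    if (from.toLowerCase() === tx.from.toLowerCase() && !trusted(to)) {
      findings.push({ severity: "high", reason: "transferFrom of the signer's own asset to unknown address " + to });
    }
  }
  if (hasData && decoded.name === null) {
    findings.push({ severity: "low", reason: "unrecognised selector " + decoded.selector + "; review manually" });
  }
  const RANK = { high: 3, medium: 2, low: 1 };
  const worst = findings.reduce((m, f) => Math.max(m, RANK[f.severity]), 0);
  return { decoded: decoded.name, findings, verdict: worst === 3 ? "block" : worst === 2 ? "warn" : "allow" };
}

// Constructed sample: an "airdrop claim" that is really approve(drainer, 2**256-1).
const pad32 = (hex) => hex.replace(/^0x/, "").padStart(64, "0");
const DRAINER = "0xdeaddeaddeaddeaddeaddeaddeaddeaddeaddead"; // hypothetical
const SAMPLE_CLAIM_TX = {
  from: "0x1111111111111111111111111111111111111111", // victim, hypothetical
  to: "0x2222222222222222222222222222222222222222",   // token contract, hypothetical
  value: "0x0",
  data: "0x095ea7b3" + pad32(DRAINER) + pad32(MAX_UINT256.toString(16)),
};

console.log(JSON.stringify(assessTransaction(SAMPLE_CLAIM_TX, { trustedSpenders: new Set() }), null, 2));
```

Run with node. A real wallet would build trustedSpenders from the user's own approval history, and would also need to screen off-chain signature requests (eth_signTypedData), since the account-takeover campaigns below steal through malicious signatures as well as transactions; this example covers only eth_sendTransaction payloads.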
The fraud groups that buy this malware service lure victims mainly through phishing websites impersonating well-known crypto projects. Using closely imitated Twitter accounts, they post large numbers of fake airdrop claim links in the replies under official project accounts to draw users onto the phishing site. Once a user lets their guard down and connects a wallet, the losses follow.
Social Media Account Takeover
Beyond selling the malware, Drainer operators commonly rely on social engineering against high-traffic accounts. Attackers hijack the Discord and Twitter accounts of popular individuals or projects and post false announcements containing phishing links to steal user assets. Discord administrators are typically tricked into authorizing malicious "verification" bots or adding bookmarks containing malicious JavaScript (bookmarklets), which hand the attackers the account's permissions.
After gaining access, the attackers take steps to prolong the compromise: removing the other administrators, promoting their own accounts to administrator, and getting the legitimate owner's account flagged for terms-of-service violations. From the hijacked accounts they then push phishing links that lead users to malicious sites and get them to sign malicious signatures, completing the theft.
Ransomware-as-a-Service
The same affiliate model appears in ransomware. Some Russian ransomware-as-a-service operations provide domain registration, malware development and maintenance, and keep 20% of the ransom paid by victims infected with their code. The affiliates who use the service are responsible for choosing and attacking targets and receive the remaining 80% of whatever ransom is ultimately paid.
According to reports, these gangs have attacked thousands of victims worldwide since first appearing in September 2019, extorting over $120 million in ransom. Recently, the U.S. Department of Justice charged a Russian man as the leader of one such ransomware group and froze more than 200 cryptocurrency accounts believed to be linked to the gang's activities.
How Much Damage Drainers Cause
Take a Drainer victim case recorded by one platform: the victim granted an approval to a phishing site and had $287,000 worth of crypto assets stolen. The site had been promoted on social media during the early launch of a public chain, luring users to "claim" an airdrop. Its domain differed from the official website by a single letter, which made the two very easy to confuse.
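Both lures on this page, the closely imitated Twitter accounts posting claim links and the phishing domain one letter away from the official site, can be caught mechanically. The JavaScript below is an added example, not the article's or any platform's code: it folds common look-alike characters, measures edit distance against a list of official domains and handles, and separately flags names that merely embed the brand (exampleswap-airdrop.com). The project "ExampleSwap", its domains and handle, and every candidate name are constructed for illustration; the confusables table and the two-edit threshold are assumptions.

```javascript
// Added example (not from the original article): classify a domain or social handle
// against a list of official ones to catch one-letter-off domains and copycat
// accounts used to push fake airdrop links. All names below are constructed.

// Characters commonly swapped for look-alikes, folded before comparing. Illustrative,
// not exhaustive; the Cyrillic entries are the classic homoglyphs.
const CONFUSABLES = {
  "0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "rn": "m", "vv": "w",
  "а": "a", "е": "e", "о": "o", "р": "p", "с": "c", "х": "x", "ı": "i",
};

function normalize(s) {
  let out = s.normalize("NFKC").toLowerCase();
  for (const [k, v] of Object.entries(CONFUSABLES)) out = out.split(k).join(v);
  return out;
}

// Classic edit distance (insert/delete/substitute), single-row DP.
function levenshtein(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0];
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = row[j];
      row[j] = Math.min(row[j] + 1, row[j - 1] + 1, diag + (a[i - 1] === b[j - 1] ? 0 : 1));
      diag = tmp;
    }
  }
  return row[b.length];
}

// Accept a bare hostname or a full URL; return the lower-cased hostname.
function hostnameOf(candidate) {
  const m = candidate.trim().match(/^(?:[a-z][a-z0-9+.-]*:\/\/)?([^/:?#]+)/i);
  return m ? m[1].toLowerCase().replace(/\.$/, "") : "";
}

// Shared classifier. For domains, a subdomain of an official domain counts as official
// and the "brand" is the first label (exampleswap in exampleswap.org).
function classify(name, officials, isDomain) {
  if (officials.length === 0) return { verdict: "unrelated", closest: null, distance: Infinity };
  const n = name.toLowerCase();
  for (const off of officials) {
    if (n === off || (isDomain && n.endsWith("." + off))) return { verdict: "official", closest: off, distance: 0 };
  }
  let best = { closest: null, distance: Infinity };
  for (const off of officials) {
    const d = levenshtein(normalize(n), normalize(off));
    if (d < best.distance) best = { closest: off, distance: d };
  }
  // Within two edits after homoglyph folding: typosquat or homoglyph clone.
  if (best.distance <= 2) return { verdict: "lookalike", ...best };
  // Official brand embedded in a longer name: exampleswap-airdrop.com, claim.exampleswap.org.evil.net
  for (const off of officials) {
    const brand = isDomain ? off.split(".")[0] : off;
    if (normalize(n).includes(normalize(brand))) return { verdict: "brand-abuse", closest: off, distance: best.distance };
  }
  return { verdict: "unrelated", ...best };
}

function assessDomain(candidate, officialDomains) {
  return classify(hostnameOf(candidate), officialDomains.map((d) => d.toLowerCase()), true);
}

function assessHandle(candidate, officialHandles) {
  const strip = (h) => h.trim().replace(/^@/, "").toLowerCase();
  return classify(strip(candidate), officialHandles.map(strip), false);
}

// Constructed official list for the hypothetical project "ExampleSwap".
const OFFICIAL_DOMAINS = ["exampleswap.org", "examplenft.io"];
const OFFICIAL_HANDLES = ["@ExampleSwap"];

const CANDIDATES = ["https://app.exampleswap.org/claim", "examp1eswap.org", "exampleswop.org",
  "exampleswap-airdrop.com", "claim.exampleswap.org.evil.net", "example.com"];
for (const c of CANDIDATES) console.log(c, "=>", assessDomain(c, OFFICIAL_DOMAINS).verdict);
console.log("@ExampIeSwap", "=>", assessHandle("@ExampIeSwap", OFFICIAL_HANDLES).verdict);
```

The thresholds and the confusables table are deliberately small. A production check would use the full Unicode confusables data, split the hostname on the public suffix list rather than taking the first label as the brand, and treat "lookalike" and "brand-abuse" as grounds to block the link rather than merely warn.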
From the transaction hash the victim supplied, the transaction that moved the funds can be seen to have been initiated by the Drainer software. Of the proceeds, 36,200 of the token in question went to the Drainer's fund aggregation address and 144,900 to the scammer's address, a 20/80 split. Statistics show that the aggregation address involved in this case has handled as much as 8,143.44 ETH and 910,000 USDT since March 2023.
Data shows that in 2023 Drainer software stole nearly $295 million in assets from 324,000 victims. Most Drainers only became active last year, yet they have already caused heavy losses: a handful of major Drainers alone account for hundreds of millions of dollars, which shows both how widespread they are and how large the threat is.
Conclusion
As some well-known Drainer groups announce their retirement, new teams quickly take their place, and phishing activity ebbs and flows accordingly. Against such rampant criminal groups, building a secure crypto environment requires effort from every party. Users should remain vigilant and sharpen their fraud awareness to avoid becoming the next victim; platforms and institutions, for their part, should strengthen regulatory and protective measures to jointly safeguard the cryptocurrency ecosystem.