This malware steals millions of euros in cryptocurrencies by gaining your trust


A malicious campaign that targeted cryptocurrency users with fake Coinbase websites has been revealed by cybersecurity firm Group-IB. Here’s what we know about it.


Inferno Drainer is a new, sophisticated scam that, as the name suggests, is capable of draining all funds found in people’s cryptocurrency wallets, including fungible and non-fungible tokens (NFTs).

It uses high-quality phishing pages to trick users into connecting their cryptocurrency wallets to the attackers’ servers. The pages then spoof Web3 protocols to get fraudulent transactions authorized. Web3 protocols are interfaces that allow users to interact with decentralized applications (DApps) on the blockchain.


Who is behind this new malicious campaign?

The scam was carried out by a group of cybercriminals who offered their malware as a service to other affiliates, who could either host their own phishing sites or use the group’s hosting service for a fee. The group created 16,000+ unique domains mimicking 100+ platforms, such as Coinbase, Metamask, Uniswap, and Binance.

Group-IB analyzed 500 of these domains and found that they contained a JavaScript-based drainer that was initially hosted on a GitHub repository (kuzdaz.github[.]io/seaport/seaport.js) before being integrated directly into websites. The user “kuzdaz” no longer exists on GitHub. Another 350 domains contained a similar script, “coinbase-wallet-sdk.js”, on another GitHub repository, “kasrlorcian.github[.]io”.

The group then spread its phishing links on platforms such as Discord and X (formerly Twitter), where it lured users by promising them free tokens (called “airdrops”) and asking them to connect their wallets. Once users did so, the drainer would spoof Web3 protocols such as Seaport, WalletConnect, and Coinbase, and execute unauthorized transactions that drained users’ funds.
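As an added defensive illustration (not code from the article or from Group-IB), the following heuristic scores candidate hostnames for the brand-impersonation and airdrop-lure pattern described above; the brand list comes from the platforms named in the article, while the allowlist, lure words, thresholds and sample hostnames are constructed assumptions for this example.

```python
import re

# Platforms the article names as impersonated by the campaign's domains.
BRANDS = ["coinbase", "metamask", "uniswap", "binance"]
# Illustrative allowlist of legitimate registrable domains (assumption for
# this example; a real deployment would use the brands' published domains).
ALLOWLIST = {"coinbase.com", "metamask.io", "uniswap.org", "binance.com"}
# Words typical of the "free tokens" lure the article describes.
LURE_WORDS = ["airdrop", "claim", "reward", "bonus", "mint", "connect"]

def levenshtein(a, b):
    """Edit distance, used to catch misspelled brand labels such as 'metamsk'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(host):
    """Last two labels; deliberately naive (no public-suffix list handling)."""
    return ".".join(host.split(".")[-2:])

def score_domain(domain):
    """Score one hostname: 2 for a brand (exact or lookalike), 1 per lure word."""
    host = domain.lower().strip(".")
    score, reasons = 0, []
    if registrable(host) in ALLOWLIST:
        return {"domain": domain, "score": 0, "reasons": reasons}
    labels = [lab for lab in re.split(r"[.\-_]", host) if lab]
    exact = next((b for b in BRANDS if b in host), None)
    if exact:
        score, reasons = score + 2, reasons + [f"contains brand '{exact}'"]
    else:  # dictionary words like 'finance' also sit near 'binance'; tune per site
        for lab in labels:
            near = [b for b in BRANDS if len(lab) >= 5 and levenshtein(lab, b) <= 2]
            if near:
                score, reasons = score + 2, reasons + [f"label '{lab}' resembles '{near[0]}'"]
                break
    for word in LURE_WORDS:
        if word in host:
            score, reasons = score + 1, reasons + [f"lure word '{word}'"]
    return {"domain": domain, "score": score, "reasons": reasons}

def triage(domains, threshold=2):
    """Return (hostname, score) pairs at or above the threshold, highest first."""
    scored = [(d, score_domain(d)["score"]) for d in domains]
    return sorted([s for s in scored if s[1] >= threshold], key=lambda s: -s[1])

# Constructed sample input; these are not indicators from the real campaign.
SAMPLE = ["coinbase-airdrop.example", "metamsk-claim.example",
          "www.coinbase.com", "docs.example.org"]
```

Feed `triage()` newly registered domains or URLs harvested from Discord or X posts to shortlist hosts worth a manual look; it is a triage aid, not a verdict.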


Instead of receiving the airdrop, once victims connected their wallets and approved the transactions, the drainer would simply withdraw all funds from the accounts and, given the nature of blockchain, the funds were lost for good.

Malware brings millions of euros to hackers

According to Viacheslav Shevchenko, analyst at Group-IB, the group also tried to conceal malicious activities by preventing users from viewing the website’s source code using hotkeys or right-clicking.

The Inferno Drainer campaign is not the only one of its kind. Earlier this month, the X account of Google-owned Mandiant was hacked and used to distribute links to a phishing page that hosted a cryptocurrency drainer called CLINKSINK.

Group-IB told The Hacker News that it expects the “X as a service” model to continue to thrive because it provides cybercriminals with an easy and lucrative way to launch their scams. They also warned that official accounts could be targeted more frequently, because they can give credibility to phishing links and make users more likely to click on them.

The campaign is reported to have been active for about a year, between 2022 and 2023, and to have stolen more than $87 million from more than 137,000 victims. That is only a small portion of the $2 billion stolen in 2023. Inferno Drainer was reportedly shut down in November 2023, but the user panel was still active as of mid-January of this year.

Additionally, Group-IB said the success of Inferno Drainer could inspire the development of new malware of this type and an increase in websites containing malicious scripts that spoof Web3 protocols. The firm also predicted that 2024 could become “the year of the drainer”.
