Vanilla Drainer (DaaS): 1 decision on this page

Audit log

Every state-changing event for Vanilla Drainer (DaaS): moderation decisions on community submissions, plus corrections and updates from the news pipeline. URL-based decisions carry three independent witnesses — the original source, an Internet Archive snapshot taken at submission time, and a Solana memo signed by our publicly disclosed publisher key.

  1. #1 publish by system:backfill
    2026-06-07 23:30:04Z
    Score: ?? (no score change)
    anchor: anchored
    chain: mainnet-beta, slot 424,993,513
    sig: 21MTz1UYSwJh…fqtDzxST
    hash: 869yKHEA1hat…GZhKXDS8 (sha256 → base58)
    row integrity: verifying row… (full verify link)
    canonical bytes (20329 B):
    {"actor":"system:backfill","investigation_id":"f2c745b0-36ba-4a14-a44e-aa3d54016ba3","kind":"publish","page_slug":"vanilla-drainer-daas","published_at":"2026-06-07T23:30:04.325Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"Vanilla Drainer (DaaS)","sections":[{"content":"Vanilla Drainer operates as a Drainer-as-a-Service (DaaS) platform, supplying criminal operators with ready-made phishing software kits in exchange for a cut of stolen proceeds. According to blockchain investigator Darkbit, who first publicly detailed the service in mid-2025, Vanilla charges a standard 20% commission on stolen funds, with discounts reportedly available for larger haul amounts. The service operates on a private-access model, meaning ordinary actors cannot easily sign up — access is allegedly restricted and vetted, distinguishing it from more commoditized drainer offerings. Its earliest known public advertisement was posted on December 8, 2024, claiming the capability to bypass Blockaid, a fraud detection platform widely used by Web3 wallet providers. 
Vanilla attracted former users of the now-diminished Inferno Drainer service, with Darkbit noting: 'I see Vanilla taking over many Inferno customers.'","heading":"Overview and Business Model","severity":"critical","sources":[{"credibility":2,"name":"New Crypto Scam Service Vanilla Drainer Takes $5M in Three Weeks — CoinTelegraph","type":"news_article","url":"https://cointelegraph.com/news/new-scam-service-vanilla-drainer-5m-three-weeks"},{"credibility":2,"name":"Blockchain Sleuths Link $5.3 Million In Thefts To Rising Scam Service Vanilla Drainer — FinanceFeeds","type":"news_article","url":"https://financefeeds.com/blockchain-sleuths-link-5-3-million-in-thefts-to-rising-scam-service-vanilla-drainer/"},{"credibility":3,"name":"Darkbit (@darkbitweb) on X — original thread on Vanilla Drainer","type":"social_media","url":"https://x.com/darkbitweb/status/1948412701010477544"}]},{"content":"Blockchain investigator Darkbit, corroborated by Scam Sniffer data, attributed at least $5.27 million in cryptocurrency theft to Vanilla Drainer across a three-week window between approximately July 15 and August 5, 2025. The service was linked to at least four major individual scams during this period, each resulting in six- or seven-figure losses. The single largest confirmed theft occurred on August 5, 2025, when a victim lost $3.09 million in stablecoins. Based on a commission rate of approximately 17%, the Vanilla Drainer operators received roughly $463,000 from that single incident alone. Approximately $2.23 million in total operator fees — denominated primarily in ETH and DAI — was traced to a suspected Vanilla Drainer fee wallet. Earlier activity has been traced back to October 2024, though the full cumulative theft figure since inception is not publicly established. 
According to Scam Sniffer, Vanilla Drainer contributed to 9,143 identified victims in July 2025 alone.","heading":"Confirmed Theft Activity and Financial Impact","severity":"critical","sources":[{"credibility":2,"name":"New Crypto Scam Service Vanilla Drainer Takes $5M in Three Weeks — CoinTelegraph","type":"news_article","url":"https://cointelegraph.com/news/new-scam-service-vanilla-drainer-5m-three-weeks"},{"credibility":2,"name":"Vanilla Drainer: How This Scam Stole $5M in Crypto and What You Need to Know — OKX","type":"news_article","url":"https://www.okx.com/en-us/learn/vanilla-drainer-scam-crypto-theft"},{"credibility":2,"name":"Scam Sniffer 2025 Annual Report — Crypto Phishing Losses Fall 83% to $84 Million","type":"research","url":"https://drops.scamsniffer.io/scam-sniffer-2025-crypto-phishing-losses-fall-83-to-84-million/"},{"credibility":2,"name":"Blockchain Sleuths Link $5.3 Million In Thefts To Rising Scam Service Vanilla Drainer — FinanceFeeds","type":"news_article","url":"https://financefeeds.com/blockchain-sleuths-link-5-3-million-in-thefts-to-rising-scam-service-vanilla-drainer/"}]},{"content":"Vanilla Drainer delivers JavaScript-based drainer payloads through phishing websites that mimic legitimate decentralized finance interfaces. When a victim connects their cryptocurrency wallet to one of these pages, the malicious script scans the wallet for high-value assets and presents a transaction signing prompt disguised as a routine action such as 'Claim,' 'Mint,' or 'Verify.' Signing the transaction grants the attacker permission to transfer assets out of the victim's wallet. Security researchers have identified that Vanilla Drainer's payloads — exceeding 2.7 MB in observed samples — are stored on Arweave-backed domains (*.irys.xyz) and employ runtime code construction with LZ-compressed strings to resist static analysis. 
A man-in-the-middle proxy layer transparently reroutes all API, GraphQL, and Ethereum RPC traffic through attacker-controlled domains such as thirdtemple.top, giving operators full real-time visibility into wallet balances and enabling injection of tailored malicious payloads calibrated to each victim's specific holdings. Entry point documents hosted on Arweave redirect to Cloudflare Workers instances (*.workers.dev) via hardcoded configuration, leveraging Cloudflare's infrastructure to resist blocklisting. When defenses flag a URL, operators rapidly relaunch with new advertising creatives and landing page URLs, sometimes using chained iframes to simulate commercial traffic distribution systems. Stolen tokens are typically converted into ETH and DAI to facilitate operator fee extraction.","heading":"Technical Infrastructure and Attack Methods","severity":"critical","sources":[{"credibility":2,"name":"Malicious Google Ads Hit Crypto Users With Wallet Drainers — GBHackers","type":"research","url":"https://gbhackers.com/google-ads-hit-crypto-users/"},{"credibility":2,"name":"The State of Drainers Vol. 1 — Security Alliance (SEAL) Radar","type":"research","url":"https://radar.securityalliance.org/2025-10-drainers-vol-1/"},{"credibility":2,"name":"New Crypto Scam Service Vanilla Drainer Takes $5M in Three Weeks — CoinTelegraph","type":"news_article","url":"https://cointelegraph.com/news/new-scam-service-vanilla-drainer-5m-three-weeks"}]},{"content":"Vanilla Drainer phishing kits have been identified as one of the primary payloads deployed via malicious Google Ads campaigns targeting cryptocurrency users. Attackers purchase Google Ads tied to high-intent search keywords such as 'Uniswap,' 'PancakeSwap,' and 'MetaMask,' placing fraudulent listings above legitimate websites in search results. 
These campaigns employ sophisticated cloaking and fingerprinting techniques — selectively serving malicious content only to users who pass criteria identifying them as genuine crypto users rather than automated scanners or security researchers — to bypass Google's automated ad review systems. The 1Campaign platform, documented by Varonis and Bleeping Computer, is one identified cloaking service used to sustain these campaigns. Security researchers documented approximately $1.27 million in confirmed losses from malvertising campaigns tied to drainer payloads consistent with Vanilla Drainer between March 13 and March 30, 2026 alone. Legitimate Google properties such as sites.google.com and docs.google.com have been abused as primary framing layers to lend apparent legitimacy to attack infrastructure.","heading":"Google Ads Malvertising and Phishing Distribution","severity":"high","sources":[{"credibility":2,"name":"Malicious Google Ads Hit Crypto Users With Wallet Drainers — GBHackers","type":"research","url":"https://gbhackers.com/google-ads-hit-crypto-users/"},{"credibility":2,"name":"1Campaign: A New Cloaking Platform Helping Attackers Abuse Google Ads — Varonis","type":"research","url":"https://www.varonis.com/blog/1campaign"},{"credibility":2,"name":"1Campaign platform helps malicious Google ads evade detection — Bleeping Computer","type":"news_article","url":"https://www.bleepingcomputer.com/news/security/1campaign-platform-helps-malicious-google-ads-evade-detection/"},{"credibility":2,"name":"Fake Google Ads Target Uniswap Users in $400K Crypto Scam — CryptoTimes","type":"news_article","url":"https://www.cryptotimes.io/2026/05/26/fake-google-ads-target-uniswap-users-in-400k-crypto-scam/"}]},{"content":"A central feature of Vanilla Drainer's marketing to criminal operators is its alleged capability to bypass Blockaid, a widely deployed on-chain fraud detection API integrated by wallet providers including MetaMask and Coinbase Wallet. 
Vanilla's December 2024 advertisement explicitly promised an 'advanced algorithm' to evade Blockaid detection — a claim that, if substantiated, would neutralize a primary line of defense for millions of users. To further resist detection and takedown, the service deploys a fresh malicious smart contract for every phishing site and domain, preventing blacklisting tools from blocking known contract addresses. Rapid domain cycling — frequently rotating the URLs used for landing pages — limits the effectiveness of blocklist-based defenses. The combination of obfuscated payload delivery via decentralized storage (Arweave/Irys), serverless compute infrastructure (Cloudflare Workers), and per-site contract generation represents a layered anti-detection architecture that security researchers describe as sophisticated relative to commodity drainer tools.","heading":"Fraud Detection Evasion","severity":"high","sources":[{"credibility":2,"name":"New Crypto Scam Service Vanilla Drainer Takes $5M in Three Weeks — CoinTelegraph","type":"news_article","url":"https://cointelegraph.com/news/new-scam-service-vanilla-drainer-5m-three-weeks"},{"credibility":2,"name":"Vanilla Drainer: How This Scam Stole $5M in Crypto and What You Need to Know — OKX","type":"news_article","url":"https://www.okx.com/en-us/learn/vanilla-drainer-scam-crypto-theft"},{"credibility":2,"name":"Malicious Google Ads Hit Crypto Users With Wallet Drainers — GBHackers","type":"research","url":"https://gbhackers.com/google-ads-hit-crypto-users/"}]},{"content":"Vanilla Drainer emerged as a successor threat at a time when Inferno Drainer — previously one of the most dominant DaaS operations — was winding down activity. Security Alliance (SEAL) Radar's inaugural drainer report (October 2025) lists Vanilla Drainer alongside Inferno, Rublevka, and Eleven as the four major active drainer families under tracking. 
Darkbit observed that 'most of the large six- and seven-figure drains of late can be attributed to Vanilla Drainer,' suggesting it has captured a significant share of the high-value end of the drainer market. The private-access model restricts the pool of criminal operators but may result in more operationally sophisticated deployments compared to services available to any buyer. Scam Sniffer's 2025 annual report noted that while overall crypto phishing losses fell 83% year-over-year to $84 million in 2025 — attributed to improved detection and reduced market volatility — the drainer ecosystem remained structurally active, with Vanilla's emergence illustrating the pattern whereby retiring services are replaced by new entrants.","heading":"Competitive Positioning in the Drainer Ecosystem","severity":"high","sources":[{"credibility":2,"name":"The State of Drainers Vol. 1 — Security Alliance (SEAL) Radar","type":"research","url":"https://radar.securityalliance.org/2025-10-drainers-vol-1/"},{"credibility":2,"name":"Scam Sniffer 2025 Annual Report — Crypto Phishing Losses Fall 83% to $84 Million","type":"research","url":"https://drops.scamsniffer.io/scam-sniffer-2025-crypto-phishing-losses-fall-83-to-84-million/"},{"credibility":2,"name":"New Crypto Scam Service Vanilla Drainer Takes $5M in Three Weeks — CoinTelegraph","type":"news_article","url":"https://cointelegraph.com/news/new-scam-service-vanilla-drainer-5m-three-weeks"}]},{"content":"As of the date of this investigation, no public regulatory action by the SEC, CFTC, DOJ, or any other law enforcement body has been identified specifically targeting Vanilla Drainer or its alleged operators. No arrests, indictments, or civil enforcement proceedings have been publicly disclosed. 
The anonymous and decentralized nature of the operation — with operators interacting through private channels, payments processed on-chain, and infrastructure distributed across decentralized storage networks — poses significant investigative challenges. No named individuals have been publicly attributed to operating or developing the Vanilla Drainer service. The operator fee wallet identified by Darkbit containing approximately $2.23 million has not been linked to any sanctioned address on OFAC's SDN list in publicly available records.","heading":"Law Enforcement and Regulatory Status","severity":"medium","sources":[{"credibility":2,"name":"Blockchain Sleuths Link $5.3 Million In Thefts To Rising Scam Service Vanilla Drainer — FinanceFeeds","type":"news_article","url":"https://financefeeds.com/blockchain-sleuths-link-5-3-million-in-thefts-to-rising-scam-service-vanilla-drainer/"}]},{"content":"Security researchers and the broader industry advise cryptocurrency users to verify URLs with extreme care before connecting wallets, to use hardware wallets that display transaction details on a trusted screen, and to reject unexpected signing requests originating from search-engine advertisements. Users should navigate directly to official protocol websites by typing addresses rather than following sponsored search links. Wallet providers integrating Blockaid or similar transaction simulation layers should be aware that Vanilla Drainer has specifically advertised the capability to circumvent these defenses. 
The Drainer-as-a-Service model means that the Vanilla Drainer tooling is not operated by a single actor but may be deployed across many independent criminal campaigns simultaneously, broadening the attack surface.","heading":"User Protection and Risk Guidance","severity":"medium","sources":[{"credibility":2,"name":"Drainer as a Service (DaaS) — Ledger Academy","type":"other","url":"https://www.ledger.com/academy/glossary/drainer-as-a-service-daas"},{"credibility":2,"name":"The Rise of Drainer-as-a-Service — SentinelOne","type":"research","url":"https://www.sentinelone.com/blog/the-rise-of-drainer-as-a-service-understanding-daas/"}]}],"sources_used":[{"credibility":2,"name":"New Crypto Scam Service Vanilla Drainer Takes $5M in Three Weeks — CoinTelegraph","type":"news_article","url":"https://cointelegraph.com/news/new-scam-service-vanilla-drainer-5m-three-weeks"},{"credibility":2,"name":"Blockchain Sleuths Link $5.3 Million In Thefts To Rising Scam Service Vanilla Drainer — FinanceFeeds","type":"news_article","url":"https://financefeeds.com/blockchain-sleuths-link-5-3-million-in-thefts-to-rising-scam-service-vanilla-drainer/"},{"credibility":2,"name":"Vanilla Drainer: How This Scam Stole $5M in Crypto and What You Need to Know — OKX","type":"news_article","url":"https://www.okx.com/en-us/learn/vanilla-drainer-scam-crypto-theft"},{"credibility":3,"name":"Darkbit (@darkbitweb) on X — original Vanilla Drainer investigation thread","type":"social_media","url":"https://x.com/darkbitweb/status/1948412701010477544"},{"credibility":2,"name":"Malicious Google Ads Hit Crypto Users With Wallet Drainers — GBHackers","type":"research","url":"https://gbhackers.com/google-ads-hit-crypto-users/"},{"credibility":2,"name":"The State of Drainers Vol. 
1 — Security Alliance (SEAL) Radar","type":"research","url":"https://radar.securityalliance.org/2025-10-drainers-vol-1/"},{"credibility":2,"name":"Scam Sniffer 2025 Annual Report — Crypto Phishing Losses Fall 83% to $84 Million","type":"research","url":"https://drops.scamsniffer.io/scam-sniffer-2025-crypto-phishing-losses-fall-83-to-84-million/"},{"credibility":2,"name":"1Campaign: A New Cloaking Platform Helping Attackers Abuse Google Ads — Varonis","type":"research","url":"https://www.varonis.com/blog/1campaign"},{"credibility":2,"name":"1Campaign platform helps malicious Google ads evade detection — Bleeping Computer","type":"news_article","url":"https://www.bleepingcomputer.com/news/security/1campaign-platform-helps-malicious-google-ads-evade-detection/"},{"credibility":2,"name":"Fake Google Ads Target Uniswap Users in $400K Crypto Scam — CryptoTimes","type":"news_article","url":"https://www.cryptotimes.io/2026/05/26/fake-google-ads-target-uniswap-users-in-400k-crypto-scam/"},{"credibility":2,"name":"Drainer as a Service (DaaS) — Ledger Academy","type":"other","url":"https://www.ledger.com/academy/glossary/drainer-as-a-service-daas"},{"credibility":2,"name":"The Rise of Drainer-as-a-Service — SentinelOne","type":"research","url":"https://www.sentinelone.com/blog/the-rise-of-drainer-as-a-service-understanding-daas/"},{"credibility":2,"name":"New Crypto Scam Service Vanilla Drainer Steals $5.27 Million in Three Weeks — Yellow.com","type":"news_article","url":"https://yellow.com/en-US/news/new-crypto-scam-service-vanilla-drainer-steals-dollar527-million-in-three-weeks"}],"summary":"Vanilla Drainer is a Drainer-as-a-Service (DaaS) operation that emerged in late 2024 and has been linked by blockchain investigators to at least $5.27 million in confirmed cryptocurrency theft across a three-week window in mid-2025. 
The service provides phishing software kits to criminal operators on a private-access basis, taking a 15-20% commission on stolen proceeds, and employs obfuscated JavaScript payloads, man-in-the-middle proxy layers, and aggressive domain and smart contract cycling to evade established fraud detection platforms including Blockaid.","timeline":[{"date":"2024-10-01","event":"Earliest theft activity attributed to Vanilla Drainer infrastructure detected by on-chain investigators, though the operation had not yet been publicly named.","source":"CoinTelegraph / Darkbit investigation","source_url":"https://cointelegraph.com/news/new-scam-service-vanilla-drainer-5m-three-weeks"},{"date":"2024-12-08","event":"Earliest known public advertisement for Vanilla Drainer posted, claiming an 'advanced algorithm' capable of bypassing Blockaid fraud detection.","source":"CoinTelegraph / Darkbit investigation","source_url":"https://cointelegraph.com/news/new-scam-service-vanilla-drainer-5m-three-weeks"},{"date":"2025-07-15","event":"Start of the confirmed three-week window during which Vanilla Drainer was linked to at least four major phishing operations totaling $5.27 million.","source":"FinanceFeeds / Darkbit","source_url":"https://financefeeds.com/blockchain-sleuths-link-5-3-million-in-thefts-to-rising-scam-service-vanilla-drainer/"},{"date":"2025-07-24","event":"Blockchain investigator Darkbit (@darkbitweb) published a public thread on X identifying Vanilla Drainer and attributing multiple large six- and seven-figure thefts to it.","source":"Darkbit on X","source_url":"https://x.com/darkbitweb/status/1948412701010477544"},{"date":"2025-08-05","event":"Largest single theft attributed to Vanilla Drainer: a victim lost $3.09 million in stablecoins in a single phishing incident; operators collected approximately $463,000 as their commission.","source":"CoinTelegraph / 
FinanceFeeds","source_url":"https://financefeeds.com/blockchain-sleuths-link-5-3-million-in-thefts-to-rising-scam-service-vanilla-drainer/"},{"date":"2025-08-25","event":"CoinTelegraph and multiple outlets published coverage of the Vanilla Drainer investigation, reporting the $5.27 million total linked to the service.","source":"CoinTelegraph","source_url":"https://cointelegraph.com/news/new-scam-service-vanilla-drainer-5m-three-weeks"},{"date":"2025-10-01","event":"Security Alliance (SEAL) Radar published 'The State of Drainers Vol. 1,' identifying Vanilla Drainer as one of four major active drainer families under ongoing tracking alongside Inferno, Rublevka, and Eleven.","source":"SEAL Radar","source_url":"https://radar.securityalliance.org/2025-10-drainers-vol-1/"},{"date":"2026-03-13","event":"Malvertising campaigns deploying drainer payloads consistent with Vanilla Drainer infrastructure caused approximately $1.27 million in confirmed losses between March 13 and March 30, 2026, representing an activity spike.","source":"GBHackers / Security Alliance research","source_url":"https://gbhackers.com/google-ads-hit-crypto-users/"}]},"v":1}
    Verify offline (run on your own machine)
    python -m src.verify_decision e7db1995-4465-424a-b3a1-9315114490d3
How verification works. The “Row integrity” check above is computed in your browser: your machine recomputes the SHA-256 of the canonical bytes, base58-encodes the digest, and compares the result against the stored hash, so no avoid.net server can fake that check. The “full verify” link goes one level deeper: your browser fetches the on-chain transaction from a Solana RPC node and confirms that the same hash is in the memo. If you don’t want to trust either avoid.net or the public RPC, run the CLI verifier on your own machine: python -m src.verify_decision <event_id>.
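As an added illustration (not avoid.net's own src.verify_decision code), the row-integrity step above in Python: SHA-256 over the canonical bytes, base58-encoded, compared with the stored hash, plus the memo comparison the full verify performs once the transaction has been fetched. The canonical form (compact JSON, sorted keys, no extra whitespace) is inferred from the record displayed above and is an assumption; the sample record and its hash are constructed and much shorter than the real 20329-byte row.

```python
"""Row-integrity check for an audit-log entry (added example, not the site's code).

ASSUMPTION: canonical bytes are compact JSON with sorted keys, as the displayed
record suggests. The sample record below is constructed; its values are fake.
"""
import hashlib
import json

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58encode(data: bytes) -> str:
    """Bitcoin-style base58: big-endian integer, each leading zero byte becomes '1'."""
    n = int.from_bytes(data, "big")
    digits = ""
    while n:
        n, rem = divmod(n, 58)
        digits = B58_ALPHABET[rem] + digits
    leading_zeros = len(data) - len(data.lstrip(b"\x00"))
    return "1" * leading_zeros + digits


def canonical_bytes(record: dict) -> bytes:
    """Serialise a decision record in the assumed canonical form (sorted, compact)."""
    return json.dumps(record, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def row_hash(canonical: bytes) -> str:
    """The value the page labels 'hash': sha256 of the canonical bytes, then base58."""
    return b58encode(hashlib.sha256(canonical).digest())


def verify_row(canonical: bytes, stored_hash: str) -> bool:
    """Row integrity: the bytes shown must hash to the hash shown."""
    return row_hash(canonical) == stored_hash


def memo_carries_hash(memo: str, stored_hash: str) -> bool:
    """Full verify, after fetching the Solana transaction: the memo must carry the
    same hash. The exact memo layout is not shown, so containment is assumed."""
    return stored_hash in memo


# Constructed sample record mirroring the page's top-level field names.
SAMPLE_RECORD = {
    "actor": "system:backfill",
    "investigation_id": "00000000-0000-0000-0000-000000000000",
    "kind": "publish",
    "page_slug": "vanilla-drainer-daas",
    "published_at": "2026-06-07T23:30:04.325Z",
    "sequence_num": 1,
    "snapshot": {"entity_name": "Vanilla Drainer (DaaS)", "summary": "sample"},
    "v": 1,
}

if __name__ == "__main__":
    canon = canonical_bytes(SAMPLE_RECORD)
    stored = row_hash(canon)  # what a publisher would record for this row
    print("row ok:", verify_row(canon, stored))
    # A one-byte edit to the record must fail the check.
    tampered = canon.replace(b'"sequence_num":1', b'"sequence_num":2')
    print("tampered ok:", verify_row(tampered, stored))
```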