Verify a decision

{"actor":"system:backfill","investigation_id":"4c3aa5b7-2ed7-442a-9770-1fb107141033","kind":"publish","page_slug":"wallet-drainers","published_at":"2026-05-14T06:01:56.753Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"wallet drainers","sections":[{"content":"<cite index=\"2-1,5-1\">Crypto drainers are malicious tools that steal digital assets like NFTs, and tokens from cryptocurrency wallets</cite>, specifically designed as <cite index=\"5-1\">phishing tools for the Web3 ecosystem</cite>. Unlike traditional malware that steals credentials, <cite index=\"5-8\">drainers masquerade as web3 projects, enticing victims into connecting their crypto wallets to the drainer and approving transaction proposals that grant the operator control of the funds inside the wallet</cite>. <cite index=\"2-11\">Drainers initiate fraudulent transactions and deceive users into signing them, allowing the drainer to siphon off funds to the attacker</cite>. <cite index=\"5-9\">If successful, drainers are able to directly steal users' funds instantly</cite>.","heading":"Definition and Mechanism","severity":"critical","sources":[{"credibility":2,"name":"Check Point Research - Wallet Scam Case Study","type":"research","url":"https://research.checkpoint.com/2024/wallet-scam-a-case-study-in-crypto-drainer-tactics/"},{"credibility":2,"name":"Chainalysis - Understanding Crypto Drainers","type":"research","url":"https://www.chainalysis.com/blog/crypto-drainers/"}]},{"content":"The financial impact of wallet drainers has been devastating. <cite index=\"3-2,15-7\">Scam Sniffer claims that threat actors used wallet drainers to steal $494m from victims in 2024</cite>, representing <cite index=\"15-8\">a 67% annual increase</cite> from the previous year. <cite index=\"15-10\">The estimated $494m lost to wallet drainers in 2024 came from 332,000 wallet addresses, up just 3.7% from 2023 figures</cite>, indicating that <cite index=\"15-11\">cybercriminals are stealing more from each victim</cite>. <cite index=\"15-12\">The largest single theft was a whopping $55.5m</cite>, while <cite index=\"15-13\">there were 30 \"large-loss cases\" of over $1m, amounting to $171m in total or $5.7m on average</cite>. Historical data shows <cite index=\"7-20,16-1\">more than 320,000 users were affected in 2023, with total damage of just under $300 million</cite>. <cite index=\"5-14\">The quarterly growth rate in value stolen by these drainers has even exceeded value stolen by ransomware</cite>.","heading":"Scale of Impact and Financial Losses","severity":"critical","sources":[{"credibility":2,"name":"Infosecurity Magazine - $500m Crypto Wallet Drain","type":"news_article","url":"https://www.infosecurity-magazine.com/news/scammers-drain-500m-crypto-wallets/"},{"credibility":2,"name":"Kaspersky - Crypto Wallet Drainer Analysis","type":"research","url":"https://www.kaspersky.com/blog/what-is-a-crypto-wallet-drainer/50490/"},{"credibility":2,"name":"Medium - Wallet Drainers Industry Analysis","type":"research","url":"https://medium.com/coinmonks/wallet-drainers-a-300-million-crypto-scam-as-a-service-industry-09aa1d44172e"}]},{"content":"The wallet drainer landscape has been dominated by several major operations operating as scam-as-a-service platforms. <cite index=\"11-4\">Inferno made a strong comeback, dominating the year as the leading group with a market share ranging from 40 to 45% of all crypto hits in 2024</cite>. <cite index=\"4-32,4-33\">Inferno Drainer is one of the most notorious crypto drainers estimated to have stolen over $80 million</cite>. <cite index=\"12-1,17-8\">Pink Drainer announced its retirement in May 2024, after amassing about $85 million from more than 21,000 victims</cite>. <cite index=\"11-1,11-3\">The criminal group Pink held 28% of the market in 2024 until it announced its exit in May</cite>. <cite index=\"11-5\">Other gangs in the fight for global dominion over the wallet drainers' dark market include Angel, Acedrainer, MS Drainer, and Nova Drainer</cite>. <cite index=\"17-4\">Inferno Drainer announced its services have been taken over by Angel Drainer in an Oct. 19 announcement</cite>, leading to concerns about <cite index=\"20-29,20-30\">a merger between the two platforms that help scammers and bad actors drain crypto wallets, with Angel Drainer set to inherit a massive infrastructure</cite>.","heading":"Major Drainer Operations","severity":"critical","sources":[{"credibility":2,"name":"Moonlock - Wallet Drainer Crypto Theft 2024","type":"research","url":"https://moonlock.com/wallet-drainer-crypto-theft-2024"},{"credibility":2,"name":"Cointelegraph - Crypto Drainers Retiring","type":"news_article","url":"https://cointelegraph.com/news/crypto-drainers-investigators-hacks-defi"}]},{"content":"Wallet drainers operate under sophisticated scam-as-a-service business models. <cite index=\"9-1\">Drainer as a Service (DaaS) is a malicious business model where hackers rent out wallet-draining code to would-be cybercriminals in exchange for a percentage of the stolen funds</cite>. <cite index=\"13-16\">The developers behind Inferno Drainer advertised the following usage terms: They would keep 20% of all assets stolen using their malware, and the other 80% would be routed to users</cite>. <cite index=\"16-14,16-15\">They offer to individuals and phishing teams that allow them to drain crypto wallets on a turnkey basis, for an initial hefty deposit and claiming a 20–30% cut of the future phishing loot</cite>. <cite index=\"16-15\">Angel Drainer demanded from its \"customers\" $40,000 deposit along with a 20% fee justified by the wholesome phishing service offered</cite>. <cite index=\"13-5\">Services such as Inferno provide users with access to a dedicated Telegram channel as well as customer portal, where they can \"customize features of the malware and detailed key statistics\"</cite>. <cite index=\"16-16\">According to Scam Sniffer report, in 2023, their drainer fees allowed those crypto SAAS to bank in at least $47 million</cite>.","heading":"Business Model and Service Structure","severity":"high","sources":[{"credibility":2,"name":"Ledger - Drainer as a Service","type":"official","url":"https://www.ledger.com/academy/glossary/drainer-as-a-service-daas"},{"credibility":2,"name":"Bank InfoSecurity - Crypto Drainer Operations","type":"news_article","url":"https://www.bankinfosecurity.com/crypto-seeking-drainer-scam-as-a-service-operations-thrive-a-24107"}]},{"content":"Wallet drainers employ sophisticated social engineering and technical tactics to target victims. <cite index=\"1-25,1-26\">Each campaign typically starts with a victim being contacted through X messages, Telegram or Discord</cite>. <cite index=\"1-27\">A fake employee of the company will contact a victim asking to test out their software in exchange for a cryptocurrency payment</cite>. <cite index=\"2-10,2-11\">Typically, users are tricked into visiting phishing websites that mimic legitimate cryptocurrency platforms</cite>. <cite index=\"7-26\">Frequent pretexts are an airdrop or NFT minting: these models of rewarding user activity are popular in the crypto world</cite>. <cite index=\"5-20,5-21\">Operators of crypto drainers typically promote their malicious Web3 sites by sharing fake links in Discord communities and on compromised social media accounts. For example, scammers previously compromised the official SEC social media account to promote a fake token airdrop</cite>. <cite index=\"2-3\">Check Point Research uncovered a malicious app on Google Play designed to steal cryptocurrency marking the first time a drainer has targeted mobile device users exclusively</cite>.","heading":"Attack Vectors and Tactics","severity":"high","sources":[{"credibility":2,"name":"Darktrace - Wallet Drainers Social Engineering","type":"research","url":"https://www.darktrace.com/blog/crypto-wallets-continue-to-be-drained-in-elaborate-social-media-scam"}]},{"content":"Wallet drainers have evolved sophisticated technical capabilities to bypass security measures. <cite index=\"11-14,11-15\">As blockchain cybersecurity experts develop guardrails to mitigate these attacks, wallet drainer gangs develop new bypasses</cite> including <cite index=\"11-15\">exploiting wallet normalization processes to initiate signatures that wallets can process but security detection layers might miss, using legitimate contracts and adding Cloudflare or fake CAPTCHA pages to prevent detection, and attempting to bypass wallet blacklists through XSS vulnerabilities</cite>. <cite index=\"26-9,26-10\">The drainer has recently started using functionality in the Ethereum network called CREATE2 to generate new addresses for each malicious signature. This allows the drainer to sidestep security alerts built into some crypto wallet software that would flag known malicious addresses</cite>. <cite index=\"1-13\">A common tactic in the observed campaigns is the use of stolen code signing certificates to evade detection and increase the appearance of legitimate software</cite>.","heading":"Technical Bypasses and Evolution","severity":"high","sources":[{"credibility":3,"name":"Web3isGoingGreat - CREATE2 Wallet Drainer","type":"community_report","url":"https://www.web3isgoinggreat.com/?id=create2-wallet-drainer"}]},{"content":"Law enforcement response to wallet drainers has been limited, though some progress has been made. <cite index=\"21-12,21-16,21-17\">Victims are advised to report incidents to law enforcement or cybercrime authorities, as cryptocurrency theft is a financial crime in many jurisdictions</cite>. <cite index=\"22-1,22-2,22-13\">Victims can contact blockchain analytics firms or forensic teams for high-value incidents, as they can trace flows and provide evidence that might aid law enforcement, and file a police report as some crypto crimes are now investigated</cite>. However, <cite index=\"22-14,22-15,22-16,22-17\">recovery is rare, with many drains resulting in funds being swapped, split, and bridged away within minutes, and prevention being vastly more effective than recovery</cite>. <cite index=\"12-24,12-25\">Law enforcement and cybersecurity firms are getting better at catching cyber crooks, with some experts believing drainers are shutting down because they have earned too much</cite>. <cite index=\"17-10\">Inferno's latest shutdown was announced days after Tether froze three wallets on Oct. 16</cite>, suggesting some enforcement actions have been taken.","heading":"Law Enforcement Response","severity":"medium","sources":[{"credibility":3,"name":"Medium - Wallet Drainers Recovery Guide","type":"community_report","url":"https://medium.com/@Bitviser/wallet-drainers-101-how-they-really-work-and-why-theyre-so-effective-ad87bda318fa"}]}],"sources_used":[{"credibility":2,"name":"Darktrace - Wallet Drainers Social Engineering Campaign","type":"research","url":"https://www.darktrace.com/blog/crypto-wallets-continue-to-be-drained-in-elaborate-social-media-scam"},{"credibility":2,"name":"Check Point Research - Wallet Scam Case Study","type":"research","url":"https://research.checkpoint.com/2024/wallet-scam-a-case-study-in-crypto-drainer-tactics/"},{"credibility":2,"name":"Infosecurity Magazine - $500m Crypto Wallet Drain","type":"news_article","url":"https://www.infosecurity-magazine.com/news/scammers-drain-500m-crypto-wallets/"},{"credibility":2,"name":"Group-IB - Crypto Wallet Drainers Knowledge Hub","type":"research","url":"https://www.group-ib.com/resources/knowledge-hub/crypto-wallet-drainers/"},{"credibility":2,"name":"Chainalysis - Understanding Crypto Drainers","type":"research","url":"https://www.chainalysis.com/blog/crypto-drainers/"},{"credibility":2,"name":"Kaspersky - Crypto Wallet Drainer Analysis","type":"research","url":"https://www.kaspersky.com/blog/what-is-a-crypto-wallet-drainer/50490/"},{"credibility":2,"name":"Moonlock - Wallet Drainer Crypto Theft 2024","type":"research","url":"https://moonlock.com/wallet-drainer-crypto-theft-2024"},{"credibility":2,"name":"Bank InfoSecurity - Crypto Drainer Operations","type":"news_article","url":"https://www.bankinfosecurity.com/crypto-seeking-drainer-scam-as-a-service-operations-thrive-a-24107"},{"credibility":2,"name":"Cointelegraph - Crypto Drainers Retiring Investigation","type":"news_article","url":"https://cointelegraph.com/news/crypto-drainers-investigators-hacks-defi"}],"summary":"Wallet drainers are malicious phishing tools specifically designed for the Web3 ecosystem that trick users into authorizing fraudulent transactions that empty their cryptocurrency wallets. These sophisticated scam-as-a-service operations have stolen over $500 million in 2024 alone from hundreds of thousands of victims through fake websites masquerading as legitimate crypto projects.","timeline":[{"date":"2021-08-01","event":"Early drainware attack targeting Aurory NFT launch","source":"TRM Labs","source_url":"https://www.trmlabs.com/resources/blog/drainware-unfortunately-coming-to-a-cryptocurrency-wallet-near-you"},{"date":"2021-12-31","event":"Crypto drainers began to surface, causing financial losses of millions","source":"Group-IB","source_url":"https://www.group-ib.com/resources/knowledge-hub/crypto-wallet-drainers/"},{"date":"2022-12-17","event":"14 Bored Ape NFTs worth over $1 million stolen using drainer techniques","source":"Kaspersky","source_url":"https://www.kaspersky.com/blog/what-is-a-crypto-wallet-drainer/50490/"},{"date":"2023-03-01","event":"Monkey Drainer shuts down, next batch of drainers emerge including Inferno and Pink","source":"Cointelegraph","source_url":"https://cointelegraph.com/news/crypto-drainers-investigators-hacks-defi"},{"date":"2023-11-01","event":"Inferno Drainer announces retirement after stealing over $80 million","source":"Bank InfoSecurity","source_url":"https://www.bankinfosecurity.com/crypto-seeking-drainer-scam-as-a-service-operations-thrive-a-24107"},{"date":"2023-12-31","event":"Total damage from drainers reaches just under $300 million affecting 320,000+ users","source":"Kaspersky","source_url":"https://www.kaspersky.com/blog/what-is-a-crypto-wallet-drainer/50490/"},{"date":"2024-01-09","event":"SEC's X account compromised to promote fake token airdrop drainer","source":"HackMag","source_url":"https://hackmag.com/security/crypto-drainers"},{"date":"2024-05-31","event":"Pink Drainer announces retirement after amassing $85 million from 21,000+ victims","source":"Cointelegraph","source_url":"https://cointelegraph.com/news/crypto-drainers-investigators-hacks-defi"},{"date":"2024-10-16","event":"Tether freezes three wallets tied to Inferno Drainer","source":"Cointelegraph","source_url":"https://cointelegraph.com/news/crypto-drainers-investigators-hacks-defi"},{"date":"2024-10-19","event":"Inferno Drainer transfers control to Angel Drainer","source":"Bitget","source_url":"https://www.bitget.com/news/detail/12560604287131"},{"date":"2024-12-31","event":"Wallet drainers steal $494 million from 332,000 victims in 2024","source":"Infosecurity Magazine","source_url":"https://www.infosecurity-magazine.com/news/scammers-drain-500m-crypto-wallets/"}]},"v":1}