
Verify a decision

Every moderation decision on AVOID.NET is anchored to the Solana blockchain. You don't have to trust us — you can verify cryptographically that we committed to a verdict at a specific moment and have not rewritten it.

How verification works

  1. We commit. When a moderator accepts/rejects a submission, we serialize the decision into deterministic UTF-8 bytes (payload_canonical_string), hash it with SHA-256, encode the digest as base58, and write it to Solana inside an SPL Memo v2 transaction.
  2. We store the bytes. The exact bytes we hashed are stored alongside the decision in our database. Anyone can read them and recompute the hash in any language.
  3. You compare three values: the database hash, your independently recomputed hash, and the hash inside the on-chain memo. If all three match, the decision is authentic and timestamped.

The on-chain memo format is AVOID.NET|v1|h:<b58-sha256>|d:<id>|t:<iso>

Find a signature on any investigation page's decision log, or run python -m src.verify_decision --signature <sig> for a CLI check.
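
The three-way comparison described above, as an added Python example (not AVOID.NET's own src.verify_decision code). It assumes the Bitcoin-style base58 alphabet and that the memo's d: and t: fields carry a decision id and an ISO timestamp; the sample payload and memo are constructed, and fetching the memo text from Solana is left out.

```python
import hashlib

# Assumption: the Bitcoin-style base58 alphabet, as used across Solana tooling.
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58encode(data: bytes) -> str:
    """Base58-encode bytes; each leading zero byte becomes a leading '1'."""
    n = int.from_bytes(data, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = B58[rem] + out
    zeros = len(data) - len(data.lstrip(b"\x00"))
    return "1" * zeros + out


def canonical_hash(payload_canonical_string: str) -> str:
    """SHA-256 over the exact UTF-8 bytes, digest encoded as base58."""
    digest = hashlib.sha256(payload_canonical_string.encode("utf-8")).digest()
    return b58encode(digest)


def parse_memo(memo: str) -> dict:
    """Parse AVOID.NET|v1|h:<b58-sha256>|d:<id>|t:<iso> into its fields."""
    parts = memo.strip().split("|")
    if len(parts) != 5 or parts[:2] != ["AVOID.NET", "v1"]:
        raise ValueError("not an AVOID.NET v1 memo")
    fields = {}
    for part in parts[2:]:
        # Split on the first ':' only: the ISO timestamp contains colons.
        key, sep, value = part.partition(":")
        if not sep or not value or key in fields:
            raise ValueError(f"malformed memo field: {part!r}")
        fields[key] = value
    if set(fields) != {"h", "d", "t"}:
        raise ValueError("memo must carry exactly the h, d and t fields")
    if any(ch not in B58 for ch in fields["h"]):
        raise ValueError("h field is not base58")
    return fields


def verify_decision(db_hash: str, payload_canonical_string: str, memo: str) -> dict:
    """Compare the database hash, the recomputed hash and the on-chain hash."""
    recomputed = canonical_hash(payload_canonical_string)
    onchain = parse_memo(memo)["h"]
    return {
        "recomputed": recomputed,
        "db_matches_recomputed": db_hash == recomputed,
        "db_matches_onchain": db_hash == onchain,
        "authentic": db_hash == recomputed == onchain,
    }


# Constructed sample data (not a real decision, hash or memo).
SAMPLE_PAYLOAD = '{"kind":"publish","sequence_num":1,"v":1}'
SAMPLE_DB_HASH = canonical_hash(SAMPLE_PAYLOAD)
SAMPLE_MEMO = f"AVOID.NET|v1|h:{SAMPLE_DB_HASH}|d:example-id|t:2026-01-01T00:00:00.000Z"

if __name__ == "__main__":
    print(verify_decision(SAMPLE_DB_HASH, SAMPLE_PAYLOAD, SAMPLE_MEMO))
    # One changed byte in the stored payload breaks the recomputed hash.
    print(verify_decision(SAMPLE_DB_HASH, SAMPLE_PAYLOAD + " ", SAMPLE_MEMO))
```

A mismatch between the database hash and the recomputed hash means the stored bytes changed after the commitment; a mismatch with the on-chain hash means the database hash itself was replaced.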

Sequence: #1
Score:
Cluster: mainnet-beta
Slot: 429063665
Off-chain at: 2026-06-26T17:12:25.433Z
Anchored at:
Block time:

Independent verification

1. Database (off-chain): DvnJFnt2uGzkyebhDecDFZN7LSGeN9VRdtRkwKo4ryww
2. Recomputed (your browser): computing…
3. On-chain (Solana memo): fetching…
Canonical bytes hashed (20319 chars)
{"actor":"system:backfill","investigation_id":"af61c7c5-5ca5-4e72-9f5a-dc0512ef57c2","kind":"publish","page_slug":"eleven-drainer","published_at":"2026-06-26T17:12:25.365Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"Eleven Drainer","sections":[{"content":"Eleven Drainer is a criminal software toolkit classified as a Drainer-as-a-Service (DaaS) or Scam-as-a-Service platform. It provides rented phishing infrastructure to third-party operators who deploy wallet-draining attacks against cryptocurrency users. The toolkit is comparable in structure to earlier services such as Inferno Drainer, Angel Drainer, Vanilla Drainer, and Pink Drainer. Eleven Drainer was first publicly identified by SlowMist founder Yu Xian on November 9, 2025, when his team noted a growing cluster of victims linked to the operation. Community research published in November 2025 indicated the toolkit launched approximately in August 2025. Attribution to Russian-linked operators has been alleged by community researchers, though this has not been confirmed by a law enforcement or Tier 1 security firm as of the date of this investigation.","heading":"Overview and Classification","severity":"critical","sources":[{"credibility":2,"name":"New Crypto Phishing Gang Is Targeting Wallet Users and Stealing Millions - BeInCrypto","type":"news_article","url":"https://beincrypto.com/crypto-phishing-gang-eleven-drainer/"},{"credibility":3,"name":"4.2M Stolen in 3 Weeks: Eleven Drainer - BITBBQ","type":"news_article","url":"https://www.bitbbq.com/en/304625/"},{"credibility":2,"name":"Weekly Crypto And Web3 Safety Digest CW48 2025 - CryptoSafetyFirst","type":"research","url":"https://cryptosafetyfirst.com/weekly-crypto-and-web3-safety-digest-cw48-2025/"}]},{"content":"Eleven Drainer operates through a multi-stage social engineering and on-chain exploitation chain. 
Victims are directed to convincing phishing websites that impersonate legitimate Web3 projects, DeFi protocols, or NFT collections. These sites are promoted through compromised social media accounts on platforms such as Twitter and Discord, fake Google advertisements, and fraudulent airdrop or NFT mint offers. Once a user connects their wallet, the malicious site dynamically loads attack code from external files identified as eleven.js and settings.json. The use of dynamic loading means real command-and-control domains only become visible after wallet connection, complicating static domain-blocking defenses. The core exploit involves tricking the user into signing a malicious transaction—typically an increaseAllowance or setApprovalForAll call—which grants the attacker an unlimited spending allowance over the victim's ERC-20 tokens or NFTs. A second transaction is then used to sweep assets silently. Stolen funds are routed through a smart contract that splits proceeds between the operator's customer wallet and Eleven Drainer admin wallets, with the admin wallets reportedly retaining approximately 15 percent of stolen funds as a service fee. 
Proceeds are subsequently laundered through mixers and cross-chain bridges.","heading":"Technical Operation and Attack Methods","severity":"critical","sources":[{"credibility":2,"name":"Eleven Drainer Threatens Crypto Wallets - SpazioCrypto","type":"news_article","url":"https://en.spaziocrypto.com/hack/new-eleven-drainer-attack-threat-to-crypto-wallets/"},{"credibility":2,"name":"Weekly Crypto And Web3 Safety Digest CW48 2025 - CryptoSafetyFirst","type":"research","url":"https://cryptosafetyfirst.com/weekly-crypto-and-web3-safety-digest-cw48-2025/"},{"credibility":3,"name":"4.2M Stolen in 3 Weeks: Eleven Drainer - BITBBQ","type":"news_article","url":"https://www.bitbbq.com/en/304625/"}]},{"content":"Community researchers and on-chain analysis have identified several Ethereum addresses and ENS names associated with the Eleven Drainer operation. The ENS name elevendrainer.eth resolves to wallet address 0x498Dc5153F5BB71801049281ECB6F378B284B166, which appears to have been used primarily for testing. The ENS name eleventeam.eth resolves to 0x110002727de44AfA293Df506a7B013b0D37d135b, which shows substantially higher activity consistent with production deployment. Four admin wallets that receive approximately 15 percent of stolen funds have been identified: 0x9867513a84Fc4829Db89e7e1A6BE1be319Db03a2, 0xC00622f392b7b71158CC2a79B313461D6415dF6B, 0xFC86e8548f8bE6Fb65C9C144074Af5730Ac5Cd19, and 0x039362B4a30DA2803d2236e16626c64b6e94FB56. Two laundering fee addresses have been identified: 0x22F5094497215d625e7Ee3FBFBBbe7Bc45eC563D (approximately $410,000 in inflows) and 0xb8e059e617e6998A5d218f9bcd23e804155c71A2 (approximately $65,000 in inflows). 
These identifiers were surfaced through community on-chain research and have not yet been confirmed through a formal law enforcement or major security-firm attribution report.","heading":"Known On-Chain Identifiers","severity":"critical","sources":[{"credibility":3,"name":"4.2M Stolen in 3 Weeks: Eleven Drainer - BITBBQ","type":"on_chain","url":"https://www.bitbbq.com/en/304625/"},{"credibility":2,"name":"Phishing Group Eleven Drainer Targets Crypto Users - Phemex News","type":"news_article","url":"https://phemex.com/news/article/eleven-drainer-phishing-group-targets-crypto-users-34135"}]},{"content":"On November 21, 2025, Eleven Drainer code was deployed as part of a DNS hijack targeting decentralized exchanges Aerodrome Finance and Velodrome Finance. Attackers compromised an account at domain registrar NameSilo, modified SOA, NS, and A records for aerodrome.finance and velodrome.finance, stripped DNSSEC protections, and redirected both domains to a cloned frontend serving Eleven Drainer JavaScript. Aerodrome Finance held approximately $400 million in total value locked at the time of the attack. The attack was strictly a DNS and frontend-layer compromise; underlying smart contracts were not exploited. Blockchain security firm Blockaid detected malicious transaction patterns at 21:31 UTC and classified the domain malicious by 21:32 UTC, approximately 36 minutes before the first public user report at 22:07 UTC. Remediation began at 22:40 UTC when nameservers were replaced. Blockaid reported that its network warned 408 users during wallet connection and 491 during transaction signing, preventing an estimated $3.5 million in losses. 
Approximately $700,000 was stolen from users outside Blockaid's protection network across nine attacker-controlled addresses during the four-hour window the attack was active.","heading":"Aerodrome and Velodrome DNS Hijack (November 2025)","severity":"critical","sources":[{"credibility":1,"name":"Aerodrome Finance Hit by Front-End Attack, Users Urged to Avoid Main Domain - CoinDesk","type":"news_article","url":"https://www.coindesk.com/web3/2025/11/22/aerodrome-finance-hit-by-front-end-attack-users-urged-to-avoid-main-domain"},{"credibility":2,"name":"How Blockaid's Customer Data Network Contained the Aerodrome DNS Attack - Blockaid Blog","type":"research","url":"https://www.blockaid.io/blog/how-blockaids-customer-data-network-contained-the-aerodrome-dns-attack"},{"credibility":2,"name":"DNS Attack Strikes Aerodrome and Velodrome as Aero Merger Nears - Bitcoin.com News","type":"news_article","url":"https://news.bitcoin.com/dns-attack-strikes-aerodrome-and-velodrome-as-aero-merger-nears/"},{"credibility":2,"name":"Aerodrome and Velodrome suffer website takeovers, again - Web3 Is Going Great","type":"news_article","url":"https://www.web3isgoinggreat.com/?id=aerodrome-and-velodrome-website-takeovers"}]},{"content":"On June 21, 2026, blockchain security firm Blockaid detected a frontend attack on the Gitcoin subdomain files.gitcoin.co. Blockaid's monitoring systems identified that the subdomain was serving Eleven Drainer code designed to steal users' cryptocurrency wallet assets. Blockaid publicly disclosed the incident via its official account and advised users not to interact with the affected subdomain while investigation and remediation were underway. Loss figures from this specific incident had not been confirmed in available reporting at the time of this investigation. 
The incident demonstrates that Eleven Drainer infrastructure remained active and deployed as of mid-2026, more than seven months after its initial public identification.","heading":"Gitcoin Subdomain Compromise (June 2026)","severity":"high","sources":[{"credibility":2,"name":"Blockaid flags frontend attack on files.gitcoin.co warning of Eleven Drainer code - BingX Flash News","type":"news_article","url":"https://bingx.com/en/flash-news/post/blockaid-flags-frontend-attack-on-files-gitcoin-co-on-june-warns-of-eleven-drainer-wallet-theft-code"},{"credibility":2,"name":"Blockaid on X - Security Alert on Gitcoin subdomain","type":"social_media","url":"https://x.com/blockaid_/status/2068534795684946308"},{"credibility":2,"name":"Gitcoin Subdomain Compromised by Malicious Code Attack - Phemex News","type":"news_article","url":"https://phemex.com/news/article/gitcoin-subdomain-hit-by-frontend-attack-with-malicious-code-90167"},{"credibility":2,"name":"Security Company: Gitcoin Subdomain Suffered Frontend Attack - ChainCatcher","type":"news_article","url":"https://www.chaincatcher.com/en/article/2272637"}]},{"content":"Community researchers reported that Eleven Drainer stole approximately $4.2 million in cryptocurrency within its first three weeks of active operation in November 2025. The largest single confirmed victim loss attributed to the kit during this period was approximately $1.22 million. Of the documented incidents, the Aerodrome and Velodrome DNS hijack accounted for approximately $700,000 in direct losses. Blockaid separately reported preventing an estimated $3.5 million in additional losses during that same DNS hijack through its real-time detection network. The loss figures are drawn from community on-chain research and crypto security firm reporting rather than court-verified or law enforcement records, and should be treated as estimates rather than confirmed totals. 
Loss figures for the June 2026 Gitcoin incident were unavailable at the time of this investigation.","heading":"Financial Losses and Scale","severity":"critical","sources":[{"credibility":3,"name":"4.2M Stolen in 3 Weeks: Eleven Drainer - BITBBQ","type":"news_article","url":"https://www.bitbbq.com/en/304625/"},{"credibility":2,"name":"How Blockaid's Customer Data Network Contained the Aerodrome DNS Attack - Blockaid Blog","type":"research","url":"https://www.blockaid.io/blog/how-blockaids-customer-data-network-contained-the-aerodrome-dns-attack"},{"credibility":2,"name":"New Crypto Phishing Gang Is Targeting Wallet Users and Stealing Millions - BeInCrypto","type":"news_article","url":"https://beincrypto.com/crypto-phishing-gang-eleven-drainer/"}]},{"content":"Eleven Drainer operates within an established criminal marketplace for wallet-draining toolkits. Preceding services include Inferno Drainer, Angel Drainer, Vanilla Drainer, and Pink Drainer—several of which publicly announced shutdowns before successors emerged. Across the DaaS sector, drainers were responsible for an estimated $494 million in losses industry-wide during 2024, a 67 percent increase from the prior year, according to reporting from Infosecurity Magazine citing security research. The DaaS business model typically involves the toolkit operators taking a percentage of stolen funds (in the case of Eleven Drainer, reportedly approximately 15 percent) rather than charging upfront subscription fees, aligning operator incentives with attack volume. Blockchain security firm Check Point Research has published case studies on the broader drainer-tactics ecosystem. The Ledger Academy has documented the DaaS model as part of its security glossary. 
Security researchers at Group-IB have catalogued crypto wallet drainers as a distinct and growing category of Web3 crime.","heading":"Industry Context: Drainer-as-a-Service Ecosystem","severity":"high","sources":[{"credibility":2,"name":"Scammers Drain $500m from Crypto Wallets in a Year - Infosecurity Magazine","type":"news_article","url":"https://www.infosecurity-magazine.com/news/scammers-drain-500m-crypto-wallets/"},{"credibility":2,"name":"Wallet Scam: A Case Study in Crypto Drainer Tactics - Check Point Research","type":"research","url":"https://research.checkpoint.com/2024/wallet-scam-a-case-study-in-crypto-drainer-tactics/"},{"credibility":2,"name":"Drainer as a Service (DaaS) - Ledger Academy","type":"research","url":"https://www.ledger.com/academy/glossary/drainer-as-a-service-daas"},{"credibility":2,"name":"Crypto Wallet Drainers - Group-IB Knowledge Hub","type":"research","url":"https://www.group-ib.com/resources/knowledge-hub/crypto-wallet-drainers/"},{"credibility":2,"name":"Return of the Crypto Inferno Drainer - Check Point Research","type":"research","url":"https://research.checkpoint.com/2025/inferno-drainer-reloaded-deep-dive-into-the-return-of-the-most-sophisticated-crypto-drainer/"}]},{"content":"As of this investigation, no public regulatory actions, indictments, or law enforcement operations have been identified that name Eleven Drainer specifically. No SEC, CFTC, DOJ, or Europol announcements referencing Eleven Drainer were found in available sources. Attribution to specific individuals or geographic regions (including the alleged Russian origin) has not been confirmed through law enforcement channels. 
The absence of regulatory action is consistent with the nascent timeline of the operation (first publicly identified November 2025) and the broader difficulty of prosecuting pseudonymous DaaS operators in jurisdictions with limited crypto-crime enforcement capacity.","heading":"Regulatory and Law Enforcement Status","severity":"medium","sources":[]}],"sources_used":[{"credibility":2,"name":"New Crypto Phishing Gang Is Targeting Wallet Users and Stealing Millions - BeInCrypto","type":"news_article","url":"https://beincrypto.com/crypto-phishing-gang-eleven-drainer/"},{"credibility":3,"name":"4.2M Stolen in 3 Weeks: Eleven Drainer - BITBBQ","type":"news_article","url":"https://www.bitbbq.com/en/304625/"},{"credibility":2,"name":"Eleven Drainer Threatens Crypto Wallets - SpazioCrypto","type":"news_article","url":"https://en.spaziocrypto.com/hack/new-eleven-drainer-attack-threat-to-crypto-wallets/"},{"credibility":2,"name":"Weekly Crypto And Web3 Safety Digest CW48 2025 - CryptoSafetyFirst","type":"research","url":"https://cryptosafetyfirst.com/weekly-crypto-and-web3-safety-digest-cw48-2025/"},{"credibility":1,"name":"Aerodrome Finance Hit by Front-End Attack - CoinDesk","type":"news_article","url":"https://www.coindesk.com/web3/2025/11/22/aerodrome-finance-hit-by-front-end-attack-users-urged-to-avoid-main-domain"},{"credibility":2,"name":"How Blockaid's Customer Data Network Contained the Aerodrome DNS Attack - Blockaid Blog","type":"research","url":"https://www.blockaid.io/blog/how-blockaids-customer-data-network-contained-the-aerodrome-dns-attack"},{"credibility":2,"name":"DNS Attack Strikes Aerodrome and Velodrome as Aero Merger Nears - Bitcoin.com News","type":"news_article","url":"https://news.bitcoin.com/dns-attack-strikes-aerodrome-and-velodrome-as-aero-merger-nears/"},{"credibility":2,"name":"Aerodrome and Velodrome suffer website takeovers, again - Web3 Is Going 
Great","type":"news_article","url":"https://www.web3isgoinggreat.com/?id=aerodrome-and-velodrome-website-takeovers"},{"credibility":2,"name":"Blockaid flags frontend attack on files.gitcoin.co - BingX Flash News","type":"news_article","url":"https://bingx.com/en/flash-news/post/blockaid-flags-frontend-attack-on-files-gitcoin-co-on-june-warns-of-eleven-drainer-wallet-theft-code"},{"credibility":2,"name":"Blockaid Security Alert on Gitcoin subdomain - X","type":"social_media","url":"https://x.com/blockaid_/status/2068534795684946308"},{"credibility":2,"name":"Gitcoin Subdomain Compromised by Malicious Code Attack - Phemex News","type":"news_article","url":"https://phemex.com/news/article/gitcoin-subdomain-hit-by-frontend-attack-with-malicious-code-90167"},{"credibility":2,"name":"Security Company: Gitcoin Subdomain Suffered Frontend Attack - ChainCatcher","type":"news_article","url":"https://www.chaincatcher.com/en/article/2272637"},{"credibility":2,"name":"Phishing Group Eleven Drainer Targets Crypto Users - Phemex News","type":"news_article","url":"https://phemex.com/news/article/eleven-drainer-phishing-group-targets-crypto-users-34135"},{"credibility":2,"name":"Scammers Drain $500m from Crypto Wallets in a Year - Infosecurity Magazine","type":"news_article","url":"https://www.infosecurity-magazine.com/news/scammers-drain-500m-crypto-wallets/"},{"credibility":2,"name":"Wallet Scam: A Case Study in Crypto Drainer Tactics - Check Point Research","type":"research","url":"https://research.checkpoint.com/2024/wallet-scam-a-case-study-in-crypto-drainer-tactics/"},{"credibility":2,"name":"Drainer as a Service (DaaS) - Ledger Academy","type":"research","url":"https://www.ledger.com/academy/glossary/drainer-as-a-service-daas"},{"credibility":2,"name":"Crypto Wallet Drainers - Group-IB Knowledge Hub","type":"research","url":"https://www.group-ib.com/resources/knowledge-hub/crypto-wallet-drainers/"},{"credibility":2,"name":"Return of the Crypto Inferno Drainer - Check Point 
Research","type":"research","url":"https://research.checkpoint.com/2025/inferno-drainer-reloaded-deep-dive-into-the-return-of-the-most-sophisticated-crypto-drainer/"}],"summary":"Eleven Drainer is a Drainer-as-a-Service (DaaS) toolkit and phishing syndicate that emerged around August 2025, offering rented wallet-draining infrastructure to criminal operators who deploy it through phishing sites, DNS hijacks, and compromised front-ends. The kit is associated with confirmed theft of at least $4.2 million across a three-week window in November 2025, including a $700,000 loss from a DNS hijack of decentralized exchanges Aerodrome and Velodrome. As of June 2026, the kit remains active and was detected embedded in a compromised Gitcoin subdomain.","timeline":[{"date":"2025-08-01","event":"Eleven Drainer toolkit alleged to have launched, based on community research placing its origin approximately August 2025. Exact launch date is unconfirmed.","source":"BITBBQ community research","source_url":"https://www.bitbbq.com/en/304625/"},{"date":"2025-11-06","event":"Largest cluster of Eleven Drainer drain activity observed, with the majority of the confirmed $4.2 million in November losses occurring between November 6 and November 8, 2025.","source":"BITBBQ community research","source_url":"https://www.bitbbq.com/en/304625/"},{"date":"2025-11-09","event":"SlowMist founder Yu Xian publicly identifies a growing cluster of victims linked to Eleven Drainer, marking the first major public disclosure of the operation.","source":"BeInCrypto","source_url":"https://beincrypto.com/crypto-phishing-gang-eleven-drainer/"},{"date":"2025-11-21","event":"Eleven Drainer code deployed in a DNS hijack of Aerodrome Finance and Velodrome Finance via a compromised NameSilo registrar account. Attackers stripped DNSSEC and redirected both protocol frontends to a phishing interface. 
Approximately $700,000 was stolen; an estimated $3.5 million in additional losses was prevented by Blockaid's detection network.","source":"CoinDesk; Blockaid Blog","source_url":"https://www.coindesk.com/web3/2025/11/22/aerodrome-finance-hit-by-front-end-attack-users-urged-to-avoid-main-domain"},{"date":"2025-11-24","event":"Extended community on-chain analysis published, identifying ENS addresses, admin wallets, fee laundering addresses, and the scam-as-a-service fee structure (approximately 15 percent to operators).","source":"CryptoSafetyFirst CW48 2025 digest","source_url":"https://cryptosafetyfirst.com/weekly-crypto-and-web3-safety-digest-cw48-2025/"},{"date":"2026-06-21","event":"Blockaid detects Eleven Drainer code embedded in the Gitcoin subdomain files.gitcoin.co via a frontend attack. Blockaid advises users not to interact with the site. The incident confirms the toolkit remains active more than seven months after its initial public identification.","source":"Blockaid on X; Phemex News","source_url":"https://x.com/blockaid_/status/2068534795684946308"}]},"v":1}