
Verify a decision

Every moderation decision on AVOID.NET is anchored to the Solana blockchain. You don't have to trust us — you can verify cryptographically that we committed to a verdict at a specific moment and have not rewritten it.

How verification works

  1. We commit. When a moderator accepts/rejects a submission, we serialize the decision into deterministic UTF-8 bytes (payload_canonical_string), hash it with SHA-256, encode the digest as base58, and write it to Solana inside an SPL Memo v2 transaction.
  2. We store the bytes. The exact bytes we hashed are stored alongside the decision in our database. Anyone can read them and recompute the hash in any language.
  3. You compare three values: the database hash, your independently recomputed hash, and the hash inside the on-chain memo. If all three match, the decision is authentic and timestamped.
The on-chain memo format is AVOID.NET|v1|h:<b58-sha256>|d:<id>|t:<iso>

Find a signature on any investigation page's decision log, or run python -m src.verify_decision --signature <sig> for a CLI check.

Sequence: #1
Score:
Cluster: mainnet-beta
Slot: 423878425
Off-chain at: 2026-06-02T20:05:02.125Z
Anchored at:
Block time:

Independent verification

1. Database (off-chain)
6BShEfFLnWs1sLy4SgCowvRjPca3Uanx3FWj7GskbKQC
2. Recomputed (your browser)
3. On-chain (Solana memo)
Canonical bytes hashed (20611 chars)
{"actor":"system:backfill","investigation_id":"1047fc76-44c3-4bf2-a9d6-13e118fe2c6a","kind":"publish","page_slug":"lucifer-drainer","published_at":"2026-06-02T20:05:02.037Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"Lucifer Drainer","sections":[{"content":"Lucifer Drainer is a fully criminal enterprise offering drainer-as-a-service (DaaS) tooling. It is not a financial product, exchange, or legitimate protocol of any kind. The operation automates cryptocurrency wallet theft via phishing pages, malicious smart contract signatures, and abuse of token-approval mechanisms. Researchers at Flare analyzed approximately 700 posts collected from underground forums, chats, and channels associated with Lucifer DaaS between January 2025 and early 2026, documenting its internal operations and finding characteristics consistent with professionalized software-as-a-service businesses: product versioning, release notes, bug-fix cycles, customer support, referral systems, and affiliate onboarding. The platform occupies a dominant position in the current drainer ecosystem, recruiting from communities where predecessor brands including Inferno, Angel, Venom, Nova, Ghost, Medusa, Vega, and Monkey Drainer were previously active.","heading":"Overview and Classification","severity":"critical","sources":[{"credibility":1,"name":"Inside a Crypto Drainer: How to Spot it Before it Empties Your Wallet — Bleeping Computer","type":"news_article","url":"https://www.bleepingcomputer.com/news/security/inside-a-crypto-drainer-how-to-spot-it-before-it-empties-your-wallet/"}]},{"content":"Lucifer Drainer operates on a commission-sharing model. The operators explicitly state that the software is not for sale and cannot be leased; the only participation mode is affiliate revenue sharing. Operators retain 20% of each successful drain while affiliates receive 80%. 
This split is standard across the DaaS industry — BlockSec's joint research with Zhejiang University and MBZUAI analyzed $135 million in on-chain drainer activity from March 2023 to April 2025 and found a 20/80 operator-affiliate split was the dominant model across 1,910 profit-sharing contracts and 87,077 profit-sharing transactions involving 56 operator accounts and 6,087 affiliate accounts. Lucifer positions itself as a 'professional solution' and recruits experienced affiliates capable of generating phishing traffic, explicitly warning beginners they are not welcome. A recurring theme in operator communications was emphasis on 'traffic' — the ability to funnel victims to phishing sites — as the primary affiliate qualification.","heading":"Business Model and Affiliate Structure","severity":"critical","sources":[{"credibility":1,"name":"Inside a Crypto Drainer: How to Spot it Before it Empties Your Wallet — Bleeping Computer","type":"news_article","url":"https://www.bleepingcomputer.com/news/security/inside-a-crypto-drainer-how-to-spot-it-before-it-empties-your-wallet/"},{"credibility":2,"name":"Inside Ethereum's Shadow Economy: New Research Unmasks the $135M Drainer-as-a-Service Industry — BlockSec","type":"research","url":"https://blocksec.com/blog/inside-ethereum-s-shadow-economy-new-research-unmasks-the-135-m-drainer-as-a-service-industry"}]},{"content":"Version 6.6.6, announced in March 2025, advertised the following features: ERC-20 token support, Permit2 abuse, off-chain signature exploitation, Telegram notifications for affiliates, wallet-security bypass mechanisms, and multichain deployment. Permit2 abuse is particularly dangerous because it allows token transfers via off-chain signed permissions (EIP-712 typed messages), meaning the victim interaction appears as a simple message-signing event rather than an obvious on-chain approval — drastically reducing the chance a victim recognizes the transaction as malicious. 
Off-chain signatures via EIP-2612 permit the attacker to later submit signed authorization to the blockchain without user re-approval. A notable deployment feature called 'Zero Config' allows affiliates to upload static files and receive an automatically generated, phishing-ready ZIP package containing the latest Lucifer code pre-loaded for the target site — substantially lowering the technical barrier to deploy new phishing campaigns. The platform also announced a website-cloning feature enabling affiliates to replicate legitimate DeFi, NFT, or airdrop sites for use as phishing frontends.","heading":"Technical Capabilities","severity":"critical","sources":[{"credibility":1,"name":"Inside a Crypto Drainer: How to Spot it Before it Empties Your Wallet — Bleeping Computer","type":"news_article","url":"https://www.bleepingcomputer.com/news/security/inside-a-crypto-drainer-how-to-spot-it-before-it-empties-your-wallet/"},{"credibility":2,"name":"Permit2 Phishing Risks: Why Signature Scams Are So Dangerous — DEXTools","type":"research","url":"https://www.dextools.io/tutorials/permit2-phishing-risks-2026"}]},{"content":"Lucifer Drainer has demonstrated significant operational resilience in response to platform enforcement actions. In August 2025, Telegram banned the operation's bots. Rather than folding, the operators issued instructions to their affiliate channel directing users to create replacement bots and grant them admin privileges. In November 2025, a documentation domain hosted on Google Firebase was suspended following exposure in security research. The operators responded by migrating all documentation to IPFS (InterPlanetary File System), explicitly framing decentralization as a countermeasure against future takedowns. This migration effectively removed a central point of failure for documentation access. 
As of a Bleeping Computer deep-dive published in May 2026, the operation remained live and was actively recruiting affiliates.","heading":"Operational Resilience and Infrastructure","severity":"critical","sources":[{"credibility":1,"name":"Inside a Crypto Drainer: How to Spot it Before it Empties Your Wallet — Bleeping Computer","type":"news_article","url":"https://www.bleepingcomputer.com/news/security/inside-a-crypto-drainer-how-to-spot-it-before-it-empties-your-wallet/"}]},{"content":"Lucifer Drainer operates within a competitive underground ecosystem shaped by the exits of several predecessor platforms. Inferno Drainer, which claimed responsibility for $250 million in total thefts, announced a shutdown in November 2023 but was later confirmed by Check Point Research to have resurfaced and stolen at least $9 million from 30,000+ wallets in a subsequent six-month period. In October 2024, Inferno announced it was handing its platform to Angel Drainer. Angel Drainer was itself shut down in July 2024 after researchers at Match Systems alleged they had de-anonymized its developers — but it resurfaced as AngelX within weeks, deploying over 300 malicious dApps in four days. Pink Drainer ceased operations in May 2024 after stealing approximately $85 million from over 21,000 victims. Each successive shutdown created a pool of experienced phishing affiliates seeking new platforms — a market dynamic that Lucifer Drainer exploited through targeted recruitment messaging across communities where these brands had operated. 
Scam Sniffer reported that aggregate crypto phishing losses declined from $494 million in 2024 to approximately $83.85 million in 2025, a reduction attributed partly to improved wallet-security tooling, though the drainer ecosystem itself 'remains active' with new entrants filling gaps left by departing operations.","heading":"Ecosystem Context and Predecessor Drainers","severity":"high","sources":[{"credibility":1,"name":"Inside a Crypto Drainer: How to Spot it Before it Empties Your Wallet — Bleeping Computer","type":"news_article","url":"https://www.bleepingcomputer.com/news/security/inside-a-crypto-drainer-how-to-spot-it-before-it-empties-your-wallet/"},{"credibility":1,"name":"Return of the Crypto Inferno Drainer — Check Point Research","type":"research","url":"https://research.checkpoint.com/2025/inferno-drainer-reloaded-deep-dive-into-the-return-of-the-most-sophisticated-crypto-drainer/"},{"credibility":2,"name":"Pink Drainer Shuts Down After Stealing $85 Million in Crypto — BeInCrypto","type":"news_article","url":"https://beincrypto.com/pink-drainer-shuts-down/"},{"credibility":2,"name":"Angel Drainer Reportedly Shuts Down Following Identification of Developers — DeFi Planet","type":"news_article","url":"https://defi-planet.com/2024/07/crypto-malware-angel-drainer-reportedly-shuts-down-following-identification-of-developers/"},{"credibility":2,"name":"Crypto Phishing Losses Fell 83% in 2025, Scam Sniffer Reports — CoinTelegraph","type":"news_article","url":"https://cointelegraph.com/news/crypto-phishing-losses-fell-83-percent-2025-wallet-drainers"}]},{"content":"No public attribution of the Lucifer Drainer operators' real-world identities has been reported as of June 2026. The operators communicate exclusively through pseudonymous underground channels and have taken deliberate steps to avoid identification, including migrating to IPFS after centralized infrastructure was suspended. 
No law enforcement actions, indictments, or arrests have been publicly associated with this specific operation. The operators' use of IPFS hosting, commission-only distribution (rather than kit sales), and careful affiliate vetting all reduce the forensic surface available to investigators. The anonymous or pseudonymous nature of the team is itself a significant risk signal for any party unknowingly interacting with infrastructure they operate.","heading":"Operator Anonymity and Attribution","severity":"high","sources":[{"credibility":1,"name":"Inside a Crypto Drainer: How to Spot it Before it Empties Your Wallet — Bleeping Computer","type":"news_article","url":"https://www.bleepingcomputer.com/news/security/inside-a-crypto-drainer-how-to-spot-it-before-it-empties-your-wallet/"}]},{"content":"Academic and industry research place the DaaS industry in significant context. BlockSec's joint study covering March 2023 to April 2025 attributed $135 million in on-chain losses to the DaaS ecosystem on Ethereum alone, with 76,582 individual victims. The three platforms that dominated this period — Angel Drainer ($53.1 million), Inferno Drainer ($59 million), and Pink Drainer ($14.7 million) — have all since reduced operations or exited. Lucifer Drainer is positioned as the successor platform absorbing affiliates from these defunct operations. The study also found that only 10.8% of DaaS-related blockchain addresses had been previously flagged by public trackers like Etherscan, highlighting substantial gaps in on-chain detection. The broader 2024 phishing-drainer wave resulted in $494 million in losses across 332,000 wallet addresses. 
While 2025 showed an 83% decline in aggregate losses to approximately $83.85 million, the drainer ecosystem continued to operate with new entrants, adapted techniques (including EIP-7702 account abstraction exploits after the Ethereum Pectra upgrade), and persistent affiliate networks.","heading":"Broader DaaS Industry Impact","severity":"high","sources":[{"credibility":2,"name":"Inside Ethereum's Shadow Economy: New Research Unmasks the $135M Drainer-as-a-Service Industry — BlockSec","type":"research","url":"https://blocksec.com/blog/inside-ethereum-s-shadow-economy-new-research-unmasks-the-135-m-drainer-as-a-service-industry"},{"credibility":1,"name":"Cryptocurrency Wallet Drainers Stole $494 Million in 2024 — Bleeping Computer","type":"news_article","url":"https://www.bleepingcomputer.com/news/security/cryptocurrency-wallet-drainers-stole-494-million-in-2024/"},{"credibility":2,"name":"Crypto Phishing Losses Fell 83% in 2025, Scam Sniffer Reports — CoinTelegraph","type":"news_article","url":"https://cointelegraph.com/news/crypto-phishing-losses-fell-83-percent-2025-wallet-drainers"}]},{"content":"Users are at risk from Lucifer Drainer infrastructure through phishing pages that mimic legitimate DeFi protocols, NFT projects, token airdrops, and wallet-connection flows. The platform's 'Zero Config' site-cloning capability means high-fidelity replicas of real projects can be deployed rapidly by affiliates with limited technical skill. Key warning signs include: unsolicited wallet-connection prompts, requests to sign Permit or Permit2 messages (especially 'gasless claim' or 'off-chain signature' prompts), transaction signatures that do not originate from a trusted application URL, and social-media campaigns promoting limited-time token distributions. Lucifer-affiliated phishing sites distribute wallets through phishing links, fake websites, compromised social media accounts, malicious advertisements, spam, and direct messages. 
Once a victim signs a malicious EIP-712 Permit2 message, the attacker can drain approved tokens in a single subsequent on-chain transaction with no further user interaction required.","heading":"User Risk and Protection Guidance","severity":"high","sources":[{"credibility":1,"name":"Inside a Crypto Drainer: How to Spot it Before it Empties Your Wallet — Bleeping Computer","type":"news_article","url":"https://www.bleepingcomputer.com/news/security/inside-a-crypto-drainer-how-to-spot-it-before-it-empties-your-wallet/"},{"credibility":2,"name":"The Rise of Drainer-as-a-Service: Understanding DaaS — SentinelOne","type":"research","url":"https://www.sentinelone.com/blog/the-rise-of-drainer-as-a-service-understanding-daas/"}]}],"sources_used":[{"credibility":1,"name":"Inside a Crypto Drainer: How to Spot it Before it Empties Your Wallet — Bleeping Computer","type":"news_article","url":"https://www.bleepingcomputer.com/news/security/inside-a-crypto-drainer-how-to-spot-it-before-it-empties-your-wallet/"},{"credibility":2,"name":"Inside Ethereum's Shadow Economy: New Research Unmasks the $135M Drainer-as-a-Service Industry — BlockSec","type":"research","url":"https://blocksec.com/blog/inside-ethereum-s-shadow-economy-new-research-unmasks-the-135-m-drainer-as-a-service-industry"},{"credibility":2,"name":"The Rise of Drainer-as-a-Service: Understanding DaaS — SentinelOne","type":"research","url":"https://www.sentinelone.com/blog/the-rise-of-drainer-as-a-service-understanding-daas/"},{"credibility":1,"name":"Return of the Crypto Inferno Drainer — Check Point Research","type":"research","url":"https://research.checkpoint.com/2025/inferno-drainer-reloaded-deep-dive-into-the-return-of-the-most-sophisticated-crypto-drainer/"},{"credibility":1,"name":"Cryptocurrency Wallet Drainers Stole $494 Million in 2024 — Bleeping 
Computer","type":"news_article","url":"https://www.bleepingcomputer.com/news/security/cryptocurrency-wallet-drainers-stole-494-million-in-2024/"},{"credibility":2,"name":"Crypto Phishing Losses Fell 83% in 2025, Scam Sniffer Reports — CoinTelegraph","type":"news_article","url":"https://cointelegraph.com/news/crypto-phishing-losses-fell-83-percent-2025-wallet-drainers"},{"credibility":2,"name":"Pink Drainer Shuts Down After Stealing $85 Million in Crypto — BeInCrypto","type":"news_article","url":"https://beincrypto.com/pink-drainer-shuts-down/"},{"credibility":2,"name":"Angel Drainer Absorbs Inferno's Toolkit — CryptoRank","type":"news_article","url":"https://cryptorank.io/news/feed/f118d-inferno-drainer-hands-over-to-angel-drainer"},{"credibility":2,"name":"Angel Drainer App Shuts Down After Developer Identification — CryptoTimes","type":"news_article","url":"https://www.cryptotimes.io/2024/07/17/angel-drainer-app-shuts-down-after-developer-identification/"},{"credibility":2,"name":"The State of Drainers Vol. 1 — Security Alliance (SEAL)","type":"research","url":"https://www.securityalliance.org/news/2025-10-drainers-vol-1"},{"credibility":1,"name":"Unmasking the Shadow Economy: A Deep Dive into Drainer-as-a-Service Phishing on Ethereum — ACM IMC 2025","type":"research","url":"https://dl.acm.org/doi/10.1145/3730567.3764476"},{"credibility":2,"name":"Permit2 Phishing Risks: Why Signature Scams Are So Dangerous — DEXTools","type":"research","url":"https://www.dextools.io/tutorials/permit2-phishing-risks-2026"},{"credibility":2,"name":"Inferno Drainer Shuts Down After Heist of Over $80M — CryptoNews","type":"news_article","url":"https://cryptonews.net/news/security/27907982/"}],"summary":"Lucifer Drainer is a criminal drainer-as-a-service (DaaS) platform that industrializes cryptocurrency wallet theft through a structured affiliate model. 
Active since at least early 2025, it operates by providing affiliates with phishing kits, automated site-cloning tools, and commission-split infrastructure (operators retain 20% per successful drain) while affiliates supply phishing traffic. Despite Telegram bot bans in August 2025 and documentation domain suspension in November 2025, the operation migrated to IPFS and remained active as of May 2026, making it one of the most operationally resilient drainer platforms in the current threat landscape.","timeline":[{"date":"2023-11-01","event":"Inferno Drainer announces shutdown after claiming over $80 million in total theft; later found to have continued operations covertly.","source":"Inferno Drainer Shuts Down After Heist of Over $80M — CryptoNews","source_url":"https://cryptonews.net/news/security/27907982/"},{"date":"2024-05-17","event":"Pink Drainer ceases operations after stealing approximately $85 million from over 21,000 victims.","source":"Pink Drainer Shuts Down After Stealing $85 Million in Crypto — BeInCrypto","source_url":"https://beincrypto.com/pink-drainer-shuts-down/"},{"date":"2024-07-17","event":"Angel Drainer suspends operations after cybersecurity firm Match Systems claims to have de-anonymized its developers.","source":"Angel Drainer App Shuts Down After Developer Identification — CryptoTimes","source_url":"https://www.cryptotimes.io/2024/07/17/angel-drainer-app-shuts-down-after-developer-identification/"},{"date":"2024-10-19","event":"Inferno Drainer announces it has transferred its platform and code to the Angel Drainer team, consolidating two of the largest DaaS operations.","source":"Angel Drainer Absorbs Inferno's Toolkit — CryptoRank","source_url":"https://cryptorank.io/news/feed/f118d-inferno-drainer-hands-over-to-angel-drainer"},{"date":"2025-01-01","event":"Flare researchers begin collecting and analyzing approximately 700 underground posts from forums, chats, and channels related to Lucifer DaaS; research period spans January 2025 
through early 2026.","source":"Inside a Crypto Drainer — Bleeping Computer","source_url":"https://www.bleepingcomputer.com/news/security/inside-a-crypto-drainer-how-to-spot-it-before-it-empties-your-wallet/"},{"date":"2025-03-01","event":"Lucifer Drainer announces version 6.6.6 featuring ERC-20 support, Permit2 abuse, off-chain signatures, Telegram notifications, wallet-security bypasses, and multichain deployment.","source":"Inside a Crypto Drainer — Bleeping Computer","source_url":"https://www.bleepingcomputer.com/news/security/inside-a-crypto-drainer-how-to-spot-it-before-it-empties-your-wallet/"},{"date":"2025-05-01","event":"Lucifer Drainer operators publicly restate the commission-only model: 'We do not sell or lease the software and only split 20% per hit.'","source":"Inside a Crypto Drainer — Bleeping Computer","source_url":"https://www.bleepingcomputer.com/news/security/inside-a-crypto-drainer-how-to-spot-it-before-it-empties-your-wallet/"},{"date":"2025-08-01","event":"Telegram bans Lucifer Drainer bots. Operators instruct affiliates via channel to create new bots and grant them admin privileges, maintaining continuity.","source":"Inside a Crypto Drainer — Bleeping Computer","source_url":"https://www.bleepingcomputer.com/news/security/inside-a-crypto-drainer-how-to-spot-it-before-it-empties-your-wallet/"},{"date":"2025-11-01","event":"Documentation domain hosted on Google Firebase suspended following security research exposure. 
Lucifer Drainer migrates documentation to IPFS, citing decentralization as a takedown-resistance strategy.","source":"Inside a Crypto Drainer — Bleeping Computer","source_url":"https://www.bleepingcomputer.com/news/security/inside-a-crypto-drainer-how-to-spot-it-before-it-empties-your-wallet/"},{"date":"2026-05-21","event":"Bleeping Computer publishes deep-dive on Lucifer Drainer's internal operations, confirming the platform remains live and actively recruiting affiliates as of May 2026.","source":"Inside a Crypto Drainer — Bleeping Computer","source_url":"https://www.bleepingcomputer.com/news/security/inside-a-crypto-drainer-how-to-spot-it-before-it-empties-your-wallet/"}]},"v":1}