Inferno Malware Masqueraded as Coinbase, Drained $87 Million from 137,000 Victims

The operators behind the now-defunct Inferno Drainer created more than 16,000 unique malicious domains over a span of one year between 2022 and 2023.

The scheme “leveraged high-quality phishing pages to lure unsuspecting users into connecting their cryptocurrency wallets with the attackers’ infrastructure that spoofed Web3 protocols to trick victims into authorizing transactions,” Singapore-headquartered Group-IB said in a report shared with The Hacker News.

Inferno Drainer, which was active from November 2022 to November 2023, is estimated to have reaped over $87 million in illicit profits by scamming more than 137,000 victims.

The malware is part of a broader set of similar offerings that are available to affiliates under the scam-as-a-service (or drainer-as-a-service) model in exchange for a 20% cut of their earnings.

What’s more, customers of Inferno Drainer could either upload the malware to their own phishing sites or use the developer’s service to create and host phishing websites, either at no extra cost or, in some cases, for a further 30% of the stolen assets.

The DaaS tool gained popularity in the aftermath of the shutdown of Monkey Drainer in March 2023, which also paved the way for the emergence of another short-lived drainer service called Venom Drainer.

Data compiled by Scam Sniffer shows that crypto phishing scams built on these drainer kits cumulatively stole $295.4 million in assets from about 320,000 users in 2023.

According to Group-IB, the activity spoofed upwards of 100 cryptocurrency brands via specially crafted pages that were hosted on over 16,000 unique domains.

Further analysis of 500 of these domains revealed that the JavaScript-based drainer was initially hosted on a GitHub repository (kuzdaz.github[.]io/seaport/seaport.js) before being embedded directly in the websites. The user “kuzdaz” currently does not exist.

In a similar fashion, another set of 350 sites included a JavaScript file, “coinbase-wallet-sdk.js,” on a different GitHub repository, “kasrlorcian.github[.]io.”

Links to these sites were then spread on platforms like Discord and X (formerly Twitter), enticing potential victims to click them under the guise of free token giveaways (aka airdrops) and connect their wallets, at which point their assets were drained once the transactions were approved.

By using the file names seaport.js, coinbase.js and wallet-connect.js, the scripts masqueraded as popular Web3 protocols like Seaport, WalletConnect, and Coinbase in order to complete the unauthorized transactions. The earliest website containing one of these scripts dates back to May 15, 2023.

“Another typical feature of phishing websites belonging to Inferno Drainer was that users cannot open website source code by using hotkeys or right-clicking on the mouse,” Group-IB analyst Viacheslav Shevchenko said. “This means that the criminals attempted to hide their scripts and illegal activity from their victims.”
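As an added illustration (not code from Group-IB or from the article), the following Node.js heuristic flags the two page traits described above: Web3-SDK-named scripts served from a personal GitHub Pages host, and handlers that suppress the context menu or view-source hotkeys. The sample HTML is constructed to mirror the indicators the article names, and the function names are assumptions of this example.

```javascript
// Added example (not Group-IB's or The Hacker News' code): flags two traits the
// article attributes to Inferno Drainer pages. Node.js only, no dependencies.
// Script file names the article says were chosen to impersonate Web3 SDKs.
const SDK_LOOKALIKES = ["seaport.js", "coinbase-wallet-sdk.js", "coinbase.js", "wallet-connect.js"];
// Pull every external <script src=...> URL out of raw HTML.
function extractScriptSrcs(html) {
  const re = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["'][^>]*>/gi;
  const srcs = [];
  let m;
  while ((m = re.exec(html)) !== null) srcs.push(m[1]);
  return srcs;
}
// A Web3 SDK served from a personal GitHub Pages host instead of the vendor's
// own CDN is the hosting pattern the article describes (kuzdaz.github.io etc.).
function findLookalikeScripts(html) {
  return extractScriptSrcs(html).filter((src) => {
    try {
      const u = new URL(src, "https://placeholder.invalid/");
      const file = u.pathname.split("/").pop().toLowerCase();
      return u.hostname.endsWith(".github.io") && SDK_LOOKALIKES.includes(file);
    } catch { return false; }
  });
}
// Handlers that cancel the context menu, or cancel keydown for F12 (keyCode 123)
// or Ctrl+U (keyCode 85), are how a page stops casual "view source" inspection.
function blocksContextMenu(html) {
  return /(oncontextmenu\s*=\s*["']?\s*return\s+false|["']contextmenu["'][\s\S]{0,200}?preventDefault)/i.test(html);
}
function blocksHotkeys(html) {
  return /keydown[\s\S]{0,300}?(keyCode\s*==?=?\s*(123|85)|ctrlKey)[\s\S]{0,200}?preventDefault/i.test(html);
}
// Combine the indicators into a 0-3 triage score; a hint for analysts, not proof.
function assessPage(html) {
  const lookalikeScripts = findLookalikeScripts(html);
  const ctx = blocksContextMenu(html), keys = blocksHotkeys(html);
  const score = (lookalikeScripts.length > 0 ? 1 : 0) + (ctx ? 1 : 0) + (keys ? 1 : 0);
  return { lookalikeScripts, blocksContextMenu: ctx, blocksHotkeys: keys, score };
}
// Constructed sample page mirroring the indicators named in the article.
const SAMPLE_HTML = `<!doctype html><html><head>
<script src="https://kuzdaz.github.io/seaport/seaport.js"></script>
<script src="https://cdn.jsdelivr.net/npm/ethers@6/dist/ethers.umd.min.js"></script>
</head><body oncontextmenu="return false">
<script>
document.addEventListener("keydown", (e) => { if (e.keyCode === 123 || (e.ctrlKey && e.keyCode === 85)) e.preventDefault(); });
</script></body></html>`;
```

Running `assessPage(SAMPLE_HTML)` reports the GitHub Pages seaport.js script and both inspection-blocking handlers; a page that only loads a vendor CDN script scores 0.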

It’s worth noting that Google-owned Mandiant’s X account was compromised earlier this month to distribute links to a phishing page hosting a cryptocurrency drainer tracked as CLINKSINK, a variant of which, known as Rainbow Drainer, has pilfered nearly $4.17 million in assets from 3,947 Solana users over the past month.

“We believe that the ‘X as a service’ model will continue to thrive, not least because it creates greater opportunities for less technically competent individuals from trying their hand at becoming cybercriminals, and for developers, it is a highly profitable way to bolster their revenues,” the company told The Hacker News.

“We also expect to see increased attempts at hacking official accounts, as posts purportedly authored by an authoritative voice are likely to inspire trust in the eyes of viewers, and may make potential victims more likely to follow links and connect their accounts.”

On top of that, Group-IB said the success of Inferno Drainer could fuel the development of new drainers as well as lead to a surge in websites containing malicious scripts spoofing Web3 protocols, noting 2024 could become the “year of the drainer.”

“Inferno Drainer may have ceased its activity, but its prominence throughout 2023 highlights the severe risks to cryptocurrency holders as drainers continue to develop further,” Andrey Kolmakov, head of Group-IB’s High-Tech Crime Investigation Department, said.
