The Inferno Drainer [1] [2] [3] [4] [5] [6] [7] [8] [9], a crypto-draining malware [6], gained notoriety from November 2022 to November 2023 for its large-scale crypto scam. It stole over $87 million from more than 137,000 individuals.


The operation ran on a “scam-as-a-service” model, in which affiliates received a 20% cut of their earnings [6] [9]. Group-IB Global Pvt Ltd [2], a cybersecurity services company [2], uncovered over 16,000 malicious domains associated with the Inferno Drainer scam [2]. The fraudsters impersonated more than 100 cryptocurrency brands and used phishing domains to deceive victims into authorizing fraudulent transactions [5]. In particular, they posed as Coinbase and used social engineering to trick victims into connecting their wallets to the attackers’ infrastructure. By spoofing popular Web3 protocols such as Seaport [3] [5], WalletConnect [3] [4] [5] [7] [8], and Coinbase [3] [4] [5] [7] [8], they initiated unauthorized transactions and drained funds from over 130,000 victims, for a total of $80 million stolen [1]. The operation also lured victims with promises of an airdrop or free tokens for minting new NFTs. The group offered affiliates a customer panel [2] for customizing malware features and tracking stolen assets [2]. Despite allegedly being shut down in November 2023 [3] [7], the control panel remained active in December and as of mid-January this year.


Experts warn that new drainers may emerge and that websites hosting malicious scripts masquerading as Web3 protocols are on the rise [8], even though Inferno Drainer itself has ceased operations [8]. Group-IB warns cryptocurrency holders to remain vigilant against phishing attacks [2]. Group-IB's report on the Inferno Drainer operation found that it used 16,000 phishing domains and stole $80 million from crypto users since March 2023 [7]. Although the operation was shut down in November 2023, the threat remains, as its past users may have moved on to other schemes [7]. The operation targeted crypto users through phishing sites impersonating popular brands such as Seaport [7], WalletConnect [3] [4] [5] [7] [8], and Coinbase [3] [4] [5] [7] [8], tricking users into linking their accounts in exchange for fake financial rewards and then conducting fraudulent transactions [7]. It also created and hosted websites that appeared to be official crypto projects [7].

Group-IB warns that similar malware threats continue to evolve in the crypto ecosystem [7] and emphasizes the need for increased vigilance and security measures [7]. Cryptocurrency holders should remain vigilant against similar scams [6], verify the legitimacy of a website before connecting their wallet to it [6], and use security tools to detect and block phishing attempts [6]. Ongoing education about phishing tactics and online security is crucial [6], and cryptocurrency platforms and users alike should implement robust security measures against such schemes [6].
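The "verify before authorizing" advice above turns on one concrete fact: a drainer page cannot move funds by itself, it has to get the victim's wallet to sign a token approval or a marketplace order. The following is an added example written for this page (it is not code from the article, from Group-IB, or from any wallet vendor) of the pre-signature screen a wallet or browser extension could run on an incoming dApp request. It assumes the standard 4-byte selectors for `approve(address,uint256)` and `setApprovalForAll(address,bool)`, a simplified Seaport check keyed on the EIP-712 domain name `Seaport` and primaryType `OrderComponents`, and constructed placeholder addresses and requests.

```javascript
// Added example: screen wallet requests before the user signs them, flagging
// the authorization patterns drainer kits rely on. Selectors are the standard
// keccak-derived 4-byte prefixes of the ERC-20/ERC-721 function signatures;
// the Seaport check is a simplified assumption; all sample data is constructed.

const MAX_UINT256 = (1n << 256n) - 1n;

// 4-byte selectors: approve(address,uint256), setApprovalForAll(address,bool)
const APPROVAL_SELECTORS = {
  "0x095ea7b3": "approve",
  "0xa22cb465": "setApprovalForAll",
};

// Return the i-th 32-byte ABI word after the 4-byte selector as hex.
function abiWord(data, i) {
  const start = 10 + i * 64;
  return data.slice(start, start + 64);
}

// Screen an eth_sendTransaction request object ({ to, data, value }).
function screenTransaction(tx) {
  const data = (tx.data || "0x").toLowerCase();
  const kind = APPROVAL_SELECTORS[data.slice(0, 10)];
  if (!kind || data.length < 10 + 2 * 64) {
    return { risk: "low", reason: "no token approval in calldata" };
  }
  const spender = "0x" + abiWord(data, 0).slice(24); // last 20 bytes of word 0
  const arg = BigInt("0x" + abiWord(data, 1));
  if (kind === "approve") {
    if (arg === MAX_UINT256) {
      return { risk: "high", reason: "unlimited ERC-20 approval to " + spender };
    }
    return { risk: "medium", reason: "ERC-20 approval of " + arg + " to " + spender };
  }
  // setApprovalForAll(true) hands the operator every token in the collection
  return arg === 1n
    ? { risk: "high", reason: "setApprovalForAll(true) for operator " + spender }
    : { risk: "low", reason: "revokes operator " + spender };
}

// Screen an eth_signTypedData_v4 payload (already parsed from JSON).
function screenTypedData(typed) {
  const domain = typed.domain || {};
  if (domain.name !== "Seaport" || typed.primaryType !== "OrderComponents") {
    return { risk: "low", reason: "not a Seaport order" };
  }
  const msg = typed.message || {};
  const offered = (msg.offer || []).length;
  // Sum what the signer would receive; a zero-consideration listing is a giveaway.
  const received = (msg.consideration || []).reduce(
    (sum, item) => sum + BigInt(item.startAmount || 0), 0n);
  if (offered > 0 && received === 0n) {
    return { risk: "high", reason: "Seaport order gives away " + offered + " item(s) for nothing" };
  }
  return { risk: "medium", reason: "Seaport listing; confirm price and counterparty" };
}

// Constructed sample requests, shaped like what a page submits through
// window.ethereum.request(...). Addresses are placeholders.
const SPENDER = "1111111111111111111111111111111111111111";
const SAMPLE_APPROVE_TX = {
  to: "0x2222222222222222222222222222222222222222",
  data: "0x095ea7b3" + "0".repeat(24) + SPENDER + "f".repeat(64),
};
const SAMPLE_SET_APPROVAL_TX = {
  to: "0x3333333333333333333333333333333333333333",
  data: "0xa22cb465" + "0".repeat(24) + SPENDER + "0".repeat(63) + "1",
};
const SAMPLE_SEAPORT_ORDER = {
  domain: { name: "Seaport", version: "1.5", chainId: 1 },
  primaryType: "OrderComponents",
  message: {
    offer: [{ itemType: 2, token: "0x4444444444444444444444444444444444444444",
              identifierOrCriteria: "7", startAmount: "1", endAmount: "1" }],
    consideration: [],
  },
};

if (typeof require !== "undefined" && require.main === module) {
  console.log(screenTransaction(SAMPLE_APPROVE_TX));
  console.log(screenTransaction(SAMPLE_SET_APPROVAL_TX));
  console.log(screenTypedData(SAMPLE_SEAPORT_ORDER));
}
```

The screen deliberately keys on the shape of the authorization rather than on domain reputation: a fresh phishing domain has no reputation yet, but an unlimited approval to an unknown spender or a zero-price Seaport listing looks the same whichever brand the page is impersonating. A real wallet would pair this with a spender allow-list and show the decoded reason in the confirmation dialog.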