This sneaky malware masquerades as Coinbase, but in reality it just drains all your accounts
Hackers posed as Coinbase and used well-crafted phishing pages to steal people’s cryptocurrency hauls, according to a report from cybersecurity researchers Group-IB.
According to the report, an unnamed group of hackers operated a malware-as-a-service called Inferno Drainer between November 2022 and 2023.
As the name suggests, this type of malware is capable of draining all funds from people’s cryptocurrency wallets, including both fungible and non-fungible tokens (NFT). Other threat actors would use the drainer and give 20% of all profits to the operators.
Fake airdrops
For the drainer to work, a victim must connect their wallet to the attacker’s infrastructure. This was done via convincing landing pages. Group-IB said it has found more than 16,000 unique domains linked to the Inferno Drainer phishing operation. At least 100 different crypto brands were imitated during that time. It is not known how many different groups participated in the campaign. What we do know is that most victims who landed on the landing pages connected their wallets thinking they would receive an airdrop.
An airdrop happens in the cryptocurrency world when a new project launches and the developers try to get tokens into circulation. The promise of an airdrop is commonly used to build a community and generate buzz around the project, because people interested in receiving the airdrop are asked to complete certain tasks (e.g. sharing Twitter posts, participating in Discord discussions, writing blog posts, etc.).
However, instead of receiving the airdrop, once the victims connected their wallets and approved the transactions, the drainer would simply withdraw all the money from the accounts, and given the nature of blockchain, the funds would be lost forever. Group-IB believes that more than 130,000 people have fallen victim to the campaign, which earned the operators more than $80 million.
Inferno Drainer was said to have closed in November 2023, but the user panel was still active in mid-January of this year.