Inferno Drainer, posing as Coinbase and other brands, duped 137,000 victims and siphoned off an estimated $87 million. The drainer kit spoofed Web3 protocols to get victims to sign away their assets, signalling a rising trend in crypto-focused cybercrime.
Introduction:
In a startling revelation, the now-defunct Inferno Drainer orchestrated a massive campaign, camouflaging itself as Coinbase and other cryptocurrency brands and raking in an estimated $87 million from 137,000 victims. The drainer kit was active from November 2022 to November 2023 and, according to Group-IB, operated across more than 16,000 unique malicious domains within that year.
The Elaborate Scheme with Inferno:
Operating under the scam-as-a-service model, Inferno Drainer’s operators crafted an intricate scheme. The kit relied on high-quality phishing pages that enticed users to connect their cryptocurrency wallets to the attackers’ infrastructure. The pages spoofed legitimate Web3 protocols, so that what the victim saw as a routine “connect wallet” step was in fact a prompt to authorize a transaction. The point a practitioner should note is that the wallet software itself is not compromised: the victim’s own signature, given to a spoofed interface, is what moves the assets.
The Numbers and Affiliation Model:
During its one-year reign, Inferno Drainer scammed 137,000 victims and accumulated an estimated $87 million in illicit profits. It is one of a broader set of similar offerings made available to affiliates under the scam-as-a-service model in exchange for a 20% cut of the proceeds. Notably, customers could either upload the drainer script to their own phishing sites or use the developer’s services for creating and hosting phishing websites, with different cost structures for each option.
Crafty Spoofing Tactics:
Group-IB’s analysis reveals that Inferno Drainer spoofed over 100 cryptocurrency brands through meticulously crafted pages hosted on more than 16,000 unique domains. The drainer itself was JavaScript hosted in GitHub repositories and served via GitHub Pages, one example being “kuzdaz.github[.]io/seaport/seaport.js”. The phishing pages also tried to hide the malicious scripts by blocking right-click and the hotkeys used to open the page source or developer tools. This is a cosmetic obstacle at best: client-side JavaScript cannot stop an analyst from fetching the page with curl or a proxy and reading every script it loads.
Web3 Protocol Spoofing:
To get unauthorized transactions signed, Inferno Drainer masqueraded as popular Web3 protocols and wallets, including Seaport, WalletConnect and Coinbase. Script names such as seaport.js, coinbase.js and wallet-connect.js were chosen to look like the genuine libraries, tricking users into connecting their wallets and approving the transactions that drained their assets. A script whose file name matches a well-known Web3 library but which is served from a third-party host rather than the project’s own distribution channel is therefore a useful indicator on its own.
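The two page-level tells described above, Web3-library file names served from GitHub Pages and handlers that suppress right-click and view-source hotkeys, can be checked statically once the page HTML has been fetched. The following is an added example written for this article, not code from Group-IB’s report or from the drainer itself; the allowlisted CDN hosts, the GitHub Pages hostname and the sample HTML are all constructed for illustration.

```javascript
// Added example: static triage of fetched page HTML for the two tells the
// article describes. Hosts, paths and the sample page are constructed, not
// real indicators.

// File names (without .js / .min.js) that drainer pages use to impersonate
// legitimate Web3 libraries.
const SPOOFED_NAMES = ["seaport", "coinbase", "wallet-connect", "walletconnect"];

// Hosts from which these libraries are legitimately served. This is an
// assumption for the example; use your own allowlist in practice.
const ALLOWED_SCRIPT_HOSTS = new Set(["cdn.jsdelivr.net", "unpkg.com"]);

// Patterns for the anti-inspection tricks: blocked context menu, F12, and
// Ctrl+U / Ctrl+I / Ctrl+S handlers.
const ANTI_INSPECT_PATTERNS = [
  { id: "contextmenu-blocked", re: /(?:oncontextmenu\s*=|addEventListener\(\s*["']contextmenu["'])/i },
  { id: "f12-blocked", re: /(?:keyCode|which)\s*===?\s*123|key\s*===?\s*["']F12["']/ },
  { id: "ctrl-hotkeys-blocked", re: /ctrlKey\s*&&[\s\S]{0,80}?(?:keyCode\s*===?\s*(?:85|73|83)|key\s*===?\s*["'][uisUIS]["'])/ },
];

// Pull every external <script src=...> out of the HTML.
function extractScriptSrcs(html) {
  const re = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;
  const srcs = [];
  let m;
  while ((m = re.exec(html)) !== null) srcs.push(m[1]);
  return srcs;
}

// Return a finding for a script that borrows a Web3 library name but is
// served from neither an allowlisted CDN nor the page's own origin.
function classifyScript(src, pageOrigin) {
  let url;
  try { url = new URL(src, pageOrigin); } catch { return { src, reason: "unparseable" }; }
  const base = url.pathname.split("/").pop().toLowerCase().replace(/(\.min)?\.js$/, "");
  const impersonates = SPOOFED_NAMES.find((n) => base === n);
  if (!impersonates) return null;
  if (ALLOWED_SCRIPT_HOSTS.has(url.hostname)) return null;
  // A self-hosted copy is normal; verify it by hash instead of flagging it here.
  if (url.origin === new URL(pageOrigin).origin) return null;
  const onGithubPages = url.hostname.endsWith(".github.io");
  return {
    src, impersonates, host: url.hostname, onGithubPages,
    reason: onGithubPages ? "web3-lib-name-on-github-pages" : "web3-lib-name-on-third-party-host",
  };
}

function findAntiInspection(html) {
  return ANTI_INSPECT_PATTERNS.filter((p) => p.re.test(html)).map((p) => p.id);
}

// Combine both signals into a simple score; a spoofed library name weighs
// more than a single anti-inspection handler.
function triagePage(html, pageOrigin) {
  const suspiciousScripts = extractScriptSrcs(html)
    .map((s) => classifyScript(s, pageOrigin))
    .filter(Boolean);
  const antiInspect = findAntiInspection(html);
  const score = suspiciousScripts.length * 2 + antiInspect.length;
  return { suspiciousScripts, antiInspect, score, suspicious: score >= 2 };
}

// Constructed sample page resembling the pattern the article describes.
const SAMPLE_HTML = `
<html><body oncontextmenu="return false">
<script src="https://cdn.jsdelivr.net/npm/ethers@6/dist/ethers.umd.min.js"></script>
<script src="https://attacker-pages-example.github.io/seaport/seaport.js"></script>
<script src="/static/wallet-connect.js"></script>
<script>
document.addEventListener("keydown", function (e) {
  if (e.keyCode === 123 || (e.ctrlKey && (e.key === "u" || e.key === "i"))) {
    e.preventDefault(); return false;
  }
});
</script>
</body></html>`;

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(triagePage(SAMPLE_HTML, "https://coinbase-login.example"), null, 2));
}
```

Run it against HTML captured with curl or a proxy rather than the rendered DOM, so the hotkey blockers never come into play. On the sample page, the seaport.js copy on GitHub Pages is flagged while the jsDelivr-hosted ethers build and the same-origin wallet-connect.js are not; the three anti-inspection handlers are reported separately, since on their own they also appear on harmless sites.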
Rising Trend: 'X as a Service' Model:
The success of Inferno Drainer highlights a growing trend in the cybercriminal landscape: the ‘X as a service’ model. This model lets less technically competent individuals engage in cybercrime and gives developers a lucrative way to boost their revenues. Group-IB also anticipates a surge in takeovers of official project and company accounts, exploiting the trust placed in authoritative voices to lure potential victims into connecting their wallets.
Year of the Drainer:
As the aftermath of Inferno Drainer unfolds, Group-IB predicts 2024 will be the “year of the drainer.” The success of this campaign is likely to inspire new drainers and an uptick in websites carrying malicious scripts that spoof Web3 protocols. The lingering threat emphasizes the need for heightened security measures within the cryptocurrency community, starting with treating every wallet connection and signature prompt as a transaction to be read before it is approved.
Conclusion:
While Inferno Drainer may have ceased its activities, its impact remains a stark reminder of the evolving nature of cyber threats. Cryptocurrency holders face an ongoing risk, and the prevalence of drainers underscores the urgency of robust security practices. As the digital landscape continues to evolve, vigilance and proactive measures remain paramount in safeguarding against such attacks.