According to security researchers with Group-IB, the hottest form of malware in 2024 may well be crypto drainers. A case study of the “Inferno” drainer, the most successful of these operations to date, demonstrates how easy it is for criminals to use and how much profit is potentially available.
Crypto drainers are a new “as a service” offering, akin to ransomware in that this is now the most popular model for the most dangerous (and profitable) groups. That opens the field up to lower-skill affiliates, who can simply choose to give up a little more of their own profit to have nearly all of the hosting and phishing design done for them. Their only job is to dupe victims via social media, texts or emails, something that becomes easier by the day as AI tools develop.
The most popular crypto drainer of 2023 reached nearly $100 million in theft
Crypto drainers in an “as a service” model burst onto the scene in 2022, but 2023 was the year that they ascended to “major threat” status. Group-IB examines the “Inferno” malware, a drainer that officially operated from November 2022 to November 2023 and is thus far the most successful example in terms of victim count (about 130,000) and stolen assets (about $87 million worth).
Those numbers are of course still below the annual hauls that the biggest ransomware gangs collect, but crypto drainers are also much easier for the affiliate to operate. They don’t really need any hacking knowledge at all, since the approach is one of advertising and text-based social engineering instead. Thus far most of the successful efforts have spammed X and Discord with promises of free token giveaways, sometimes employing hacked accounts (which can be bought or obtained by crude credential stuffing) for added legitimacy.
A victim of crypto malware or scams has little recourse once the money is gone, since it is a direct wallet-to-wallet transfer. Their best hope is that the funds eventually pass through an exchange based in the US or some other friendly country where they might be frozen and at least partially recovered. However, the most likely outcome is that the criminals will take the funds straight to a mixing service or some Russia-based exchange where they will be beyond reach.
Will crypto drainer malware break out in 2024?
Group-IB, along with a number of other security researchers, believes that crypto drainers are going to be the big malware trend of the coming year. The “as a service” model will spur tremendous growth and invite numerous players that were previously put off by the technical complexities of ransomware or data extortion.
Inferno Drainer essentially got away with it. No members of the group have been identified as of yet, and they rode off into retirement with their cash. The malware is apparently still operational, with security researchers reporting that existing clients were still able to make use of their affiliate panels into January. That will not go unnoticed by other criminals, who will flock to a space perceived as low-risk and high-reward.
All of the crypto drainers in total took in an estimated $295 million in 2023. That’s still far from ransomware money, and these groups do not pose the same risk to critical infrastructure. They also attack people who have deliberately placed assets outside of regulated government banking systems. All of that could add up to international law enforcement making them a low priority even if they are continually stealing larger amounts of money.
Security researchers also expect the sophistication of these schemes to increase. Promising fake airdrops on Twitter/X and Discord has been going on for years now, and there is increased general wariness. That will push players in the market to evolve and to seek new hunting grounds.
All of this points to substantial crypto drainer growth in the near term. Crypto holders need to be especially cautious of any promised free giveaways or requests to connect to their wallets, and may consider switching to a hardware or encrypted wallet wherever feasible. But the main advice is what already applies to phishing schemes – be vigilant about URLs, especially from unsolicited messages, and watch for lookalike assets that spoof legitimate ones.