Crypto Drainers Cause $494M Losses, 67% Increase in 2024

Generated by AI, AgentCoin World
Wednesday, Apr 23, 2025, 5:57 am ET

Crypto drainers, a type of malware specifically designed to steal cryptocurrency, have become increasingly accessible as the ecosystem evolves into a software-as-a-service (SaaS) business model. This shift has made it easier for individuals with limited technical knowledge to engage in cryptocurrency scams. According to a report by AMLBot, a crypto forensics and compliance firm, many drainer operations have transitioned to a DaaS (drainer-as-a-service) model, allowing malware spreaders to rent a drainer for as little as 100 to 300 USDt.

Slava Demchuk, the CEO of AMLBot, highlighted that previously, entering the world of cryptocurrency scams required a significant amount of technical knowledge. However, under the DaaS model, the barrier to entry has been lowered, making it as easy to start as other types of cybercrime. Would-be drainer users can join online communities to learn from more experienced scammers who provide guides and tutorials, facilitating the transition of traditional phishing campaign criminals into the crypto drainer space.

Demchuk noted that groups offering crypto drainers as a service have become increasingly bold and professionalized, even setting up booths at industry conferences. One such example is CryptoGrab. When asked how criminal operations can send representatives to information technology industry events without repercussions, Demchuk pointed to the lax enforcement of cybercrime in jurisdictions like Russia, where hacking is essentially legalized if it does not target citizens of the post-Soviet space.

This practice has been an open secret in the cybersecurity industry for many years. For instance, virtually all ransomware strains deactivate without causing harm if they detect a Russian virtual keyboard installed on the system. Similarly, the information stealer Typhon Reborn V2 checks the user's IP geolocation against a list of post-Soviet countries and deactivates if it finds itself in one of them. The reason is that Russian authorities have shown they will act if local hackers target citizens of the post-Soviet bloc.

DaaS organizations typically find their clientele within existing phishing communities, including gray- and black-hat forums on both the clearnet and the darknet, as well as Telegram groups and channels and gray-market platforms. In 2024, drainers were responsible for approximately $494 million in losses, a 67% increase over the previous year, while the number of victims rose by only 3.7%. The number of online resources dedicated to drainers on darknet forums rose from 55 in 2022 to 129 in 2024, indicating a growing trend.

Developers are often recruited through normal job advertisements. AMLBot’s open-source intelligence investigator, who prefers to remain anonymous for safety reasons, revealed that while researching drainers, his team came across several job postings specifically targeting developers to build drainers for Web3 ecosystems. One such job advert described the required features of a script that would empty Hedera (HBAR) wallets, primarily targeting Russian speakers. These ads appear in Telegram chats for smart contract developers, which are not private or restricted but are small, with usually 100 to 200 members.

Administrators quickly deleted the announcement cited as an example, but, as is often the case, those who needed to see it had already taken note and responded. Traditionally, this kind of business was conducted on specialized clearnet forums and on deep web forums accessible through the Tor network. However, much of the activity moved to Telegram thanks to its policy against sharing data with authorities. This changed following the arrest of Telegram CEO Pavel Durov, which led to an outflow back to the Tor network for better protection.

However, this threat to cybercriminals may no longer be relevant. Earlier this week, Durov expressed concerns over a growing threat to private messaging in France and other European Union countries, warning that Telegram would rather exit certain markets than implement encryption backdoors that undermine user privacy. This shift highlights the evolving landscape of cybercrime and the need for continuous vigilance in the face of new threats.
