Hackers were posing as Coinbase and using well-designed phishing pages to steal people's cryptocurrency, according to a report from cybersecurity researchers Group-IB.
According to the report, between November 2022 and 2023, an anonymous group of hackers ran a malware-as-a-service operation called Inferno Drainer.
As the name suggests, this type of malware drains all funds found in a victim's cryptocurrency wallet, including fungible and non-fungible tokens (NFTs). Other threat actors would rent the drainer and hand 20% of their proceeds to its operators.
Fake airdrops
For the drainer to work, the victim must connect their wallet to the attackers' infrastructure, which was achieved through convincing landing pages. Group-IB said it found more than 16,000 unique domains linked to the Inferno Drainer phishing operation, and that at least 100 different cryptocurrency brands were impersonated during that time. It is unknown how many different groups participated in the campaign. What is known is that most victims who ended up on the landing pages connected their wallets believing they would receive an airdrop.
An airdrop, in the world of cryptocurrencies, occurs when a new project launches and its developers want to put tokens into circulation. Typically, they use the promise of an airdrop to build a community and generate excitement around the project: people who want to receive the airdrop are asked to complete certain tasks (e.g. sharing Twitter posts, participating in Discord discussions, blogging, etc.).
However, instead of receiving the airdrop, once victims connect their wallets and approve the requested transactions, the drainer simply withdraws all funds from their accounts and, because blockchain transactions are irreversible, the funds cannot be recovered. Group-IB believes that more than 130,000 people fell victim to the campaign, which generated more than $80 million for its operators.
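The step that makes a drainer work is the approval the victim signs: a token `approve` or `setApprovalForAll` call that grants a contract the right to move the victim's assets. The following is an added example, not code from the Group-IB report or from Inferno Drainer, showing the kind of pre-signing check a wallet or browser extension can run on raw transaction calldata to flag unlimited allowances granted to an address the user has never interacted with. The function selectors are the standard ERC-20/ERC-721 ones; the spender addresses and the list of known-good spenders are constructed for the demonstration.

```javascript
// Added defensive example: decode token-approval calldata before it is signed
// and flag grants that look like a wallet-drainer approval request.

// Standard function selectors (first 4 bytes of keccak256 of the signature).
const SELECTORS = {
  "095ea7b3": "approve(address,uint256)",        // ERC-20 / ERC-721 single approval
  "a22cb465": "setApprovalForAll(address,bool)", // ERC-721 / ERC-1155 blanket approval
};

const MAX_UINT256 = (1n << 256n) - 1n; // "unlimited" allowance drainers typically request

function strip0x(hex) {
  return hex.startsWith("0x") || hex.startsWith("0X") ? hex.slice(2) : hex;
}

// i-th 32-byte ABI word after the 4-byte selector, as 64 hex characters.
function word(data, i) {
  return data.slice(8 + 64 * i, 8 + 64 * (i + 1));
}

// Returns a decoded approval or null when the calldata is not an approval call.
function decodeApprovalCall(calldata) {
  const data = strip0x(calldata).toLowerCase();
  if (data.length < 8 + 2 * 64) return null; // selector + two ABI words required
  const sig = SELECTORS[data.slice(0, 8)];
  if (!sig) return null;
  const spender = "0x" + word(data, 0).slice(24); // address is the low 20 bytes of word 0
  if (sig.startsWith("approve")) {
    const amount = BigInt("0x" + word(data, 1));
    return { method: "approve", spender, amount, unlimited: amount === MAX_UINT256 };
  }
  const approved = BigInt("0x" + word(data, 1)) !== 0n;
  return { method: "setApprovalForAll", spender, approved, unlimited: approved };
}

// Risk rating a wallet UI could surface before the user confirms.
// knownSpenders: Set of lower-case addresses the user has deliberately used before.
function assessApproval(calldata, knownSpenders) {
  const decoded = decodeApprovalCall(calldata);
  if (!decoded) return { risk: "none", reason: "not an approval call" };
  const trusted = knownSpenders.has(decoded.spender);
  if (decoded.unlimited && !trusted) {
    return { risk: "high", decoded,
      reason: `${decoded.method}: unlimited allowance to unknown spender ${decoded.spender}` };
  }
  if (decoded.unlimited) {
    return { risk: "medium", decoded, reason: `${decoded.method}: unlimited allowance to a known spender` };
  }
  if (!trusted) {
    return { risk: "medium", decoded, reason: `${decoded.method}: limited allowance to unknown spender` };
  }
  return { risk: "low", decoded, reason: `${decoded.method}: limited allowance to a known spender` };
}

// Helpers to construct sample calldata for the demonstration (ABI-encode the two calls).
function padWord(hexNoPrefix) {
  return hexNoPrefix.padStart(64, "0");
}
function encodeApprove(spender, amount) {
  return "0x095ea7b3" + padWord(strip0x(spender).toLowerCase()) + padWord(amount.toString(16));
}
function encodeSetApprovalForAll(operator, approved) {
  return "0xa22cb465" + padWord(strip0x(operator).toLowerCase()) + padWord(approved ? "1" : "0");
}

// Constructed sample data: a previously used exchange router and an unknown contract.
const KNOWN_ROUTER = "0x1111111111111111111111111111111111111111";  // constructed
const UNKNOWN_CONTRACT = "0xdead00000000000000000000000000000000beef"; // constructed
const knownSpenders = new Set([KNOWN_ROUTER]);

console.log(assessApproval(encodeApprove(UNKNOWN_CONTRACT, MAX_UINT256), knownSpenders).reason);
console.log(assessApproval(encodeSetApprovalForAll(UNKNOWN_CONTRACT, true), knownSpenders).reason);
console.log(assessApproval(encodeApprove(KNOWN_ROUTER, 1000n), knownSpenders).reason);
```

The check is deliberately conservative: a legitimate dApp may also ask for an unlimited allowance, so the output is a warning to surface in the signing prompt rather than an automatic block. Pairing it with an allowance-revocation routine for spenders the user no longer recognises closes the other half of the exposure.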
Inferno Drainer was supposedly shut down in November 2023, but the user panel was still active in mid-January of this year.