A new cybercrime campaign uses advanced phishing, obfuscated scripts, and malicious smart contracts to steal millions from unsuspecting cryptocurrency wallet holders.

According to the latest threat intelligence, a new wave of cryptocurrency thefts is being driven by a highly organized cybercrime operation calling itself Inferno Drainer that has refined the “Drainer-as-a-Service” model after claiming to exit the scene in November 2023.

This operation supplies cybercriminals with a toolkit of malicious scripts, smart contracts, and supporting infrastructure, enabling even low-skilled attackers to efficiently steal (or “drain”) digital assets from unsuspecting users’ wallets.

The attack chain typically begins with sophisticated phishing campaigns, often targeting members of crypto communities on platforms such as Discord. Then:

  • Attackers hijack expired vanity invite links or create fake bots that mimic trusted services, such as token-gated access management bots.
  • Once users are lured to these malicious servers, they are prompted to connect their wallets and sign seemingly legitimate transactions.
  • The phishing sites are convincing, closely imitating real interfaces and even displaying the user’s actual Discord credentials to lower suspicion.
  • The underlying malicious scripts are heavily obfuscated, employing multiple layers of string manipulation, dynamic function calls, and anti-debugging techniques to evade detection and analysis. Each phishing site receives a unique, frequently updated script, complicating automated discovery and takedown efforts.
  • A key innovation of this threat is its use of blockchain infrastructure to store critical configuration data and command server addresses. Rather than hardcoding these details, the scripts retrieve them from smart contracts on blockchains, using encrypted and encoded data that is difficult for defenders to analyze.
  • Communication with command servers is further shielded through rapidly rotating proxy servers and domains, often leveraging reputable platforms to avoid blacklisting.
  • The crypto theft itself is executed through a series of smart contracts that mimic legitimate token contracts but contain hidden logic. These contracts drain funds by exploiting wallet permissions or by prompting direct transfers. To bypass wallet security and blacklists, attackers employ short-lived contracts and frequently rotate receiving addresses. In some cases, tokens are sent to precomputed contract addresses that do not yet exist on-chain, making detection nearly impossible until after the theft occurs.

According to Eli Smadja, Group Manager, Check Point Research, the firm sharing its threat intelligence, over the past six months, this crypto threat operation has victimized more than 30,000 users, resulting in losses exceeding US$9m. The scale, technical sophistication, and relentless adaptation of tactics highlight the evolving threat landscape for cryptocurrency users.