Drainers: Signing the Crypto Devil’s Contract

Mauro Eldritch
Published in bitso.engineering · 6 min read · Jan 30, 2024

@MauroEldritch, Quetzal Team @ Bitso — 2024

Introduction

In the realm of blockchain technology, smart contracts serve as the digital arbiters of automated agreements, eliminating the need for intermediaries in transaction processes. At their core, smart contracts are self-executing agreements with their terms often written in languages like Solidity or Rust, publicly visible to anyone. Novices often find it surprisingly accessible to delve into Solidity programming, thanks to freely available online resources like CryptoZombies, which offer a hands-on and interactive approach, making the learning journey engaging and user-friendly.

So far, so good. However, while these digital agreements bring efficiency and transparency, the decentralized nature of blockchain also opens the door to malicious and creatively new attack vectors. Threat actors exploit the most basic vulnerability available in the wild: user trust, creating leonine contracts that may only benefit one party — the attacker — with substantial financial losses for the victims.

In this article, we’ll explore the malicious smart contracts scene. But tread carefully; if you are not cautious enough, you may end up signing a contract with the crypto devil.

DaaS: A contract to rule them all

In the DeFi space, a specific kind of malicious smart contract known as a “drainer” has emerged. These contracts deceive users into signing away their crypto assets, including tokens and NFTs, and send them to the attacker’s wallet. Most drainers are sophisticated: they identify and transfer only valuable assets, and sometimes even swap less popular tokens for more desirable ones before executing the drain and sending the proceeds to the attacker. The question arises: why would users willingly accept such transactions? Drainers often operate in conjunction with phishing sites posing as legitimate platforms. The drainer plays the role of the “backend” of the operation, while the phishing site takes the place of the “frontend.” These phishing sites ask users to validate their identities by logging in with popular wallets, like Metamask 🦊, and then present them with an authentic Metamask request to sign the malicious contract. Then, the worst happens.
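To make the signing step concrete, here is an added example in Python (not code from the article, nor from any drainer kit): it decodes the calldata a wallet shows the user before signing and flags the ERC-20/ERC-721 approval patterns a drainer needs in order to move funds later. The function selectors are the standard ones; the spender address and calldata are constructed for this example.

```python
# Added example, not code from the article: decode the calldata a wallet asks a
# user to sign and flag the approval patterns drainers depend on. Selectors are
# the standard ERC-20/ERC-721 ones; sample calldata and addresses are constructed.

UNLIMITED = (1 << 256) - 1
# 4-byte selector = first 4 bytes of keccak256(function signature)
SELECTORS = {
    "095ea7b3": ("approve", ["address", "uint256"]),
    "39509351": ("increaseAllowance", ["address", "uint256"]),
    "a22cb465": ("setApprovalForAll", ["address", "bool"]),
}

def decode_call(calldata: str) -> dict:
    """Split calldata into selector and 32-byte ABI words; unknown selectors stay opaque."""
    data = calldata.lower().removeprefix("0x")
    selector, body = data[:8], data[8:]
    if selector not in SELECTORS or len(body) % 64:
        return {"function": None, "args": []}
    name, types = SELECTORS[selector]
    words = [body[i:i + 64] for i in range(0, len(body), 64)]
    args = []
    for typ, word in zip(types, words):
        if typ == "address":
            args.append("0x" + word[-40:])  # address is right-aligned in its word
        elif typ == "bool":
            args.append(int(word, 16) != 0)
        else:
            args.append(int(word, 16))
    return {"function": name, "args": args}

def risk_of(call: dict) -> str:
    """Describe what signing this call would grant to a third party."""
    fn, args = call["function"], call["args"]
    if fn is None:
        return "UNKNOWN: opaque calldata, do not sign blind"
    if fn == "setApprovalForAll":
        operator, on = args
        return (f"CRITICAL: {operator} may move every NFT in this collection" if on
                else f"INFO: revokes operator {operator}")
    spender, amount = args  # approve / increaseAllowance
    if amount == UNLIMITED:
        return f"CRITICAL: unlimited token allowance to {spender}"
    return f"WARN: allowance of {amount} to {spender}"

# Constructed sample: a "login" prompt that is really approve(spender, 2**256-1).
SPENDER = "0x" + "bad" + "0" * 36 + "1"
SAMPLE = "0x095ea7b3" + "0" * 24 + SPENDER[2:] + "f" * 64
```

Running `risk_of(decode_call(SAMPLE))` on the constructed prompt reports an unlimited allowance to the spender, which is exactly the grant a drainer needs and exactly what a “sign in with your wallet” page never requires.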

While this seems like a hard heist to pull off, the criminal market never stops reinventing itself, surprising even the most seasoned researchers. You don’t have to spend weeks learning Solidity to write your drainer, only to find out you need to improve your frontend game by designing a convincing deceitful site. This process can be easily automated thanks to the Drainers as a Service (DaaS) model — a parallel to the Malware as a Service (MaaS) concept. In this model, threat actors design smart contracts and lease their use to affiliates who deploy copies and share profits with the original creator, while being entitled to receive support and updates. Most drainers come bundled with “phishing kits” for the quick deployment of deceptive websites to trick users into signing malicious contracts.

Let’s review some of the most popular Drainers in the black market.

Devils

Let’s start our journey by talking about Inferno Drainer.

Arguably the most popular drainer out there, Inferno left its mark in Web3-powered cybercrime history [1].

Inferno’s Malware-as-a-Service model started in November 2022 and finished a year later in November 2023, after seizing more than $80M from victims [2]. Inferno’s goodbye was a tidy one, slowly shutting down their operation, starting first by deleting the admin’s Telegram account but keeping the infrastructure, files, and devices to guarantee “a smooth transition to the new service” clients may choose, as stated in their last message [2] [16] on their official channel:

The end of the craziest journey.

Inferno drainer is shutting down. It has been a long ride with all of you and we’d like to thank you from the heart.

Unfortunately, nothing lasts forever.

After $80+ million drained, we decided to shut down; it’s time for us to move on.

All files, servers and devices related to inferno drainer will not be destroyed.

We’re gonna leave the servers running so all of you are able to make a smooth transition to the new service you’re going to choose.

Feel free to split the assets that were not auto-split.

Inferno targeted popular crypto projects such as Pepe, Collab.Land, zkSync, MetaMask, and Nakamigos, among others [14], and used malicious JavaScript code to impersonate Web3 protocols, such as Seaport, WalletConnect, and Coinbase, to trick users into authorizing transactions that transferred their crypto to the scammers’ wallets [15].

Up to this day (January 24th, 2024), even though “inactive,” Inferno Drainer keeps siphoning its victims’ funds [3–13].

Angels

Angel Drainer is another Malware-as-a-Service scheme targeting EVM (Ethereum Virtual Machine) chains with on-demand deployment of smart contracts. It also targets NFTs, and recently added support for draining SOL.

Angel gained notoriety after being deployed during a phishing incident that targeted a Ledger (hardware wallet manufacturer) engineer, compromising his NPMJS (npm, the Node Package Manager) account. This led to the deployment of a malicious version of Ledger Connect Kit, resulting in funds being stolen from users [24].

An interesting point about Angel is that their affiliates have “ranks” (Ruby, Emerald, Diamond, and Sapphire) that grant them different benefits and early access to new features. As of January 24th, Angel’s fees are set at 15%, with revenue exceeding $25 million USD from stolen assets [17–23] [25].

Ace up the sleeve

“We will be taking over this industry one step at a time by treating this like the software business it is,” said the Ace Drainer administrator on their channel after airing their very first public release in September 2023.

Little is known about Ace Drainer to date [26], but their software looks as promising as it is dangerous. It is backed not only by their technical prowess (custom phishing templates, multiple targeted exchanges, and multi-chain compatibility) but also by their megalomaniac approach of taking the throne left by Inferno Drainer at all costs. They spread a conqueror-like discourse paired with “loyalty” tokens for their users, such as offering “0% fees” right after Inferno’s closure to quickly seize the market opening it left.

“We are quickly proving our key role and dominance as the best drainer.”

Ace Drainer notifications via Telegram

Pinky promise

Pink Drainer first emerged in April 2023 and quickly pulled off a 156 ETH heist [30]. Allegedly developed by a lone developer (PinkDeveloper), it has already seized more than $25 million [27] from more than ten thousand victims [28] [29] as of today.

Pink became multichain compatible just a month after its launch and achieved its first million in July, according to PinkDeveloper.

Don’t make eye contact

Medusa Drainer entered the arena on the very day Inferno decided to quit, positioning themselves as an alternative to Monkey, Venom, and Inferno itself.

Hi everyone; after the Monkey, Inferno & Venom exits, there’s no drainer left that holds water, so we decided to come out to the public as an alternative.

Who are we?

- We are an organisation that made multi-million dollars in the past 12 months from multiple methods. We are looking for high-quality workers to work long-term with us.

Medusa Drainer notifications via Telegram

Little is known about them [31], as Medusa tends to hide their cards, playing in a more conservative way and selecting who to work with. In the first week of 2024, they claimed to have seized more than $5 million from victims.

Drain Me

Remember that phishing is a crucial part of the drainers’ operation, and deceiving users is a must to steal their funds. As always, criminals are improving their game to maximize profits, successfully compromising and impersonating significant players such as hardware crypto wallet manufacturers like Ledger [24] and Trezor [33], and even the SEC (Securities and Exchange Commission) [32]. Stay vigilant, be safe out there… and don’t get rekt.

Acknowledgments

Bitso Information Security Team. Rob Harrop for his corrections.

References

  1. https://dune.com/scamsniffer/inferno-drainer
  2. https://t.me/InfernoDrainer/150
  3. https://twitter.com/MistTrack_io/status/1744575117395702224
  4. https://twitter.com/MistTrack_io/status/1745976951452712995
  5. https://twitter.com/MistTrack_io/status/1748106498214130100
  6. https://twitter.com/MistTrack_io/status/1748104017698529669
  7. https://twitter.com/MistTrack_io/status/1748354033067434213
  8. https://twitter.com/MistTrack_io/status/1748354059462184983
  9. https://twitter.com/MistTrack_io/status/1750126255532584971
  10. https://twitter.com/MistTrack_io/status/1750136816559387099
  11. https://twitter.com/MistTrack_io/status/1750136788197491053
  12. https://twitter.com/MistTrack_io/status/1750139159610798527
  13. https://twitter.com/MistTrack_io/status/1750243991910789590
  14. https://decrypt.co/140877/inferno-drainer-scam-scammer-phishing-crypto-nfts
  15. https://cybernews.com/crypto/cryptocurrency-con-malware-stole-millions/
  16. https://cointelegraph.com/news/inferno-drainer-shut-down-after-stealing-millions-crypto-wallet-scam-kit
  17. https://twitter.com/MistTrack_io/status/1742344082779938997
  18. https://twitter.com/MistTrack_io/status/1742351908961157421
  19. https://twitter.com/MistTrack_io/status/1744689322534863168
  20. https://twitter.com/MistTrack_io/status/1746266239973109785
  21. https://twitter.com/MistTrack_io/status/1747417488495968735
  22. https://twitter.com/MistTrack_io/status/1747692179106197897
  23. https://twitter.com/MistTrack_io/status/1749766556006191244
  24. https://www.ledger.com/blog/security-incident-report
  25. https://dune.com/scamsniffer/angel-drainer-scam-stats
  26. https://twitter.com/MistTrack_io/status/1747171766198489516
  27. https://dune.com/scamsniffer/pinkdrainer-stats
  28. https://twitter.com/MistTrack_io/status/1740802673698623626
  29. https://twitter.com/MistTrack_io/status/1744515274769158439
  30. https://twitter.com/MetaSleuth/status/1644261722059051008
  31. https://twitter.com/MistTrack_io/status/1745446804291018815
  32. https://twitter.com/malwrhunterteam/status/1744867233841430742
  33. https://twitter.com/vxunderground/status/1750223676706828328
