Crypto-stealing malware Inferno Drainer remains in operation despite publicly shutting down—and has been used to snatch over $9 million from crypto wallets over the past six months.
According to cybersecurity firm Check Point Research, over 30,000 crypto wallets have been drained by the resurgent malware campaign, whose developers claimed to have ceased operations in November 2023.
Deep Dive into Inferno Drainer Reloaded: tracing malicious smart contracts, decrypting drainer configs, and fully uncovering the Discord phishing attack via a fake CollabLand bot. Over 30K new victims in just six months. https://t.co/xgcg9AaMRu
— Check Point Research (@_CPResearch_) May 7, 2025
A spokesperson for CPR told Decrypt that the figure was based on "data obtained from reverse-engineering the drainer's JavaScript code, decrypting its configuration received from the C&C server, and analyzing its on-chain activity." The majority of observed activity was on Ethereum and Binance Chain, they added.
CPR analysts reported that Inferno Drainer smart contracts deployed in 2023 are still active to this day, while the current version of the malware appears to have been improved upon over the previous iteration.

The malware is reportedly now able to use single-use smart contracts and on-chain encrypted configurations, making it far harder to detect and prevent attacks. In addition, command-and-control server communication has been obfuscated via proxy-based systems, meaning tracking has become even more difficult.
Inferno Drainer's resurgence comes alongside a phishing campaign targeting Discord users. According to CPR analysts, the campaign leveraged social engineering techniques to redirect users from a legitimate Web3 project’s website to a counterfeit site mimicking the verification UX for popular Discord bot Collab.Land. The fake Collab.Land site hosted a cryptocurrency drainer, which tricked victims into signing malicious transactions—enabling attackers to gain access to their funds.
By combining “targeted deception and effective social engineering tactics,” the malware campaign has generated a “stable financial flow identified through blockchain transaction analysis,” CPR analysts said.
Crypto users are advised to exercise extra caution whenever they are interacting with unfamiliar platforms. The fake Collab.Land bot identified by CPR contained only “subtle visual differences” to the legitimate bot, and the cybercriminals behind the deception are likely to “continue refining their imitation,” the researchers said.
Because the legitimate Collab.Land service requires users to verify their wallet by signing, they noted, “even experienced cryptocurrency users may lower their guard” when presented with the fake bot—making it even more important to verify authenticity before connecting wallets to any service.

The revival of Inferno Drainer is just one of a number of malware campaigns to surface in recent months. Hackers are adopting increasingly sophisticated techniques to deliver crypto-stealing malware, targeting hacked mailing lists, open-source Python libraries and even preloading trojans on counterfeit Android phones.