Crypto drainers sold as easy-to-use malware at IT fairs

Crypto drainers are now sold as SaaS at IT fairs, making crypto theft easier for novices. Services cost 100-300 USDt, with guides for beginners available.

Crypto-stealing malware is now packaged for ease of use and sold at industry exhibitions.

With the rise of software-as-a-service offerings, crypto drainers have become more accessible, enabling novice threat actors to commit crypto theft.

Evolving into a software-as-a-service industry, crypto drainers, programs meant to siphon off crypto funds, are now more easily within reach of cybercriminals.

AMLBot, in its April 22 publication, pointed out that many drainer operators have embraced a SaaS model, widely known as drainer-as-a-service or DaaS.

The report revealed that using a drainer service could cost as little as 100 to 300 USDt for malware deployers.

According to AMLBot’s CEO, Slava Demchuk, “previously, entering the world of cryptocurrency scams required a fair amount of technical knowledge.”

Thanks to DaaS, “getting started isn’t significantly more difficult than with other types of cybercrime.”

As Demchuk pointed out, online spaces have emerged where experienced scammers mentor beginners with guides and walkthroughs.

This is the typical path by which many cybercriminals already involved in phishing move into the crypto drainer scene.

According to Demchuk, the rise of crypto drainer service groups marks greater boldness, with a few starting to adopt operational models akin to traditional businesses. He added:

“Interestingly, some drainer groups have become so bold and professionalized that they even set up booths at industry conferences — CryptoGrab being one such example.”

When asked how criminals manage to attend information technology conferences without getting arrested, he pointed to Russia's approach to cybercrime enforcement.

“This can all be done in jurisdictions like Russia, where hacking is now essentially legalized if you’re not operating across the post-Soviet space,” he said.

This practice has long been an open secret in the cybersecurity community.

As reported by KrebsOnSecurity in 2021, nearly all ransomware variants deactivate harmlessly if Russian virtual keyboards are found on the system.

Similarly, the information stealer Typhon Reborn v2 compares the user’s IP geolocation to a list of countries that were part of the Soviet Union.

Cisco mentions that the malware shuts down when it identifies a user from one of those countries.

The reason is clear: Russian authorities have indicated they will take action if local hackers target people in post-Soviet nations.

Demchuk noted that phishing communities serve as the primary source of clients for most DaaS organizations.

These groups find their clients across clearnet and darknet forums, Telegram channels, and gray market platforms.

Scam Sniffer’s report for 2024 showed that drainers caused $494 million in losses, a 67% surge from the prior year, despite only a 3.7% rise in victims.

Kaspersky found that the presence of drainers on darknet forums has grown, with the number of relevant online resources increasing from 55 in 2022 to 129 in 2024.

Ordinary-looking job listings are used to attract developers.

While investigating drainers, AMLBot’s open-source intelligence researcher, who chose to remain anonymous for safety, found several job listings targeting developers to create drainers for Web3 ecosystems.

He included a job advert that specified the required attributes of a script to drain Hedera wallets.

This offer, like others, mostly targeted Russian-speaking individuals.

“This request was originally written in Russian and shared in a developer-focused Telegram chat. It’s a clear example of how technical talent is actively recruited in niche, often semi-open communities.”

Ads like these frequently appear in Telegram chats targeted at smart-contract developers, the investigator added.

Although the chats are not exclusive or closed, they tend to be small, with a membership of 100 to 200 people.

Administrators swiftly deleted the announcement that was shared as an example.

Still, “as is often the case, those who needed to see it had already taken note and responded.”

Traditionally, these operations took place on specialized forums on both the clearnet and deep web, accessed via Tor.

According to the investigator, Telegram now hosts much of the content because of its policy of refusing to share data with authorities.

The arrest of Telegram’s CEO, Pavel Durov, marked the turning point for this change.

“As soon as Telegram announced that it was giving out data, then the outflow to Tor started again, because it is easier to protect oneself there.”

Telegram's data sharing remains a concern, but cybercriminals may soon consider that view outdated.

Durov expressed his concerns earlier this week about the rising threat to private messaging in France and other EU states, making it clear that Telegram would rather abandon certain markets than risk user privacy by allowing encryption backdoors.
