Crypto drainers are retiring as investigators start to close in

By Cointelegraph
about 1 month ago

Major cryptocurrency drainers like Inferno and Pink made headlines this year by announcing they were retiring — but victims continue to lose staggering sums.

A crypto drainer typically tricks a user into connecting a wallet and approving a transaction that drains all of the user’s funds. 

In October, more than $20 million was lost to phishing schemes, according to Scam Sniffer. While the month’s volume was down 56% from September, the number of victims — 12,058 — jumped 20% month-over-month.

Alex Katz, CEO and co-founder of internet browser security plugin Kerberus, told Cointelegraph that draining volume can vary month by month with market conditions, but that the rising number of victims was alarming.

Meanwhile, law enforcement and cybersecurity firms are getting better at catching cyber crooks. “We think [drainers are shutting down] because they have earned too much. If they continue, it’s only a matter of time before law enforcement finds them or their accomplices,” Cos, founder of MistTrack, told Cointelegraph.

As an example, Tether, the world’s largest stablecoin issuer, recently froze at least three wallets connected to drainer operations.

While Tether did not respond to a request for comment, a private investigator who Cointelegraph has confirmed is working with authorities on crypto draining cases said that the three wallets were frozen at the request of a law enforcement agency.

The investigator has been working with authorities to track down a suspicious entity known as Konpyl. A recent investigation by Cointelegraph Magazine linked Konpyl and associated wallets to a fake Rabby wallet scam that drained about $1.6 million from victims. 

Related: Fake Rabby wallet wreaks havoc after listing on Apple App Store

Offchain evidence reviewed by the magazine during the investigation found links between the Konpyl online persona and a Dubai-based crypto CEO who denied any wrongdoing and claimed to be a victim of blackmail.

The latest trio of accounts frozen by Tether not only share links to drainer wallets but to Konpyl as well. 


Blacklisted USDT addresses are connected to drainers and Konpyl. (USDT Blacklist)

At the very least, “[Konpyl] is a big drainer customer,” the investigator told Cointelegraph. “[Konpyl] mostly uses Inferno Drainer but has also experimented with Pink Drainer,” the investigator said.

Top drainers are unplugging

Crypto drainers often gain access to wallets by exploiting vulnerabilities in smart contracts, by phishing, or through social engineering tactics.

They are created by developers who sell access to illicit actors, enabling them to conduct exploits and subsequent thefts in exchange for fees. This model has become known as the “scam-as-a-service” model.

“One mind shift that you need to make is that drainers are businesses,” Katz said. “If you actually look in the draining transactions, a big percentage goes to the person that deployed the drainer, because they take a commission.”

Over the years, these software tools have been marketed under their own brands, with services like Inferno, Pink and Monkey Drainer rising in popularity.

Related: Blockaid says it caused crypto drainer to shut down, defends against claims of ‘false positives’

These three aren’t the only drainers around, but they do share a common trait: all of them have announced shutdowns, with Inferno the latest to unplug in October. Inferno claimed that its services had been taken over by Angel Drainer.


Inferno Drainer announced its services have been taken over by Angel Drainer in an Oct. 19 announcement. Source: Scam Sniffer

Monkey Drainer was one of the earliest to use the SaaS draining model. It shut down in March 2023, and the next batch of drainers, including Inferno and Pink, emerged after it.

Pink Drainer was allegedly developed by a former member of the security community who helped battle Monkey Drainer, then later turned to the dark side. Pink Drainer announced its retirement in May 2024, after amassing about $85 million from more than 21,000 victims.

Inferno was inactive after announcing its retirement in November 2023, but resurfaced after Pink’s departure from the scene.

Inferno’s latest shutdown was announced days after Tether froze the three wallets on Oct. 16, which was also the same day Cointelegraph Magazine’s investigation into Konpyl and the fake Rabby wallet was published.

The Inferno and Konpyl connection

Onchain evidence suggests a relationship between accounts linked to Konpyl and those associated with Inferno, although security experts have provided varying analyses on the specifics.

One sample onchain relationship comes from a draining incident in March 2024, when a victim lost $4.39 million in cryptocurrencies to a crypto thief equipped with Inferno Drainer’s set.


Security community sniffs out an Inferno-linked draining attack and exposes illicit wallets used. (Scam Sniffer)

Some of the stolen tokens were burned with the help of blockchain detective ZachXBT, but others were consolidated and traveled to 0x344…12ac3, which security firm MistTrack suspects is owned by Inferno Drainer. From there, around $767,610 in Wrapped Ether entered DeFi platform CoW Protocol.

On the other end, this amount is received by 0x87B…A53d92 (CoW Output) in Tether (USDT).


MistTrack’s analysis illustrated the consolidation of illicit funds. (MistTrack)

From this CoW output address, a relationship with Konpyl can be drawn.

The output address has three transactions with 0xF2F…6a608, twice in August 2022 and once in May 2024. The first of the three transactions is the funding transaction for this 0xF2F wallet, or the first recorded transfer to that account. 

0xF2F is in turn tied to a Konpyl-linked account through seven transactions dating back to October 2023, totaling around half a million dollars. In this sample trail, the 0xF2F wallet is therefore the bridge that connects the March 2024 Inferno Drainer-linked scheme with the entity linked to the 2024 fake Rabby wallet incident.
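The trail described above (CoW output to 0xF2F, 0xF2F’s funding transaction, seven transfers to a Konpyl-linked account) is the kind of counterparty walk an investigator repeats over an exported transfer list. The script below is an added example, not code from the article, MistTrack or Scam Sniffer; it runs over constructed transfers with hypothetical address labels standing in for the real wallets.

```python
from collections import defaultdict, deque

# Constructed sample transfers (hypothetical labels, not the article's real wallets):
# (tx_id, sender, receiver, token, usd_value, ISO date).
TRANSFERS = [
    ("t01", "consolidator", "cow_output", "USDT", 767_610, "2024-03-21"),
    ("t02", "cow_output", "exchange_deposit", "USDT", 100_000, "2024-03-22"),
    ("t03", "cow_output", "bridge_0xF2F", "USDT", 50_000, "2022-08-01"),
    ("t04", "cow_output", "bridge_0xF2F", "USDT", 40_000, "2022-08-15"),
    ("t05", "bridge_0xF2F", "cow_output", "USDT", 30_000, "2024-05-03"),
    ("t06", "bridge_0xF2F", "konpyl_linked", "USDT", 60_000, "2023-10-02"),
    ("t07", "konpyl_linked", "bridge_0xF2F", "USDT", 70_000, "2023-11-11"),
    ("t08", "bridge_0xF2F", "konpyl_linked", "USDT", 80_000, "2023-12-05"),
    ("t09", "bridge_0xF2F", "konpyl_linked", "USDT", 65_000, "2024-01-17"),
    ("t10", "konpyl_linked", "bridge_0xF2F", "USDT", 75_000, "2024-02-09"),
    ("t11", "bridge_0xF2F", "konpyl_linked", "USDT", 85_000, "2024-03-28"),
    ("t12", "bridge_0xF2F", "konpyl_linked", "USDT", 65_000, "2024-04-30"),
]

def build_graph(transfers):
    """Undirected counterparty graph: address -> set of addresses it transacted with."""
    graph = defaultdict(set)
    for _, src, dst, *_ in transfers:
        graph[src].add(dst)
        graph[dst].add(src)
    return graph

def find_path(transfers, start, target):
    """Shortest counterparty chain from start to target (BFS), or None if unlinked."""
    graph, parent, queue = build_graph(transfers), {start: None}, deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            path = []
            while node is not None:  # walk parents back to the start address
                path.append(node)
                node = parent[node]
            return path[::-1]
        for nxt in sorted(graph[node] - set(parent)):
            parent[nxt] = node
            queue.append(nxt)
    return None

def funding_tx(transfers, addr):
    """First recorded inbound transfer to addr, i.e. the wallet's funding transaction."""
    inbound = [t for t in transfers if t[2] == addr]
    return min(inbound, key=lambda t: t[5]) if inbound else None

def relationship(transfers, a, b):
    """(count, total USD) of transfers in either direction between a and b."""
    between = [t for t in transfers if {t[1], t[2]} == {a, b}]
    return len(between), sum(t[4] for t in between)
```

On the constructed data the path runs cow_output, bridge_0xF2F, konpyl_linked, the bridge’s funding transaction is t03 from the CoW output, and the bridge-to-Konpyl relationship is seven transfers totaling $500,000, matching the shape of the trail in the text.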

Unpacking the fund movements

These movements, according to the private investigator, suggest that the entity known as Konpyl may be a major user of Inferno Drainer or have an even deeper involvement.

Still, Fantasy, investigation lead at crypto insurance firm Fairside Network, has a different take.

Fantasy told Cointelegraph that it’s also possible none of the wallets identified before entering CoW Protocol actually belong to Inferno Drainer. Rather, the wallets may all belong to Inferno Drainer customers.

“An Inferno customer would not willingly give up more of a theft. A more likely explanation is that this is a customer consolidating theft proceeds,” he told Cointelegraph, pointing to transactions that show draining fees were paid to a separate wallet.


Fees paid to Inferno suggest that the subsequent movement could be made by an Inferno customer. (Etherscan)

Fantasy also presented an alternative as to why Konpyl could be linked to the exploits. 

“I wonder if he is an OTC [over-the-counter] trader and threat actors are using him to launder money. This may lead to an explanation as to why Konpyl’s Rhino outputs consolidate as they do,” Fantasy theorized, analyzing Konpyl’s onchain movements summarized by Cointelegraph Magazine’s October investigation. 

“Concealing movements using OTC traders is not an uncommon tactic. Usually, these types of traders do not care where the funds originate from, as long as they receive their fee.”

Law enforcement and security experts closing the gap

Meanwhile, Fun, founder of Scam Sniffer, told Cointelegraph that continuous contributions by entities like MistTrack, Scam Sniffer and security group SEAL 911 are contributing to blacklisting illicit addresses.


Security firm Blockaid questions whether Inferno Drainer is prepping to ride off into the sunset. (Blockaid)

Internet browser extensions like Kerberus also exist, while wallets are increasingly integrating user-security services like Blockaid.

Magazine: As Ethereum phishing gets harder, drainers move to TON and Bitcoin

“For their safety, shutting down was inevitable,” Fun said. “Whether it’s Inferno Drainer or Pink Drainer, they’re just services used by scammers. The real perpetrators are hidden behind these drainer names.”

Still, Katz of Kerberus warns that shutdowns in the world of crypto drainers should be taken with a grain of salt, as the operators may be playing possum, much like Inferno’s “retirement” in November 2023, only to return and wreak havoc for half of 2024.

“They might say they shut down for security companies to lower their guard. But at the end of the day, they can rebrand under a new name [and] they can come back,” Katz said.

“These are criminals — let’s make that very clear. You can’t trust criminals no matter what they say.”
