Crypto drainers now sold as easy-to-use malware at IT industry fairs

Crypto drainers — malware designed to steal cryptocurrency — have become easier to access as the ecosystem evolves into a software-as-a-service (SaaS) business model.

In an April 22report, crypto forensics and compliance firm AMLBot revealed that many drainer operations have transitioned to a SaaS model known as drainer-as-a-service (DaaS). The report revealed that malware spreaders can rent a drainer for as little as 100 to 300 USDt (USDT).

AMLBot CEO Slava Demchuk told Cointelegraph that “previously, entering the world of cryptocurrency scams required a fair amount of technical knowledge.” That is no longer the case. Under the DaaS model, “getting started isn’t significantly more difficult than with other types of cybercrime.”

Demchuk explained that would-be drainer users join online communities to learn from more experienced scammers who provide guides and tutorials. This is how many criminals involved with traditional phishing campaigns transition to the crypto drainer space.

Related:North Korean hackers target crypto devs with fake recruitment tests

Cybercrime in Russia — almost legal

Demchuk said that groups offering crypto drainers as a service are increasingly bold and keep resembling traditional businesses more and more:

When asked how a criminal operation can send representatives to information technology industry events without repercussions, such as arrests, he pointed to Russian cybercrime enforcement as the reason. “This can all be done in jurisdictions like Russia, where hacking is now essentially legalized if you’re not operating across the post-Soviet space,” he said.

The practice has been an open secret in the cybersecurity industry for many years. Cybersecurity news publication KrebsOnSecurityreportedin 2021 that “virtually all ransomware strains” deactivate without causing harm if they detect Russian virtual keyboards installed.

Similarly, the information stealer Typhon Reborn v2 checks the user’s IP geolocation against a list of post-Soviet countries. According to networking firmCisco, if it determines that it is located in one of those countries, it deactivates. The reason is simple, Russian authorities have shown that they will act if local hackers hit citizens of the post-Soviet block.

Related:What is Bitcoinlib, and how did hackers target it?

Drainers keep growing

Demchuk further explained that DaaS organizations usually find their clientele within existing phishing communities. This includes gray and black hat forums on both clearnet (regular internet) and darknet (deep web), as well as Telegram groups and channels, and gray market platforms.

In 2024, Scam Snifferreportedthat drainers were responsible for approximately $494 million in losses, a 67% increase over the previous year, despite a 3.7% increase in the number of victims. Drainers are on the rise, with cybersecurity giant Kasperskyreportingthat the number of online resources dedicated to them on darknet forums rose from 55 in 2022 to 129 in 2024.

Developers are often recruited through normal job adverts. AMLBot’s open-source intelligence investigator, who prefers to remain anonymous for safety reasons, told Cointelegraph that while researching drainers, his team “did come across several job postings specifically targeting developers to build drainers for Web3 ecosystems.”

He provided one job advert that describes the required features of a script that would empty Hedera (HBAR) wallets. Once again, the offer was mainly targeted at Russian speakers:

The investigator further added that ads like this one appear in Telegram chats for smart contract developers. Those chats are not private or restricted, but they are small, with usually 100 to 200 members.

Administrators quickly deleted the announcement provided as an example. Still, “as is often the case, those who needed to see it had already taken note and responded.”

Traditionally, this kind of business was conducted on specialized clearnet forums and deep web forums accessible through the Tor network. Still, the investigator explained that much of the content moved to Telegram thanks to its policy against sharing data with authorities. This changed following the arrest of Telegram CEO Pavel Durov:

Still, this is a threat to cybercriminals that may no longer be relevant. Earlier this week, Durov expressed concerns over a growing threat to private messaging in France and other European Union countries, warning that Telegram would ratherexit certain markets than implement encryption backdoorsthat undermine user privacy.

Magazine:As Ethereum phishing gets harder, drainers move to TON and Bitcoin

Crypto drainers — malware designed to steal cryptocurrency — is now an increasingly accessible industry that easily allows one to partake in its profits.

Crypto forensics and compliance firm AMLBot explained in its report on drainers,publishedon April 22, that many operations transitioned to a software-as-a-service (SaaS) model known as drainer-as-a-service (DaaS). The report reveals that malware spreaders can rent a drainer for as little as 100 to 300 USDt.

AMLBot CEO Slava Demchuk told Cointelegraph that “previously, entering the world of cryptocurrency scams required a fair amount of technical knowledge.” That is no longer the case. Under the DaaS model, “getting started isn’t significantly more difficult than with other types of cybercrime.”

Demchuk explained that would be drainer users join online communities to learn from more experienced scammers who provide guides and tutorials. This is how many criminals involved with traditional phishing campaigns transition to the crypto drainer space.

Related:North Korean hackers target crypto devs with fake recruitment tests

Cybercrime in Russia: almost legal

Demchuk said that groups offering crypto drainers as a service are increasingly bold and keep resembling traditional businesses more and more. He said:

When asked how a criminal operation can send representatives to information technology industry events without repercussions, such as arrests, he pointed to Russian cybercrime enforcement as the reason. “This can all be done in jurisdictions like Russia, where hacking is now essentially legalized if you’re not operating across the post-Soviet space,” he said.

While this statement may come as a surprise to outsiders, it has been an open secret in the cybersecurity industry for many years. Cybersecurity news publication KrebsOnSecurityreportedin 2021 that “virtually all ransomware strains” deactivate without causing harm if they detect Russian virtual keyboards installed.

Similarly, the information stealer Typhon Reborn V2 checks the user’s IP geolocation against a list of post-Soviet countries. According to networking firmCisco, if it determines that it is located in one of those countries, it deactivates. The reason is simple, Russian authorities have shown that they will act if local hackers hit citizens of the post-Soviet block.

Related:What is Bitcoinlib, and how did hackers target it?

Drainers keep growing

Demchuk further explained that DaaS organizations usually find their clientele within existing phishing communities. This includes gray and black-hat forums on both clearnet (regular internet) and darknet (deep web) as well as Telegram groups and channels and gray market platforms.

In 2024, Scam Snifferreportedthat drainers were responsible for approximately $494 million in losses, a 67% increase over the previous year, despite a 3.7% increase in the number of victims. Drainers are on the rise, with cybersecurity giant Kasperskyreportingthat the number of online resources dedicated to them on darknet forums rose from 55 in 2022 to 129 in 2024.

Developers are often recruited through normal job adverts. AMLBot’s open source intelligence investigator — who prefers to remain anonymous for safety reasons — told Cointelegraph that while researching drainers, his team “did come across several job postings specifically targeting developers to build drainers for Web3 ecosystems.”

He provided one job advert that describes the required features of a script that would empty Hedera (HBAR) wallets. Once again, the offer was mainly extended to Russians:

The investigator further added that ads like this one appear in Telegram chats for smart contract developers. Those chats are not private or restricted, but they are small, with usually 100 to 200 members.

Administrators quickly deleted the announcement provided as an example. Still, “as is often the case, those who needed to see it had already taken note and responded.”

Traditionally, this kind of business was conducted on specialized clearnet forums and deep web forums accessible through the Tor network. Still, the investigator explained that much of the content moved to Telegram thanks to its policy against sharing data with authorities. This changed following the arrest of Telegram CEO Pavel Durov:

Still, this is a threat to cybercriminals that may no longer be relevant. Earlier this week, Durov expressed concerns over a growing threat to private messaging in France and other European Union countries, warning thatTelegram would rather exit certain markets than implement encryption backdoorsthat undermine user privacy.

Magazine:As Ethereum phishing gets harder, drainers move to TON and Bitcoin