Crypto Drainers Now Sold as Easy-to-Use Malware at IT Industry Fairs

Crypto drainers, malware designed to steal cryptocurrency, have become an increasingly accessible and professionalized software-as-a-service (SaaS) industry, enabling low-skill actors to target unsuspecting victims. The evolution of crypto drainer operations has transformed them from technical nightmares into a relatively simple and user-friendly service that can be rented for as little as $100 to $300 USDt (USDT).

In an April 22 report, crypto forensics and compliance firm AMLBot revealed that many drainer operations have transitioned to a SaaS model known as drainer-as-a-service (DaaS). This shift has made it easier for malware spreaders to enter the world of cryptocurrency scams without requiring extensive technical knowledge. According to AMLBot CEO Slava Demchuk, "getting started isn't significantly more difficult than with other types of cybercrime."

Under the DaaS model, would-be drainer users join online communities to learn from experienced scammers who provide guides and tutorials. This is how many criminals involved with traditional phishing campaigns transition to the crypto drainer space.

Demchuk explained that groups offering crypto drainers as a service are increasingly bold and some are evolving almost like traditional business models. When asked how a criminal operation can send representatives to information technology industry events without repercussions, such as arrests, he pointed to Russian cybercrime enforcement as the reason. "This can all be done in jurisdictions like Russia, where hacking is now essentially legalized if you're not operating across the post-Soviet space," he said.

The practice has been an open secret in the cybersecurity industry for many years. Cybersecurity news publication KrebsOnSecurity reported in 2021 that "virtually all ransomware strains" deactivate without causing harm if they detect Russian virtual keyboards installed. Similarly, the information stealer Typhon Reborn v2 checks the user's IP geolocation against a list of post-Soviet countries.

According to networking firm Cisco, if it determines that it is located in one of those countries, it deactivates. The reason is simple: Russian authorities have shown that they will act if local hackers hit citizens of the post-Soviet bloc.

Demchuk further explained that DaaS organizations usually find their clientele within existing phishing communities. This includes gray and black hat forums on both clearnet (regular internet) and darknet (deep web), as well as Telegram groups and channels, and gray market platforms.

In 2024, Scam Sniffer reported that drainers were responsible for about $494 million in losses, a 67% increase over the previous year, despite a 3.7% increase in the number of victims. Drainers are on the increase, with cybersecurity giant Kaspersky reporting that the number of online resources dedicated to them on darknet forums rose from 55 in 2022 to 129 in 2024.

Developers are often recruited through normal job adverts. AMLBot's open-source intelligence investigator, who prefers to remain anonymous for safety reasons, told Cointelegraph that while researching drainers, his team "did come across several job postings specifically targeting developers to build drainers for Web3 ecosystems."

He provided one job advert that described the required features of a script that would empty Hedera (HBAR) wallets. Once again, the offer was mainly targeted at Russian speakers: The investigator further added that ads like this appear in Telegram chats for smart-contract developers.

Those chats are not private or restricted, but they are small, with usually 100 to 200 members. Administrators quickly deleted the announcement provided as an example. Still, "as is often the case, those who needed to see it had already taken note and responded."

Traditionally, this kind of business was conducted on specialized clearnet forums and deep web forums accessible through the Tor network. Still, the investigator said that much of the content moved to Telegram thanks to its policy against sharing data with authorities.

This changed following the arrest of Telegram CEO Pavel Durov: Still, this is a concern to cybercriminals that may no longer be relevant. Earlier this week, Durov expressed misgivings over a growing threat to private messaging in France and other European Union countries, warning that Telegram would rather exit certain markets than implement encryption backdoors that undermine user privacy.