Introduction
In the realm of blockchain technology, smart contracts serve as the digital arbiters of automated agreements, eliminating the need for intermediaries in transaction processes. At their core, smart contracts are self-executing agreements whose terms are written in code, typically Solidity or Rust, and publicly visible to anyone. Novices often find Solidity surprisingly accessible, thanks to freely available online resources like CryptoZombies, which take a hands-on, interactive approach that keeps the learning journey engaging and user-friendly.
So far, so good. However, while these digital agreements bring efficiency and transparency, the decentralized nature of blockchain also opens the door to malicious and creatively new attack vectors. Threat actors exploit the most basic vulnerability available in the wild, user trust, by creating leonine contracts that benefit only one party, the attacker, and leave the victims with substantial financial losses.
In this article, we'll explore the malicious smart contracts scene. But tread carefully; if you are not cautious enough, you may end up signing a contract with the crypto devil.
DaaS: A contract to rule them all
In the DeFi space, a specific kind of malicious smart contract known as a "drainer" has emerged. These contracts deceive users into signing away their crypto assets, including tokens and NFTs, and send them to the attacker's wallet. Most drainers are sophisticated: they identify and transfer only valuable assets, and sometimes even swap less popular tokens for more desirable ones before executing the drain that sends everything to the attacker. The question arises: why would users willingly accept such transactions? Drainers often operate in conjunction with phishing sites posing as legitimate platforms. The drainer plays the role of the "backend" in the operation, while the phishing site takes the place of the "frontend." These phishing sites ask users to validate their identities by logging in with popular wallets, like MetaMask 🦊, and then present them with an authentic MetaMask request to sign the malicious transaction. Then, the worst happens.
While this seems like a hard heist to pull off, the criminal market never stops reinventing itself, surprising even the most seasoned researchers. You no longer have to spend weeks learning Solidity to write your drainer, only to find out you also need to improve your frontend game by designing a convincing deceitful site. The whole process can be easily automated thanks to the Drainers as a Service (DaaS) model, a parallel to the Malware as a Service (MaaS) concept. In this model, threat actors design smart contracts and lease their use to affiliates, who deploy copies and share profits with the original creator while being entitled to support and updates. Most drainers come bundled with "phishing kits" for the quick deployment of deceptive websites that trick users into signing malicious transactions.
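The "authentic wallet request" in the flow above is, at the chain level, usually a transaction that grants an attacker-controlled address the right to move the victim's tokens. As an added illustration (not code from the article or from any drainer kit), this small decoder inspects the calldata a wallet is about to sign and flags the two approval patterns such drains rely on; the selectors are the real ERC-20 and ERC-721/1155 ones, while the sample calldata and the allow-list of trusted spenders are constructed for the example.

```javascript
// Added example: flag approval calldata that hands control of assets to a
// spender the user does not recognise. Selectors are the first 4 bytes of
// keccak256 of the function signature (ERC-20 approve, ERC-721/1155
// setApprovalForAll).
const SELECTORS = {
  "0x095ea7b3": "approve(address,uint256)",
  "0xa22cb465": "setApprovalForAll(address,bool)",
};
const MAX_UINT256 = (1n << 256n) - 1n;

// Each ABI-encoded argument occupies one 32-byte word (64 hex chars)
// after the 4-byte selector ("0x" + 8 hex chars).
function word(hex, i) {
  return hex.slice(10 + i * 64, 10 + (i + 1) * 64);
}

// Returns { risk, reason, spender } for a "0x..." calldata string.
// `trusted` is a constructed allow-list of lower-case spender addresses.
function inspectCalldata(data, trusted = new Set()) {
  const hex = data.toLowerCase();
  const selector = hex.slice(0, 10);
  const fn = SELECTORS[selector];
  if (!fn) return { risk: "unknown", reason: `selector ${selector} not decoded`, spender: null };
  if (hex.length < 10 + 2 * 64) return { risk: "malformed", reason: "calldata too short", spender: null };
  const spender = "0x" + word(hex, 0).slice(24); // address is right-aligned in its word
  const arg = BigInt("0x" + word(hex, 1));       // amount (approve) or bool (setApprovalForAll)
  if (trusted.has(spender)) return { risk: "low", reason: `${fn} to allow-listed spender`, spender };
  if (fn.startsWith("approve") && arg === MAX_UINT256)
    return { risk: "high", reason: "unlimited ERC-20 allowance to unknown spender", spender };
  if (fn.startsWith("setApprovalForAll") && arg === 1n)
    return { risk: "high", reason: "blanket operator approval to unknown spender", spender };
  return { risk: "medium", reason: `${fn} to unknown spender`, spender };
}

// Constructed samples: unlimited approve() and setApprovalForAll(true)
// to made-up spender addresses.
const SPENDER_A = "0x" + "deadbeef".repeat(5);
const SPENDER_B = "0x" + "cafebabe".repeat(5);
const SAMPLE_APPROVE = "0x095ea7b3" + "0".repeat(24) + SPENDER_A.slice(2) + "f".repeat(64);
const SAMPLE_SET_ALL = "0xa22cb465" + "0".repeat(24) + SPENDER_B.slice(2) + "0".repeat(63) + "1";
```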
Let’s review some of the most popular Drainers in the black market.
Devils
Let's start our journey by talking about Inferno Drainer.
Arguably the most popular drainer out there, Inferno left its mark in Web3-powered cybercrime history [1].
Inferno’s Malware-as-a-Service operation started in November 2022 and ended a year later, in November 2023, after seizing more than $80M from victims [2]. Inferno’s goodbye was a tidy one: they shut down slowly, starting by deleting the admin’s Telegram account but keeping the infrastructure, files, and devices to guarantee "a smooth transition to the new service" their clients might choose, as stated in their last message [2] [16] on their official channel:
The end of the craziest journey.
Inferno drainer is shutting down.
It has been a long ride with all of you and we'd like to thank you from the heart.
Unfortunately, nothing lasts forever.
After +$80 million drained, we decided to shut down, it's time for us to move on.
All files, servers and devices related to inferno drainer will not be destroyed.
We're gonna leave the servers running so that all of you are able to make a smooth transition to the new service you're going to choose.
Feel free to split the not auto-split assets.
Inferno targeted popular crypto projects such as Pepe, Collab.Land, zkSync, MetaMask, and Nakamigos, among others [14], and used malicious JavaScript code to impersonate Web3 protocols, such as Seaport, WalletConnect, and Coinbase, to trick users into authorizing transactions that transferred their crypto to the scammers’ wallets [15].
As of this writing (January 24th, 2024), even though "inactive," Inferno Drainer keeps siphoning its victims' funds [3-13].
Angels
Angel Drainer is another Malware-as-a-Service scheme targeting EVM (Ethereum Virtual Machine) chains with on-demand deployment of smart contracts. It also targets NFTs, and recently added support for draining SOL.
Angel gained notoriety after being deployed in a phishing incident that targeted a Ledger (hardware wallet manufacturer) engineer and compromised his NPMJS (npm, the Node Package Manager registry) account. This led to the publication of a malicious version of Ledger Connect Kit, resulting in funds being stolen from users [24].
An interesting point about Angel is that their affiliates have "ranks" (Ruby, Emerald, Diamond, and Sapphire) that grant them different benefits and early access to new features. As of January 24th, Angel’s fees are set at 15%, with revenue exceeding $25 million USD from stolen assets [17-23] [25].
Ace up the sleeve
“We will be taking over this industry one step at a time by treating this like the software business it is” said the Ace Drainer administrator on their channel after airing their very first public release in September 2023.
Little is known about Ace Drainer up to this date [26], but their software looks as promising as it is dangerous. It is backed not only by their technical prowess (custom phishing templates, multiple exchanges targeted, and multi-chain compatibility) but also by their megalomaniac approach of taking the throne left by Inferno Drainer at all costs. They spread conqueror-like rhetoric paired with "loyalty" perks for their users, such as offering "0% fees" right after Inferno’s closure to quickly seize the market opening it left behind.
“We are quickly proving our key role and dominance as the best drainer”.
Pinky promise
Pink Drainer first emerged in April 2023 and quickly pulled off a 156 ETH heist [30]. Allegedly developed by a lone developer (PinkDeveloper), it has already seized more than $25 million [27] from more than ten thousand victims [28] [29] as of today.
Pink became multichain compatible just a month after its launch and achieved its first million in July, according to PinkDeveloper.
Don’t make eye contact
Medusa Drainer entered the arena on the very day Inferno decided to quit, positioning themselves as an alternative to Monkey, Venom, and Inferno itself.
Hi everyone; after Monkey, Inferno & Venom exits, there's no drainer left that holds water, so we decided to come out to the public as an alternative.
Who are we?
- We are an organisation that made multi-million dollars in the past 12 months from multiple methods. We are looking for high-quality workers to work long-term with us.
Little is known about them [31], as Medusa tends to hide its cards, playing more conservatively and selecting whom to work with. In the first week of 2024, they claimed to have seized more than $5 million from victims.
Drain Me
Remember that phishing is a crucial part of the drainers' operation: deceiving users is a must to steal their funds. As always, criminals keep improving their game to maximize profits, successfully compromising and impersonating significant players such as hardware crypto wallet manufacturers like Ledger [24] and Trezor [33], and even the SEC (Securities and Exchange Commission) [32]. Stay vigilant, be safe out there… and don’t get rekt.