Crypto drainers now sold as easy-to-use malware at IT industry fairs

Crypto drainers, malware designed to steal cryptocurrency, have become easier to access as the ecosystem evolves into a software-as-a-service (SaaS) business model.

In an April 22 report, crypto forensics and compliance firm AMLBot revealed that many drainer operations have transitioned to a SaaS model known as drainer-as-a-service (DaaS). The report revealed that malware spreaders can rent a drainer for as little as 100 to 300 USDt (USDT).

Crypto drainers report image. Source: AMLBot

AMLBot CEO Slava Demchuk told Cointelegraph that “previously, entering the world of cryptocurrency scams required a fair amount of technical knowledge.” That is no longer the case. Under the DaaS model, “getting started isn’t significantly more difficult than with other types of cybercrime.”

Demchuk explained that would-be drainer users join online communities to learn from experienced scammers who provide guides and tutorials. This is how many criminals involved with traditional phishing campaigns transition to the crypto drainer space.

Related: North Korean hackers target crypto devs with fake recruitment tests

Cybercrime in Russia — almost legal

Groups offering crypto drainers as a service are increasingly bold and some are evolving almost like traditional business models, Demchuk said, adding:

“Interestingly, some drainer groups have become so bold and professionalized that they even set up booths at industry conferences — CryptoGrab being one such example.“

When asked how a criminal operation can send representatives to information technology industry events without repercussions, such as arrests, he pointed to Russian cybercrime enforcement as the reason. “This can all be done in jurisdictions like Russia, where hacking is now essentially legalized if you're not operating across the post-Soviet space,” he said.

The practice has been an open secret in the cybersecurity industry for many years. Cybersecurity news publication KrebsOnSecurity reported in 2021 that “virtually all ransomware strains” deactivate without causing harm if they detect Russian virtual keyboards installed.

Similarly, the information stealer Typhon Reborn v2 checks the user’s IP geolocation against a list of post-Soviet countries. According to networking firm Cisco, if it determines that it is located in one of those countries, it deactivates. The reason is simple: Russian authorities have shown that they will act if local hackers hit citizens of the post-Soviet bloc.

Related: What is Bitcoinlib, and how did hackers target it?

Drainers keep growing

Demchuk further explained that DaaS organizations usually find their clientele within existing phishing communities. This includes gray and black hat forums on both clearnet (regular internet) and darknet (deep web), as well as Telegram groups and channels and gray market platforms.

In 2024, Scam Sniffer reported that drainers were responsible for about $494 million in losses, a 67% increase over the previous year, despite a 3.7% increase in the number of victims. Drainers are on the increase, with cybersecurity giant Kaspersky reporting that the number of online resources dedicated to them on darknet forums rose from 55 in 2022 to 129 in 2024.

Developers are often recruited through normal job adverts. AMLBot’s open-source intelligence investigator, who prefers to remain anonymous for safety reasons, told Cointelegraph that while researching drainers, his team “did come across several job postings specifically targeting developers to build drainers for Web3 ecosystems.”

He provided one job advert that described the required features of a script that would empty Hedera (HBAR) wallets. Once again, the offer was mainly targeted at Russian speakers:

“This request was originally written in Russian and shared in a developer-focused Telegram chat. It’s a clear example of how technical talent is actively recruited in niche, often semi-open communities.“

The investigator further added that ads like this appear in Telegram chats for smart-contract developers. Those chats are not private or restricted, but they are small, with usually 100 to 200 members.

Administrators quickly deleted the announcement provided as an example. Still, “as is often the case, those who needed to see it had already taken note and responded.”

Traditionally, this kind of business was conducted on specialized clearnet forums and deep web forums accessible through the Tor network. Still, the investigator said that much of the content moved to Telegram thanks to its policy against sharing data with authorities. This changed following the arrest of Telegram CEO Pavel Durov:

“As soon as Telegram announced that it was giving out data, then the outflow to Tor started again, because it is easier to protect oneself there.”

Still, this is a concern to cybercriminals that may no longer be relevant. Earlier this week, Durov expressed misgivings over a growing threat to private messaging in France and other European Union countries, warning that Telegram would rather exit certain markets than implement encryption backdoors that undermine user privacy.

Magazine: As Ethereum phishing gets harder, drainers move to TON and Bitcoin