Tools of Phishing: Inferno Drainer and Scams as a Service


This might be how it begins: You see a link on social media that offers a discount on something you want, or a cool service such as animation for NFTs. Or maybe you find an NFT offer has been airdropped into your wallet.

Whatever the initial outreach, you’re intrigued. You click the link and find yourself on a brand-name website of a major player in the crypto scene. You enter your wallet’s private key in order to pay for the service, discount, or NFT on offer.

Next thing you know, your NFTs or other assets have disappeared from your wallet.

What happened? You may have fallen victim to a type of scam where attackers use malicious software created by a third party. The organizations that provide this phishing software to bad actors operate with a business model known as Fraud as a Service (FaaS).

This type of swindle became a major issue targeting traditional retailers around 2021. Now, it’s made its way into crypto in a big way. To keep your assets safe, it’s important to understand how these scams work.

What is Fraud as a Service in web3? A definition

Here’s a definition of FaaS in web3:

“Fraud as a Service is a digital-business model in which, in exchange for compensation, one organization provides tools and services to other attackers to facilitate their commission of fraudulent activity online. FaaS can employ many different tactics in stealing crypto assets.”

That is the tricky part of FaaS scams: The way the scam plays out can take many forms.

What does Fraud as a Service mean?

Fraud as a Service is a similar model to the popular Software as a Service (SaaS) tech business model, but with a twist: in FaaS, the clients are all thieves, and the software that organizations rent to those clients is designed to help them steal crypto.

FaaS organizations focus on the part of the scam they do well and leave the rest to their customers. They provide the software that enables a scam, then sit back and let individual attackers do the work of luring crypto users to their phishing website.

With this setup, the individual thief doesn’t even need to know how to code to gain access to your wallet. If they can send a link, they can steal your crypto–with help from a FaaS purveyor.

Why do FaaS organizations do this? For a cut of the take, of course.

How does Fraud as a Service work?

The business model here is fairly simple. An entity offers to help attackers steal crypto assets. This FaaS operator might be an individual, a decentralized team, or a traditionally structured business–their organizational makeup doesn’t matter. What’s important is that they’re building software that defrauds crypto users, then making it available to attackers.

Let’s break this process down step-by-step:

Step 1: Fraud as a Service coders create the software

The FaaS operator does the technically demanding part of the scam–constructing malicious websites and smart contracts that will enable theft of crypto. Once they’ve created sites such as these, the FaaS organization makes them available to would-be attackers for a fee.

FaaS example: Inferno Drainer

One FaaS organization that popped up in 2023 is known as Inferno Drainer. By May 2023, the watchdog site Scam Sniffer reported nearly $6 million had been stolen using Inferno’s malicious smart contracts and phishing websites.

Inferno Drainer offers their software for use at a 20% commission for smart contracts, which rises to 30% if the attacker also wants them to spin up websites. You can see Inferno personnel apparently discussing their fee structure here:

We’re not talking about just a few fraudulent websites, either. Scam Sniffer’s research tracked nearly 700 phishing websites created with Inferno Drainer.

How does Inferno Drainer fool users? By making their phishing websites resemble those of legitimate web3 projects and platforms. Here are a few of the over 200 brands Scam Sniffer found Inferno Drainer’s malicious websites were imitating:

These familiar logos help build user confidence and more easily convince visitors to input their keys.

Step 2: Attackers promote the scam to steal crypto assets

Once the bogus smart contracts and fraudulent websites are set up, it’s up to the individual attackers to decide how to promote them. It’s their job to lure users to either use the contracts or visit the phishing sites where the contract may be set up.

You have to admit, it’s an attractive setup for criminals, because it’s ‘try before you buy.’

If the attacker doesn’t succeed in gaining access to users’ wallets and stealing their crypto, they owe the FaaS operator nothing. Bad actors can give this a whirl cost-free. They send out phishing links in various ways to see if they can drive some traffic to their Inferno Drainer sites. If it works, both the attacker and the FaaS group profit.

FaaS attacker example: 530K wallets targeted in fake airdrop

One popular way to get users to click is to send them an airdrop that appears to offer a valuable coin or NFT, which users must visit a website to claim.

For instance, an as-yet-unidentified Inferno Drainer client sent over 1,700 different malicious NFTs on Polygon to nearly 700,000 wallets, Scam Sniffer reported. The NFTs appeared to be from legitimate NFT projects such as UniSwap and ApeCoin, among others. One red flag, though: the link was always obscured using beacons or tinyurl.

Clicking the link led the user to visit a website to claim their NFT–but the sites were really phishing ploys created by Inferno Drainer.

Over 300 users fell for the scam, Scam Sniffer found. In all, crypto worth $1.3 million has been stolen by this attacker–so far. As we write, this Polygon NFT grift is still active and claiming more victims.

FaaS Attacker example: Fake_Phishing182232 targets Ethereum users

Another approach is for attackers to simply send out links to phishing websites via the social media channel of their choice–Telegram, Discord, Twitter, you name it. That appears to be the method employed by Ethereum wallet owner Fake_Phishing182232, who is using Inferno Drainer to steal crypto.

This bad actor stole valuable Bored Apes, Mutant Apes, Invisible Friends, and other NFTs, which they liquidated in early July ‘23 on Blur for $135,000. PeckShield’s analysis found that Fake_Phishing used Inferno Drainer sites to obtain the credentials needed to steal the NFTs.

Here’s a sample of Fake_Phishing’s stolen Bored Apes below–you can check the tweetstream #Fake_Phishing182232 for live updates on this attacker’s activities.

Step 3: Cash out–fast

Exactly how does a FaaS scam steal crypto? MetaSleuth noted that Inferno Drainer’s smart contract uses a deceptive ‘claim’ function to trick users into believing they are claiming some valuable crypto asset or service, when in fact it grants wallet access to attackers.

Then, the attacker accesses wallets, sends NFTs to their own wallet, and liquidates those NFTs quickly on Blur, the most popular place to sell stolen NFTs right now. Roughly half of stolen NFTs in June ‘23 were resold within 3 hours of being stolen.

To sum up the process to this point: An attacker can send a link, collect credentials, swipe NFTs, sell them, and vanish with the proceeds–all in just a few hours.

Step 4: Pay up

In the final step of this scam, the thief remits the 20%-30% commission they owe the FaaS company. For instance, this PeckShield alert describes how Fake_Phishing182232 apparently paid Inferno Drainer its cut in ETH for 16 NFTs it sold.

Step 5: Keep changing

How does a busy fraud organization that operates on a publicly viewable blockchain avoid getting shut down or perhaps even identified and arrested? Short answer: keep moving.

MetaSleuth noted in late June ‘23 that after 17 days in operation, Inferno Drainer changed both the operator it was using to liquidate its ill-gotten gains and the address of its smart contract on the blockchain. Changing up the mechanics of how it executes makes it harder to shut Inferno Drainer down.

FaaS attacks and the perils of staking

As you may have noticed in the PeckShield graphic above, engaging in NFT staking seems to put owners at more risk. Staking allows NFT owners to earn a return on their asset by pledging to keep the NFTs on a platform that offers rewards for doing so.

But staking also creates another point of entry where your wallet might be compromised. That’s because NFT staking involves connecting your NFT wallet to the platform. While you’re staking an NFT, you can’t sell it–but it can be stolen if the platform is compromised.

If you’re staking NFTs, know the risks. Be extremely wary of clicking links from anyone you don’t know, since staked NFTs seem to be a particular target of FaaS scams.

Don’t fall for FaaS attackers: our top prevention tips

Here at Dragonscale, we’re passionate about helping crypto users avoid losing their tokens to thieves. Here are our tips to keep your crypto assets safe:

  • Don’t click links from anyone you don’t know. Seriously, this one rule can save you so much grief. Understand that any number of bad actors are sending phishing links and airdropped offers to vast numbers of crypto users, every day. If you don’t know who it came from, assume it’s a scam. Never click.
  • Be suspicious of obscured links. Know that scammers often use services such as tinyurl that obscure the actual URL you’ll visit if you click. If you click a link and see it translating to an unexpected URL, bail out.
  • Verify what website you’re on. It’s fairly easy to steal a logo and make a website look like it’s run by a major corporation or big web3 project. When in doubt, navigate independently to that brand’s site to make any purchases rather than reaching it through a link.
  • Remember, a phishing link can come from anywhere. There is no communication channel that’s free of phishing–so whether you’re chatting on a Discord server or tweeting or reading your email, be on guard.
  • Don’t accept airdrops from strangers. Honest parties rarely send free NFTs out of the goodness of their heart without notifying you it’s going to happen. Legitimate NFT projects notify you ahead of time if they’re going to do an airdrop to their loyal users. If an airdrop comes out of the blue, assume it’s a scam. Again, don’t click.
  • Consider the pros and cons before you stake NFTs. With attackers targeting NFTs staked in hot wallets, you’ll have to weigh whether it’s worth the risk of theft or whether you’d be better off storing NFTs in a cold wallet.
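
The link checks from the tips above (obscured links, look-alike brand sites) can be automated before anyone clicks. The sketch below is an added example, not code from Scam Sniffer, PeckShield or any wallet vendor; the brand allowlist, the shortener list and the sample URLs in it are constructed assumptions that you should replace with lists you have verified yourself.

```python
import re
from urllib.parse import urlsplit

# Constructed sample lists (assumptions): maintain and verify your own.
OFFICIAL = {"uniswap": "uniswap.org", "apecoin": "apecoin.com"}
SHORTENERS = {"tinyurl.com", "beacons.ai"}

def edit_distance(a, b):
    """Levenshtein distance, to catch one-character misspellings of a brand."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_under(host, domain):
    """True only for the domain itself or a real subdomain of it."""
    return host == domain or host.endswith("." + domain)

def classify_link(url):
    """Return (verdict, reason) for a link, without fetching it."""
    parts = urlsplit(url if "://" in url else "https://" + url)
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return ("suspicious", "no hostname")
    if "@" in parts.netloc:
        # Anything before '@' is userinfo, not the site that will be loaded.
        return ("suspicious", "text before '@' is not the host; real host is " + host)
    if any(is_under(host, s) for s in SHORTENERS):
        return ("masked", "real destination is hidden behind " + host)
    for brand, domain in OFFICIAL.items():
        if is_under(host, domain):
            return ("official", brand)
    if any(label.startswith("xn--") for label in host.split(".")):
        return ("suspicious", "punycode label may imitate another name")
    # A brand name (or a near miss) anywhere outside its own domain is a red flag.
    for token in re.split(r"[.\-]", host):
        for brand in OFFICIAL:
            if brand in token or edit_distance(token, brand) <= 1:
                return ("lookalike", "uses or imitates '%s' outside its official domain" % brand)
    return ("unknown", "no listed brand involved; treat unsolicited links as untrusted")
```

An "unknown" verdict is not a clean bill of health: it only means none of the listed brands or shorteners was involved.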

The rise of FaaS is yet another reminder that if it sounds too good to be true–it is.

FaaS is here to stay

Particular scam-as-a-service projects may come and go–for instance, the Monkey Drainer scam we’ve previously reported on shut down in March 2023. But the model of fraud as a service is here to stay, and it enables rapid theft by many attackers based on widely distributed software.

There’s a lot of value at risk with FaaS scams. NFTs are a $200 billion market and only expected to keep on growing.

To safeguard your crypto assets, make it your business to scan the news and learn about attackers’ evolving methods. Be active in a web3 community that tracks and shares information about attacks, so you’re in the know and don’t lose your NFTs.
