New research by SentinelLabs has shed light on the rising trend of Drainer-as-a-Service (DaaS). This new form of cybercriminal activity plays a significant role in recent high-profile social media account takeovers, such as those of the U.S. Securities and Exchange Commission (SEC) and Mandiant, where malicious content has been spread with the aim of stealing cryptocurrency.
Crypto drainers and Drainers as a Service, although in existence since at least 2021, have received little attention until recently. Crypto drainers are malicious tools or scripts specifically designed to transfer cryptocurrency from a victim's wallet to one controlled by a cyber attacker. In 2021, drainers targeted platforms such as MetaMask and were advertised on underground forums.
DaaS has become a prevalent model, with vendors offering software and support to cybercriminals in exchange for a percentage of the stolen assets. The stolen cryptocurrency is split between 'affiliates' (users of the DaaS) and the DaaS operators, with the latter typically receiving between 5% and 25% depending on the services rendered.
The impact of these attacks can be monumental, especially when high-profile social media accounts are commandeered. Both Mandiant and the SEC have recently been victimised through this method, with attackers using those platforms to disseminate malicious content to large audiences under the guise of a reliable source. Other victims of these takeovers include CertiK and Bloomberg Crypto. In December, a crypto drainer reportedly stole $59 million from 63,000 individuals using more than 10,000 phishing websites.
The methodology usually begins with a brute-force password attack, in which the attacker systematically tries every possible password. Accounts lacking two-factor or multi-factor authentication are particularly at risk. Once a cybercriminal gains access to the account, they share phishing links to websites hosting drainers. The misleading content often offers free items or rewards to users who visit the site and sign a transaction, ensnaring victims who connect their wallets under false pretences.
SentinelLabs pointed out the rising prominence of crypto drainers since 2023, with many increasingly advertised across underground markets and Telegram channels. Within the research, Mandiant identified Chick Drainer and Rainbow Drainer as two DaaS offerings using CLINKSINK; however, it's suspected that the CLINKSINK source code may have leaked and be in use by multiple other threat actors.
Despite crypto drainers primarily targeting individuals, SentinelLabs has emphasised that enterprises and organisations should remain vigilant since their social media accounts can become part of the attack chain. Units within an organisation that deal with cryptocurrency assets could also find themselves at risk.
To address and mitigate the threat of drainer attacks, it's recommended that all social media accounts have two-factor or multi-factor authentication enabled. SentinelLabs also advises cryptocurrency users to exercise caution with NFTs, 'airdrops', and other crypto advertisements, much as they would with emails and other communication channels. Adopting hardware-based wallets for extra security has also been suggested.