Hackers Steal $9 Million from Crypto Wallets in Six Months
One of the most sophisticated families of cryptocurrency-stealing malware, Inferno Drainer, has resumed its activity despite publicly announcing its shutdown in November 2023. According to research by Check Point Research (CPR), hackers using this tool have stolen over $9 million from more than 30,000 cryptocurrency wallets over the past six months. The new version of the malware has received significant improvements, including single-use smart contracts and encrypted configurations, making it even more dangerous. The malicious campaign is now actively using phishing against Discord users, redirecting them to fake websites to steal cryptocurrency assets.
Evolution of Inferno Drainer: Return with New Capabilities
Check Point Research specialists have discovered that Inferno Drainer smart contracts deployed back in 2023 continue to function to this day, while the current version of the malware has been substantially improved compared to the previous iteration. A CPR representative told Decrypt that data on the scale of the attack was obtained “from reverse-engineering the drainer’s JavaScript code, decrypting its configuration received from the C&C server, and analyzing its on-chain activity.” The majority of observed attacks occurred on Ethereum and Binance Chain.
According to the researchers’ report, the new version of the malware possesses several advanced characteristics that significantly complicate its detection and neutralization:
- Single-use smart contracts — a unique contract is created for each attack, making it difficult to identify patterns and block known malicious addresses.
- On-chain encrypted configurations — the malware settings are stored in encrypted form directly on the blockchain, making them difficult to distinguish from legitimate transactions.
- Command-and-control server communication obfuscation — the use of proxy systems to mask communication with command servers significantly complicates tracking the attackers’ infrastructure.
“We’re observing a qualitative leap in the technical complexity of cryptocurrency-stealing malware,” comments Anna Kovaleva, head of cybersecurity at consulting company BlockSec. “Inferno Drainer demonstrates all the signs of a professionally developed solution created by a team with a deep understanding of both blockchain technologies and security bypass methods.”
According to experts, the fact that Inferno Drainer has returned after publicly announcing the end of its activities highlights the profitability of such attacks and indicates a possible change in tactics by the malware developers—instead of directly selling malicious tools as a service (MaaS, Malware-as-a-Service), they may have transitioned to a more closed model of exploiting their product.
Discord Phishing Campaign: How the Attacks Work
The resurgence of Inferno Drainer is accompanied by a large-scale phishing campaign targeting Discord users. According to CPR analysts, attackers are using social engineering methods to redirect victims from legitimate Web3 project sites to counterfeit resources mimicking the verification interface of a popular Discord bot—Collab.Land.
The attack scheme looks as follows:
- A user visits a legitimate Web3 project site, which has presumably been compromised or contains malicious links.
- From there, the victim is redirected to a fake site imitating the verification process through Collab.Land—a bot widely used in Discord communities to verify NFT or token ownership.
- The fake site contains an embedded cryptocurrency drainer that tricks users into signing malicious transactions, giving attackers access to their funds.
“What makes this attack particularly dangerous is that the fake Collab.Land bot has only ‘subtle visual differences’ from the real one,” explains Dmitry Volkov, information security specialist. “Since the legitimate Collab.Land service does require users to verify their wallet by signing, even experienced cryptocurrency users may lower their guard when interacting with the fake bot.”
By combining “targeted deception and effective social engineering tactics,” the malicious campaign has generated a “stable financial flow identified through blockchain transaction analysis,” CPR analysts note.
Growing Sophistication of Cryptocurrency Threats and Precautionary Measures
The revival of Inferno Drainer is just one of many cases of cryptocurrency-stealing malware to surface in recent months. Hackers are adopting increasingly sophisticated methods to distribute malicious programs, targeting hacked mailing lists, open-source Python libraries, and even preloading trojans on counterfeit Android phones.
“In 2025, we’re observing a significant increase in the complexity of attack vectors on cryptocurrency owners,” notes Sergei Ivanov, director of research at CryptoDefense. “While previously most attacks were based on simple phishing sites or compromise of private keys, now attackers are actively using multi-stage complex schemes, including smart contract manipulation, targeted phishing, and exploitation of trust in popular services.”
Analysts recommend that cryptocurrency users exercise extra caution when interacting with unfamiliar platforms:
- Carefully check URL addresses — even minor changes in a website address may indicate a phishing page.
- Use hardware wallets — they provide an additional layer of protection by requiring physical confirmation of transactions.
- Carefully review transaction signing requests — pay special attention to requested permissions and potential risks.
- Don’t trust links in Discord messages — even if they appear to be sent by familiar members or administrators.
- Use separate wallets with limited funds for interacting with new or unverified projects.
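The two recommendations above that a wallet can partly automate are the URL check and the review of a signing request. The following JavaScript is an added illustration of that pre-signing review, not code from Check Point Research, Collab.Land or any real wallet. The article does not say which call types Inferno Drainer asks victims to sign; this example assumes the common pattern of an ERC-20 `approve()`, an ERC-721/1155 `setApprovalForAll()` or an EIP-2612 `Permit` signature, and decodes those requests by hand so a reviewer can see exactly what permission is being granted. The request shape, the trusted-host list, the addresses and the lookalike origin are all constructed for the example.

```javascript
// Added illustrative example (not Check Point's or any wallet's real code):
// a pre-signing review of a dApp request, the kind of check a wallet or
// browser extension could run before it shows the user an "approve" button.
// Assumption (not stated in the article): the malicious request is an
// ERC-20 approve(), an ERC-721/1155 setApprovalForAll() or an EIP-2612
// Permit signature. The 4-byte selectors below are those standard functions'
// real identifiers.

const SELECTOR_APPROVE = "0x095ea7b3";             // approve(address,uint256)
const SELECTOR_SET_APPROVAL_FOR_ALL = "0xa22cb465"; // setApprovalForAll(address,bool)
const MAX_UINT256 = (1n << 256n) - 1n;

// Read the i-th 32-byte ABI word that follows the 4-byte selector.
function abiWord(data, i) {
  const start = 10 + i * 64; // "0x" + 8 hex chars of selector
  const word = data.slice(start, start + 64);
  if (word.length !== 64) throw new Error("calldata too short for argument " + i);
  return word;
}
const asAddress = (word) => "0x" + word.slice(24); // last 20 bytes of the word
const asUint = (word) => BigInt("0x" + word);

// Normalise the requesting page's host: lower-case and drop a leading "www.".
function normalizeHost(origin) {
  return new URL(origin).hostname.toLowerCase().replace(/^www\./, "");
}

// Review one request. `req` mirrors an EIP-1193 JSON-RPC call plus the page
// origin that issued it. Returns findings for the user; it never signs anything.
function reviewRequest(req, trustedHosts) {
  const findings = [];
  const host = normalizeHost(req.origin);
  if (!trustedHosts.map((h) => h.toLowerCase()).includes(host)) {
    findings.push(`origin "${host}" is not a known host for this service`);
  }

  if (req.method === "eth_sendTransaction") {
    const data = (req.params[0].data || "0x").toLowerCase();
    const selector = data.slice(0, 10);
    if (selector === SELECTOR_APPROVE) {
      const spender = asAddress(abiWord(data, 0));
      const amount = asUint(abiWord(data, 1));
      if (amount === MAX_UINT256) {
        findings.push(`unlimited ERC-20 allowance requested for ${spender}`);
      } else if (amount > 0n) {
        findings.push(`ERC-20 allowance of ${amount} requested for ${spender}`);
      }
    } else if (selector === SELECTOR_SET_APPROVAL_FOR_ALL) {
      const operator = asAddress(abiWord(data, 0));
      if (asUint(abiWord(data, 1)) === 1n) {
        findings.push(`setApprovalForAll gives ${operator} control of the whole collection`);
      }
    }
  } else if (req.method === "eth_signTypedData_v4") {
    // EIP-712 typed data arrives as a JSON string in params[1].
    const typed = JSON.parse(req.params[1]);
    if (typed.primaryType === "Permit" && BigInt(typed.message.value) === MAX_UINT256) {
      findings.push(`Permit signature would grant ${typed.message.spender} an unlimited allowance`);
    }
  }
  return { risk: findings.length ? "high" : "low", findings };
}

// Constructed sample requests; addresses are placeholders, not real contracts.
const TRUSTED_HOSTS = ["collab.land"];
const SPENDER_HEX = "1111111111111111111111111111111111111111";

// Lookalike origin asking for an unlimited ERC-20 allowance.
const unlimitedApprove = {
  origin: "https://collab-land-verify.example", // constructed lookalike host
  method: "eth_sendTransaction",
  params: [{ to: "0x2222222222222222222222222222222222222222",
             data: "0x095ea7b3" + SPENDER_HEX.padStart(64, "0") + "f".repeat(64) }],
};
// Same origin asking for operator rights over an entire NFT collection.
const approvalForAll = {
  origin: "https://collab-land-verify.example",
  method: "eth_sendTransaction",
  params: [{ to: "0x2222222222222222222222222222222222222222",
             data: "0xa22cb465" + SPENDER_HEX.padStart(64, "0") + "1".padStart(64, "0") }],
};
// Plain ownership-proof signature from the expected host: nothing to flag.
const benignSign = {
  origin: "https://www.collab.land",
  method: "personal_sign",
  params: ["0x566572696679", "0x4444444444444444444444444444444444444444"],
};

console.log(JSON.stringify(reviewRequest(unlimitedApprove, TRUSTED_HOSTS)));
console.log(JSON.stringify(reviewRequest(benignSign, TRUSTED_HOSTS)));
```

The decoder deliberately reads raw calldata rather than trusting a dApp-supplied description: the fake verification page controls everything the user sees, so the only facts a wallet can rely on are the origin it observed and the bytes it is being asked to sign. A real wallet would also resolve the `to` address against a token list and show the human-readable method name alongside these findings.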
Given that cybercriminals will “continue refining their imitation” of legitimate services, verifying authenticity before connecting wallets to any service becomes especially important.
“This situation once again emphasizes that the main attack vector in the cryptocurrency sphere remains the human factor,” concludes Marina Petrova, blockchain project security expert. “Even the most secure blockchain is powerless against a user who voluntarily signs a malicious transaction. Education and constant vigilance remain key factors of protection.”
As the cryptocurrency industry continues to grow and attract new users, further complication of malicious campaigns can be expected. The case of Inferno Drainer demonstrates that even the public “closure” of a malicious project does not guarantee the cessation of its activities, but may only signal a tactical regrouping and transition to more covert operations.