The development of crypto drainers into a specialized, easily available software-as-a-service sector has made it possible for unskilled individuals to steal cryptocurrency.
As the ecosystem develops into a software-as-a-service (SaaS) business model, access to malware known as “crypto drainers,” which is designed to steal cryptocurrency, has become easier.
Many drainer operations have switched to a SaaS model called drainer-as-a-service (DaaS), according to a report published on April 22 by the crypto forensics and compliance company AMLBot. According to the report, malware distributors can rent a drainer for as little as $100 to $300 USDT.

Slava Demchuk, CEO of AMLBot, told Cointelegraph that “it used to take a fair amount of technical knowledge to get into the world of cryptocurrency scams.” That isn’t the case now.
Under the DaaS model, “getting started isn’t significantly more difficult than with other types of cybercrime,” he added.
Demchuk explained that would-be drainer users join online forums to pick up tips and tricks from more seasoned scammers. Many of the fraudsters who are active in traditional phishing campaigns move to the crypto drainer sector in this manner.
In Russia, cybercrime is practically legal
According to Demchuk, companies that provide cryptocurrency drainers as a service are becoming more daring and increasingly mimicking established companies.
He cited Russian cybercrime enforcement as the explanation for how a criminal operation may send representatives to IT industry gatherings without facing consequences, such as arrests.
“If you’re not operating across the post-Soviet space, you can do all of this in countries like Russia, where hacking is now practically legal,” he said.
For many years, the cybersecurity sector has kept the practice a secret. According to a 2021 article by cybersecurity news source KrebsOnSecurity, “virtually all ransomware strains” deactivate without causing damage if they identify installed Russian virtual keyboards.
Typhon Reborn v2, an information stealer, similarly compares the user’s IP geolocation to a list of post-Soviet nations. According to the networking company Cisco, the malware deactivates if it determines that it is located in one of those nations.
The explanation is straightforward: Russian authorities have demonstrated that they will take action if local hackers target individuals in the post-Soviet bloc.

Drainers continue to expand
Demchuk went on to say that DaaS companies typically find their customers in pre-existing phishing communities. These include Telegram groups and channels, gray market platforms, and black hat and gray hat forums on the clearnet (the conventional internet) and darknet (the deep web).
According to Scam Sniffer, drainers caused over $494 million in damages in 2024, a 67% increase over the year before, even though the number of victims increased by 3.7%.
According to cybersecurity behemoth Kaspersky, drainers are becoming more prevalent; in 2024, there were 129 darknet forums with resources devoted to them, up from 55 in 2022.
Ordinary job advertisements are frequently used to hire developers. The open-source intelligence investigator for AMLBot, who wishes to remain anonymous for security reasons, said that his team “did come across several job postings specifically targeting developers to build drainers for Web3 ecosystems” when investigating drainers.
The researcher also mentioned that advertisements similar to this one may be found in smart contract developers’ Telegram discussions. Although the discussions are small—typically consisting of 100 to 200 members—they are neither secret nor limited.
In the example, the announcement was promptly removed by administrators. However, as is frequently the case, “those who needed to see it had already taken note and responded.”
Historically, this type of activity was carried out on deep web forums and specialized clearnet forums that were reachable via the Tor network. However, the investigator explained that a large portion of the content moved to Telegram because of its policy against sharing data with authorities.