The Rise of Crypto Drainers: Easy-to-Use Malware in the IT Industry
Crypto drainers, malware built to empty cryptocurrency wallets, have shifted to a drainer-as-a-service (DaaS) model that lowers the technical bar for scammers with little expertise of their own. Groups such as CryptoGrab present themselves openly at IT conferences, operating from jurisdictions like Russia where the legal risk for cybercrime is minimal. Losses to drainers keep rising, recruitment of developers to build them is growing in Russian-speaking communities, and promotion of the malware is drifting back to the dark web after Telegram changed its data-sharing policy.
Crypto drainers, malware designed to steal cryptocurrencies, have recently moved to a software-as-a-service model known as drainer-as-a-service (DaaS). According to a report by AMLBot, criminals can now rent a drainer for 100 to 300 USDT, which makes it far easier for would-be scammers to get into cryptocurrency theft. The technical knowledge that was previously required to run such a scam has dropped substantially as a result.
Slava Demchuk, CEO of AMLBot, states that individuals looking to use drainers often join online communities to obtain guidance from experienced scammers. These communities provide resources, including tutorials, that help traditional phishing operators move into cryptocurrency scams. The user-friendly nature of DaaS has broadened the pool of criminals engaged in cryptocurrency theft.
Demchuk also observed that some drainer groups now display a bold professionalism, with operations such as CryptoGrab setting up booths at IT industry conferences. He highlighted that jurisdictions with minimal consequences for cybercrime, such as Russia, let these groups operate freely and without significant legal risk.
Cybersecurity reports point out that many ransomware strains go dormant if they detect that they are running in Russia, typically by checking the system language or installed keyboard layouts for Russian and other CIS locales rather than by geolocating the host. This reflects a protective strategy among Russian cybercriminals: avoid harming local citizens, and with them the attention of local law enforcement, while exploiting targets elsewhere in the world.
DaaS groups primarily find clients through established phishing networks, including both clearnet and darknet forums, as well as platforms like Telegram. The continuing rise in drainer-related losses, about $494 million in 2024, a 67% increase over the previous year, underscores the expanding scope of this illicit market, even though the number of victims grew only modestly; the average loss per victim is therefore rising.
There are also signs that developers are being deliberately recruited to build drainers. Job postings for scripts that empty cryptocurrency wallets were found mainly on Russian-speaking forums, pointing to an organised recruitment effort within these niche communities.
Promotion of this malware had moved from hidden deep-web forums to more accessible platforms like Telegram because of Telegram's earlier refusal to share user data. Telegram's 2024 policy change, under which it hands over users' IP addresses and phone numbers to authorities in response to valid legal requests, has unsettled these groups, and some of this content is returning to the darker corners of the web for better protection against law enforcement action.