Crypto-stealing malware Inferno Drainer remains in operation despite publicly shutting down—and has been used to snatch over $9 million from crypto wallets over the past six months.

According to cybersecurity firm Check Point Research, over 30,000 crypto wallets have been drained by the resurgent malware campaign, whose developers claimed to have ceased operations in November 2023.

A spokesperson for CPR told Decrypt that the figure was based on "data obtained from reverse-engineering the drainer's JavaScript code, decrypting its configuration received from the C&C server, and analyzing its on-chain activity." The majority of observed activity was on Ethereum and Binance Chain, they added.

CPR analysts reported that Inferno Drainer smart contracts deployed in 2023 are still active to this day, while the current version of the malware appears to be an improved version of the previous iteration.

The malware is reportedly now able to use single-use smart contracts and on-chain encrypted configurations, making it far harder to detect and prevent attacks. In addition, command-and-control server communication has been obfuscated via proxy-based systems, meaning tracking has become even more difficult.

Inferno Drainer's resurgence comes alongside a phishing campaign targeting Discord users. According to CPR analysts, the campaign leveraged social engineering techniques to redirect users from a legitimate Web3 project's website to a counterfeit site mimicking the verification UX of the popular Discord bot Collab.Land. The fake Collab.Land site hosted a cryptocurrency drainer, which tricked victims into signing malicious transactions—enabling attackers to gain access to their funds.

By combining “targeted deception and effective social engineering tactics,” the malware campaign has generated a “stable financial flow identified through blockchain transaction analysis,” CPR analysts said.

Crypto users are advised to exercise extra caution whenever they interact with unfamiliar platforms. The fake Collab.Land bot identified by CPR showed only “subtle visual differences” from the legitimate bot, and the cybercriminals behind the deception are likely to “continue refining their imitation,” the researchers said.

Because the legitimate Collab.Land service requires users to verify their wallet by signing, they noted, “even experienced cryptocurrency users may lower their guard” when presented with the fake bot—making it even more important to verify authenticity before connecting wallets to any service.
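The drainer described above works by getting the victim to sign something that hands spending rights to an attacker-controlled address: an ERC-20 `approve` or `increaseAllowance` with an effectively unlimited amount, an ERC-721 `setApprovalForAll(true)`, or an off-chain EIP-2612 `Permit` signature that never shows up as a transaction at all. The following is an added example, not code from the article or from Check Point Research, of the pre-signing check a wallet or browser extension can run on a pending request so that the user sees a plain-language warning before signing. The function selectors are the standard Keccak-derived ones; the spender address, the "known contracts" list and the sample requests are constructed for the demo.

```javascript
// Defender-side inspection of a pending wallet signing request.
// Standard 4-byte selectors for the approval functions drainers rely on.
const SELECTORS = {
  "0x095ea7b3": "approve(address,uint256)",
  "0xa22cb465": "setApprovalForAll(address,bool)",
  "0x39509351": "increaseAllowance(address,uint256)",
};

const MAX_UINT256 = (1n << 256n) - 1n;
// Anything above 2^128 tokens is "unlimited" for every real-world token supply.
const UNLIMITED_THRESHOLD = 1n << 128n;

// Return the i-th 32-byte ABI word of calldata (hex string without 0x, selector first).
function word(data, i) {
  return data.slice(8 + i * 64, 8 + (i + 1) * 64);
}

// Inspect an eth_sendTransaction payload. knownContracts is the user's own
// allow-list of spender addresses (constructed for the demo; lowercase hex).
function inspectTransaction(tx, knownContracts = new Set()) {
  const findings = [];
  const data = (tx.data || "0x").toLowerCase().replace(/^0x/, "");
  if (data.length < 8 + 2 * 64) return findings; // plain transfer or unrelated call
  const fn = SELECTORS["0x" + data.slice(0, 8)];
  if (!fn) return findings;

  // The address argument is right-aligned in the first 32-byte word.
  const spender = "0x" + word(data, 0).slice(24);
  if (fn === "setApprovalForAll(address,bool)") {
    if (BigInt("0x" + word(data, 1)) === 1n) {
      findings.push({ severity: "high",
        reason: `setApprovalForAll grants operator rights over every token in the collection to ${spender}` });
    }
  } else {
    const amount = BigInt("0x" + word(data, 1));
    if (amount >= UNLIMITED_THRESHOLD) {
      const shown = amount === MAX_UINT256 ? "MAX_UINT256" : amount.toString();
      findings.push({ severity: "high",
        reason: `${fn} with effectively unlimited allowance (${shown}) to ${spender}` });
    }
  }
  if (findings.length > 0 && !knownContracts.has(spender)) {
    findings.push({ severity: "medium",
      reason: `spender ${spender} is not on the user's list of known contracts` });
  }
  return findings;
}

// Inspect an eth_signTypedData_v4 payload. An EIP-2612 Permit is an approval
// that costs the attacker nothing and produces no on-chain transaction until
// the spender redeems it, so it deserves the same scrutiny as approve().
function inspectTypedData(typedData) {
  const findings = [];
  const msg = typedData.message || {};
  if (typedData.primaryType !== "Permit" || msg.value === undefined) return findings;
  if (BigInt(msg.value) >= UNLIMITED_THRESHOLD) {
    findings.push({ severity: "high",
      reason: `Permit signature grants ${msg.spender} an unlimited allowance off-chain` });
  }
  if (msg.deadline !== undefined && BigInt(msg.deadline) >= UNLIMITED_THRESHOLD) {
    findings.push({ severity: "medium", reason: "Permit deadline never expires" });
  }
  return findings;
}

// Collapse findings into the wallet's decision: block, warn or allow.
function riskLevel(findings) {
  if (findings.some(f => f.severity === "high")) return "block";
  if (findings.some(f => f.severity === "medium")) return "warn";
  return "ok";
}

// Constructed sample: an unlimited approve() to an unknown spender.
const DEMO_SPENDER = "0x1111111111111111111111111111111111111111";
const DEMO_APPROVE_TX = {
  to: "0x2222222222222222222222222222222222222222", // constructed token address
  data: "0x095ea7b3" + "0".repeat(24) + DEMO_SPENDER.slice(2) + "f".repeat(64),
};

module.exports = { inspectTransaction, inspectTypedData, riskLevel, DEMO_APPROVE_TX, DEMO_SPENDER };
```

The check deliberately keys on what the signature grants (scope and amount), not on who asks for it, because the fake Collab.Land page looks like the real one; a legitimate verification flow needs a signature proving wallet ownership, never an unlimited token allowance, so a request for one in that context is the tell regardless of how convincing the site is.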

The revival of Inferno Drainer is just one of a number of malware campaigns to surface in recent months. Hackers are adopting increasingly sophisticated techniques to deliver crypto-stealing malware, targeting hacked mailing lists, open-source Python libraries and even preloading trojans on counterfeit Android phones.
