Rise of Drainer-as-a-Service: A New Threat to Cryptocurrency Holders
Severity: High (Score: 64.5)
Sources: Bleepingcomputer
Keywords: inside, crypto, drainer, spot, before, empties, your
Summary
Cryptocurrency theft operations have evolved into structured underground services known as Drainer-as-a-Service (DaaS). These services rely on social engineering to lure victims to fake crypto-related websites, where they unknowingly connect their wallets. Once a wallet is connected, attackers can transfer its assets out within seconds. An analysis of 700 posts from underground forums revealed a professionalized ecosystem focused on affiliate growth and automation. The Lucifer DaaS platform exemplifies this trend, offering tools for phishing, wallet interaction, and transaction management. Victims are primarily targeted through phishing links and fake websites. These operations are growing in sophistication and pose significant risks to cryptocurrency users.

Key points:
- Drainer-as-a-Service (DaaS) platforms are increasingly professionalized, resembling legitimate businesses.
- Victims are tricked into connecting their wallets to fake crypto sites, leading to asset theft.
- The Lucifer DaaS platform showcases advanced techniques for phishing and wallet interaction.
Detailed Analysis
**Impact**
Cryptocurrency holders across multiple blockchains are targeted by Drainer-as-a-Service (DaaS) platforms, with victims losing tokens, NFTs, and other digital assets. The scope includes users engaging with fake crypto, NFT, airdrop, or DeFi websites globally. The business model affects both individual investors and DeFi platforms by undermining trust and causing direct financial losses. No specific geographic concentration or total loss figures were provided.

**Technical Details**
Attackers use social engineering via phishing links, fake websites, compromised social media accounts, ads, spam, and direct messages to lure victims into connecting their wallets and approving malicious transactions. The Lucifer DaaS platform automates wallet permission abuse, transaction approvals, and asset transfers across multiple blockchains, leveraging ERC20 approvals, Permit2, and off-chain signatures. The operation functions as a commission-based affiliate model, with operators maintaining the infrastructure and affiliates driving traffic. No CVEs or specific IOCs were disclosed.

**Recommended Response**
Monitor for phishing campaigns targeting wallet connections and for suspicious transaction approval requests on crypto-related platforms. Educate users to verify website authenticity before connecting a wallet or approving a transaction. Deploy detections for known phishing domains and block traffic from underground forums and Telegram channels linked to DaaS recruitment. No patches are applicable; focus on user awareness and network-level blocking of identified infrastructure.
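A defender-side pre-signing check for the approval patterns described above (unlimited ERC20 allowances, blanket NFT operator approvals, and Permit2 off-chain permits), added here as an example that is not code from the article or from the Flare analysis. The function selectors and the Permit2 contract address are the public ones; the sample spender and token addresses, the timestamps, and the 30-day lifetime threshold are constructed for this example.

```javascript
// Added defender-side example (not the article's code): inspect a wallet request before
// the user signs it and flag the approval patterns drainers abuse. Selectors are the first
// 4 bytes of keccak256(signature); PERMIT2 is Uniswap's canonical Permit2 deployment.
const APPROVE_SEL = "0x095ea7b3";              // approve(address,uint256)
const SET_APPROVAL_FOR_ALL_SEL = "0xa22cb465"; // setApprovalForAll(address,bool)
const PERMIT2 = "0x000000000022d473030f116ddee9f6b43ac78ba3";
const UINT256_MAX = (1n << 256n) - 1n;
const UINT160_MAX = (1n << 160n) - 1n;         // Permit2 amounts are uint160
const MAX_PERMIT_LIFETIME = 30 * 86400;        // constructed policy threshold (30 days)

// Read ABI word i (32 bytes) following the 4-byte selector; addrOf renders it as an address.
const word = (data, i) => BigInt("0x" + data.slice(10 + i * 64, 10 + (i + 1) * 64));
const addrOf = (w) => "0x" + w.toString(16).padStart(40, "0");

// eth_sendTransaction call object -> list of findings (empty means nothing flagged).
function inspectTransaction(tx) {
  const data = (tx.data || "0x").toLowerCase();
  const findings = [];
  if (data.length < 138) return findings;      // need selector + two ABI words
  const sel = data.slice(0, 10);
  if (sel === APPROVE_SEL) {
    const spender = addrOf(word(data, 0));
    if (word(data, 1) === UINT256_MAX) findings.push(`unlimited ERC20 allowance to ${spender}`);
    if (spender === PERMIT2) findings.push("ERC20 approved to Permit2: off-chain permits become possible");
  } else if (sel === SET_APPROVAL_FOR_ALL_SEL && word(data, 1) === 1n) {
    findings.push(`blanket NFT operator approval to ${addrOf(word(data, 0))}`);
  }
  return findings;
}

// eth_signTypedData_v4 payload -> findings for Permit2 PermitSingle / PermitBatch messages.
function inspectTypedData(typed, nowSec = Math.floor(Date.now() / 1000)) {
  const findings = [];
  if ((typed.domain?.verifyingContract || "").toLowerCase() !== PERMIT2) return findings;
  const list = typed.primaryType === "PermitBatch" ? typed.message.details : [typed.message.details];
  for (const d of list) {
    if (BigInt(d.amount) === UINT160_MAX) findings.push(`Permit2: unlimited ${d.token} allowance to ${typed.message.spender}`);
    if (Number(d.expiration) > nowSec + MAX_PERMIT_LIFETIME) findings.push(`Permit2: ${d.token} permit valid beyond 30 days`);
  }
  return findings;
}

// Constructed samples of the request types a drainer page typically emits.
const SPENDER = "0x1111111111111111111111111111111111111111";
const sampleApprove = { to: "0x2222222222222222222222222222222222222222",
  data: APPROVE_SEL + SPENDER.slice(2).padStart(64, "0") + "f".repeat(64) };
const NOW = 1700000000;                        // constructed "current time" in seconds
const samplePermit = { primaryType: "PermitSingle", domain: { name: "Permit2", chainId: 1, verifyingContract: PERMIT2 },
  message: { details: { token: "0x2222222222222222222222222222222222222222", amount: UINT160_MAX.toString(),
    expiration: String(NOW + 365 * 86400), nonce: "0" }, spender: SPENDER, sigDeadline: String(NOW + 1800) } };
```

A wallet extension or dapp front end would run these checks on every `eth_sendTransaction` and `eth_signTypedData_v4` request and surface the findings to the user before the prompt is confirmed.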
Source articles
- Inside a Crypto Drainer: How to Spot it Before it Empties Your Wallet — Bleepingcomputer · 2026-05-21
In recent years, cryptocurrency theft operations have evolved far beyond isolated phishing pages and fake NFT mint scams. What once consisted mainly of individual actors running malicious wallet-conne…
Timeline
- 2025-01-01 — Lucifer DaaS operations analyzed: Flare researchers examined 700 posts from underground forums detailing the workings of the Lucifer DaaS platform.
- 2026-05-21 — Article published detailing DaaS threats: BleepingComputer published an article outlining the rise of DaaS and its impact on cryptocurrency theft.
Related entities
- Phishing (Attack Type)
- Angel (Malware)
- Inferno (Malware)
- Lucifer (Malware)
- Lucifer Drainer (Malware)
- Vega (Malware)
- Venom (Malware)
- Ghost (Ransomware Group)
- Medusa (Ransomware Group)
- Monkey (Ransomware Group)
- Nova (Ransomware Group)
- T1566.002 - Spearphishing Link (Mitre Attack)
- T1566 - Phishing (Mitre Attack)
- Discord (Platform)
- Google Firebase (Platform)
- InterPlanetary File System (Platform)
- IPFS (Platform)
- Telegram (Platform)
- X/Twitter (Platform)