Revealing Scam as a Service: Inferno Drainer Gang Resurfaces, Phishing Attack Losses Exceed $243 Million

The Industrialization of Phishing Attacks in the Encryption World: Analyzing the "Fraud as a Service" Ecosystem

Since June 2024, the security team has monitored a large number of similar phishing transactions, with the amount involved exceeding $55 million in just the month of June. As August and September approached, related phishing activities became more frequent, showing an escalating trend. In the third quarter of 2024, phishing attacks have become the attack method causing the greatest economic losses, with over $243 million gained from 65 attacks. Analysis shows that the recent surge in phishing attacks is likely related to the notorious phishing tool team Inferno Drainer. This team had made a high-profile announcement of "retirement" at the end of 2023, but now seems to be making a comeback, planning a series of large-scale attacks.

This article will analyze the typical methods of operation used by phishing gangs such as Inferno Drainer and Nova Drainer, and will detail their behavioral characteristics to help users improve their ability to recognize and prevent phishing scams.

Revealing the Scam-as-a-Service Ecosystem: The Industrialization of Phishing Attacks in the Encryption World

Scam-as-a-Service Overview

In the field of cryptocurrency, some phishing teams have invented a new malicious model called "scam-as-a-service." This model packages scam tools and services and offers them to other criminals in a commoditized manner. Inferno Drainer is a typical representative in this field, with a scam amount exceeding $80 million during the period from November 2022 to November 2023 when they first announced the shutdown of their services.

Inferno Drainer helps buyers quickly launch attacks by providing ready-made phishing tools and infrastructure, including phishing website front and back ends, smart contracts, and social media accounts. Phishers who purchase the service retain most of the ill-gotten gains, while Inferno Drainer charges a commission of 10%-20%. This model significantly lowers the technical barrier for scams, making cybercrime more efficient and scalable, leading to a surge in phishing attacks within the encryption industry, especially targeting users who lack security awareness.

![Unveiling the Scam-as-a-Service Ecosystem: The Industrialization of Phishing Attacks in the Encryption World](https://img-cdn.gateio.im/webp-social/moments-31ebce45c9c02effbe933263e3e79253.webp)

The Operating Mechanism of Fraud as a Service

Before introducing scam-as-a-service, let's first understand the workflow of a typical decentralized application (DApp). A typical DApp usually consists of a front-end interface (such as a web page or mobile application) and smart contracts on the blockchain. The user connects a blockchain wallet to the DApp's front end; the front end then builds the corresponding blockchain transaction and hands it to the user's wallet. The user reviews, signs and approves the transaction in the wallet. Once signed, the transaction is broadcast to the blockchain network, and the corresponding smart contract is called to execute the requested functionality.

Phishing attackers cleverly induce users to perform unsafe operations by designing malicious front-end interfaces and smart contracts. Attackers often guide users to click on malicious links or buttons, deceiving them into approving hidden malicious transactions, and in some cases, directly tricking users into revealing their private keys. Once users sign these malicious transactions or expose their private keys, attackers can easily transfer the users' assets to their own accounts.

Common phishing methods include:

  1. Counterfeit well-known project front-end: Attackers meticulously imitate the official website of well-known projects, creating seemingly legitimate front-end interfaces that lead users to mistakenly believe they are interacting with a trusted project, thereby lowering their guard, connecting their wallets, and executing unsafe operations.

  2. Token Airdrop Scams: Attackers extensively promote phishing websites on social media, claiming to have highly attractive opportunities such as "free airdrops", "early presales", and "free NFT minting", luring victims to click on the links. Once victims are attracted to the phishing site, they often unconsciously connect their wallets and approve malicious transactions.

  3. False hacker incidents and reward scams: Cybercriminals claim that a well-known project has been hacked or its assets frozen, and are now distributing compensation or rewards to users. They attract users to phishing sites through these fake emergencies, deceiving them into connecting their wallets, ultimately stealing user funds.

Phishing scams are not a new tactic; they were already common before 2020. However, the emergence of the scam-as-a-service model has significantly fueled the rise of phishing scams over the past two years. Before scam-as-a-service, a phishing attacker had to prepare on-chain startup funds and build a front-end website and smart contracts for each attack. Although most of these phishing sites are poorly constructed and can be turned into a new scam project by taking a template and making simple modifications, operating and maintaining the website and designing its pages still require a certain level of technical expertise. Scam-as-a-service providers like Inferno Drainer remove that technical barrier entirely: they create and host phishing websites for buyers who lack the necessary skills, and take a cut of the proceeds.

![Unveiling the Scam-as-a-Service Ecosystem: The Industrialization of Phishing Attacks in the Encryption World](https://img-cdn.gateio.im/webp-social/moments-71339ab524e62b1626101960c5a90035.webp)

The Profit Distribution Mechanism of Inferno Drainer

On May 21, 2024, Inferno Drainer publicly announced a signature verification message on etherscan, declaring its return and creating new social media channels.

A certain address has conducted a large number of transactions with similar patterns. After analyzing and investigating these transactions, we believe they are the transactions Inferno Drainer uses to move funds and distribute the loot once a victim has been hooked. Taking one of this address's transactions as an example:

  1. Inferno Drainer creates a contract through CREATE2. CREATE2 is an instruction in the Ethereum Virtual Machine used to create smart contracts. Compared to the traditional CREATE instruction, the CREATE2 instruction allows for the pre-calculation of a contract's address based on the smart contract's bytecode and a fixed salt. Inferno Drainer takes advantage of the properties of the CREATE2 instruction to pre-calculate the address of the loot-sharing contract for buyers of the phishing service, and only creates the loot-sharing contract after the victim has been hooked, completing the token transfer and loot-sharing operation.

  2. Call the created contract to approve the victim's tokens to the phishing address (the buyer of the Inferno Drainer service) and the loot address. The attacker uses various phishing methods to guide the victim into inadvertently signing a malicious Permit2 message. Permit2 allows users to authorize token transfers via signature without directly interacting with their wallet. As a result, the victim mistakenly believes they are only participating in a regular transaction or authorizing some harmless operation, while in reality, they are unknowingly granting their tokens to an address controlled by the attacker.

  3. Transfer a certain amount of tokens to the two sharing addresses in succession, and transfer the remaining tokens to the buyer to complete the distribution.

It is worth mentioning that many blockchain wallets now implement anti-phishing or similar functions, but in many wallets these features rely on blacklists of domains or blockchain addresses. Inferno Drainer can partially bypass such anti-phishing functions by deferring the creation of the contract until the loot is distributed, which further lowers the victim's vigilance: at the moment the victim approves the malicious transaction, the contract does not yet exist on chain, so there is no deployed code or transaction history at that address for a blacklist or an analyst to examine. In this transaction, the buyer of the phishing service took away 82.5% of the stolen funds, while Inferno Drainer retained 17.5%.

![Revealing the Scam-as-a-Service Ecosystem: The Industrialization of Phishing Attacks in the Encryption World](https://img-cdn.gateio.im/webp-social/moments-daeee0e1e38cead78e0479f0e9997f2a.webp)

Simple Steps to Create a Phishing Website

With the help of scam-as-a-service, it has become exceptionally easy for attackers to create a phishing website:

  1. Enter the service provider's social media channel, and with just a simple command, you can create a free domain name and the corresponding IP address.

  2. Choose one from the hundreds of templates provided by the service provider, then enter the installation process, and a few minutes later, a seemingly legitimate phishing site is created.

  3. Find the victims. Once a victim enters the website, believes the fraudulent information on the page, and connects their wallet to approve the malicious transaction, the victim's assets will be transferred.

With the help of scam-as-a-service, an attacker can create a phishing website like this in just three steps, taking only a few minutes.

![Revealing the Scam-as-a-Service Ecosystem: The Industrialization of Phishing Attacks in the Encryption World](https://img-cdn.gateio.im/webp-social/moments-0d22fc86dc5998c22f0eb33adf31cea3.webp)

Summary and Security Recommendations

The return of Inferno Drainer undoubtedly poses a huge security risk for industry users. Its powerful features, covert attack methods, and extremely low crime costs make it one of the preferred tools for cybercriminals to carry out phishing attacks and fund theft.

When users participate in cryptocurrency trading, they need to remain vigilant at all times and keep the following points in mind:

  • Beware of free lunches: Do not believe any "pie falling from the sky" promotion, such as a suspicious free airdrop or compensation; only trust official websites or projects that have undergone professional audits.
  • Carefully check the link: Before connecting your wallet to any website, check the URL closely to see whether it mimics a well-known project, and use a WHOIS domain lookup tool to check its registration date. A website registered only a short time ago is likely a fraudulent project.
  • Protect private information: Never submit your mnemonic phrase or private key to any suspicious website or app. Before signing any message or approving any transaction in the wallet, check carefully whether it is a Permit or Approve operation that could lead to a loss of funds.
  • Keep up with scam alerts: Follow official social media accounts that regularly publish warnings. If you find that you have inadvertently authorized tokens to a scam address, revoke the authorization promptly or move the remaining assets to another secure address.
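The "check whether it is an Approve operation" advice can be automated at signing time. The following is an added example, not code from the article or from any wallet, of a pre-signature check on ERC-20 `approve(address,uint256)` calldata: it decodes the spender and amount, flags an unlimited allowance, flags a spender that has no code on chain (an EOA, or a contract that has not been deployed yet, which is exactly the state of a pre-computed CREATE2 address before the hook), and flags a spender missing from the wallet's allowlist. The selector and ABI layout are standard; the sample calldata and the `code_size_of` lookup (a stand-in for `eth_getCode`) are constructed here.

```python
APPROVE_SELECTOR = bytes.fromhex("095ea7b3")        # first 4 bytes of keccak256("approve(address,uint256)")
MAX_UINT256 = (1 << 256) - 1

def decode_approve(calldata: bytes):
    """Return (spender, amount) for an ERC-20 approve() call, or None if it is not one."""
    if len(calldata) != 68 or calldata[:4] != APPROVE_SELECTOR:
        return None
    spender = "0x" + calldata[16:36].hex()           # address is right-aligned in its 32-byte word
    amount = int.from_bytes(calldata[36:68], "big")
    return spender, amount

def assess_approve(calldata: bytes, code_size_of, trusted_spenders) -> list:
    """Findings a wallet could surface before the user signs.
    code_size_of(address) -> int stands in for the length of eth_getCode."""
    decoded = decode_approve(calldata)
    if decoded is None:
        return []
    spender, amount = decoded
    findings = []
    if amount == MAX_UINT256:
        findings.append("unlimited allowance requested")
    if code_size_of(spender) == 0:
        findings.append("spender has no code on chain: an EOA or a contract not yet deployed")
    if spender.lower() not in {t.lower() for t in trusted_spenders}:
        findings.append("spender is not on the wallet's allowlist")
    return findings

# Constructed sample: approve(<placeholder spender>, MAX_UINT256) where the spender has no code.
SAMPLE_SPENDER = "0x" + "ab" * 20                    # placeholder, not a real address
SAMPLE_CALLDATA = (APPROVE_SELECTOR + bytes(12) + bytes.fromhex("ab" * 20)
                   + MAX_UINT256.to_bytes(32, "big"))
CONSTRUCTED_CODE_SIZES = {SAMPLE_SPENDER: 0}         # constructed stand-in for chain state

def demo() -> list:
    return assess_approve(SAMPLE_CALLDATA, lambda a: CONSTRUCTED_CODE_SIZES.get(a, 0), set())
```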

![Revealing the Scam-as-a-Service Ecosystem: The Industrialization of Phishing Attacks in the Encryption World](https://img-cdn.gateio.im/webp-social/moments-778ec30657bca8d7c8d23eecba03d2f1.webp)

WalletsWatchervip
· 10h ago
Virtue makes it seem like a legitimate business.
0xInsomniavip
· 20h ago
Retired and still trying to make money, what’s going on?
gaslight_gasfeezvip
· 20h ago
Made a lot of money again?
DeFiDoctorvip
· 20h ago
Another case of collective illness, the data for consultations is out of control.