Check Point Research revealed a sophisticated phishing campaign using Discord to target crypto users via fake Collab.Land bots and phishing sites linked to Inferno Drainer. Despite shutdown claims, Inferno Drainer evolved with stealthy smart contracts, leading to over $9 million stolen from 30,000+ wallets in six months. (Affected: Cryptocurrency users, Discord platforms, Web3 environments)
Key points:
- Inferno Drainer phishing campaign abuses Discord and fake Collab.Land bots to steal crypto wallets’ funds.
- Attackers hijack expired vanity Discord invite links to lure victims into malicious servers.
- Multi-layer obfuscation, encrypted smart contract configs, and proxied communication evade detection.
- Short-lived single-use smart contracts bypass wallet security and anti-phishing blacklists.
- Over 30,000 wallets compromised in 6 months, with financial losses exceeding $9 million.
- Phishing sites use Discord's OAuth2 flow with time-limited authorization tokens for stealth.
- Malicious fake token (ERC-20) smart contracts trick users into signing transactions draining their assets.
- Stolen funds are aggregated in Receiver contracts and split between the drainer's operators and their customers.
- Cloudflare Workers and customer-hosted proxies hide attackers’ infrastructure.
- Attackers continuously rotate domains, smart contract addresses, and wallet accounts for evasion.
MITRE Techniques:
- Spearphishing via Service (T1566.001) – Using phishing links and fake Discord bots within targeted crypto communities to redirect victims.
- Drive-by Compromise (T1189) – Redirecting from legitimate Web3 websites to phishing sites hosting malicious drainers.
- Abuse Elevation Control Mechanism (T1548) – Exploitation of OAuth2 to gain unauthorized access to Discord user data without direct prompts.
- Obfuscated Files or Information (T1027) – Employing heavy multi-layered JavaScript obfuscation and encryption to hinder detection and reverse engineering.
- Deobfuscate/Decode Files or Information (T1140) – Use of encrypted smart contract configurations and encoded payloads to prevent analysis.
- Use Alternate Authentication Material (T1550) – Using intercepted OAuth2 authorization codes and JWT tokens to authenticate victims stealthily.
- Proxy Execution (T1090) – Utilizing customer-installed PHP proxies to hide real command and control server addresses.
- Access Token Manipulation (T1110) – Abusing blockchain wallet permissions by tricking victims into signing malicious transactions granting token spending rights.
- Persistence via Smart Contracts (T1606) – Deploying single-use and rotating smart contracts to maintain attack infrastructure.
- Domain Generation Algorithms (T1483) – Frequent rotation and registration of phishing domains to evade blacklisting.
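As an added, defender-side example (not code from the Check Point report), the following Python screens raw EVM transaction calldata for the token-approval calls a drainer asks a victim to sign, and flags unlimited approvals to unknown spenders. The ERC-20/ERC-721 selectors are the standard ones; the sample calldata and the "unlimited" threshold are constructed assumptions.

```python
# Added example: screen EVM calldata for approval calls before a wallet signs them.
# Selectors are the first 4 bytes of keccak256(canonical signature); they are
# hard-coded so the script runs offline without a keccak/web3 dependency.

MAX_UINT256 = (1 << 256) - 1

# selector -> (signature, ABI argument types)
APPROVAL_SELECTORS = {
    "095ea7b3": ("approve(address,uint256)", ("address", "uint256")),
    "39509351": ("increaseAllowance(address,uint256)", ("address", "uint256")),
    "a22cb465": ("setApprovalForAll(address,bool)", ("address", "bool")),
}

def decode_word(word_hex: str, typ: str):
    """Decode one 32-byte ABI word (64 hex chars) as address, uint256 or bool."""
    if typ == "address":
        return "0x" + word_hex[-40:]
    value = int(word_hex, 16)
    return bool(value) if typ == "bool" else value

def screen_calldata(calldata: str, trusted_spenders=frozenset()):
    """Return a verdict dict for approval calldata, or None if it is not an approval."""
    data = calldata.lower()
    if data.startswith("0x"):
        data = data[2:]
    selector, body = data[:8], data[8:]
    if selector not in APPROVAL_SELECTORS:
        return None
    sig, types = APPROVAL_SELECTORS[selector]
    if len(body) < 64 * len(types):
        return {"signature": sig, "risk": "HIGH", "reason": "truncated arguments"}
    args = [decode_word(body[i * 64:(i + 1) * 64], t) for i, t in enumerate(types)]
    spender, amount = args[0], args[1]
    # Assumed heuristic: a bool True or an amount in the top half of uint256 is
    # treated as "unlimited" (drainers typically request 2**256-1).
    unlimited = amount is True or (isinstance(amount, int) and amount >= MAX_UINT256 // 2)
    if spender in {s.lower() for s in trusted_spenders}:
        risk, reason = "LOW", "known spender"
    elif unlimited:
        risk, reason = "HIGH", "unlimited approval to unknown spender"
    else:
        risk, reason = "MEDIUM", "limited approval to unknown spender"
    return {"signature": sig, "spender": spender, "amount": amount, "risk": risk, "reason": reason}

# Constructed samples (not real transactions): an unlimited ERC-20 approve to a
# placeholder spender, an ERC-721 setApprovalForAll(true), and a plain transfer.
SPENDER = "0x" + "11" * 20
SAMPLE_UNLIMITED_APPROVE = "0x095ea7b3" + "0" * 24 + "11" * 20 + "ff" * 32
SAMPLE_APPROVE_ALL = "0xa22cb465" + "0" * 24 + "22" * 20 + "0" * 63 + "1"
SAMPLE_TRANSFER = "0xa9059cbb" + "0" * 24 + "33" * 20 + "0" * 63 + "1"
```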
Indicators of Compromise:
- The report includes numerous phishing domains such as roles-collab[.]com, collab.land-wl[.]com, and collab-mpc-land[.]com used to host phishing sites impersonating Collab.Land.
- Several Cloudflare Workers domains (workers[.]dev) are identified as C2 infrastructure endpoints, e.g., sharp-dev-40d.ivx9ctza.workers[.]dev.
- JavaScript file names used in attacks are randomized UUID-like strings (e.g., 66bc4b94-a47f-4157-9a3b-9a4205f44360.js), changing frequently to evade detection.
- Smart contract addresses on Binance Smart Chain and Ethereum (e.g., 0x158862Ec60B7934f1333e53AC1e148811A2E3BeB for config storage) serve as configuration points for the drainer.
- Perpetrators use short-lived phishing tokens and OAuth2 authorization codes with expiry times to limit detection windows.
- Examples of compromised or associated wallet addresses, contract addresses, and C2 URLs are provided to enable threat hunting and blockchain monitoring.