Drainer-as-a-Service: How Crypto Wallet Theft Became a Subscription Business
Crypto theft has grown up. What used to be a handful of dodgy phishing pages and fake NFT mints has quietly industrialised into something far more structured: Drainer-as-a-Service platforms, where the people who build the tools and the people who find the victims operate as separate business units and split the proceeds.
The basic mechanic is simple enough. Victims land on a fake crypto site, connect their wallet, approve what looks like a routine transaction, and watch their assets vanish. No device compromise required. No malware download. Just social engineering, a convincing UI, and a malicious approval that takes seconds to execute but is effectively irreversible.
Security researchers at Flare analysed around 700 posts, spanning early 2025 into 2026, from the underground forums, chats, and channels associated with a DaaS operation called Lucifer Drainer. What they found reads less like a cybercrime report and more like a SaaS startup pitch deck that accidentally got indexed by the wrong people.
How the Model Works
The operator builds and maintains the draining infrastructure. Affiliates supply the victims. The affiliate's job is traffic generation: phishing links, cloned websites, compromised social media accounts, spam, whatever works. The platform handles wallet interaction logic, signature abuse, transaction execution, and alerts. Revenue is commission-based.
Lucifer's own promotional material spells it out. Affiliates bring "traffic through phishing links, fake websites, and similar methods." The service manages "signatures, approvals, and token transfers." The operator takes 20% of every successful hit. The software itself is explicitly not for sale.
This is closer to the ransomware affiliate model than anything from the early phishing era. The developers maintain the product. The affiliates run the distribution. Everyone gets paid proportionally, and nobody needs to understand the full stack to participate.
Lucifer as a Case Study
The dataset gives an unusually detailed view of how one of these operations evolves over time. In March 2025, Lucifer announced version 6.6.6 with ERC20 support, Permit2 abuse, off-chain signatures, multichain functionality, wallet security bypasses, and Telegram notifications. Standard feature release stuff, basically.
From that point the channel started looking more like a product development feed than a criminal operation. Bug fixes. Wallet compatibility patches. Deployment workflow improvements. Hosting recommendations. There was even a website cloning feature that let affiliates generate phishing-ready packages as preloaded ZIP files.
By later in the year they had introduced "Zero Config" deployment, meaning affiliates could upload static files, auto-generate phishing infrastructure, and go live with minimal technical knowledge. Lowering the barrier to entry is a deliberate growth strategy, same as it is for legitimate SaaS.
The posts also revealed active recruitment across the same underground spaces where competing drainer brands such as Inferno, Angel, Venom, Nova, Ghost, and Medusa were being discussed. A persistent theme throughout was traffic. The operators made clear that the ability to bring victims mattered far more than technical sophistication. That said, they explicitly turned away complete beginners, suggesting they wanted affiliates who could operate independently without needing their hand held.
Resilience Under Pressure
When Lucifer's Telegram bots were banned in August 2025, the operators simply instructed affiliates to set up new bots with admin access and posted migration guidance. When a Firebase-hosted documentation domain was suspended after security researchers flagged it in November 2025, they moved the docs to IPFS. Decentralised file storage as operational continuity planning. It works.
This pattern of adapting around takedowns mirrors what Check Point documented with Inferno Drainer, which kept functioning despite wallet warnings, blacklists, and anti-phishing defences. Disruption slows these operations down. It rarely stops them.
Why Drainers Work
Crypto is the ideal target for this type of attack. Assets move fast, transfers are irreversible, and there is no fraud team to call. A successful wallet approval converts to liquid funds almost instantly, with no bank portal to hack and no mule account to manage.
The other factor is genuine user confusion. Wallet prompts, token approvals, signatures, permits, allowances: most people interacting with Web3 applications do not fully understand what they are authorising. Permit (EIP-2612) and Permit2 are particularly useful for attackers because the allowance is granted by an off-chain signature rather than an on-chain approve() transaction. The victim sees a gas-free "sign message" prompt instead of a transaction confirmation; the attacker later submits that signature to the token or Permit2 contract and pulls the tokens. Permit2 abuse in particular works against wallets that have already approved the Permit2 contract for a token, which many DeFi users did through perfectly legitimate Uniswap use. The interaction feels routine. The outcome is not.
What to Watch For
DaaS platforms are specifically designed to make malicious wallet interactions look normal. Some red flags worth knowing:
Wallet connection requested the moment you land on a site.
Signature or approval requests before you receive anything.
Unlimited token approvals or Permit/Permit2 permission requests.
"Gasless claim" prompts that still require wallet sign-off.
Fake urgency: "claim now", "limited mint", "expiring rewards".
Links arriving via Telegram, Discord, or X DMs.
Freshly registered or slightly-off crypto domains.
Sites cloned from legitimate DeFi or NFT platforms.
Multiple redirects before the wallet prompt appears.
Prompts to reconnect or re-sign repeatedly.
Any platform pushing you to act before you have had time to verify anything.
Using a wallet with significant holdings on an unfamiliar Web3 site is also, frankly, just asking for trouble.
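The Permit/Permit2 mechanism described under "Why Drainers Work" and the "unlimited approvals or Permit/Permit2 requests" red flag above can both be checked mechanically, because they arrive at the wallet as structured data: an EIP-712 typed-data object for eth_signTypedData_v4, or ABI-encoded calldata for eth_sendTransaction. The following is an added example, not code from Flare's report or from any drainer, showing what a drainer-style Permit2 request looks like next to a benign one and flagging the dangerous fields. The type widths (uint160 amount, uint48 expiration) and the Permit2 contract address are Uniswap's real Permit2 interface; the approve and setApprovalForAll selectors are the standard ERC-20/ERC-721 ones. The sample requests, the 0xdead... spender, the token address and the KNOWN_SPENDERS allowlist are constructed placeholders.

```javascript
// Added example (not Lucifer's or Flare's code): audit the two wallet prompts a
// drainer page relies on, before the user clicks "Sign" or "Confirm".
//  1. eth_signTypedData_v4 requests carrying a Uniswap Permit2 PermitSingle /
//     PermitBatch, or an EIP-2612 Permit (allowance granted by signature alone).
//  2. eth_sendTransaction requests whose calldata is ERC-20 approve() or
//     ERC-721/1155 setApprovalForAll().
// Plain Node.js, no dependencies. Sample requests, the 0xdead... spender, the
// 0x2222... token and the KNOWN_SPENDERS list are constructed placeholders.

const MAX_UINT160 = (1n << 160n) - 1n; // Permit2 `amount` is uint160
const MAX_UINT256 = (1n << 256n) - 1n; // EIP-2612 `value` and approve() amount are uint256
const MAX_UINT48 = (1n << 48n) - 1n;   // Permit2 `expiration` is uint48
const THIRTY_DAYS = 30n * 24n * 60n * 60n;

// Spenders the user has deliberately chosen to trust (assumed placeholder list).
const KNOWN_SPENDERS = new Set(["0x1111111111111111111111111111111111111111"]);

const isUnlimited = (amount, max) => amount >= max / 2n; // type maximum, or near enough
const tooFarOut = (ts, now) => ts - now > THIRTY_DAYS;

function checkSpender(spender, flags) {
  const s = String(spender).toLowerCase();
  if (!KNOWN_SPENDERS.has(s)) flags.push(`spender ${s} is not a known contract`);
}

// Returns { kind, flags }: kind names the request type, flags lists red flags found.
function auditTypedData(typedData, now = BigInt(Math.floor(Date.now() / 1000))) {
  const { primaryType, message } = typedData;
  const flags = [];
  if (primaryType === "PermitSingle" || primaryType === "PermitBatch") {
    checkSpender(message.spender, flags);
    const details = primaryType === "PermitSingle" ? [message.details] : message.details;
    for (const d of details) {
      if (isUnlimited(BigInt(d.amount), MAX_UINT160)) flags.push(`unlimited amount for token ${d.token}`);
      const exp = BigInt(d.expiration);
      if (exp === MAX_UINT48 || tooFarOut(exp, now)) flags.push(`allowance on ${d.token} expires far in the future`);
    }
    if (tooFarOut(BigInt(message.sigDeadline), now)) flags.push("sigDeadline far in the future");
    return { kind: "Permit2", flags };
  }
  if (primaryType === "Permit" && message.value !== undefined) {
    checkSpender(message.spender, flags);
    if (isUnlimited(BigInt(message.value), MAX_UINT256)) flags.push("unlimited value");
    if (tooFarOut(BigInt(message.deadline), now)) flags.push("deadline far in the future");
    return { kind: "EIP-2612 permit", flags };
  }
  return { kind: "other", flags };
}

// Decode approve(address,uint256) / setApprovalForAll(address,bool) calldata.
function auditTransaction(tx) {
  const data = String(tx.data || "0x").toLowerCase();
  const flags = [];
  const word = (i) => data.slice(10 + 64 * i, 10 + 64 * (i + 1)); // i-th 32-byte ABI word after the selector
  if (data.startsWith("0x095ea7b3") && data.length >= 10 + 128) {
    checkSpender("0x" + word(0).slice(24), flags); // address is the low 20 bytes of the word
    if (isUnlimited(BigInt("0x" + word(1)), MAX_UINT256)) flags.push("unlimited ERC-20 approval");
    return { kind: "ERC-20 approve", flags };
  }
  if (data.startsWith("0xa22cb465") && data.length >= 10 + 128) {
    checkSpender("0x" + word(0).slice(24), flags);
    if (BigInt("0x" + word(1)) === 1n) flags.push("operator approval for the entire NFT collection");
    return { kind: "setApprovalForAll", flags };
  }
  return { kind: "other", flags };
}

// ---- constructed samples (fixed clock so the results are reproducible) ----
const SAMPLE_NOW = 1700000000n;
const TOKEN = "0x2222222222222222222222222222222222222222";      // placeholder ERC-20
const ATTACKER = "0xdeaddeaddeaddeaddeaddeaddeaddeaddeaddead";   // placeholder drainer spender

const DRAINER_PERMIT2 = { // max amount, never-expiring allowance, unknown spender (types omitted)
  primaryType: "PermitSingle",
  domain: { name: "Permit2", chainId: 1, verifyingContract: "0x000000000022D473030F116dDEE9F6B43aC78BA3" },
  message: {
    details: { token: TOKEN, amount: MAX_UINT160.toString(), expiration: MAX_UINT48.toString(), nonce: 0 },
    spender: ATTACKER,
    sigDeadline: (SAMPLE_NOW + 365n * 24n * 3600n).toString(),
  },
};

const BENIGN_PERMIT2 = { // bounded amount, one-hour expiry, trusted spender
  primaryType: "PermitSingle",
  message: {
    details: { token: TOKEN, amount: (1000n * 10n ** 6n).toString(), expiration: (SAMPLE_NOW + 3600n).toString(), nonce: 1 },
    spender: "0x1111111111111111111111111111111111111111",
    sigDeadline: (SAMPLE_NOW + 1800n).toString(),
  },
};

const pad32 = (hex) => hex.replace(/^0x/, "").padStart(64, "0");
const UNLIMITED_APPROVE_TX = { to: TOKEN, data: "0x095ea7b3" + pad32(ATTACKER) + "f".repeat(64) };

for (const [name, result] of [
  ["drainer Permit2", auditTypedData(DRAINER_PERMIT2, SAMPLE_NOW)],
  ["benign Permit2", auditTypedData(BENIGN_PERMIT2, SAMPLE_NOW)],
  ["unlimited approve tx", auditTransaction(UNLIMITED_APPROVE_TX)],
]) console.log(name, result);
```

The drainer request trips four flags (unknown spender, type-maximum amount, never-expiring allowance, year-long signature deadline) while the benign one trips none, even though both are the same PermitSingle shape a wallet would render almost identically. The "half the type range" threshold for unlimited is deliberate: some drainers pick a huge but non-maximal amount to dodge exact-match checks.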
The Bigger Picture
Lucifer is one operation in a larger ecosystem. The underground communities where it operates are full of competing services running the same basic model, all fighting for affiliates, traffic, and visibility. The commoditisation of crypto theft infrastructure means the technical barrier keeps dropping. More automation, simpler deployment, lower skill requirements for affiliates.
This is not a wave of sophisticated criminal masterminds. It is a service industry. And like most service industries, it will keep scaling until the economics stop working.