Skip to main content
Emerging ThreatsMalware & Ransomware

Crypto Drainers Evolve Into Sophisticated Service Platforms

Dimly lit underground forum with individuals around a table surrounded by computer equipment and screens.

"In one promotional post, the actor explains that affiliates provide 'traffic through phishing links, fake websites, and similar methods,' while the service manages 'signatures, approvals, and token transfers.'"

How Lucifer reveals the modern Drainer-as-a-Service model

Flare researchers analyzed approximately 700 posts collected from underground forums, chats, and channels related to the "Lucifer DaaS" between January 2025 and early 2026. That corpus shows a business model that looks less like ad‑hoc phishing and more like a commission-driven platform. Operators maintain the software, affiliates supply victims, and profits are split: Lucifer repeatedly told its Telegram channel that the software was "not for sale" and that the operators take a 20% commission from successful "hits."

The dataset frames Lucifer as a platform offering ongoing development and support — bug fixes, hosting recommendations, and feature updates — while affiliates focus on distribution through phishing links, fake websites, compromised accounts, ads, spam, or direct messages.

Technical features that make drainers fast, stealthy, and scalable

Lucifer advertised features that lower the technical barrier and increase automation: ERC20 support, Permit2 abuse, off‑chain signatures, multichain functionality, Telegram notifications, and "wallet-security bypasses." A March 2025 announcement of version 6.6.6 explicitly listed many of these capabilities.

Operational tooling extended beyond code: a website‑cloning feature produced ZIP files preloaded with Lucifer code, and later "Zero Config" workflows allowed affiliates to upload static files, generate phishing packages, and deploy infrastructure automatically. Those changes let less technical affiliates deploy malicious wallet prompts in minutes and enabled rapid scaling across multiple blockchains.

How these schemes convert a wallet approval into immediate theft

Crypto drainers do not rely on compromising a device. They instead exploit wallet permissions and user confusion. Victims are lured to fake crypto, NFT, airdrop, DeFi, or token‑claim sites and asked to connect their wallets. Once a signature or approval is granted — sometimes via Permit or Permit2 off‑chain mechanisms — a drainer can transfer tokens, NFTs, or other assets directly from the victim's wallet within seconds.

The Lucifer posts and related commentary highlight why authorizations like Permit and Permit2 are attractive to attackers: signed permissions can authorize transfers in ways that feel less alarming to users than obvious send transactions, while still granting attackers an avenue to move funds rapidly and irreversibly.

Operational resilience: how takedowns matter less than they used to

Lucifer's timeline in 2025 demonstrates deliberate resilience. After Telegram bots were banned in August 2025, the group instructed users to create new bots and grant admin privileges, and provided post‑migration configuration guidance. In November 2025, when a documentation domain hosted on Google Firebase was suspended following research reports, Lucifer moved documentation to the InterPlanetary File System (IPFS) — presenting decentralization as a means to survive takedowns.

That adaptability mirrors other reporting in the space: the dataset references a broader ecosystem — including Inferno, Angel, Venom, Nova, Ghost, Medusa, Vega, and Monkey — and echoes Check Point’s research on "Inferno Drainer," which described similar adaptation despite wallet warnings, blacklists, and anti‑phishing defenses.

What this means for technologists and security teams, affected enterprises, and end users

  • Technologists and security teams should treat DaaS platforms like Lucifer as ongoing threats that combine software development practices (releases, bug fixes, support) with criminal economics. Monitoring underground recruitment, ZIP deployments, and "Zero Config" distribution workflows can provide early detection, as Flare reports it does by tracking drainer ecosystems and phishing infrastructure chatter.
  • Affected enterprises and procurement leaders should expect phishing vectors to be automated and distributed; website cloning and automated ZIPs mean threat actors can impersonate legitimate projects at scale. Defenses that rely solely on domain takedowns or blocking known malicious hosts will be incomplete while groups host documentation and deployment artifacts on decentralized platforms like IPFS.
  • End users and the general public must treat wallet approvals and signature requests as high‑risk events. Clear, concrete warning signs include unexpected signature requests before receiving anything, requests for unlimited token approvals or Permit/Permit2 permissions, "gasless claim" prompts that still require approval, and links arriving via Telegram, Discord, or DM channels. The Lucifer dataset underscores that repeated reconnects, vague transaction details, and pressure to act quickly are common tactics.

Lucifer’s public development cadence — version announcements, automated deployment, ZIP cloning, and a 20% commission model — draws a clear line from malware‑kit era phishing to a mature underground SaaS economy. That evolution makes the problem both faster and harder to eradicate: when affiliates do the hunting and operators maintain the platform, takedowns of individual sites or bots are only temporary delays. The practical question left by the evidence Flare collected is straightforward and urgent: can defenders match the drainer operators' pace of automation, distribution, and decentralization before more wallets are emptied?

Source: Inside a Crypto Drainer — BleepingComputer