Cybercriminals have recently advanced their tactics by offering "drainer-as-a-service" (DaaS), enabling the rental of crypto-stealing malware for as little as $100. This shift marks a significant change in how digital theft is conducted, making it increasingly accessible to those with only basic knowledge of cybercrime techniques.
According to a report released by the crypto forensics company AMLBot on April 22, the landscape for crypto hackers has transformed dramatically. Slava Demchuk, the CEO of AMLBot, elaborated that the skills once necessary for conducting such operations are now within reach for anyone familiar with fundamental cyber principles.
Online Communities Transforming Novices into Hackers
Online forums serve as breeding grounds for aspiring scammers, where seasoned criminals share their expertise. Novices in phishing can easily transition into crypto drainers, thanks to various tutorials available within these communities.
Some DaaS collectives exhibit such confidence in their activities that they openly advertise their services, even establishing booths at industry conferences. Demchuk pointed to examples like CryptoGrab, highlighting that in specific regions, particularly Russia, such activities face minimal legal repercussions. Hacking incidents that do not target local or post-Soviet victims often go unpunished.
The cybersecurity community has long recognized this pattern of regional exemption. Previous reports have indicated that many types of malware, such as ransomware and information stealers like Typhon Reborn v2, are designed to shut down if they detect system settings associated with Russia or nearby territories.
The Growth of DaaS and Phishing Networks
DaaS operations flourish within phishing networks, which are widespread across clearnet forums, darknet platforms, and even Telegram groups. Developers are often scouted through job advertisements in semi-open Telegram channels, specifically looking for Russian-speaking programmers who can write scripts to drain Web3 wallets.
AMLBot's investigation revealed job postings for malware aimed at platforms like Hedera (HBAR), underscoring an active hunt for technical talent in specialized online communities.
The influx of drainers has caused considerable financial damage. According to Scam Sniffer, an astonishing $494 million was reported stolen through these schemes in 2024, a 67% rise from the previous year.
Cybersecurity firm Kaspersky also documented a notable increase in darknet forums focused on drainer tools, jumping from 55 in 2022 to 129 in 2024.
While Telegram was once viewed as a safe space for cybercriminals, its recent information-sharing initiatives with law enforcement have raised concerns. As a result, many offenders have transitioned back to the Tor network, where maintaining anonymity is considerably easier.
Financial Losses from Crypto Hacks in Q1
In the first quarter of 2025, the crypto industry suffered a staggering loss of $1,635,933,800 across 39 hacking incidents, according to the blockchain security platform Immunefi. This makes it the most damaging quarter for hacks in the history of the crypto sector.
Most losses were attributed to two major hacks at centralized exchanges. Phemex lost $69.1 million in January, while Bybit incurred an enormous loss of $1.46 billion in February. The total losses during this period marked a 4.7-fold increase compared to Q1 2024, when hackers stole $348,251,217.
Experts suspect that the notorious North Korean Lazarus Group is responsible for the two largest attacks, in which $1.52 billion was stolen, accounting for 94% of the total losses during this quarter.