The Reveal Platform
Crypto drainers represent a class of financially motivated threats targeting Web3 users by abusing blockchain transaction authorization mechanisms rather than exploiting software vulnerabilities. Instead of stealing credentials or deploying traditional malware, these attacks manipulate users into approving malicious transactions that grant attackers permission to transfer digital assets.
While early drainer campaigns relied purely on phishing and deceptive interfaces, recent activity shows an evolution toward hybrid models that combine social engineering, malicious smart contracts, and endpoint-level data exfiltration, increasing both scale and operational impact.
A crypto drainer is a malicious mechanism designed to extract cryptocurrency assets by inducing users to authorize transactions that delegate control over their tokens or NFTs.
Unlike traditional account compromise techniques, drainers do not require:
Instead, they abuse legitimate blockchain functionality.
In most cases, drainers exploit standard token approval mechanisms:
approve(address spender, uint256 amount) setApprovalForAll(address operator, bool approved)Once these permissions are granted, attacker-controlled contracts can invoke transfer functions to move assets without further user interaction.
A typical crypto drainer campaign follows a structured workflow:
1. Initial Access (Phishing / Social Engineering)
Attackers lure victims via:
2. Wallet Interaction
Victims are prompted to:
These prompts are designed to appear legitimate.
3. Malicious Transaction Execution
The transaction interacts with an attacker-controlled smart contract, invoking permission-granting functions such as:
approve()setApprovalForAll()4. Permission Abuse
Once approval is granted, the attacker gains the ability to transfer assets programmatically. In many cases, attackers request unlimited token allowances, enabling repeated asset transfers without requiring additional user interaction.
5. Asset Drain
Assets are transferred to attacker-controlled wallets, often within a single block confirmation window, leaving little opportunity for intervention.
Underground forums indicate that crypto drainers are increasingly commoditized and distributed as Drainer-as-a-Service (DaaS) offerings.
Key characteristics:
This model lowers the barrier to entry and enables large-scale campaigns by low-skilled actors.
The Bonk.fun incident highlights the effectiveness of frontend manipulation in Web3 attacks.
Attackers compromised the website interface and injected a fake “Terms of Service” prompt. Users who interacted with the prompt unknowingly signed malicious transactions, resulting in immediate asset loss.
Key Insight:
This highlights a key weakness in Web3 security models, where protections can be bypassed through interface-level manipulation.
Discussions on Reddit forums about the Bonk.fun hijack indicate that one user claimed the attacker injected a “HussDrainer” tool into the website.
Such attacks typically involve injection of malicious JavaScript into the frontend, altering transaction prompts without modifying backend contract logic.
This illustrates the pricing structure of various crypto drainer tools along with their advertised capabilities. It shows how these tools are often sold as packaged services, offering features such as multi-chain support, automated asset draining, and user-friendly dashboards. This reflects increasing commercialization of drainer tools, where even low-skilled attackers can access advanced capabilities for a price.
While traditional drainers operate purely through browser-based transaction abuse, recent campaigns demonstrate a shift toward hybrid models that incorporate endpoint-level payloads to expand data collection and persistence capabilities.
The analyzed repository masquerades as:
However, analysis reveals behavior consistent with infostealer malware, extending beyond standard drainer capabilities.
Repository naming patterns like “airdrop-claim-eip-7702”, which can be misleading and may act as phishing techniques. These types of projects often try to attract victims by promising recovery of lost funds or free airdrops.
In reality, such repositories can contain malicious code that tricks users into interacting with fake airdrop functions. When users follow the instructions and connect their wallets, they may be asked to approve or sign transactions. This is where the attack happens — instead of recovering funds, the code can grant permission to the attacker, allowing them to drain the wallet.
The use of terms like “wallet recovery”, “airdrop claim”, and “easy setup” is a common social engineering tactic to build trust. Since these repositories are publicly available, inexperienced users might believe they are legitimate tools, while in fact they could be designed to steal funds.
The following analysis is based on static and behavioral examination of the retrieved sample.
User Execution → Launcher.cmd
↓
LuaJIT Invocation (luajit.exe)
↓
Lua Script Execution (uix.txt)
↓
Decryption of Embedded Configuration
↓
.env File Access & Monitoring
↓
HTTPS POST → Discord Webhook
↓
Loop for Continuous Data Exfiltration
No persistence mechanisms were observed, suggesting the attack relies on immediate execution and rapid data exfiltration rather than long-term system foothold.
The presence of:
luajit.exe(nix.txt)indicates a user-executed payload delivery model, which is atypical for legitimate Web3 workflows and serves as an evasion technique.
The archive contains luajit.exe and a launcher script (Launcher.cmd) that executes a Lua-based payload (uix.txt). This reflects a user-executed delivery model, which is atypical for legitimate Web3 workflows. The use of an interpreted Lua payload complicates static detection, as core logic is executed dynamically at runtime rather than embedded in compiled binaries.
The malware targets .env files, which commonly store:
The script implements periodic file access to monitor changes and retransmit updated data. This behavior suggests periodic file polling rather than event-driven monitoring, which may generate detectable patterns in file access telemetry.
We downloaded the application from the above github repo and found that it uses a Discord webhook as a data exfiltration endpoint to exfiltrate sensitive data over HTTPS. It continuously monitors the .env file for any changes and retransmits updated information. Since .env files often contain critical secrets such as crypto wallet credentials, this represents a significant security risk.
The sample leverages Discord webhook infrastructure as a data exfiltration endpoint.
The above module is responsible for the decrypting URL which uses a Discord webhook as a data exfiltration endpoint
hxxps://discord.com/api/webhooks/1411056528018112634/6SeAntJD8PfBeKbT23dJnwdkk_xuGMosIcjeCH0bXPYoQCHfLIHV8hJpK0nvHxDVkrlr
(https://discord.com/api/webhooks/{webhook_id}/{webhook_token}) which points to a webhook endpoint of Discord used for data exfiltration. It sends the contents of a .env file to this endpoint via an HTTPS POST request. This behavior is consistent with automated exfiltration of sensitive environment variables.
The webhook URL is stored in an encrypted format using OpenSSL-compatible AES encryption.
Salted__headerA Python-based implementation of this decryption process successfully recovers the webhook URL.
The use of AES-256-CBC with EVP_BytesToKey suggests basic obfuscation rather than advanced cryptographic protection.The following script replicates the decryption logic observed in the sample:
import base64
from Crypto.Cipher import AES
from hashlib import md5 # Key Derivation Function from Salt and Password
def evp_bytes_to_key (password, salt, key_len=32, iv_len=16):
d = "b''
prev = b''
while len(d) < key_len + iv_len:
prev = md5(prev + password + salt).digest()
d += prev
return d[:key_len], d[key_len:key_len + iv_len]
def decrypt_discord_url():
# Encrypted Discord Server URL
unwrap = "U2FsdGVkX19qDrIIfOzOFIAYpU9XTtZJfACYULun2rz7zaju2HPfVS94utvtRO6Id9h7cV5z5XOfVvHQk/u4cB7jlS0luARIAbCrx07OP+/f5rMbbuljSel5UEr3afOQ6lpybut26iKPqK1jRfPMWi5gBl9Po/tdEFW3TwFQciP+OJC8lh+KqHuM89SMgTjM"
# Base64 Decoding
data = base64.b64decode(unwrap)
# Check OpenSSL salted format
if data[:8] != b"Salted__":
raise ValueError("Invalid data: missing OpenSSL Salted__ header")
# Extract salt and ciphertext
salt = data[8:16]
ciphertext = data[16:]
# Derive key and IV
key, iv = evp_bytes_to_key(b"tx", salt)
# AES-256-CBC Decryption
cipher = AES.new(key, AES.MODE_CBC, iv)
plaintext = cipher.decrypt(ciphertext)
# Remove PKCS7 padding
pad_len = plaintext[-1]
plaintext = plaintext[:-pad_len]
return plaintext.decode()
if __name__ == "__main__":
result = decrypt_discord_url()
print(result)
Similar to the behavior of CryptoJS.AES.decrypt(), we implemented a custom script to recover the original Discord webhook URL. The encrypted string (unwrap) was first Base64-decoded, revealing data in the OpenSSL salted format (Salted__ | [8-byte salt] | [ciphertext]). Using the extracted salt and the known password, we derived the encryption key and IV via the EVP_BytesToKey function. The ciphertext was then decrypted using AES-256-CBC, resulting in the original Discord webhook URL used for data exfiltration.After decryption Discord Webhook URL is hxxps://discord.com/api/webhooks/1411056528018112634/6SeAntJD8PfBeKbT23dJnwdkk_xuGMosIcjeCH0bXPYoQCHfLIHV8hJpK0nvHxDVkrlr
It continuously reads the .env file and monitors it for any changes. Whenever updates occur, the new data is sent out again. This enables ongoing data theft and persistent surveillance of sensitive information.
envtypically contains:
Effective detection requires correlating endpoint, network, and blockchain activity.
Outbound HTTPS POST requests to: approve() transactionssetApprovalForAll() callsCorrelate execution of Lua-based interpreters with outbound HTTPS requests to Discord webhook endpoints, combined with repeated access to sensitive configuration files such as .env.
Individually, these signals may appear benign; however, their temporal correlation significantly increases detection confidence.
This multi-layered approach enables detection of both purely transaction-based drainers and malware-assisted variants within a unified analytical framework.”
MITRE ATT&CK Mapping:
• T1566 - Phishing
• T1204 - User Execution
• T1552 - Unsecured Credentials (.env access)
• T1041 - Exfiltration Over Web Services
• T1059 - Command and Scripting Interpreter (Lua execution)
Gurucul enables detection of crypto drainer campaigns by correlating user behavior, endpoint activity, and network telemetry, which is critical for identifying both traditional wallet-based attacks and malware-assisted variants.
Outcome: Enables SOC teams to detect, prioritize, and respond to crypto drainer threats through behavioral analytics and multi-layered visibility, rather than relying on isolated indicators.
Crypto drainers have evolved from purely transaction-based social engineering attacks into hybrid threat models that combine phishing, malicious smart contract interaction, and endpoint-level data exfiltration.
This convergence increases both the scale and impact of such campaigns. Defenders must move beyond isolated detection strategies and instead correlate:
Only through this multi-layered visibility can organizations effectively detect and mitigate modern Web3-targeted threats.
Contributors:
Siva Prasad Boddu
Pandurang Terkar
Rudra Pratap
