
In recent years, cryptocurrency theft operations have evolved far beyond isolated phishing pages and fake NFT mint scams. What once consisted mainly of individual actors running malicious wallet-connection pages has increasingly developed into a structured underground service economy built around “Drainer-as-a-Service” (DaaS) platforms.
Unlike traditional malware operations, crypto drainers typically rely on social engineering rather than device compromise. Victims are lured to fake crypto, NFT, airdrop, or DeFi websites and asked to connect their wallets. Once a malicious transaction or wallet signature is approved, the drainer can transfer cryptocurrency assets directly from the victim’s wallet, often within seconds.
An analysis conducted by Flare researchers of approximately 700 posts collected from underground forums, chats, and channels related to the "Lucifer DaaS" between January 2025 and early 2026 provides a rare look into how modern drainer operations function internally.
The findings reveal an increasingly professionalized ecosystem focused on affiliate growth, automation, phishing scalability, wallet-security bypasses, and operational resilience.
The analyzed data suggests that modern drainer operations increasingly function similarly to legitimate SaaS businesses. Actors behind Lucifer discussed software releases, bug fixes, affiliate commissions, customer support, hosting recommendations, deployment automation, website cloning, and referral systems, offering a deep dive into how DaaS ecosystems are evolving inside underground communities.
A crypto drainer is a tool designed to steal cryptocurrency assets directly from victims’ wallets by abusing wallet permissions and transaction approvals. Instead of hacking the wallet itself, attackers typically lure victims to fake crypto, NFT, airdrop, DeFi, or token-claim websites and trick them into connecting their wallets and approving malicious requests or signatures.
Once permission is granted, the drainer can automatically transfer tokens, NFTs, or other digital assets from the victim’s wallet to attacker-controlled wallets, often within seconds and across multiple blockchains.

In this model, the operator develops and maintains the draining infrastructure, while affiliates bring victims. The affiliate’s job is to generate traffic through phishing links, fake websites, compromised social media accounts, ads, spam, or direct messages. The DaaS operator handles the wallet interaction, transaction logic, alerts, and asset-draining flow.
The Lucifer dataset shows this model clearly. In one promotional post, the actor explains that affiliates provide “traffic through phishing links, fake websites, and similar methods,” while the service manages “signatures, approvals, and token transfers.” The same post describes the service as commission-based and presents Lucifer Drainer as a “professional solution” with ERC20 support, Permit2, off-chain signatures, wallet-security bypasses, multichain support, and continued product updates.

That language is important. The operators are not selling a one-time malware kit. They are selling participation in a platform.

Their Telegram channel reinforces the same point. Lucifer repeatedly states that the software is “not for sale,” and that the operators take a 20% commission from successful “hits.” In May 2025, the channel wrote that it does not sell or lease the software and only splits “20% per hit.”
This is closer to the ransomware affiliate model than to old-school phishing kits: the developers maintain the product, the affiliates bring the traffic that monetizes the operation, and the profits are shared.
The Lucifer channel shows a drainer operation evolving publicly into a structured DaaS platform.

In March 2025, the group announced version 6.6.6, advertising ERC20 support, Permit2 abuse, off-chain signatures, Telegram notifications, wallet-security bypasses, and multichain functionality. The same announcement again emphasized that the software was not for sale and that the operators take a 20% commission from successful “hits.”
From then on, the channel increasingly resembled a software development feed more than a typical malware operation. The operators announced bug fixes, wallet compatibility updates, Telegram-browser support, deployment improvements, and hosting features.
One of the most notable additions was a website-cloning feature that allowed affiliates to clone phishing pages and receive ZIP files preloaded with the latest Lucifer code.
Over time, the operation moved heavily toward automation. Later updates introduced “Zero Config” deployment workflows, allowing affiliates to upload static files, automatically generate phishing-ready packages, and deploy infrastructure with minimal manual work. This significantly lowered the technical barrier for affiliates.

The broader dataset also shows Lucifer actively recruiting across underground communities where other drainer brands such as Inferno, Angel, Venom, Nova, Ghost, Medusa, Vega, and Monkey were discussed. A recurring theme across the posts was “traffic.” The operators repeatedly emphasized that affiliates needed victims and phishing distribution capabilities more than advanced technical skills.
However, the group also warned that complete beginners were not welcome, suggesting the operators prioritized experienced affiliates capable of generating reliable phishing traffic with limited operational overhead.
Like other underground services, Lucifer also shows signs of operational resilience.
In August 2025, their Telegram bots were banned, so they instructed users in their channel to create new bots and grant them admin privileges. The group also gave instructions for resolving configuration problems after migration.
In November 2025, Lucifer said a documentation domain hosted on Google Firebase had been suspended after research reports. The group responded by moving its documentation to the InterPlanetary File System (IPFS), a decentralized, peer-to-peer protocol for storing and distributing data, presenting decentralization as a way to keep operations running after takedowns.
This mirrors behavior seen across the wider drainer ecosystem. Check Point’s research on "Inferno Drainer" described how the operation continued adapting despite wallet warnings, blacklists, and anti-phishing defenses.
Drainers became popular because they match the structure of modern crypto crime.
Crypto assets are liquid, fast-moving, and often irreversible once transferred. Attackers do not need to compromise a bank portal or wait for a mule account. A successful wallet approval can immediately "drain" assets.
They also benefit from user confusion. Wallet prompts, approvals, signatures, permits, and token allowances are still difficult for many users to understand. Attackers exploit that complexity by making malicious prompts look like routine Web3 interactions.
The abuse of the Permit and Permit2 authorization mechanisms became especially attractive because they allow token transfers to be authorized with a signed permission rather than an obvious direct transfer. That makes the interaction feel less alarming to the user while still giving attackers a path to the assets.
The findings suggest that Lucifer is part of a much broader underground ecosystem in which it and other wallet-draining services compete for affiliates, traffic, and visibility across underground communities.
The analyzed Lucifer dataset provides a rare public look into how modern DaaS operations function behind the scenes. The collected posts reveal an ecosystem focused on continuous development, affiliate retention, infrastructure resilience, automation, and operational scalability.
The findings also highlight how modern crypto-drainer operations increasingly resemble legitimate SaaS businesses. Rather than selling a static phishing kit, DaaS operators now maintain active platforms designed to simplify deployment, reduce technical barriers, and maximize affiliate efficiency.
Features such as website cloning, automated ZIP deployment, “Zero Config” workflows, affiliate commissions, and support channels demonstrate how operational maturity has become a competitive advantage within the ecosystem.
Crypto drainers are no longer isolated phishing pages operated by individual actors, but increasingly structured service platforms built around scalability and repeatability. As these ecosystems continue lowering the technical barrier for affiliates, wallet theft operations may become more accessible, more automated, and more difficult to disrupt at scale.
DaaS platforms are designed to make malicious wallet interactions look routine. Knowing what to look for is the first line of defense. Watch for these warning signs before connecting your wallet to any crypto site:
Wallet connection requested immediately on a crypto/NFT/airdrop site.
Unexpected signature or “Approve” requests before receiving anything.
Requests for unlimited token approvals or Permit/Permit2 permissions.
“Gasless claim” or “off-chain signature” prompts that still require wallet approval.
Fake urgency: “claim now,” “wallet verification,” “limited mint,” “expiring rewards.”
Links received through Telegram, Discord, X/Twitter DMs, or fake support accounts.
Recently created or suspicious-looking crypto domains.
Websites cloned from legitimate DeFi, NFT, or exchange platforms.
Multiple redirects before reaching the wallet prompt.
Wallet warnings ignored or bypassed.
Using a main wallet with large holdings for unknown Web3 sites.
Repeated prompts to reconnect or re-sign transactions.
Influencer or project accounts suddenly pushing unexpected mint/claim links.
Browser tabs opening new wallet approval windows automatically.
Transaction details that are vague, empty, or difficult to understand.
“Free NFT” or “free token” campaigns requiring approvals first.
Discord or Telegram admins privately messaging users first.
Websites asking users to disable wallet security protections.
Wallet drained immediately after signing a message instead of sending funds manually.
Any platform pressuring users to act fast before verifying legitimacy.
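As an added example (not code from the Lucifer dataset or from Flare) illustrating the Permit/Permit2 point above and the "unlimited token approvals" and "off-chain signature" warning signs in the list, this wallet-side check decodes an ERC20 approve() call and an EIP-712 Permit / Permit2 PermitSingle request and flags unlimited allowances, very long validity windows, and unknown spenders. It assumes the standard approve(address,uint256) ABI layout and the EIP-2612 / Permit2 typed-data shapes; the spender allowlist, the one-year threshold and the sample inputs are constructed.

```javascript
// Added example (not code from Lucifer or Flare): a wallet-side check that flags the
// risky requests described above. Assumes the standard ERC20 approve(address,uint256)
// ABI layout, the EIP-2612 "Permit" typed-data shape and Uniswap Permit2's "PermitSingle"
// shape; the one-year expiry threshold and the sample data are constructed for this example.
const MAX_UINT256 = (1n << 256n) - 1n;   // "unlimited" for approve() and EIP-2612 value
const MAX_UINT160 = (1n << 160n) - 1n;   // "unlimited" for Permit2's uint160 amount
const ONE_YEAR = 365n * 24n * 3600n;
const APPROVE_SELECTOR = "0x095ea7b3";   // first 4 bytes of keccak256("approve(address,uint256)")

// Decode ERC20 approve(spender, amount) calldata and explain why it looks risky.
function assessApproveCalldata(data, knownSpenders = new Set()) {
  const hex = data.toLowerCase();
  if (!hex.startsWith(APPROVE_SELECTOR) || hex.length !== 138) return { isApprove: false, flags: [] };
  const spender = "0x" + hex.slice(34, 74);          // last 20 bytes of the first 32-byte word
  const amount = BigInt("0x" + hex.slice(74, 138));
  const flags = [];
  if (amount === MAX_UINT256) flags.push("unlimited allowance");
  if (!knownSpenders.has(spender)) flags.push("unknown spender " + spender);
  return { isApprove: true, spender, amount, flags };
}

// Inspect an EIP-712 request (the payload a wallet receives via eth_signTypedData_v4):
// an off-chain signature here can authorize transfers without any visible transfer tx.
function assessTypedData(typedData, nowSec, knownSpenders = new Set()) {
  const m = typedData.message;
  const flags = [];
  let spender, amount, expiry;
  if (typedData.primaryType === "PermitSingle") {     // Uniswap Permit2
    spender = m.spender; amount = BigInt(m.details.amount); expiry = BigInt(m.details.expiration);
    if (amount === MAX_UINT160) flags.push("Permit2 unlimited allowance");
  } else if (typedData.primaryType === "Permit") {    // EIP-2612
    spender = m.spender; amount = BigInt(m.value); expiry = BigInt(m.deadline);
    if (amount === MAX_UINT256) flags.push("Permit unlimited allowance");
  } else {
    return { isPermit: false, flags };
  }
  if (expiry - BigInt(nowSec) > ONE_YEAR) flags.push("allowance valid for more than a year");
  if (!knownSpenders.has(spender.toLowerCase())) flags.push("unknown spender " + spender);
  return { isPermit: true, spender, amount, expiry, flags };
}

// Constructed samples: an unlimited approve() to an unknown spender, and a Permit2
// PermitSingle granting a max uint160 allowance that never expires (2^48 - 1).
const SAMPLE_APPROVE_DATA = APPROVE_SELECTOR + "0".repeat(24) + "1".repeat(40) + "f".repeat(64);
const SAMPLE_PERMIT2_REQUEST = {
  primaryType: "PermitSingle",
  message: {
    details: { token: "0x" + "22".repeat(20), amount: MAX_UINT160.toString(),
               expiration: "281474976710655", nonce: "0" },
    spender: "0x" + "33".repeat(20), sigDeadline: "281474976710655",
  },
};
console.log(assessApproveCalldata(SAMPLE_APPROVE_DATA).flags);
console.log(assessTypedData(SAMPLE_PERMIT2_REQUEST, 1700000000).flags);
```

A real wallet or browser extension would run these checks before rendering the prompt and surface the flags to the user instead of a bare "Sign" button.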
Flare provides early visibility into fraud operations before they reach victims. By monitoring underground forums, Telegram channels, and marketplaces, Flare detects leaked data, victim lists, and recruitment activity tied to Caller-as-a-Service campaigns.
This allows organizations to proactively respond (reset credentials, alert users, and strengthen defenses) before attackers strike, reducing both risk and impact.
Sponsored and written by Flare.