$494 Million Stolen From Crypto Wallets By Drainers In 2024

According to a recent blog post by Scam Sniffer, a cryptocurrency monitoring service specializing in tracking illicit activity across blockchains, wallet drainers have been used to steal 494 million USD from crypto wallets in 2024.

Wallet drainers are a family of malware typically deployed on phishing websites that steal crypto assets by tricking users into signing off on malicious transactions.

Scam Sniffer reports that, year-on-year, incidents in 2024 increased by 67%. The number of victims also increased by 3.7% over 2023, with over 332,000 wallet addresses having funds stolen from them in 2024.

Other alarming numbers given by Scam Sniffer include that in 2024, there were 30 large-scale attacks; these are classified as amounting to losses of over 1 million USD per attack. The largest of these attacks resulted in a loss of 55.4 million USD. This attack occurred at the start of the year when Bitcoin's price was trending upwards, driving phishing attacks.

Scam Sniffer divided the year into three attack phases based on the data they accrued. The firm went on to define those three phases as follows:

  • The first quarter saw the heaviest losses, reaching 187.2 million USD with 175,000 victims. March recorded the highest losses at 75.2 million USD.
  • The second and third quarters' combined losses totaled 257 million USD, with victims decreasing to 90,000.
  • Fourth quarter losses dropped to 51 million USD, with victims reducing to 30,000, indicating improved security.

As for theft analysis trends, particularly involving large-scale attacks, the firm discovered that the first half of the year saw frequent but smaller-scale incidents, with individual losses ranging from one to eight million USD.

The peak activity occurred during July and September, with major losses of 55.48 million USD and 32.51 million USD in August and September, respectively. This accounted for 52% of the year's total large-scale losses.

The final quarter showed a significant reduction in the frequency and scale of attacks, with individual losses mostly ranging from two to six million USD, indicating an overall improvement in market security awareness.

As for the future outlook, Scam Sniffer stated,

As of 2024, known losses from phishing signature attacks have reached $790 million. Although these types of attacks decreased in the second half of the year, this might indicate that attackers are shifting towards other attack methods, such as malware and other more covert approaches… As the Web3 ecosystem continues to develop, the challenges of protecting user assets remain. Regardless of how attack methods evolve, continuous security awareness and building protective capabilities remain key to safeguarding assets.

Evolution of Wallet Drainers

Wallet drainers were deployed to compromised WordPress sites by the thousands in 2024. Still, security researchers are particularly interested in the evolution of wallet drainers and their different attack methodologies.

As mentioned above, the first half of the year was the most prolific in terms of attacks. This is due in part to popular wallet-draining malware like Pink Drainer being used extensively. There was a considerable drop-off in activity from the second quarter when Pink Drainer announced their exit.

Pink Drainer relied on impersonating journalists in phishing attacks to compromise Discord and Twitter accounts for cryptocurrency-stealing attacks. One such attack resulted in Pink Drainer successfully compromising the accounts of 1,932 victims to steal roughly three million USD worth of digital assets through Mainnet and Arbitrum platforms.

Once the attacker has gained the potential victim's trust, the attacker tells the targets they must conduct a KYC (know your customer) validation to prove their identity. The victim is then guided to websites used to steal Discord authentication tokens.

These sites impersonate malicious bots like a Carl verification bot, and victims are told to add bookmarks containing malicious JavaScript code using a "Drag Me" button on the malicious page. This code steals Discord tokens, enabling the attackers to hijack the accounts without knowing the user credentials or having a way to intercept the two-factor authentication code.
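A defensive check for the bookmark technique described above, as an added example that is not from the original article or from Scam Sniffer: it walks a Chromium-style Bookmarks JSON file and flags every bookmark that uses the javascript: scheme. The sample data, the risk patterns and the function names are constructed for illustration.

```python
import json
import re
from urllib.parse import unquote

# Heuristic markers (assumed, not exhaustive) of a bookmarklet that reads session data or phones home.
RISK_PATTERNS = {
    "reads storage/cookies": re.compile(r"localStorage|sessionStorage|document\.cookie", re.I),
    "network request": re.compile(r"fetch\s*\(|XMLHttpRequest|sendBeacon|new\s+WebSocket", re.I),
    "loads remote script": re.compile(r"createElement\s*\(\s*['\"]script|import\s*\(", re.I),
}

# Constructed sample in the Chromium "Bookmarks" layout (roots -> folders -> url nodes).
SAMPLE_BOOKMARKS = json.dumps({"roots": {
    "bookmark_bar": {"type": "folder", "name": "Bookmarks bar", "children": [
        {"type": "url", "name": "Docs", "url": "https://example.com/docs"},
        {"type": "url", "name": "Drag Me", "url": "JavaScript:(function(){var s=document."
            "createElement(%27script%27);s.src=%27https://example.invalid/x.js%27})()"},
        {"type": "folder", "name": "Tools", "children": [
            {"type": "url", "name": "Dark mode",
             "url": "javascript:document.body.style.background=%27%23000%27"}]},
    ]},
    "other": {"type": "folder", "name": "Other bookmarks", "children": []},
}})

def iter_url_nodes(node, path=()):
    """Walk a bookmark tree, yielding (folder_path, node) for each url node."""
    if node.get("type") == "url":
        yield "/".join(path), node
    for child in node.get("children", []):
        yield from iter_url_nodes(child, path + (node.get("name", ""),))

def find_bookmarklets(bookmarks_json):
    """Return one finding per bookmark whose URL uses the javascript: scheme."""
    findings = []
    for root in json.loads(bookmarks_json).get("roots", {}).values():
        if not isinstance(root, dict):  # skip non-folder metadata entries, if any
            continue
        for folder, node in iter_url_nodes(root):
            url = node.get("url", "").strip()
            if not url.lower().startswith("javascript:"):
                continue
            # Bookmarklets are often percent-encoded, so decode before matching.
            body = unquote(url[len("javascript:"):])
            reasons = [label for label, rx in RISK_PATTERNS.items() if rx.search(body)]
            findings.append({"folder": folder, "name": node.get("name", ""),
                             "high_risk": bool(reasons), "reasons": reasons})
    return findings
```

Any javascript: bookmark a user does not remember creating deserves review; the risk patterns only help prioritise which ones to look at first.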

Following Pink Drainer's exit, activity dropped generally until the mid-third quarter, when a spike in Inferno wallet drainer activity occurred. The malware was behind the thefts of approximately 110 million USD during August and September.

Finally, the activity subsided in the year's final quarter, which only accounted for about 10.3% of the total losses recorded in 2024. At that time, Ace Drainer also emerged as a major player, taking 20% of the drainer market, according to data.

Inferno Drainer is offered as malware-as-a-service, while threat actors have deployed Ace Drainer by compromising popular libraries and frameworks that developers use in the Web3 space.

If you have crypto assets stored in popular web-based wallets, Kaspersky provides the following advice to secure those assets as best as possible:

  • Don't put all your eggs in one basket: try to keep only a portion of your funds that you need for day-to-day project management in hot crypto wallets and store the bulk of your crypto assets in cold wallets.
  • To be on the safe side, use multiple hot wallets: one for your Web3 activities, such as drop hunting, another to keep operating funds for these activities, and transfer your profits to cold wallets. You'll have to pay extra commission for transfers between the wallets, but malicious actors could hardly steal anything from the empty wallet used for airdrops.
  • Keep checking the websites you visit repeatedly. Any suspicious detail should prompt you to stop and double-check everything.
  • Don't click on sponsored links in search results: only use links in organic search results – those that aren't marked "sponsored".

About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.
