A recent wave of Twitter/X account takeover attacks has seen multiple high-profile social media accounts compromised and used to spread malicious content aimed at stealing cryptocurrency. Some recent high-profile victims include the SEC and Mandiant. The attacks use a family of malware known as crypto-drainers and often supplied through Drainer-as-a-Service (DaaS) platforms.

Crypto Drainers and Drainers as a Service have received little attention from security researchers to date despite having been around since at least 2021. SentinelLabs turns the spotlight on Crypto Drainers and DaaS to raise awareness of this family of threats and how it impacts organisations.

Introduction to DaaS and crypto drainers

A crypto drainer is a malicious tool or script that is specially designed to transfer or redirect cryptocurrency from a victim’s wallet to that under the control of an attacker. Drainers targeting MetaMask first appeared around 2021, where they were openly marketed in underground forums and marketplaces.


Crypto drainers are often provided through a Drainer-as-a-Service model, with DaaS vendors offering software and support to cybercriminals for a percentage of the stolen funds.

The stolen cryptocurrency is split between affiliates (users of the DaaS) and the Daas operators. Typically, operators take anywhere between 5% and 25% of the cut, depending on the services provided.

The Threat of Account Takeover Attacks

Crypto draining can be hugely profitable for threat actors when they successfully take over high-profile social media accounts and use these to push malicious content to large audiences from what appears to be a trusted source, as recently happened to Mandiant and the U.S. Securities and Exchange Commission.

Other high-profile account takeovers include CertiK and Bloomberg Crypto. In late December, it was reported that a crypto drainer stole $59 million from 63,000 individuals using over 10,000 phishing websites.

These attacks typically begin with a brute-force password attack. This involves systematically attempting all possible passwords until the correct one is found. Accounts that lack 2FA or MFA are particularly vulnerable to this kind of attack.

Once an attacker gains access to the account, they are able to distribute phishing links to websites hosting drainers. For example, they may post content from the account offering free NFTs or other rewards to people who visit the site and sign a transaction. Unwitting victims, believing they will receive something of worth, are all too ready to connect their wallets, little knowing that the site contains a drainer script to empty their wallets.

Crypto Drainers Are on the Increase

Crypto drainers have become increasingly prominent since 2023 and many are now advertised across underground markets and Telegram channels. Mandiant identified Chick Drainer and Rainbow Drainer as two DaaS offerings using CLINKSINK. However, it is also suspected that the CLINKSINK source code may have leaked and be in use by multiple other threat actors.

Preventing Drainer Attacks

Although crypto drainers primarily aim to steal crypto assets from individuals, enterprises and organisations should be alert as their social media accounts can become part of the attack chain. Employees or business units within the organisation that deal with cryptocurrency assets could also be at risk.

To combat the threat of attacks from crypto drainers, it is important to ensure that 2FA or MFA is enabled for all social media accounts. Cryptocurrency users are advised to exercise the same kind of caution and be alert for social engineering attempts with NFTs, ‘airdrops’ and other crypto advertisements as they would with emails and other communication channels. Users should also consider adopting hardware-based wallets for added security.