Sophisticated Phishing Campaign Exploits Discord to Target Cryptocurrency Users

A recent phishing campaign has emerged, targeting cryptocurrency enthusiasts through the popular communication platform Discord. This sophisticated attack has affected over 30,000 users worldwide, leading to financial losses exceeding $9 million in the past six months. Notably, the campaign reveals the continued operation of the notorious Inferno Drainer, a malicious service that had previously announced its shutdown in 2023.

Attack Methodology

Researchers from Check Point have identified that attackers are leveraging social engineering tactics in conjunction with Discord’s platform features to execute highly convincing scams. In January 2025, it was discovered that members of prominent cryptocurrency communities were being targeted when attempting to access Discord support servers from legitimate Web3 websites.

Instead of connecting to authentic support channels, users were redirected to servers hosting counterfeit Collab.Land verification bots. Collab.Land is a legitimate service widely used in crypto communities to verify wallet holdings and grant access to exclusive channels. The attackers’ use of fake Collab.Land bots added a layer of credibility to their scheme, making it challenging for even experienced users to detect the fraud.

The fraudulent verification process led victims to phishing websites that closely mimicked the legitimate Collab.Land interface. Upon connecting their wallets, users were prompted to sign transactions that appeared legitimate but, in reality, authorized attackers to drain their cryptocurrency assets.

Advanced Evasion Techniques

This campaign is particularly concerning due to its association with Inferno Drainer, one of the most sophisticated cryptocurrency drainers in operation. Despite publicly announcing its shutdown in November 2023, the service has continued to operate with enhanced capabilities.

The attackers employ multiple advanced techniques to evade detection:

– Single-use and short-lived smart contracts: These contracts are designed to bypass wallet security warnings by being used only once and existing for a brief period.

– Blockchain-stored encrypted configurations: By storing command server addresses on the blockchain in an encrypted format, attackers obscure their infrastructure from security tools.

– Proxy-based communication infrastructure: This setup makes tracing the attackers’ activities nearly impossible, as it masks the origin of communications.

– Domain rotation and conditional redirection: Attackers frequently change their phishing domains and use conditional redirection to evade automated security tools that rely on static indicators.

One particularly effective tactic involves hijacking expired vanity invite links. Many Discord servers use custom URLs (e.g., discord.gg/projectname) that become available for anyone to claim if a server loses its boost status. Attackers monitor high-value vanity links and wait for them to expire. As soon as a link becomes free, they register it for their malicious server. This method is especially effective because old invite links may still be saved in announcements, websites, or social media posts, where they now lead users to the attackers' servers instead of the legitimate ones.
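A defender-side check for the stale-link problem described above, as an added example that is not from Check Point's research or from Discord: it extracts invite links from a project's published text and compares the server each one resolves to against the project's own server ID. The guild IDs, sample page and sample responses are constructed; `fetch_invite` calls Discord's Get Invite API endpoint for live use, while the offline sample passes a stand-in resolver.

```python
import json
import re
import urllib.error
import urllib.request

# Matches discord.gg/<code> and discord.com/invite/<code> links in published text.
INVITE_RE = re.compile(
    r"(?:https?://)?(?:www\.)?(?:discord\.gg|discord(?:app)?\.com/invite)/([A-Za-z0-9-]+)",
    re.IGNORECASE)

def extract_invite_codes(text):
    """Unique invite codes found in text, in order of first appearance."""
    return list(dict.fromkeys(INVITE_RE.findall(text)))

def fetch_invite(code):
    """Resolve an invite via Discord's Get Invite endpoint; None if it no longer exists."""
    url = f"https://discord.com/api/v10/invites/{code}"
    req = urllib.request.Request(url, headers={"User-Agent": "invite-audit-example"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None
        raise

def audit_invites(text, expected_guild_id, resolve=fetch_invite):
    """Classify every invite link in text as ok, dangling, or hijacked."""
    report = {}
    for code in extract_invite_codes(text):
        invite = resolve(code)
        if invite is None:
            report[code] = "dangling"   # unclaimed: remove the link from published pages
        elif str((invite.get("guild") or {}).get("id")) == str(expected_guild_id):
            report[code] = "ok"
        else:
            report[code] = "hijacked"   # resolves to a server that is not ours
    return report

# Constructed sample: a project page with one current link and two stale ones.
SAMPLE_PAGE = ("Join us: https://discord.gg/exampleproject\n"
               "Old announcement: discord.gg/example-old  "
               "Support: https://discord.com/invite/AbC123")
# Constructed stand-in for API responses, so the example runs offline.
SAMPLE_RESPONSES = {
    "exampleproject": {"code": "exampleproject", "guild": {"id": "111111111111111111"}},
    "example-old": {"code": "example-old", "guild": {"id": "999999999999999999"}},
}
```

Run offline with `audit_invites(SAMPLE_PAGE, "111111111111111111", SAMPLE_RESPONSES.get)`; omit the third argument to resolve links against the live API.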

Protective Measures

To safeguard against such sophisticated phishing attacks, Check Point researchers recommend the following precautions:

– Verify Discord bots: Ensure that Discord bots have the Verified App checkmark before interacting with them. This verification indicates that the bot has been reviewed and approved by Discord.

– Use bookmarks for crypto websites: Instead of clicking on links from untrusted sources, use bookmarks to access cryptocurrency websites. This practice reduces the risk of being redirected to phishing sites.

– Scrutinize wallet transactions: Never rush through wallet transactions. Carefully inspect the details before signing any transaction to ensure its legitimacy.

– Utilize separate burner wallets: When testing new projects or participating in airdrops, use separate wallets with limited funds. This approach minimizes potential losses if the project turns out to be malicious.

– Monitor official project channels: Stay informed by regularly checking official project channels for security updates and announcements.

The combination of technical sophistication and convincing social engineering continues to make these attacks successful, despite advances in wallet security and anti-phishing solutions. As the cryptocurrency landscape evolves, users must remain vigilant and adopt proactive security measures to protect their assets.