The emerging scam service Vanilla Drainer has stolen $5 million in three weeks.

A blockchain investigator has attributed at least $5.27 million in stolen cryptocurrency over the past three weeks to the rise of a scam service known as Vanilla Drainer.

Drainers are groups that supply fraudsters with scam software, which is often used in conjunction with phishing techniques to obtain victims' funds. Vanilla is part of a new generation of such groups. It had not previously attracted widespread attention, but recent high-value thefts have caught the eye of blockchain investigators.

According to Scam Sniffer data, 2024 was a peak year for scams, with victims losing nearly $500 million to top services like Angel, Inferno, and Pink. Although emerging security technologies have led to a decrease in the outflow of scam funds, fraud remains frequent, and blockchain investigator Darkbit warns that drainers are continuously adapting to changes.

“I see [Vanilla] taking over many of Inferno's clients,” Darkbit said in an interview with Cointelegraph. “Most of the recent six-figure and seven-figure outflows can be attributed to Vanilla Drainer.”

The early thefts associated with Vanilla date back to October 2024, but its first known public advertisement was posted on December 8, 2024, and is no longer accessible. The ad claimed that Vanilla could bypass Blockaid—a fraud detection platform often mentioned by drainers and believed to have caused a decline in their earnings or even shutdowns.

The initial revenue split for drainer service providers was 20% of the scam proceeds, which is the standard in the drainer industry. According to Vanilla's advertisement, if the amount stolen is large, the revenue share could be further reduced.

The largest theft involving Vanilla occurred on August 5, with the victim losing $3.09 million in stablecoins. In this case, the operators of Vanilla allegedly received a $463,000 cut for providing the tools, accounting for about 17% of the stolen funds.

After the cut is taken, Vanilla typically converts the tokens into blockchain-native cryptocurrencies, such as Ethereum (ETH), and then transfers them to a final receiving wallet (0x9d3…E710d). According to Darkbit, most of the scam proceeds are stored in this wallet. Approximately $1.6 million in that wallet has been converted to Dai (DAI), a decentralized stablecoin pegged to the US dollar that cannot be frozen; centralized stablecoins like USDT (Tether) and USDC, by contrast, carry freezing risks. As of the time of writing, the wallet holds $2.23 million in tokens, primarily DAI and ETH.

With the proliferation of security tools, many crypto scam services have shut down, leading to a contraction in the industry, but drainers have recently been catching up with new strategies.

Darkbit points out that one of Vanilla's strategies to stay ahead is frequently changing domain names to avoid lingering in the same place for too long.

“I've started to notice that every malicious website and domain creates new malicious contracts to avoid continuous exposure to regulatory scrutiny,” Darkbit said.

In July, phishing scams stole a total of $7.09 million, a 153% increase from June. Scam Sniffer data shows that the number of victims also grew by 56%, reaching 9,143 people.

The largest single loss in July was $1.23 million. Blockchain fund flows indicate that the drainer fees charged for this scam totaled 54 ETH, worth $204,074 at the time. Ultimately, these fees were transferred to the same suspected Vanilla receiving wallet associated with the $3.09 million case in August.

Blockchain analysis also linked Vanilla Drainer to two other six-figure incidents in July, estimating the drainer's responsibility at $2.19 million, accounting for over 30% of the total phishing amount for that month.

Between July 15 and August 5, Vanilla was used in at least four major scams involving a total of $5.27 million, with each case resulting in six-figure to seven-figure losses.

Against the backdrop of a gradually contracting but still dangerous landscape in crypto crime, Vanilla has quickly established itself. Despite a slowdown in overall scam fund outflows since 2024, Vanilla continues to attract funds and draw in many former Inferno users. Darkbit states that its operators remain agile, continuously changing domain names and contracts to evade detection.

History shows that even public announcements of shutdowns rarely mean the end. For example, Inferno Drainer announced its closure in November 2023, but reappeared multiple times in 2024, ultimately handing over its operations to Angel Drainer later that year. Despite these announcements, Inferno-related activities continued into 2025, causing losses exceeding $9 million within six months.

The rapid growth of Vanilla and the ongoing presence of Inferno indicate that drainer services rarely disappear—they adapt, rebrand, or pass their tools to new operators. For investigators, the challenge lies in keeping up with an ecosystem that refuses to die.

Original article: “Emerging Scam Service Vanilla Drainer Steals $5 Million in Three Weeks”
