Modern crypto drainers don't hack wallets. They trick users into approving malicious transactions. Flare explores how the Lucifer DaaS platform scales wallet theft through phishing and automation. [...]
Analysis Summary
# Tool/Technique: Lucifer Drainer (Drainer-as-a-Service)
## Overview
Lucifer is a sophisticated "Drainer-as-a-Service" (DaaS) platform used to automate the theft of cryptocurrency and digital assets. Unlike traditional malware that compromises a device, Lucifer facilitates social engineering attacks where victims are tricked into granting permission to malicious smart contracts or signing fraudulent off-chain messages. This allows attackers to bypass certain wallet security features and clear out assets across multiple blockchains.
## Technical Details
- **Type:** Drainer-as-a-Service (DaaS) / Phishing Framework
- **Platform:** Web-based (Targeting browser-based and mobile crypto wallets such as MetaMask, Trust Wallet, Coinbase Wallet, etc.)
- **Capabilities:** Multichain support, ERC20 draining, Permit2 support, off-chain signature abuse, and automated asset transfer.
- **First Seen:** Active presence observed in underground forums between early 2025 and 2026.
## MITRE ATT&CK Mapping
- **[TA0001 - Initial Access]**
  - [T1566 - Phishing]
- **[TA0002 - Execution]**
  - [T1204.001 - User Execution: Malicious Link]
- **[TA0006 - Credential Access]**
  - [T1557 - Adversary-in-the-Middle] (Intercepting wallet signatures)
- **[TA0010 - Exfiltration]**
  - [T1567 - Exfiltration Over Web Service] (Automated transfer of tokens via smart contracts)
## Functionality
### Core Capabilities
- **Transaction Approval Abuse:** Tricks victims into approving "SetApprovalForAll" or "Approve" transactions, granting the drainer control over specific tokens or NFTs.
- **Off-chain Signatures:** Requests opaque signatures (for example via eth_sign) that users cannot readily decode and that often bypass basic wallet warnings.
- **Multichain Support:** Capable of detecting and draining assets across various EVM-compatible chains (Ethereum, BSC, Polygon, etc.).
- **Automated Asset Transfer:** Once permission is granted, assets are instantly routed to attacker-controlled "hit" wallets.
### Advanced Features
- **Permit2 Integration:** Leverages the Uniswap Permit2 smart contract to simplify token approvals and bypass certain security alerts.
- **Wallet-Security Bypasses:** Updates logic to stay ahead of security warnings implemented by popular wallet providers.
- **DaaS Architecture:** Includes a professionalized backend for affiliates, featuring website cloning tools, deployment automation, and a 20% commission-based tracking system.
## Indicators of Compromise
- **File Hashes:** N/A (Web-based script; typically obfuscated JavaScript).
- **File Names:** `drainer.js`, `main.js`, `init.js` (Generic names used in phishing templates).
- **Network Indicators:**
  - `lucifer-drainer[.]io` (Defanged)
  - `lucifer-api[.]com` (Defanged)
  - `luciferconnect[.]xyz` (Defanged)
  - Various temporary phishing domains mimicking NFT mints, airdrops, or DeFi platforms.
- **Behavioral Indicators:** Sudden requests for "SetApprovalForAll" on suspicious websites; unexpected "Sign Message" prompts immediately upon connecting a wallet.
## Associated Threat Actors
- **Lucifer DaaS Operators:** The primary developers/administrators.
- **Affiliates:** Unnamed individual threat actors who drive traffic via social media (X/Twitter), Discord, and Telegram.
## Detection Methods
- **Signature-based detection:** Monitoring for specific JavaScript obfuscation patterns or unique logic used in Lucifer’s transaction scripts.
- **Behavioral detection:** Analyzing web traffic for connections to known DaaS backend APIs and identifying "Approval" transactions sent to newly created or blacklisted contract addresses.
- **Real-time Monitoring:** Using wallet extensions or security tools that simulate transactions to identify if a signature will result in asset loss.
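The decode-and-warn logic the last two points describe, as an added example that is not code from the Flare report or from the drainer itself: a wallet-side screen over the JSON-RPC requests a dApp sends to a provider, flagging the patterns listed above (unlimited `approve`, `setApprovalForAll`, `eth_sign`, and Permit2 typed-data signatures). The function selectors are the standard ERC-20/ERC-721 ones; the spender address and request shapes are constructed sample data.

```javascript
// Added example, not code from the Flare report or from the Lucifer drainer itself.
// Minimal wallet-side screen for the request types the report lists as drainer
// behaviour: approve / setApprovalForAll calldata, eth_sign, and Permit2 typed data.
// Selectors are the first 4 bytes of keccak256 of the canonical function signature.
const APPROVE_SEL = "095ea7b3";              // approve(address,uint256)
const SET_APPROVAL_FOR_ALL_SEL = "a22cb465";  // setApprovalForAll(address,bool)
const UINT256_MAX = (1n << 256n) - 1n;

// Return the i-th 32-byte ABI word of hex calldata (the 4-byte selector is skipped).
function word(data, i) {
  return data.slice(8 + i * 64, 8 + (i + 1) * 64);
}

// Assess a JSON-RPC request as a wallet provider receives it ({method, params}).
// Returns {risk, reason} with risk "high", "medium" or "low".
function assessRequest(req) {
  const { method, params = [] } = req;
  if (method === "eth_sign") {
    return { risk: "high", reason: "eth_sign signs an opaque hash the wallet cannot decode for review" };
  }
  if (method === "eth_signTypedData_v4") {
    const typed = typeof params[1] === "string" ? JSON.parse(params[1]) : params[1];
    if (typed?.domain?.name === "Permit2") {
      // Permit2 messages carry the spender in details (PermitSingle) or at top level.
      const spender = typed.message?.details?.spender ?? typed.message?.spender;
      return { risk: "high", reason: `Permit2 signature granting a token allowance to ${spender}` };
    }
    return { risk: "medium", reason: "typed-data signature: check domain and message before signing" };
  }
  if (method === "eth_sendTransaction") {
    const data = (params[0]?.data ?? "0x").replace(/^0x/i, "").toLowerCase();
    if (data.length < 8 + 2 * 64) return { risk: "low", reason: "no approval calldata" };
    const sel = data.slice(0, 8);
    const target = "0x" + word(data, 0).slice(24); // spender or operator address
    const arg = BigInt("0x" + word(data, 1));       // amount (approve) or bool (setApprovalForAll)
    if (sel === APPROVE_SEL && arg === UINT256_MAX) {
      return { risk: "high", reason: `unlimited ERC-20 approval to ${target}` };
    }
    if (sel === APPROVE_SEL) {
      return { risk: "medium", reason: `ERC-20 approval of ${arg} to ${target}` };
    }
    if (sel === SET_APPROVAL_FOR_ALL_SEL && arg === 1n) {
      return { risk: "high", reason: `setApprovalForAll hands ${target} every token in the collection` };
    }
  }
  return { risk: "low", reason: "no approval or opaque-signature pattern found" };
}

// Constructed sample: an unlimited approve() to a placeholder spender address.
const SAMPLE_SPENDER = "000000000000000000000000000000000000dead";
const SAMPLE_APPROVE = { method: "eth_sendTransaction",
  params: [{ data: "0x" + APPROVE_SEL + "0".repeat(24) + SAMPLE_SPENDER + "f".repeat(64) }] };
console.log(assessRequest(SAMPLE_APPROVE)); // risk: "high"
```

A real extension would additionally simulate the transaction and compare the spender against an allow/deny list; this block only shows the decode step.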
## Mitigation Strategies
- **Prevention measures:** Use of "burner" wallets (wallets holding minimal funds) when interacting with new or unverified Web3 sites.
- **Hardening recommendations:** Use of security extensions (e.g., Wallet Guard, Rabby Wallet, Pocket Universe) that decode transaction data and warn of "drainer" behavior.
- **Revocation:** Regularly monitoring and revoking active token allowances via tools like Revoke.cash.
## Related Tools/Techniques
- **Monkey Drainer:** A predecessor in the DaaS space.
- **Inferno Drainer:** A prominent contemporary using similar affiliate models.
- **Pink Drainer:** Another widespread DaaS framework targeting crypto users.