1.23M Stolen (Vanilla Drainer)

There's a new wallet drainer on the loose that's claiming a number of six- and seven-figure thefts of late. Lately, I've been investigating a number of drain thefts that appear to have commonalities.

Recently, a single victim lost over 1.23M in two Uniswap v3 Position NFTs. Wallet drains happen daily, but this one is unique as it's from a recently launched wallet drainer, Vanilla Drainer.

  • 0x3Dc4b980FeF45ab22f8A55b025aE9D19001d97b3 – 1.23M Scammer
  • 0x0000093161E379aEBCf40E7aCfd387Edb3000000 – Malicious Drainer Contract
  • 0x40055A8B7aC86ad8d56A5e7bab79984DB581dA4b – 1.23M VICTIM

In this instance, a malicious contract was signed that allowed the attacker full access to the victim's Uniswap v3 Positions.

Once the victim gave approval, the assets were transferred to the Malicious Contract and then to a wallet owned by the scammer – 0x3Dc4b980FeF45ab22f8A55b025aE9D19001d97b3.

Interestingly, all of the victim's funds are accounted for and are currently sitting in the scammer's wallet in DAI.

Above is a post from Scam Sniffer outlining the transaction that led to the victim losing about 1.23M.

New anti-phishing technology like Blockaid helps prevent the large 6- and 7-figure single-victim drains that happened daily in 2023-2024. However, the scammers are smart and adapt. I'm starting to see more large wallet drains from new sophisticated methods.

I looked at some of the transaction history of the Scammer Wallet d97b3 and noticed some interesting inflow from another scammer wallet – 0x9d38606C16E6C4F7B1ed4224eA5724FF5C6E710d (Etherscan gave it a label of Fake_Phishing130777, a known phishing wallet). This wallet also appears to have significant assets, mostly in DAI. (At the time of this writing I'm showing close to 1.6M).

This wallet and others lead to a new drainer, Vanilla Drainer.

What is Vanilla Drainer?

Vanilla Drainer appears to follow in the footsteps of Inferno/Angel Drainer. I'm seeing similarities between the two and many on-chain interactions between Inferno and Vanilla Drainer.

Vanilla may be a spin-off, a stripped-down version of Inferno Drainer (thus the name Vanilla!), or it could be its own separate entity. To attract more Customers, Vanilla Drainer appears to be taking 15% of the drained assets vs Inferno Drainer's 20%.

The main ENS wallet of Vanilla Drainer is:

0xbadC0dE628760964219B6b45eed756F6b5405026 with registered ENS addresses of vanilladrainer.eth and vanilla-drainer.eth

Both ENS addresses were registered on 4/10/25. I LOLed at the prefix for this wallet, 0xbad.

Above is a posting, presumably from the operator of Vanilla Drainer, announcing the launch of Vanilla Drainer.

This post appears to be made in Dec of 2024. I'm showing on-chain txns of Vanilla Drainer related thefts going back to as early as Oct 2024.

How does Vanilla Drainer Work?

Vanilla is one of many SaaS Platforms out there (Scams As a Service). The process is mostly automated with some initial setup work to register the domain, build the website, and promote in search engines & social media.

In many instances, fake websites around recently hyped token launches attract a lot of drainer activity. The user is tricked into approving token transactions that drain their wallet instead of receiving their rewards.

Above is a simplified version of how Vanilla Drainer works with 100K USDC as an example. The assets are transferred to the contract and then distributed between the Customer and Admin (Vanilla Drainer).
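The split described above can be looked for in a transaction's decoded token transfers when triaging a suspected drain. This is an added example, not code from the original post or from any tool it mentions; it is a heuristic that assumes the contract forwards the full amount to exactly two recipients within one transaction, and the addresses and sample transfers are constructed placeholders.

```python
from collections import defaultdict
from fractions import Fraction

# Fee shares stated in the post: Vanilla takes 15%, Inferno takes 20%.
KNOWN_ADMIN_SHARES = {"Vanilla-like (15%)": Fraction(15, 100),
                      "Inferno-like (20%)": Fraction(20, 100)}
TOLERANCE = Fraction(1, 200)  # assumption: allow 0.5 percentage points of rounding

# Constructed sample: the post's 100K USDC illustration (USDC has 6 decimals).
SAMPLE = [
    ("USDC", "0xVictim", "0xRelay", 100_000 * 10**6),
    ("USDC", "0xRelay", "0xCustomer", 85_000 * 10**6),
    ("USDC", "0xRelay", "0xAdmin", 15_000 * 10**6),
]


def classify_split(transfers):
    """Find victim -> relay -> (customer, admin) flows in one transaction.

    transfers: (token, sender, recipient, amount) tuples, i.e. the decoded
    ERC-20 Transfer logs of a single transaction.
    Returns one dict per relay that passed on everything it received to
    exactly two recipients in a known service-fee ratio.
    """
    inflow = defaultdict(list)   # (token, address) -> [(sender, amount)]
    outflow = defaultdict(list)  # (token, address) -> [(recipient, amount)]
    for token, src, dst, amount in transfers:
        inflow[(token, dst)].append((src, amount))
        outflow[(token, src)].append((dst, amount))

    findings = []
    for (token, relay), outs in outflow.items():
        ins = inflow.get((token, relay), [])
        if len(ins) != 1 or len(outs) != 2:
            continue
        victim, received = ins[0]
        (admin, fee), (customer, rest) = sorted(outs, key=lambda o: o[1])
        if received == 0 or fee + rest != received:
            continue  # relay kept or added funds: not a pure pass-through
        share = Fraction(fee, received)  # smaller leg is treated as the fee
        for label, expected in KNOWN_ADMIN_SHARES.items():
            if abs(share - expected) <= TOLERANCE:
                findings.append({"token": token, "victim": victim,
                                 "relay": relay, "admin": admin,
                                 "customer": customer, "pattern": label})
    return findings
```

A match is a lead for further tracing, not proof: any contract that pays a 15% or 20% fee will produce the same shape.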

Vanilla Drainer appears to be bypassing anti-phishing methods by deploying new phishing contracts at scale while simultaneously rotating fresh domains that host the malicious website.

While still relatively new on the market, I'm starting to see a number of big six- and seven-figure thefts attributed to Vanilla Drainer.

For example, last week a victim lost about 340K USD0++ in a similar way to the victim who lost 1.23M. The victim signed a malicious phishing transaction that drained his wallet of USD0++.

Here are the affected wallets:

  • 0x4a5dBcb00AF4d925877d6441a972853Ae6828aa6 – 340K Victim
  • 0x995991a66Dc9ab2D148323A6c80ec7bAce8D5dA1 – Vanilla Drainer Customer
  • 0x3B1E4774A207e2653d0955ba1BC36E9AA7eD5f37 – Vanilla Drainer ADMIN

This victim and the 1.23M victim are connected through the same wallet drainer. There are countless other large thefts attributed to Vanilla Drainer and more to come, unfortunately.

Stay safe out there!

submitted by /u/jbtravel84