Cointime

New scam service Vanilla Drainer takes $5M in three weeks

A blockchain investigator has attributed at least $5.27 million in crypto stolen over three weeks to a rising scam service known as Vanilla Drainer.

Drainers are entities that provide scam software to fraudsters, often paired with phishing tactics to access victims’ funds. Vanilla is part of a new generation of these groups and has largely flown under the radar, but recent high-value thefts have drawn attention from blockchain sleuths.

Draining scams peaked in 2024, when victims lost almost $500 million to top services, such as Angel, Inferno and Pink, according to Scam Sniffer. Draining still occurs frequently, though volumes have dropped due to new security technologies. However, blockchain investigator Darkbit warns that drainers are adapting.

“I see [Vanilla] taking over many Inferno customers,” Darkbit told Cointelegraph. “Most of the large six- and seven-figure drains of late can be attributed to Vanilla Drainer.”

A simplified fund flow sample of a Vanilla scam trail shows a 15%-20% cut for the drainer provider. Source: Darkbit

One victim lost $3 million in crypto to Vanilla Drainer

Earlier Vanilla thefts can be traced back to October 2024, but its earliest known public advertisement was posted on Dec. 8, 2024, though it has since become inaccessible. The ad claimed Vanilla could bypass Blockaid, a fraud detection platform often cited by drainers as a major factor behind declining proceeds and, in some cases, their shutdown.

A December Vanilla advert promises an “advanced algorithm” to avoid Blockaid detection. Source: Vanilla Drainer/Carder Market

The service starts with a 20% cut of scam proceeds for the drainer provider, which is considered the standard split in the draining world. According to Vanilla’s advert, the percentage could drop for larger hauls.

The largest theft attributed to Vanilla occurred on Aug. 5, when a victim lost $3.09 million in stablecoins. In this case, Vanilla’s operators appear to have received a $463,000 fee for providing the tools, or about 17% of the stolen funds.

Vanilla operators received a $463,000 cut from their largest known haul. Source: Darkbit

Once the split is taken, Vanilla typically converts tokens into the blockchain’s native cryptocurrency, like Ether, before transferring them to a final fee wallet (0x9d3…E710d), where most of the scam fees are parked, according to Darkbit. Around $1.6 million in this wallet has been converted to Dai (DAI), a decentralized stablecoin pegged to the US dollar that cannot be frozen like its centralized counterparts, USDt (USDT) or USDC. At the time of writing, the wallet held $2.23 million in tokens, mostly in DAI and ETH.

Crypto drainers and phishing scams rebound

Several drainers have shut down as security tools dampened the draining industry, but lately, drainers have been catching up with new tactics of their own. 

According to Darkbit, one method Vanilla uses to stay ahead of the curve is cycling through domains without remaining in one spot for too long.

“I’m starting to see fresh malicious contracts created for every malicious website and domain to avoid staying on the radar,” Darkbit said.

In July, phishing scams stole $7.09 million from victims, a 153% increase from June. The number of victims also rose 56% to 9,143, according to Scam Sniffer data.

The largest single loss in July was $1.23 million. Blockchain trails show that the draining fees collected from this scam totaled 54 ETH, valued at $204,074 at the time. The fees were ultimately transferred to the same suspected Vanilla fee wallet linked to the $3.09-million incident in August.

Fund trail in the largest July loss leads to Vanilla Drainer’s fee wallet. Source: Scam Sniffer

Blockchain analysis also links Vanilla Drainer to two other six-figure incidents in July, bringing the drainer’s responsibility to an estimated $2.19 million — over 30% of the month’s phishing total.

Crypto drainers shut down but don’t die

Between July 15 and Aug. 5, Vanilla was used in at least four major scams totaling $5.27 million, each resulting in six- to seven-figure losses.

Vanilla has quickly established itself in a shrinking but still dangerous corner of crypto crime. Even as overall draining volumes have slowed since 2024, Vanilla is pulling in millions and attracting former Inferno users. Darkbit claims that its operators remain agile, cycling through domains and contracts to stay ahead of detection.

History suggests that even a public shutdown rarely means the end. Inferno Drainer, for example, announced its closure in November 2023, only to resurface throughout 2024 before handing operations to Angel Drainer later that year. Despite those announcements, Inferno-linked activity has continued into 2025 and has been tied to more than $9 million in losses over six months.

Security experts continue attributing scams to services that have publicly announced shutdowns. Source: Blockaid

Vanilla’s rapid growth alongside Inferno’s persistence shows that drainer services rarely disappear — they adapt, rebrand or pass their tools to new operators. For investigators, the challenge is keeping pace with an ecosystem that refuses to die.
