New scam service Vanilla Drainer takes $5M in three weeks

A blockchain investigator has attributed at least $5.27 million in crypto stolen over three weeks to a rising scam service known as Vanilla Drainer.

Drainers are entities that provide scam software to fraudsters, often paired with phishing tactics to access victims’ funds. Vanilla is part of a new generation of these groups and has largely flown under the radar, but recent high-value thefts have drawn attention from blockchain sleuths.

Draining scams peaked in 2024, when victims lost almost $500 million to top services, such as Angel, Inferno and Pink, according to Scam Sniffer. Draining still occurs frequently, though volumes have dropped due to new security technologies. However, blockchain investigator Darkbit warns that drainers are adapting.

“I see [Vanilla] taking over many Inferno customers,” Darkbit told Cointelegraph. “Most of the large six- and seven-figure drains of late can be attributed to Vanilla Drainer.”

A simplified fund flow sample of a Vanilla scam trail shows a 15%-20% cut for the drainer provider. Source: Darkbit

One victim lost $3 million in crypto to Vanilla Drainer

Earlier Vanilla thefts can be traced back to October 2024, but its earliest known public advertisement was posted on Dec. 8, 2024, though it has since become inaccessible. The ad claimed Vanilla could bypass Blockaid, a fraud detection platform often cited by drainers as a major factor behind declining proceeds and, in some cases, their shutdown.

A December Vanilla advert promises an “advanced algorithm” to avoid Blockaid detection. Source: Vanilla Drainer/Carder Market

The service starts with a 20% cut of scam proceeds for the drainer provider, which is considered the standard split in the draining world. According to Vanilla’s advert, the percentage could drop for larger hauls.

The largest theft attributed to Vanilla occurred on Aug. 5, when a victim lost $3.09 million in stablecoins. In this case, Vanilla’s operators appear to have received a $463,000 fee for providing the tools, or about 17% of the stolen funds.

Vanilla operators received a $463,000 cut from their largest known haul. Source: Darkbit

Once the split is taken, Vanilla typically converts tokens into the blockchain’s native cryptocurrency, like Ether, before transferring them to a final fee wallet (0x9d3…E710d), where most of the scam fees are parked, according to Darkbit. Around $1.6 million in this wallet has been converted to Dai (DAI), a decentralized stablecoin pegged to the US dollar that cannot be frozen like its centralized counterparts, USDt (USDT) or USDC. At the time of writing, the wallet held $2.23 million in tokens, mostly in DAI and ETH.

Crypto drainers and phishing scams rebound

Several drainers have shut down as security tools dampened the draining industry, but lately, drainers have been catching up with new tactics of their own. 

According to Darkbit, one method Vanilla uses to stay ahead of the curve is cycling through domains without remaining in one spot for too long.

“I’m starting to see fresh malicious contracts created for every malicious website and domain to avoid staying on the radar,” Darkbit said.

In July, phishing scams stole $7.09 million from victims, a 153% increase from June. The number of victims also rose 56% to 9,143, according to Scam Sniffer data.

The largest single loss in July was $1.23 million. Blockchain trails show that the draining fees collected from this scam totaled 54 ETH, valued at $204,074 at the time. The fees were ultimately transferred to the same suspected Vanilla fee wallet linked to the $3.09-million incident in August.

Fund trail in the largest July loss leads to Vanilla Drainer’s fee wallet. Source: Scam Sniffer

Blockchain analysis also links Vanilla Drainer to two other six-figure incidents in July, bringing the drainer’s responsibility to an estimated $2.19 million — over 30% of the month’s phishing total.

Crypto drainers shut down but don’t die

Between July 15 and Aug. 5, Vanilla was used in at least four major scams totaling $5.27 million, each resulting in six- to seven-figure losses.

Vanilla has quickly established itself in a shrinking but still dangerous corner of crypto crime. Even as overall draining volumes have slowed since 2024, Vanilla is pulling in millions and attracting former Inferno users. Darkbit claims that its operators remain agile, cycling through domains and contracts to stay ahead of detection.

History suggests that even a public shutdown rarely means the end. Inferno Drainer, for example, announced its closure in November 2023, only to resurface throughout 2024 before handing operations to Angel Drainer later that year. Despite those announcements, Inferno-linked activity has continued into 2025 and has been tied to more than $9 million in losses over six months.

Security experts continue attributing scams to services that have publicly announced shutdowns. Source: Blockaid

Vanilla’s rapid growth alongside Inferno’s persistence shows that drainer services rarely disappear — they adapt, rebrand or pass their tools to new operators. For investigators, the challenge is keeping pace with an ecosystem that refuses to die.
