Solana Drainer Source Code Leak Reveals MS Drainer Connection, Underscores Growing Threat to Crypto Users
Researchers at Cyble Research and Intelligence Labs (CRIL) have exposed a worrying nexus between recent Solana wallet draining attacks and the notorious MS Drainer malware. This discovery comes on the heels of the Solana Drainer’s source code being leaked on a cybercrime forum. Analysis reveals a collaborative development effort and highlights the accelerating threat these malicious tools pose to the cryptocurrency community.
The Evolving Threat Landscape
Crypto drainers are scripts designed to rapidly siphon crypto assets from targeted wallets. Their evolution has been swift: they initially compromised browser-based wallets such as MetaMask and have since expanded to a range of other platforms. Threat actors (TAs) rely on social engineering, fake websites, phishing pages, and malicious ads propagated via platforms like Google and Twitter to lure victims.
Spreading the Infection
Google ads and Twitter are primary vectors for drainer distribution:
- Compromised Accounts: High-profile accounts are hacked to spread fake airdrops or giveaways linked to drainers. (Example: the March 2024 Trezor incident).
- Counterfeit Profiles: Fake accounts mimicking legitimate entities are used for phishing schemes.
- Malicious Ads: TAs exploit advertising networks to deliver malware-laden links.
Impact of the Code Leak
Leaked crypto drainer source code has far-reaching consequences:
- New Variant Proliferation: Malicious actors can build upon existing code to create more sophisticated and evasive drainers.
- Lower Barrier to Entry: Less technical TAs can now repurpose leaked code for their attacks.
- Solana Drainer Exposed: The leaked code, linked to MS Drainer developers, includes detailed setup instructions, aiding in the drainers’ wider deployment.
The Solana Drainer in Action
The leaked code provides disturbing insights:
- Seed Phrase Theft: The drainer targets seed phrases, enabling complete wallet takeover.
- Telegram Integration: Stolen assets are funneled away, with Telegram often used as the channel for communication and control.
- Testing Phase: CRIL identified a phishing site linked to the Solana Drainer, indicating potential for large-scale campaigns.
The MS Drainer Legacy
MS Drainer has a dark history:
- Massive Theft: Linked to the theft of approximately $59 million across multiple attacks in 2023.
- Significant Losses: Individual victims have reported losses exceeding $20 million in some cases.
The Takeaway
The Solana Drainer leak reveals the ongoing cat-and-mouse game between crypto attackers and security experts. As source code proliferates and techniques are shared, cryptocurrency holders and platforms alike must remain vigilant and invest in proactive defense strategies.
For in-depth analysis and Indicators of Compromise (IoCs), refer to the full CRIL report.