A blockchain investigator has linked at least $5.27 million in cryptocurrency stolen over three weeks to an emerging scam service known as Vanilla Drainer.
Drainers are organizations that offer scam software to criminals, often combined with phishing strategies to gain access to victims’ funds. Vanilla represents a new wave of these groups and has mostly evaded detection, but recent high-value thefts have garnered attention from blockchain investigators.
Draining scams peaked in 2024, with victims losing nearly $500 million to prominent services like Angel, Inferno, and Pink, as reported by Scam Sniffer. Although draining incidents are still common, volume has decreased due to advancements in security technologies. Nevertheless, blockchain investigator Darkbit warns that drainers are evolving.
“I see [Vanilla] taking over many Inferno customers,” Darkbit told Cointelegraph. “Most of the significant six- and seven-figure drains recently can be tied back to Vanilla Drainer.”
A simplified fund flow sample of a Vanilla scam trail shows a 15%-20% cut for the drainer provider. Source: Darkbit
One victim lost $3 million in crypto to Vanilla Drainer
Initial Vanilla thefts can be traced back to October 2024, but its earliest known public advertisement surfaced on Dec. 8, 2024, although it has since been removed. The ad claimed Vanilla could circumvent Blockaid, a fraud detection service often cited by drainers as a major factor in their declining profits and, in some cases, their shutdown.
A December Vanilla advertisement promises an “advanced algorithm” to evade Blockaid detection. Source: Vanilla Drainer/Carder Market
The service starts with a 20% cut of scam profits for the drainer provider, which is regarded as the standard split in the draining community. Vanilla’s advertisement states that this percentage might decrease for larger thefts.
The largest theft linked to Vanilla occurred on Aug. 5, when a victim lost $3.09 million in stablecoins. In this incident, it appears Vanilla’s operators received a $463,000 fee for providing the tools, equating to about 17% of the stolen funds.
Vanilla operators received a $463,000 cut from their largest known haul. Source: Darkbit
After the split is taken, Vanilla usually converts tokens into the blockchain’s native cryptocurrency, such as Ether (ETH), before transferring them to a final fee wallet (0x9d3…E710d), where most of the scam fees are accumulated, according to Darkbit. Approximately $1.6 million in this wallet has been converted to Dai (DAI), a decentralized stablecoin tied to the US dollar that cannot be frozen like its centralized counterparts, USDt (USDT) or USDC (USDC). At the time of writing, the wallet held $2.23 million in tokens, predominantly in DAI and ETH.
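The fund-flow pattern described above (a provider cut split off the stolen tokens, then consolidated into one fee wallet) can be turned into a tracing heuristic. The following is an added example, not code from Darkbit or Scam Sniffer: the addresses and amounts are constructed placeholders, the 15%-20% band is taken from the figures quoted on this page, and the token swap step is simplified to a plain transfer.

```python
from collections import defaultdict

# Constructed sample transfers, not real chain data:
# (tx id, sender, recipient, token, amount)
TRANSFERS = [
    ("tx1", "victim_A", "affiliate_1", "USDC", 830_000),
    ("tx1", "victim_A", "fee_hop_1", "USDC", 170_000),
    ("tx2", "victim_B", "affiliate_2", "USDT", 410_000),
    ("tx2", "victim_B", "fee_hop_2", "USDT", 90_000),
    ("tx3", "user_C", "friend_1", "DAI", 500),
    ("tx3", "user_C", "friend_2", "DAI", 500),  # even split, outside the band
    ("tx4", "fee_hop_1", "fee_wallet", "ETH", 45),  # swap step simplified away
    ("tx5", "fee_hop_2", "fee_wallet", "ETH", 24),
]

def find_fee_splits(transfers, lo=0.15, hi=0.20):
    """Flag transactions where one sender's tokens are split and the
    smallest share falls inside the assumed drainer-fee band [lo, hi]."""
    groups = defaultdict(lambda: defaultdict(float))
    for tx, sender, recipient, token, amount in transfers:
        groups[(tx, sender, token)][recipient] += amount
    hits = []
    for (tx, sender, _token), shares in groups.items():
        if len(shares) < 2:
            continue  # a single recipient is not a split
        fee_to, fee_amt = min(shares.items(), key=lambda kv: kv[1])
        ratio = fee_amt / sum(shares.values())
        if lo <= ratio <= hi:
            hits.append({"tx": tx, "victim": sender,
                         "fee_recipient": fee_to, "ratio": round(ratio, 4)})
    return hits

def shared_sinks(transfers, fee_recipients, max_hops=3):
    """Follow outgoing transfers from each fee recipient and return the
    addresses reached from two or more distinct fee recipients."""
    out = defaultdict(set)
    for _tx, sender, recipient, _token, _amount in transfers:
        out[sender].add(recipient)
    reached = defaultdict(set)
    for start in fee_recipients:
        frontier, seen = {start}, {start}
        for _ in range(max_hops):
            frontier = {n for a in frontier for n in out[a]} - seen
            seen |= frontier
            for node in frontier:
                reached[node].add(start)
    return {a: sorted(s) for a, s in reached.items() if len(s) >= 2}
```

A split ratio alone produces false positives on ordinary multi-recipient payments; the convergence of several flagged fee recipients on one sink is what makes the attribution worth a manual review.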
Crypto drainers and phishing scams rebound
While several drainers have shut down due to security measures, many have recently adapted with new tactics of their own.
According to Darkbit, one tactic Vanilla uses to stay ahead is switching domains frequently, without staying on any one for long.
“I’m starting to see fresh malicious contracts created for every malicious website and domain to avoid staying on the radar,” Darkbit noted.
In July, phishing scams stole $7.09 million from victims, representing a 153% increase from June. The number of victims also rose by 56% to 9,143, according to Scam Sniffer data.
The largest single loss in July amounted to $1.23 million. Blockchain trails indicate that the draining fees collected from this scam totaled 54 ETH, valued at $204,074 at the time. The fees were ultimately transferred to the same suspected Vanilla fee wallet associated with the $3.09 million incident in August.
Fund trail in the largest July loss leads to Vanilla Drainer’s fee wallet. Source: Scam Sniffer
Blockchain analysis further links Vanilla Drainer to two other six-figure incidents in July, bringing the total attributed to the drainer to an estimated $2.19 million, over 30% of the month’s phishing total.
Crypto drainers shut down but don’t die
Between July 15 and Aug. 5, Vanilla was implicated in at least four significant scams totaling $5.27 million, each resulting in six- to seven-figure losses.
Vanilla has quickly carved out a niche in a diminishing but still perilous sector of crypto crime. Even as overall draining volumes have slowed since 2024, Vanilla continues to pull in millions and attract former Inferno users. Darkbit asserts that its operators remain agile, frequently cycling through domains and contracts to evade detection.
History indicates that even a public shutdown seldom signifies the end. For example, Inferno Drainer announced its closure in November 2023, only to resurface throughout 2024 before turning operations over to Angel Drainer later that year. Despite those proclamations, Inferno-linked activity has persisted into 2025 and has been tied to over $9 million in losses over six months.
Security experts continue to link scams to services that have publicly declared shutdowns. Source: Blockaid
Vanilla’s rapid expansion in tandem with Inferno’s persistence illustrates that drainer services rarely vanish: they adapt, rebrand, or transfer their tools to new operators. For investigators, the ongoing challenge is keeping up with an ecosystem that refuses to die.