A blockchain investigator has linked at least $5.27 million in crypto theft over three weeks to a burgeoning scam service called Vanilla Drainer.
Drainers are operations that supply scam software to criminals, often using phishing strategies to access victims’ funds. Vanilla is a part of a new wave of these entities and has remained mostly unnoticed, but recent significant thefts have attracted the attention of blockchain investigators.
Draining scams peaked in 2024, with victims losing nearly $500 million to prominent services like Angel, Inferno, and Pink, according to Scam Sniffer. While draining incidents continue, the total amount has decreased due to enhanced security measures. However, blockchain investigator Darkbit warns that drainers are evolving.
“I see [Vanilla] taking over many Inferno customers,” Darkbit shared with Cointelegraph. “Most of the significant six- and seven-figure drains recently can be traced back to Vanilla Drainer.”
One victim lost $3 million in crypto to Vanilla Drainer
The earliest known thefts linked to Vanilla date back to October 2024. Its first public advertisement was posted on December 8, 2024, and is no longer accessible. The ad claimed Vanilla could circumvent Blockaid, a fraud detection platform often mentioned by drainers as a key reason for dwindling profits and, in some cases, their shutdown.
The service's fee starts at 20% of scam earnings, paid to the drainer provider, which is typical in the draining sector. According to Vanilla’s advertisement, this percentage could decrease for larger thefts.
The most substantial theft attributed to Vanilla happened on August 5, when a victim lost $3.09 million in stablecoins. In this case, Vanilla’s operators reportedly received a $463,000 fee for supplying the tools, which is about 17% of the stolen amount.
After splitting the proceeds, Vanilla usually converts tokens into the native cryptocurrency of the blockchain, such as Ether (ETH), before moving them to a final fee wallet (0x9d3…E710d), where the majority of scam fees are stored, according to Darkbit. Approximately $1.6 million in this wallet has been converted to Dai (DAI), a decentralized stablecoin linked to the US dollar that, unlike its centralized counterparts USDt (USDT) and USDC (USDC), is resistant to freezing. As of the latest update, the wallet contained $2.23 million in tokens, predominantly in DAI and ETH.
Crypto drainers and phishing scams rebound
Numerous drainers have ceased operations as security tools have slowed the draining industry, but the remaining drainers have recently been adapting with new strategies.
Darkbit noted that one tactic Vanilla employs to maintain an advantage is rotating through domains without lingering at one for too long.
“I’m beginning to observe new malicious contracts created for every harmful website and domain to avoid detection,” Darkbit remarked.
In July, phishing scams swindled $7.09 million from victims, marking a 153% rise from June. The victim count also surged by 56%, totaling 9,143, based on Scam Sniffer data.
The biggest single loss in July was $1.23 million. Blockchain tracking indicates that the draining fees accrued from this scam amounted to 54 ETH, worth $204,074 at the time. The fees were eventually sent to the same suspected Vanilla fee wallet linked to the $3.09-million theft in August.
Blockchain analysis also connects Vanilla Drainer to two additional six-figure incidents in July, raising the drainer’s total responsibility to an estimated $2.19 million — over 30% of the phishing total for the month.
Crypto drainers shut down but don’t die
Between July 15 and August 5, Vanilla was implicated in at least four significant scams totaling $5.27 million, each leading to six- to seven-figure losses.
Vanilla has swiftly positioned itself in a diminishing yet still perilous area of crypto crime. Despite a slowdown in overall draining volumes since 2024, Vanilla continues to accumulate millions and attract former Inferno users. Darkbit asserts that its operators remain nimble, rotating through domains and contracts to evade detection.
Historical trends indicate that even a public shutdown rarely equates to the end. For instance, Inferno Drainer declared its closure in November 2023 but reemerged throughout 2024 before transferring operations to Angel Drainer later that year. Despite such announcements, Inferno-associated activities have persisted into 2025, linked to more than $9 million in losses over six months.
Vanilla’s swift development alongside Inferno’s continual presence illustrates that drainer services seldom vanish — they adapt, rebrand, or transfer their tools to new operators. For investigators, the challenge lies in keeping up with an ecosystem that refuses to disappear.