A blockchain investigator has identified over $5.27 million in cryptocurrency stolen within three weeks, linked to a rising scam service called Vanilla Drainer.
Drainers are organizations offering fraudulent software to scammers, often using phishing techniques to steal funds from victims. Vanilla is part of a new wave of these groups that has mostly escaped detection, but significant recent thefts have attracted the scrutiny of blockchain investigators.
The frequency of draining scams peaked in 2024, with victims losing nearly $500 million to leading services like Angel, Inferno, and Pink, according to Scam Sniffer. While draining remains common, total volumes have declined due to enhanced security technologies. Nonetheless, blockchain investigator Darkbit warns that drainers are evolving.
“I see [Vanilla] taking over many Inferno customers,” Darkbit told Cointelegraph. “Most of the recent large six- and seven-figure drains can be traced back to Vanilla Drainer.”
One victim lost $3 million in crypto to Vanilla Drainer
Initial thefts by Vanilla can be traced back to October 2024, with its first known public advertisement emerging on Dec. 8, 2024, although this ad is no longer accessible. It claimed that Vanilla could evade Blockaid, a fraud detection tool often cited by drainers as a significant reason for reduced earnings and, in some cases, their shutdown.
The service starts with a 20% cut of scam profits for the drainer provider, which is seen as the typical split in the draining ecosystem. Vanilla’s advertisement stated that the percentage might decrease for larger thefts.
The largest theft attributed to Vanilla occurred on Aug. 5, when a victim lost $3.09 million in stablecoins. In this instance, Vanilla’s operators reportedly received a $463,000 fee for supplying tools, or about 17% of the stolen sum.
Once the split is settled, Vanilla usually converts tokens into the native cryptocurrency of the blockchain, such as Ether (ETH), before transferring them to a final fee wallet (0x9d3…E710d), where the majority of the scam fees are stored, according to Darkbit. Approximately $1.6 million in this wallet has been converted to Dai (DAI), a decentralized stablecoin linked to the US dollar that cannot be frozen like centralized alternatives, USDt (USDT) or USDC (USDC). At the time of writing, the wallet held $2.23 million in tokens, predominantly in DAI and ETH.
Crypto drainers and phishing scams rebound
While several drainers have ceased operations due to enhanced security measures, some have adapted with new strategies.
According to Darkbit, one tactic Vanilla employs to maintain an edge is frequently changing domains without lingering in one place for too long.
“I’m observing fresh malicious contracts being created for every rogue website and domain to evade detection,” Darkbit noted.
In July, phishing scams resulted in losses of $7.09 million, marking a 153% increase from June, with victim numbers rising 56% to 9,143, according to Scam Sniffer data.
The largest single loss in July amounted to $1.23 million. Blockchain records indicate that draining fees from this scam totaled 54 ETH, valued at $204,074 at that time. These fees were eventually transferred to the same suspected Vanilla fee wallet connected to the $3.09-million theft in August.
Blockchain investigations also connect Vanilla Drainer to two other six-figure incidents in July, contributing to an estimated $2.19 million in drainings — over 30% of the month’s phishing total.
Crypto drainers shut down but don’t die
From July 15 to Aug. 5, Vanilla was involved in at least four major scams totaling $5.27 million, each leading to six- to seven-figure losses.
Vanilla has quickly carved a niche in a shrinking yet still hazardous segment of crypto crime. Even as overall draining volumes have slowed since 2024, Vanilla has been amassing millions and attracting ex-Inferno users. Darkbit asserts that its operators remain nimble, continuously cycling through domains and contracts to elude detection.
History indicates that even a public shutdown seldom signifies the end. For instance, Inferno Drainer announced its closure in November 2023, only to resurface throughout 2024 before transferring operations to Angel Drainer later that year. Notwithstanding those announcements, Inferno-related activity has persisted into 2025, linked to over $9 million in losses over six months.
Vanilla’s rapid expansion alongside Inferno’s persistence demonstrates that drainer services rarely vanish — they adapt, rebrand, or pass their tools to new operators. For investigators, the challenge lies in keeping pace with an evolving ecosystem that refuses to fade away.