Crypto Drainers as a Service: Inside the Ecosystem
CybSecurity
To fight scams and phishing attacks, users need to understand how these bad actors operate from the inside. In this article, we’ll show you how crypto drainers work in real time.
As crypto adoption grows, drainer and phishing activity grows with it. There are now multiple “drainer-as-a-service” providers where users don’t need any technical skills. They get access to ready infrastructure and share a cut of the stolen funds with the developers.
As shown in this article, anyone can launch these attacks with almost no experience, and it takes only a few minutes. That is exactly why Web3 security is crucial: without strong protections in place, even simple exploits can lead to serious losses.
Two of the most active operations right now are Angel Drainer and RublevkaTeam. Angel targets both EVM and Solana chains, while RublevkaTeam focuses mainly on Solana.
For this analysis, we used a bit of social engineering to gain private access to the RublevkaTeam system and see how it actually works from the inside.
Once inside, the setup is straightforward. Users are given access to a Telegram bot that acts as a control panel. No coding, no setup from scratch.
They get:
- ready-made domains
- prebuilt phishing landing pages
- traffic cloaking options to hide from scanners
- wallet targeting configurations
- basic analytics
The entire process is structured like a product, not a hack. You configure, deploy, and run.
Here is the main interface of the drainer setup bot:
We started with a shared domain. We chose the subdomain "testing", and the system instantly generated a full domain like:
testing.solnest.cc
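Because the panel hands out subdomains under a shared base domain on demand, a blocklist that stores only full hostnames would miss every new subdomain it generates. The check below is an added example, not the article's code and not CYB AntiPhish: it walks a URL's hostname from the left toward its suffix and blocks it if any suffix is a known drainer base domain. The blocklist contents are constructed for illustration; the only entry taken from the article is solnest.cc, the shared domain the panel issued.

```javascript
// Added example (not the article's code): block any hostname that sits under a
// known drainer base domain, so freshly generated subdomains are caught too.

// Constructed blocklist. solnest.cc is the shared domain shown in the article;
// in practice this set is fed from threat-intel feeds, not hard-coded.
const DRAINER_BASE_DOMAINS = new Set(['solnest.cc']);

// Extract a normalised hostname; URL parsing also converts IDNs to punycode.
function hostnameOf(url) {
  try {
    return new URL(url).hostname.toLowerCase().replace(/\.$/, '');
  } catch {
    return null; // not a parseable URL
  }
}

// Walk from the full hostname toward its suffixes: for testing.solnest.cc we
// test "testing.solnest.cc" and then "solnest.cc". Only suffixes are tested,
// so solnest.cc.example.com or notsolnest.cc do not match.
function matchedBaseDomain(hostname, blocklist) {
  if (!hostname) return null;
  const labels = hostname.split('.');
  for (let i = 0; i < labels.length - 1; i++) {
    const candidate = labels.slice(i).join('.');
    if (blocklist.has(candidate)) return candidate;
  }
  return null;
}

// Verdict object for a navigation attempt.
function shouldBlock(url, blocklist = DRAINER_BASE_DOMAINS) {
  const host = hostnameOf(url);
  const hit = matchedBaseDomain(host, blocklist);
  return { url, host, block: hit !== null, matched: hit };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(shouldBlock('https://testing.solnest.cc/claim'));
  console.log(shouldBlock('https://solnest.cc.example.com/'));
}
```

Suffix matching on its own does nothing against a fresh base domain the blocklist has never seen; it is a cheap first layer in front of content-based detection such as the drainer code patterns the article's AntiPhish system is described as being trained on.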
The next step is choosing a ready-made landing page and adjusting basic settings.
There are dozens of templates already available. For this test, we selected a Kamino-style swap interface. It looks identical to the real one: same layout, same flow.
Then comes the drainer configuration.
This is where it gets more aggressive.
There are options like:
- fake SOL receive: shows the user that they are receiving funds when the transaction actually sends them
- fake token display pulled from Dexscreener
- custom token claims, often used for fake presales
From the user’s perspective, everything looks normal. They think they’re claiming tokens or receiving assets. In reality, the transaction is draining their wallet.
Another option is the Phantom bypass mode.
There are multiple variants available, each designed to reduce friction during signing. In practice, it only takes one or two confirmations before funds are gone.
As shown in the image, it looks like the user is receiving tokens, when in fact they are approving a transaction that grants full access to their funds.
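The common thread in the fake-receive, fake-claim and full-access options is that the page's story and the transaction's actual effect disagree. A wallet can catch that disagreement before the user signs by simulating the transaction and comparing the signer's balances before and after. The review below is an added example, not code from the article, from any wallet vendor or from the drainer panel: the simulation objects are constructed simplifications modelled on the balance arrays in Solana transaction metadata (accountKeys, preBalances, postBalances, token balances), the instruction records are a hypothetical shape, and no RPC is called.

```javascript
// Added example (not from the article): pre-signing review that compares what a
// page claims ("you are receiving 2 SOL") against what the simulated transaction
// actually does to the signer. All data shapes and samples are constructed.

const LAMPORTS_PER_SOL = 1_000_000_000;
// Fee plus rent headroom for a small transaction; a larger drop is a real transfer.
const FEE_TOLERANCE_LAMPORTS = 50_000;

// Net SOL change (post - pre) per account key.
function solDeltas(sim) {
  const out = {};
  sim.accountKeys.forEach((key, i) => {
    out[key] = sim.postBalances[i] - sim.preBalances[i];
  });
  return out;
}

// Net token change per mint for the given owner, summed across token accounts.
function tokenDeltasForOwner(sim, owner) {
  const byMint = {};
  const add = (list, sign) => {
    for (const tb of list) {
      if (tb.owner !== owner) continue;
      byMint[tb.mint] = (byMint[tb.mint] || 0) + sign * tb.amount;
    }
  };
  add(sim.preTokenBalances, -1);
  add(sim.postTokenBalances, +1);
  return byMint;
}

// Instructions that hand control of the signer's assets to another party
// (hypothetical record shape: { type, owner, delegate | newAuthority }).
function authorityGrants(sim, signer) {
  return sim.instructions.filter(
    (ix) => (ix.type === 'approve' || ix.type === 'setAuthority') && ix.owner === signer,
  );
}

// uiClaim is what the page told the user, e.g. { kind: 'receive', amountSol: 2 }.
function reviewForSigning(sim, signer, uiClaim) {
  const reasons = [];
  const sol = solDeltas(sim)[signer] ?? 0;
  const tokens = tokenDeltasForOwner(sim, signer);
  const grants = authorityGrants(sim, signer);

  if (sol < -FEE_TOLERANCE_LAMPORTS) {
    reasons.push(`signer sends ${(-sol / LAMPORTS_PER_SOL).toFixed(4)} SOL`);
  }
  for (const [mint, delta] of Object.entries(tokens)) {
    if (delta < 0) reasons.push(`signer loses ${-delta} units of token ${mint}`);
  }
  for (const g of grants) {
    const what = g.type === 'approve' ? 'spending rights' : 'account authority';
    reasons.push(`${g.type} hands ${what} to ${g.delegate ?? g.newAuthority}`);
  }

  // Outflow or an authority grant behind a "you are receiving" screen is the
  // fake-receive pattern: block outright rather than just warn.
  const outflow = sol < -FEE_TOLERANCE_LAMPORTS || Object.values(tokens).some((d) => d < 0);
  let verdict = 'ok';
  if (uiClaim.kind === 'receive' && (outflow || grants.length > 0)) verdict = 'block';
  else if (outflow || grants.length > 0) verdict = 'warn';
  return { verdict, solDelta: sol, tokenDeltas: tokens, reasons };
}

// Constructed sample keys (not real addresses).
const SIGNER = 'VictimWallet1111111111111111111111111111111';
const RECEIVER = 'DrainReceiver111111111111111111111111111111';
const MINT = 'ExampleMint11111111111111111111111111111111';

// Constructed fake-receive simulation: the page says "+2 SOL", but nearly all of
// the signer's SOL and tokens move to RECEIVER, which is also approved as delegate.
const FAKE_RECEIVE_SIM = {
  accountKeys: [SIGNER, RECEIVER],
  preBalances: [5 * LAMPORTS_PER_SOL, 0],
  postBalances: [2_000_000, 5 * LAMPORTS_PER_SOL - 2_005_000],
  preTokenBalances: [{ owner: SIGNER, mint: MINT, amount: 1000 }],
  postTokenBalances: [
    { owner: SIGNER, mint: MINT, amount: 0 },
    { owner: RECEIVER, mint: MINT, amount: 1000 },
  ],
  instructions: [{ type: 'approve', owner: SIGNER, delegate: RECEIVER, amount: 1000 }],
};

// Constructed genuine receive for contrast: only the network fee leaves the signer.
const GENUINE_RECEIVE_SIM = {
  accountKeys: [SIGNER, RECEIVER],
  preBalances: [5 * LAMPORTS_PER_SOL, 3 * LAMPORTS_PER_SOL],
  postBalances: [6 * LAMPORTS_PER_SOL - 5_000, 2 * LAMPORTS_PER_SOL],
  preTokenBalances: [],
  postTokenBalances: [],
  instructions: [],
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log(reviewForSigning(FAKE_RECEIVE_SIM, SIGNER, { kind: 'receive', amountSol: 2 }));
  console.log(reviewForSigning(GENUINE_RECEIVE_SIM, SIGNER, { kind: 'receive', amountSol: 1 }));
}
```

The design point is that the verdict comes from balance deltas and authority changes, not from anything the page renders, so a template that is pixel-identical to the real swap interface gains nothing from its appearance. Simulation can still be evaded by transactions whose effect depends on later state, which is why the article's burn-wallet advice remains the baseline.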
That's it: everything is ready. The whole setup takes a few minutes. No technical background needed.
Now we open the site and test it; see the video below.
As shown, the website is fully functional and the drainer executes as configured. (CYB AntiPhish real-time blocking was disabled, but Copilot still shows warnings through the chat assistant popup.)
Once CYB AntiPhish real-time blocking is enabled, the site is blocked instantly.
Our AI-powered AntiPhish system is trained on a large dataset of phishing domains and drainer code patterns. It can detect and stop most draining attempts, including private and more sophisticated setups.
As shown in this article, anyone can launch these attacks with almost no experience, and it takes only a few minutes.
That’s why real-time protection matters in Web3.
The main ways drainers are distributed, and how to stay protected
1. Spam through social channels
A low-quality method that is easy to avoid if users stay alert and avoid interacting with suspicious profiles and unknown domains.
2. Phishing through email
Hacked user databases are often sold on underground forums, allowing attackers to run targeted phishing campaigns against Web3 users. This is a more sophisticated method that requires experience, as bypassing spam filters on providers like Gmail or Outlook is difficult. Emails are often spoofed to appear as if they come from legitimate Web3 domains.
Users can avoid this by carefully checking domain names and using burn wallets.
3. Fake Web3 projects promoted on search and social platforms
Attackers promote malicious websites through platforms like Google Search, Facebook, X, or Instagram. This is a more advanced method.
Always stay skeptical of promoted links and use a burn wallet when connecting to unknown websites.
4. Fake utility projects
A long-term attack vector where scammers build legitimate-looking projects, gain traction, and attract active users. Later, they introduce a malicious website that requires wallet connection to access the “utility.”
Users should always use a burn wallet when interacting with such projects.
5. Fake presales
A sophisticated and harder-to-detect method. Attackers run fake token presales, and when users attempt to claim their tokens, they are instead drained. As shown earlier, it’s easy to make it appear as if users are receiving tokens.
Always use a burn wallet for presales and never connect wallets holding significant funds.
6. Pig butchering scams
A long-term investment scam where fraudsters build trust with victims over time, then convince them to invest in fake crypto assets or connect wallets to malicious platforms.
Again, always use a burn wallet and avoid connecting wallets to random or unverified websites.
In Web3, one mistake can cost everything: stay cautious, stay informed, and always protect your assets.