THREAT REPORT

Lucifer Drainer-as-a-Service: inside a crypto drainer kit

Flare researchers read roughly 700 underground-forum posts to map Lucifer, a wallet drainer sold like software. The product is not the malware. The product is the assembly line that prints phishing clones.

SafeBrowz Threat Research | Security Research | June 10, 2026 | 9 min read
Bottom Line First

Drainer-as-a-Service (DaaS) is crypto-theft software rented to affiliates: the developer supplies the wallet-draining JavaScript and Telegram alerts and takes roughly a 20% cut of every "hit," while affiliates run the phishing sites. Lucifer, exposed by Flare across roughly 700 forum posts and reported by BleepingComputer in late May 2026, even ships a website-cloning feature that hands affiliates ready-to-deploy phishing ZIP packages. The one-line defense: never sign an approval or "verify" signature on a page you reached from a DM, ad, or search result - and run a scanner that reads the drainer JavaScript, not just the URL.

What is Drainer-as-a-Service?

A crypto wallet drainer is malicious JavaScript that empties a self-custody wallet the moment the victim signs the wrong message. It never touches the seed phrase and never breaks any cryptography. It simply gets the user to authorize a transfer or approval, then exercises that permission. We covered the full mechanism in our wallet drainer guide.

Drainer-as-a-Service is the business model wrapped around that code. The developer who writes and maintains the drainer does not run phishing sites. They license the kit to dozens or hundreds of affiliates, the same way a SaaS company licenses a dashboard. Affiliates handle the dirty, scalable work: registering lookalike domains, buying ads, spamming Telegram, and cloning real dApps. When a victim signs, the drainer infrastructure sweeps the wallet, routes the developer's cut automatically, and forwards the rest to the affiliate. The standard developer cut sits around 20%.

This split is why drainer activity scales the way it does, and why the same families (Inferno, Angel, and now kits like Lucifer) reappear under fresh domains week after week. One coder supports an army. The malware is centralized. The phishing surface is not.

Inside Lucifer: what Flare's 700 forum posts revealed

In late May 2026, Flare published an analysis of an active DaaS operation it tracked as Lucifer, summarized by BleepingComputer under the headline "Inside a Crypto Drainer." Flare's analysts pieced the operation together from roughly 700 posts across underground forums and Telegram channels, where the operators advertised features, posted "proof of work" theft screenshots, and recruited affiliates. The picture that emerges is not a lone hacker. It is a product team with a roadmap.

Several capabilities stood out:

  • An ERC-20 and Permit2 drainer module. The kit specializes in off-chain signature theft - getting the victim to sign a gas-free Permit2 or EIP-2612 approval rather than send an obvious transaction. We will break down why that matters in the next section.
  • Wallet-security bypasses. The operators marketed the kit's ability to evade transaction-warning prompts and spender blocklists by rotating contract and spender addresses, so any single address a wallet plugin blacklists is replaced quickly.
  • Telegram alerts to affiliates. When a victim connects a wallet or a drain succeeds, the affiliate gets an instant Telegram notification with the wallet balance, so they can prioritize the high-value targets in real time.
  • A roughly 20% commission on hits. The developer's contract is enforced in the draining infrastructure itself - the cut is skimmed on-chain before the affiliate ever sees the funds.
  • A website-cloning feature. This is the part that should worry defenders most. The kit can clone a target dApp or exchange front-end and package it as a ready-to-deploy phishing ZIP, drainer JavaScript already wired in. An affiliate with no coding skill uploads the ZIP to any host and is live in minutes.

Put those together and you get the central thesis of this report: because Lucifer is a service with a clone-and-deploy button, thousands of near-identical phishing pages can appear in a single day. They wear different brand logos and sit on different throwaway domains, but underneath they share the same drainer JavaScript and the same Permit2 approval-request patterns.

Why "just signing" empties the wallet

The single most important thing a non-expert can understand about modern drainers is this: you do not have to send money for money to leave. You only have to sign.

When you interact with a normal dApp, two different things can happen in your wallet. A transaction costs gas, shows a slow confirmation screen, and visibly moves funds or changes state on-chain. A signature is free, instant, and feels harmless - it looks like "logging in" or "verifying." Drainers live almost entirely in that second category.

Here is the trick. Standards like Permit2 (a Uniswap contract) and EIP-2612 let you approve token spending with an off-chain signature instead of an on-chain transaction. You sign a message that says, in effect, "this spender may move up to this many of my tokens until this deadline." The signature itself costs nothing and never appears on the blockchain. But it is a signed, valid permission slip. The attacker takes that signature, submits it themselves, and pulls every approved token out of your wallet - sometimes seconds later, sometimes days later, which makes the timing hard to connect back to the page that tricked you. We walk through the exact field-by-field flow in the Permit2 signature attack explainer.

So when a "connect," "verify," or "claim" page asks you to sign something - and it is not a swap you explicitly set up with a token and an amount - treat that signature as a wire transfer authorization. Because that is what it can be.

What a Lucifer-built clone looks like

Because affiliates use the same cloning feature, the clones rhyme. The brand changes week to week, but the shape is consistent. A typical flow:

  • You arrive from a Telegram DM, a Twitter reply, a Google or X ad, or a "your wallet is eligible" message - never from typing the real URL yourself.
  • The page is a near-pixel-perfect clone of a real exchange or DeFi front-end, because it literally is a clone of it.
  • The domain is a throwaway: a brand keyword plus a hyphen or an unusual TLD, for example an illustrative clone like uniswap-claim-portal[.]app or ledger-restore-verify[.]xyz. We write these defanged on purpose - do not visit them.
  • Within seconds of connecting, the page triggers a wallet popup asking you to sign a Permit2 approval or an "unlimited" token approval, often framed as "verify wallet" or "claim reward."

The defensive habit is to verify the brands you actually use against their real domains, and only ever reach a dApp through a bookmark you set yourself. The official domains below are the ones to confirm a suspicious link against.


The official domains worth bookmarking and verifying against include app.uniswap.org, ledger.com, metamask.io, and revoke.cash for auditing approvals. If a page wears one of these brands but lives on any other domain, it is a clone.

Red flags: spotting a DaaS clone before you sign

A Lucifer clone does not look broken. It looks correct, because it is a copy. The tells are behavioral, not visual.

  • You did not type the URL yourself. Every clone depends on you arriving via a link in a DM, ad, reply, or search result. No legitimate airdrop or "wallet upgrade" is announced by cold DM.
  • A signature request appears within seconds of connecting. Real dApps ask you to pick a network, a token, and an amount first. The signature comes last. An immediate "sign to verify" prompt is the drainer.
  • The popup says "approve" with an unlimited amount, or shows a number with many trailing nines, or a Permit2 batch you never set up. A real swap approves the exact amount you are trading.
  • The brand is right but the domain is wrong. A hyphenated or odd-TLD version of a real name (a brand keyword plus .xyz, .app, .fun, -claim, -verify) is the affiliate's throwaway host.
  • "Claim," "reward," "eligibility," or "verify wallet" framing attached to a connect flow. These words exist to manufacture urgency around the signature.
  • The only contact is an anonymous Telegram channel. Real protocols publish team, audits, and verified social handles.

What to do if you already signed

If you connected and signed on a page that now feels wrong, move fast.

  • Move remaining funds out of the affected wallet to a fresh wallet you control, before the attacker executes a pending approval.
  • Revoke approvals. Open revoke.cash, connect the wallet, and revoke every approval and Permit2 allowance you do not recognize, especially unlimited ones and ones with far-future deadlines. An off-chain Permit2 signature you already gave cannot be un-signed, but it is neutralized by revoking the underlying token allowance to the Permit2 contract that it relies on.
  • Report the URL. File it with Chainabuse (chainabuse.com) and your national cybercrime unit - in the US, the FBI's IC3 at ic3.gov. Reports help take the clone offline and warn the next target.
  • Retire the wallet. Treat a wallet that signed a drainer message as permanently untrusted. Do not reuse it for meaningful balances.

How SafeBrowz blocks this threat

This is exactly the threat shape SafeBrowz is built for, and the DaaS model is what makes our detection method work better than a blocklist alone. SafeBrowz runs a 3-layer detection architecture: Local + APIs + AI.

  • Layer 1 - Local detection: 60+ URL pattern checks plus 550+ brand-specific signatures (including Cyrillic and Punycode homograph variants) plus community whitelist/blacklist, all running inside the extension before the page renders. A brand keyword on a domain that is not that brand's official one is flagged from the URL alone, without reading any page content, which catches the affiliate's throwaway host whatever brand it is wearing that week.
  • Layer 2 - API checks: server-side cross-reference against Google Safe Browsing, PhishTank, URLhaus, and 30+ scam TLDs, so a clone already reported upstream is blocked even before our own content scan runs.
  • Layer 3 - AI deep scan (Premium): the page content itself is analyzed for wallet-connect prompts, Permit2 SDK imports, drainer-toolkit JavaScript signatures, and "approve to claim" language in 100+ languages.

The DaaS insight: because every Lucifer affiliate reuses the same cloning feature, the clones share the same drainer JavaScript signatures and the same Permit2 and approval-request patterns underneath the swapped-out branding. SafeBrowz's content-level drainer-JavaScript detection plus the brand-on-wrong-domain flag identify a clone regardless of which brand it impersonates this week, and regardless of whether that specific throwaway URL has made it onto any blocklist yet. A blocklist sees one dead domain. Reading the JavaScript catches the whole assembly line.
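The brand-on-wrong-domain rule described for Layer 1, and the bookmark-and-compare habit from the clone section above, as an added example that is not SafeBrowz's own code: it uses the four official domains this page names as its brand table, and it only flags Punycode labels rather than decoding them, which is an assumed simplification, not the extension's behaviour.

```javascript
// Added illustration, not SafeBrowz's own Layer 1 code: the brand-on-wrong-domain
// check, run on the URL alone before any page content is fetched. The brand table is
// the four official domains named on this page; the TLDs and lure words are the ones
// the red-flags list names.
const OFFICIAL = {
  uniswap: ["uniswap.org"],
  ledger: ["ledger.com"],
  metamask: ["metamask.io"],
  revoke: ["revoke.cash"],
};
const ODD_TLDS = new Set(["xyz", "app", "fun"]);
const LURE_WORDS = /claim|verify|reward|restore|eligib/;

// Accepts defanged input ("brand[.]xyz") and bare hosts. Returns
// { verdict: "official" | "clone" | "unknown", brand, reasons }.
function classifyUrl(rawUrl) {
  const refanged = rawUrl.trim().replace(/\[\.\]/g, ".");
  let host;
  try {
    host = new URL(/^[a-z]+:\/\//i.test(refanged) ? refanged : "https://" + refanged).hostname.toLowerCase();
  } catch {
    return { verdict: "unknown", brand: null, reasons: ["unparseable-url"] };
  }
  const reasons = [];
  // A Punycode label (xn--) is where Cyrillic and other homograph lookalikes live; flag it first.
  if (host.split(".").some((label) => label.startsWith("xn--"))) reasons.push("punycode-label");
  const brand = Object.keys(OFFICIAL).find((keyword) => host.includes(keyword));
  if (!brand) return { verdict: "unknown", brand: null, reasons };
  // Official means the registrable domain itself or a subdomain of it (app.uniswap.org)
  const official = OFFICIAL[brand].some((d) => host === d || host.endsWith("." + d));
  if (official) return { verdict: "official", brand, reasons };
  reasons.push("brand-on-unofficial-domain");
  if (host.includes("-")) reasons.push("hyphenated-brand");
  if (ODD_TLDS.has(host.slice(host.lastIndexOf(".") + 1))) reasons.push("odd-tld");
  if (LURE_WORDS.test(host)) reasons.push("lure-keyword");
  return { verdict: "clone", brand, reasons };
}
```

A host that avoids the brand keyword entirely (a pure homograph) lands in "unknown" with only the Punycode flag, which is exactly the gap the content-level layers exist to cover.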

Detection signatures are derived from threat-intelligence research and our internal brand database, not from user browsing data. SafeBrowz does not store per-user browsing history. Page contents are processed for detection and never retained.

Install SafeBrowz free

Add the browser extension that reads every page for drainer JavaScript and Permit2 patterns before it renders, and warns you before your wallet popup ever appears. Free forever, with AI deep scan on Premium at $14.99 per year.


Frequently asked questions

What is Drainer-as-a-Service (DaaS)?

Drainer-as-a-Service is a crypto-theft business model where a developer builds and maintains wallet-draining JavaScript, then rents it to affiliates who run the actual phishing sites. The developer supplies the kit, Telegram alerts, and often a cloning tool, and takes a commission (around 20%) of every wallet drained. The affiliates handle domains, ads, and victim traffic. Lucifer, exposed by Flare in May 2026, is one such service.

What is the Lucifer drainer and who exposed it?

Lucifer is a Drainer-as-a-Service operation active through 2025 into early 2026. Researchers at Flare analyzed roughly 700 underground-forum and Telegram posts to map its features, and BleepingComputer reported it in late May 2026 under "Inside a Crypto Drainer." The kit includes an ERC-20 and Permit2 drainer, wallet-security bypasses, affiliate Telegram alerts, a roughly 20% commission, and a website-cloning feature that packages ready-to-deploy phishing ZIPs.

Why does just signing a message drain my wallet?

An off-chain signature under standards like Permit2 or EIP-2612 is a free, gas-less message that grants a spender permission to move your tokens up to a limit and deadline. The signature never appears on-chain, so it feels harmless, but it is a valid permission slip. The attacker submits it themselves and pulls your approved tokens out, sometimes seconds later, sometimes days later. You authorized the transfer by signing, even though you never sent a transaction.

Why does a drainer service create so many phishing sites?

Because it is a service with a cloning feature. Any affiliate can clone a real dApp front-end and deploy it as a packaged phishing site in minutes, with the drainer JavaScript already wired in. Hundreds of affiliates each spinning up new clones daily produces thousands of near-identical phishing pages, all wearing different brands and sitting on different throwaway domains but sharing the same underlying drainer code.

How can a scanner catch clones that are brand new and not on any blocklist?

A blocklist only knows domains that have already been reported, so it always lags behind a service that spins up fresh domains daily. SafeBrowz reads the page content instead: because every clone from the same kit reuses the same drainer JavaScript signatures and Permit2 or approval-request patterns, and because a real brand on a non-official domain is flagged from the URL alone, a clone is caught regardless of which brand it wears or whether its specific URL is on any list yet.

What do I do if I already signed on a drainer clone?

Act immediately. Move any remaining funds to a fresh wallet you control. Then go to revoke.cash, connect the affected wallet, and revoke every approval and Permit2 allowance you do not recognize, especially unlimited ones. Report the URL to Chainabuse and your local cybercrime unit, such as ic3.gov in the US. Finally, retire the compromised wallet and never reuse it for meaningful balances.
