Self Assessment

Russian Threat Actors Abuse Cloudflare and Freenom Services to run DaaS Program

Published On : 2024-01-29
Share :
Russian Threat Actors Abuse Cloudflare and Freenom Services to run DaaS Program


The CYFIRMA research team has discovered a Drainer-as-a-service (DaaS) project in the wild that is open to all and is being advertised over hacking forums and telegram channels. The project is gaining popularity amongst attackers due to its ease of access and simplicity of operations, which have been facilitated by the operators using free guides, free phishing templates, automatic phishing configuration setup, free domains, and more.
We have ascertained with high-confidence that the operators behind the project are of Russian-origin. The threat group was most likely operating under a different name since 2017 but underwent a rebranding in 2021, which links them to the DaaS program we have discovered.


Cryptocurrency Drainers, also known as Crypto Stealers, are designed to steal the funds from a victim’s wallet. The drainers are primarily spread using a combination of social engineering and phishing, luring victims to enter their wallet details on deceptive websites. One of the notable drainers in 2023 was Inferno Drainer – whose developers announced that they were shutting down (public) operations in November 2023, leaving a void in the crypto drainer community. We have observed multiple drainers that are trying to fill that gap with aggressive marketing, but the CG project bags the winner’s title, with close to 50k subscribers on their telegram channel and 10k affiliates working with them. The affiliates have been observed to be Russian, English and Chinese speakers.


The free crypto drainer provided by the DaaS operators is compatible with:

  • Ethereum
  • BNB Smart Chain
  • Polygon
  • Avalanche
  • Arbitrum
  • Fantom

Supported Wallets:

  • Metamask
  • Trust Wallet
  • Coinbase Wallet
  • WalletConnect
  • MyEtherWallet
  • Trezor
  • Ledger Nano

Supported Tokens:

  • ETH (Ethereum)
  • BNB (Binance Coin)
  • MATIC (Polygon)
  • USDT (Tether)
  • USDC (USD Coin)
  • PEPE
  • UNI (Uniswap)
  • All tokens on PancakeSwap

The threat group has created two websites; one for describing their affiliate program, and another; that is the admin panel for affiliates.

Drainer Configuration

Successful connection – message that will be displayed to user when wallet is connected.

Scan #(number) – set of messages that will be displayed to the user when scanning assets. Not necessarily all of them will be used, the longer the scan (more assets), the more likely each of them will be used. Initially, it takes 3 seconds to display each message.

Acknowledgement pending – a message is displayed when a user has confirmed some transaction (e.g. Approve), and it is waiting for confirmation on the network.

Confirmation Request – This is the message the user will see when requesting any withdrawal (Approve,Permit, Contract etc)

Error (cancel confirmations) – the error which is displayed to the user when he canceled all requests for confirmations (if it is not enabled to request cyclically, of course).

Error (low balance) – Error at low wallet balance.

Customize the minimum amounts to request a withdrawal (can’t be less than 10) : This option may be useful when an attacker is working manually with social engineering.

The threat group has also created a separate telegram channel for posting free designs of phishing pages that mimic most of the prominent crypto exchanges.

This channel refers attackers to a telegram bot that enables them to run their fraud operations without any third-party dependencies. The bot allows a user to get a domain for free, clone an existing template for the new domain, set the wallet address where the scammed funds are supposed to be sent, and also provides Cloudflare protection for that new domain.

The threat actors have integrated Freenom’s free domain services to support the creation of the phishing pages. As seen below on their website, the threat actor can use .tk, .ml, .ga, .cf and .gq domain TLDs for free. However, it is important to note that existing domains can be connected to the bot using its IP address or NS records.

As we can see below, the website has Cloudflare protection enabled, which falls in line with the whois record’s last updated date.

The threat group uses 2 custom telegram bots called “SiteCloner” and “CloudflarePage”. As the names suggest, they are used for cloning a website and adding Cloudflare protection to the cloned website respectively.


Based on the transactions observed, we can ascertain with high-confidence that the number of phishing and social engineering campaigns carried out by the DaaS affiliates so far, has seen a rise.

Recent Campaigns on X (formally twitter):
These campaigns are spread mostly using compromised X accounts. Other campaigns are spread by obtaining a crypto leads database, performing mass phishing and/or social engineering.

However, the scalability of the DaaS services allows anyone to create a new phishing site using a template in just a few minutes. We have observed an increasing demand in hacking communities for crypto PII databases for social engineering and phishing.

“Pretend inferiority and encourage his arrogance. ~ Sun Tzu, The Art of War”

A small OPSEC mistake by threat actors can help connect the dot between seemingly unrelated entities. On a telegram channel meant for generic information dissemination by the threat group, the CYFIRMA research team noted multiple wallet transaction screenshots posted as proof of assurance.

On most of the transaction screenshots, we could see the first and last few characters of the wallet addresses where the funds were received by affiliates. We started investigating and soon found out the wallet address linked with one of the affiliates.


Upon further investigation, we noted that this wallet has recently been involved in a crypto phishing incident. In this case, the victim was using Metamask crypto wallet. The affiliate (wallet address above) followed a typical pattern used by phishing scams, where attackers trick victims into signing a permit. There is no legitimate reason to do a token transfer like this with permit2 broadcasted from a different address.


The discovery of CG, a Drainer-as-a-service (DaaS) project, shows that crypto drainers will become a bigger problem during 2024. Run by a Russian group, it’s gaining popularity because it’s easy to use, comes with free guides, and has a big affiliate network of 10,000 members. Other similar projects are making it easier for less skilled attackers to get involved. It works with major networks and wallets, using customizable phishing pages and Cloudflare protection, making it a situation where the risk is low, the skill level required is minimal, but the potential rewards are high.



Management Recommendations:

Incident Response Plan:

  • Develop and regularly update an incident response plan specifically tailored for crypto-related threats.
  • Conduct tabletop exercises to ensure all team members understand their roles and responsibilities during a security incident.

Vendor Due Diligence:

  • Vet and regularly review the security practices of third-party vendors providing services such as Cloudflare protection, wallet services, or any other integrations.
  • Ensure that vendors adhere to industry best practices and comply with security standards.

Regulatory Compliance:

  • Stay abreast of regulatory developments related to cryptocurrency security and compliance.
  • Implement measures to comply with relevant regulations, fostering a secure and legally compliant environment.

Strategic Recommendations:

Educational Initiatives:

  • Implement comprehensive cybersecurity training programs to educate users about phishing and social engineering tactics commonly used by crypto drainers.
  • Foster a culture of cybersecurity awareness to empower individuals to recognize and report potential threats.

Partnerships and Information Sharing:

  • Establish collaborative partnerships with cybersecurity organizations, financial institutions, and industry peers to share threat intelligence and best practices.
  • Engage in industry forums to stay informed about emerging trends and threats in the cryptocurrency space.

Tactical Recommendations:
Multi-Factor Authentication (MFA):

  • Enforce MFA for all cryptocurrency wallet and exchange accounts to add an additional layer of security.
  • Regularly audit and update MFA settings to mitigate the risk of compromised accounts.

Phishing Simulation Exercises:

  • Conduct regular phishing simulation exercises to test the organization’s resilience against phishing attacks.
  • Provide targeted training based on simulation results to address specific areas of vulnerability.

Real-time Monitoring:

  • Implement real-time monitoring solutions to detect and respond swiftly to suspicious activities on cryptocurrency platforms.
  • Utilize anomaly detection tools to identify unusual transaction patterns and behaviors.

IoAs from (suspected) past campaigns

No. Indicator Remarks
1 spskelonline[.]com Phishing domain
2 firstspconf[.]com Phishing domain
3 zyberparty[.]tech Phishing domain
5 cbrdackz[.]fun Phishing domain
6 skellion[.]pro Phishing domain
7 cbrzcommunity[.]fun Phishing domain
8 Bullsstored[.]com Phishing domain
9 Spaceskelliesstores[.]com Phishing domain