Skip to main content
Sign in

Eleven Drainer

avoid.net/eleven-drainer0/100·72% conf.
[AI-DRAFTED · AWAITING VERIFICATION]
anchored·5ea6FV…bNhS

Summary

Eleven Drainer is a Drainer-as-a-Service (DaaS) toolkit and phishing syndicate that emerged around August 2025, offering rented wallet-draining infrastructure to criminal operators who deploy it through phishing sites, DNS hijacks, and compromised front-ends. The kit is associated with confirmed theft of at least $4.2 million across a three-week window in November 2025, including a $700,000 loss from a DNS hijack of decentralized exchanges Aerodrome and Velodrome. As of June 2026, the kit remains active and was detected embedded in a compromised Gitcoin subdomain.

Connected Entities

1 entities · 10 linked investigations
Organizations
Eleven Drainer
Relationships
    Also appears in
    edgeX Exchange·28Saga EVM Blockchain·32Mach-O Man Malware Campaign (Lazarus / Chollima)·0Q2 2026 DeFi Record Hack Wave·0Gamma Strategies·28Alephium Bridge·18Bunni Protocol·28BitGrail·2Thorchain DEX·28Crossmint·70
    Have evidence about Eleven Drainer?

    Timeline(6 events)

    2025-08-01

    Eleven Drainer toolkit alleged to have launched, based on community research placing its origin approximately August 2025. Exact launch date is unconfirmed.

    BITBBQ community research

    2025-11-06

    Largest cluster of Eleven Drainer drain activity observed, with the majority of the confirmed $4.2 million in November losses occurring between November 6 and November 8, 2025.

    BITBBQ community research

    2025-11-09

    SlowMist founder Yu Xian publicly identifies a growing cluster of victims linked to Eleven Drainer, marking the first major public disclosure of the operation.

    BeInCrypto

    2025-11-21

    Eleven Drainer code deployed in a DNS hijack of Aerodrome Finance and Velodrome Finance via a compromised NameSilo registrar account. Attackers stripped DNSSEC and redirected both protocol frontends to a phishing interface. Approximately $700,000 was stolen; an estimated $3.5 million in additional losses was prevented by Blockaid's detection network.

    CoinDesk; Blockaid Blog

    2025-11-24

    Extended community on-chain analysis published, identifying ENS addresses, admin wallets, fee laundering addresses, and the scam-as-a-service fee structure (approximately 15 percent to operators).

    CryptoSafetyFirst CW48 2025 digest

    2026-06-21

    Blockaid detects Eleven Drainer code embedded in the Gitcoin subdomain files.gitcoin.co via a frontend attack. Blockaid advises users not to interact with the site. The incident confirms the toolkit remains active more than seven months after its initial public identification.

    Blockaid on X; Phemex News
    Provenance & Audit Trail
    Anchored on SolanaVerify on-chain

    Decision Log

    This investigation is cryptographically anchored to the Solana blockchain and source URLs are archived via the Internet Archive.

    full audit log →version history →

    model: claude-sonnet-4-6

    generated: 6/26/2026, 5:12:15 PM

    last updated: 6/26/2026, 5:12:25 PM

    avoid.net — verified advice for a post-truth world