Vanilla Drainer (DaaS)
Summary
Vanilla Drainer is a Drainer-as-a-Service (DaaS) criminal platform first documented in October 2024 that provides phishing kits and malicious smart contract infrastructure to affiliate fraudsters in exchange for a 15-20% commission on stolen proceeds. Blockchain investigator Darkbit attributed at least $5.27 million in cryptocurrency thefts to the service within a three-week window in mid-2025, and the Security Alliance (SEAL) identified Vanilla Drainer as one of the two primary drainer families deployed via Google Ads malvertising campaigns that stole more than $1.27 million between March 13-30, 2026. No operators have been publicly identified and no law enforcement actions against the service have been confirmed as of mid-2026.
Connected Entities
1 entities · 10 linked investigations- + 2 more
Timeline(10 events)
2024-10-01
Earliest thefts attributed to Vanilla Drainer infrastructure observed on-chain according to Darkbit's retrospective analysis.
CoinTelegraph / Darkbit2024-12-08
Vanilla Drainer's first known public advertisement posted on underground forums, claiming an 'advanced algorithm' capable of bypassing Blockaid fraud detection. The advertisement has since been removed.
CoinTelegraph / Darkbit2025-07-15
Start of the confirmed three-week window during which Darkbit tracked at least $5.27 million in thefts attributed to Vanilla Drainer across four major incidents.
FinanceFeeds / Darkbit2025-07-01
Darkbit links Vanilla Drainer to $2.19 million in July 2025 losses, comprising over 30% of the month's total phishing losses.
FinanceFeeds / Darkbit2025-08-05
Largest single Vanilla Drainer incident: a victim loses $3.09 million in stablecoins. Operators receive an estimated $463,000 commission at approximately 17%.
CoinTelegraph / FinanceFeeds2025-08-05
Darkbit publishes thread on X attributing $5.27 million in thefts to Vanilla Drainer and identifying fee wallet 0x9d3...E710d holding approximately $2.23 million.
Darkbit on X2025-10-07
Security Alliance (SEAL) publishes 'State of Drainers Vol. 1,' naming Vanilla Drainer among four actively monitored drainer families alongside Inferno, Rublevka, and Eleven.
Security Alliance Radar2026-02-09
Ethereum Foundation and SEAL announce 'Trillion Dollar Security' initiative, funding a dedicated security engineer to combat wallet drainers including Vanilla Drainer.
CoinTelegraph2026-03-13
SEAL begins tracking a wave of malicious Google Ads campaigns deploying Vanilla Drainer and Inferno Drainer payloads impersonating Uniswap (41% of URLs), Morpho Finance (31%), and other DeFi protocols.
Security Alliance Radar2026-03-30
SEAL's documented March 13-30 campaign window closes with $810,929 in directly attributed losses and $1,274,259 in total including victim-reported incidents. SEAL has blocked 356+ malicious ad URLs.
Security Alliance RadarDecision Log
- hash: 869yKHEA1hatrVB7b9VyGM7hCHQFUx5HEnw5GZhKXDS8
This investigation is cryptographically anchored to the Solana blockchain and source URLs are archived via the Internet Archive.
model: claude-code-investigator
generated: 6/7/2026, 11:29:35 PM
last updated: 6/8/2026, 1:35:04 AM
avoid.net — verified advice for a post-truth world