Lucifer DaaS’s evolution into a commission-based drainer service platform
Threat Actor Meta
Summary
Hide ▲
Show ▼
Lucifer DaaS has evolved into a structured underground drainer platform, shifting wallet theft from isolated phishing pages to a commission-based service model that scales affiliate-driven abuse. Research spanning January 2025 to early 2026 shows the operation adding automation, website cloning, and wallet-security bypasses, which lowers the barrier for affiliates and increases the reach of crypto theft. The ecosystem’s operational resilience after bot bans and domain suspensions makes disruption harder and helps sustain repeated theft campaigns.
Related Happenings
Ghost Networks crypto-clipper promotion campaign
Campaign
H score15
First: 17.06.2026 21:14
Last: 17.06.2026 21:14
Sources 1
About this happening:
**Unknown threat actor** is running an **active June 2026** campaign that fakes legitimacy to distribute a **Rust-based clipboard hijacker**. The operation uses **bogus GitHub sta...
Ghost Networks crypto-clipper promotion campaign
CampaignAbout this happening: **Unknown threat actor** is running an **active June 2026** campaign that fakes legitimacy to distribute a **Rust-based clipboard hijacker**. The operation uses **bogus GitHub sta...
Triad Nexus expands fraud ecosystem and shifts into emerging markets after 2025 US sanctions
Threat Actor Meta
H score43
First: 14.04.2026 15:00
Last: 14.04.2026 15:00
Sources 1
About this happening:
**Triad Nexus** expanded its fraud ecosystem after **US Treasury sanctions in 2025**, increasing operational scale and shifting into **emerging markets**. The network’s use of **U...
Triad Nexus expands fraud ecosystem and shifts into emerging markets after 2025 US sanctions
Threat Actor MetaAbout this happening: **Triad Nexus** expanded its fraud ecosystem after **US Treasury sanctions in 2025**, increasing operational scale and shifting into **emerging markets**. The network’s use of **U...
Venom Stealer subscription and affiliate malware-service ecosystem
Threat Actor Meta
H score36
First: 01.04.2026 16:30
Last: 01.04.2026 16:30
Sources 1
About this happening:
**Venom Stealer** is being run as a **subscription-based** malware service with **Telegram licensing** and an **affiliate program**, signaling a more organized cybercrime ecosyste...
Venom Stealer subscription and affiliate malware-service ecosystem
Threat Actor MetaAbout this happening: **Venom Stealer** is being run as a **subscription-based** malware service with **Telegram licensing** and an **affiliate program**, signaling a more organized cybercrime ecosyste...
Scattered Lapsus Shiny Hunters' harassment-driven extortion operating model
Threat Actor Meta
H score33
First: 02.02.2026 18:15
Last: 02.02.2026 18:15
Sources 1
About this happening:
**Scattered Lapsus Shiny Hunters (SLSH)** is now using a **harassment-driven extortion model** that pairs stolen data with swatting, threats, and publicity pressure, raising the s...
Scattered Lapsus Shiny Hunters' harassment-driven extortion operating model
Threat Actor MetaAbout this happening: **Scattered Lapsus Shiny Hunters (SLSH)** is now using a **harassment-driven extortion model** that pairs stolen data with swatting, threats, and publicity pressure, raising the s...
Record crypto-fraud losses rise with AI-driven impersonation
Trend
H score43
First: 14.01.2026 12:00
Last: 14.01.2026 12:00
Sources 1
About this happening:
**Cryptocurrency fraud** is surging as scammers use **AI chatbots** and **brand impersonation** to widen victim reach and raise payout sizes. A **Malwarebytes Labs** analysis foun...
Record crypto-fraud losses rise with AI-driven impersonation
TrendAbout this happening: **Cryptocurrency fraud** is surging as scammers use **AI chatbots** and **brand impersonation** to widen victim reach and raise payout sizes. A **Malwarebytes Labs** analysis foun...
Timeline
-
21.05.2026 17:00 2 articles · 1mo ago
Initial report: Lucifer DaaS’s evolution into a commission-based drainer service platform
Initial DisclosureBy early 2025, Lucifer DaaS was already operating as a commission-based drainer service that paired affiliate traffic with operator-managed wallet interaction and asset transfer logic. The first visible phase centered on productization, with software updates and support handling replacing the older one-page scam model.
Show sources
- Inside a Crypto Drainer: How to Spot it Before it Empties Your Wallet — www.bleepingcomputer.com — 21.05.2026 17:00
- Inside a Crypto Drainer: How to Spot it Before it Empties Your Wallet — www.bleepingcomputer.com — 21.05.2026 17:00