Lucifer DaaS’s evolution into a commission-based drainer service platform
Threat Actor Meta
Summary
Hide ▲
Show ▼
Lucifer DaaS has evolved into a structured underground drainer platform, shifting wallet theft from isolated phishing pages to a commission-based service model that scales affiliate-driven abuse. Research spanning January 2025 to early 2026 shows the operation adding automation, website cloning, and wallet-security bypasses, which lowers the barrier for affiliates and increases the reach of crypto theft. The ecosystem’s operational resilience after bot bans and domain suspensions makes disruption harder and helps sustain repeated theft campaigns.
Related Happenings
Triad Nexus expands fraud ecosystem and shifts into emerging markets after 2025 US sanctions
Threat Actor Meta
First: 14.04.2026 15:00
Last: 14.04.2026 15:00
Sources 1
About this happening:
**Triad Nexus** expanded its fraud ecosystem after **US Treasury sanctions in 2025**, increasing operational scale and shifting into **emerging markets**. The network’s use of **U...
Triad Nexus expands fraud ecosystem and shifts into emerging markets after 2025 US sanctions
Threat Actor MetaAbout this happening: **Triad Nexus** expanded its fraud ecosystem after **US Treasury sanctions in 2025**, increasing operational scale and shifting into **emerging markets**. The network’s use of **U...
Venom Stealer subscription and affiliate malware-service ecosystem
Threat Actor Meta
First: 01.04.2026 16:30
Last: 01.04.2026 16:30
Sources 1
About this happening:
**Venom Stealer** is being run as a **subscription-based** malware service with **Telegram licensing** and an **affiliate program**, signaling a more organized cybercrime ecosyste...
Venom Stealer subscription and affiliate malware-service ecosystem
Threat Actor MetaAbout this happening: **Venom Stealer** is being run as a **subscription-based** malware service with **Telegram licensing** and an **affiliate program**, signaling a more organized cybercrime ecosyste...
Scattered Lapsus Shiny Hunters' harassment-driven extortion operating model
Threat Actor Meta
First: 02.02.2026 18:15
Last: 02.02.2026 18:15
Sources 1
About this happening:
**Scattered Lapsus Shiny Hunters (SLSH)** is now using a **harassment-driven extortion model** that pairs stolen data with swatting, threats, and publicity pressure, raising the s...
Scattered Lapsus Shiny Hunters' harassment-driven extortion operating model
Threat Actor MetaAbout this happening: **Scattered Lapsus Shiny Hunters (SLSH)** is now using a **harassment-driven extortion model** that pairs stolen data with swatting, threats, and publicity pressure, raising the s...
Record crypto-fraud losses rise with AI-driven impersonation
Target Trend
First: 14.01.2026 12:00
Last: 14.01.2026 12:00
Sources 1
About this happening:
**Cryptocurrency fraud** is surging as scammers use **AI chatbots** and **brand impersonation** to widen victim reach and raise payout sizes. A **Malwarebytes Labs** analysis foun...
Record crypto-fraud losses rise with AI-driven impersonation
Target TrendAbout this happening: **Cryptocurrency fraud** is surging as scammers use **AI chatbots** and **brand impersonation** to widen victim reach and raise payout sizes. A **Malwarebytes Labs** analysis foun...
Darcula 3.0 phishing-as-a-service ecosystem adds AI automation and anti-detection at scale
Threat Actor Meta
First: 25.11.2025 18:00
Last: 25.11.2025 18:00
Sources 1
About this happening:
**Darcula 3.0** has added **anti-detection features**, an enhanced admin panel, a card-cloning tool, and **AI-driven automation**, making phishing-page creation faster and easier...
Darcula 3.0 phishing-as-a-service ecosystem adds AI automation and anti-detection at scale
Threat Actor MetaAbout this happening: **Darcula 3.0** has added **anti-detection features**, an enhanced admin panel, a card-cloning tool, and **AI-driven automation**, making phishing-page creation faster and easier...
Timeline
-
21.05.2026 17:00 2 articles · 6d ago
Initial report: Lucifer DaaS’s evolution into a commission-based drainer service platform
Initial DisclosureBy early 2025, Lucifer DaaS was already operating as a commission-based drainer service that paired affiliate traffic with operator-managed wallet interaction and asset transfer logic. The first visible phase centered on productization, with software updates and support handling replacing the older one-page scam model.
Show sources
- Inside a Crypto Drainer: How to Spot it Before it Empties Your Wallet — www.bleepingcomputer.com — 21.05.2026 17:00
- Inside a Crypto Drainer: How to Spot it Before it Empties Your Wallet — www.bleepingcomputer.com — 21.05.2026 17:00