A subscription to crime: how rented hacking software imperils Web3


Disclaimer

This material is published for informational purposes and does not constitute an incitement to unlawful activity.

According to Chainalysis, the amount stolen in the crypto industry in 2024 rose by about 21% to $2.2bn. Most of it came from DeFi services.

The ForkLog team reviewed several illicit marketplaces to assess how accessible and easy to use their offerings are. This report looks at Crimeware-as-a-Service (CaaS)—subscription-based illegal cyberattack services.

Such services offer cloud access to software for crypto-phishing, ransomware-style computer lockups, renting botnets, organising DDoS attacks and more. We also set out the basic rules for safe Web3 browsing.

What is Crimeware-as-a-Service?

Not only “white hats” are becoming more organised, sought-after and successful. On the opposite, darker side of the internet, cybercriminals are also pooling their efforts.

Once, black-hat hackers acted alone or in small groups, spreading viruses by email. Making money required writing malware yourself and mastering skills such as finding vulnerabilities in smart contracts. CaaS has simplified all that—attackers can simply rent the necessary tools and commission a cyberattack as a commercial service.

The Software-as-a-Service (SaaS) delivery model, around for more than a decade, has been effectively repurposed for attacks. Adapted for illicit activity, CaaS lets people without specialist knowledge conduct hacking. Cybercriminals also discuss methods on online forums. A community takes shape: veterans support newcomers and provide tools and services for a fee, often as a cut of the haul.

Deals to develop and purchase malware typically take place on the darknet, where users can preserve a degree of anonymity. Although Tor and its browser can be used legitimately to protect data, they are banned in some countries.

How CaaS crews pick users’ pockets

Thanks to CaaS, fraudsters can deploy phishing kits, ransomware and spyware in concert to hit thousands of users at once. The result is a full-blown underground economy in which much of the cybercrime is automated. The cost of an attack has fallen sharply and the market has broadened, which complicates the job of law enforcement.

According to the Europol report Cyber-attacks: the apex of crime-as-a-service, cybercrime is acquiring a more complex organisational structure, with its own ecosystem and a multi-tier hierarchy. It cites Ransomware-as-a-Service (RaaS) operations as the example:

“Affiliate programmes have taken hold as the main format of the RaaS model thanks to streamlined processes and the scalability of their operations. This business model is based on the development of a platform that partners use to distribute ransomware, publish stolen data and launder criminal proceeds. Platform administrators (the ransomware group) receive a percentage of all payments made by victims through their service,” the report says.

The money flow typically looks like this: the victim's crypto payment lands in a wallet controlled by the extortionists, usually passes through a mixer (Tornado Cash is the best-known example, though it only handles Ethereum-based assets, so bitcoin ransoms go through other mixing services) and is then split automatically between the administrators, the affiliate who executed the attack and the service providers. The affiliate's cut depends on their status: entry-level shares are about 20–40% of the ransom, and at higher levels they can reach 80%.

Organisation of a cybercriminal group under an affiliate programme. Source: Europol.

A common three-tier organisation of a cybercriminal community looks like this:

  • the main ransomware group—cybercriminals with experience across disciplines and a long history of working together. They are typically active on private forums and in chats. The core consists of senior managers and back-end developers who control operations, manage assets and develop the platform;
  • the second tier comprises contracted specialists performing assorted tasks. These may include developers, pentesters, experts in reverse engineering, system administrators, negotiators, recruiters, HR managers and even legal advisers;
  • the third tier consists of service providers and partners who carry out the attacks: developers of crypters and droppers, money launderers and hosting operators. Operators may trick victims into downloading malware or handing over confidential data, such as the credentials for crypto wallets.

Similar models are used across many attack vectors on blockchain applications. Some CaaS platforms let criminals tailor malware to their requirements and target specific victims. CaaS greatly expands attackers’ capabilities by giving them access to all the tools they need. They employ programmes such as keyloggers, Trojans and adware.

Among CaaS products on the darknet, many are tied to cryptocurrency:

  • compromised assets and databases of hacked accounts;
  • malware to steal private keys and credentials for crypto wallets;
  • DDoS attacks on cryptocurrency platforms or other online systems. Clients choose the target and duration; operators use botnets or other methods to overwhelm the victim’s infrastructure;
  • money-laundering services. Help converting stolen crypto into untraceable assets or fiat;
  • phishing kits. Packages for creating fake sites impersonating exchanges or wallets to steal personal data.

Phishing at scale: a bane for crypto

In its 2024 annual report, CertiK’s analysts cite more than $1bn stolen across 296 phishing attacks.

Anyone who has ever joined an airdrop campaign is a potential target. Criminals cast nets of fake links to bogus exchanges, X accounts and airdrop claim pages, waiting for a bite. Email and social networks fill daily with spam urging users to claim the latest token reward.

CaaS has made matters worse. Why spend months probing an organisation’s security for vulnerabilities when you can strike with a turnkey phishing attack? The model also scales campaigns by cutting the labour involved.

There are several types of “drainers”, the wallet-emptying tools behind these campaigns. Most do not exploit a flaw in the victim's wallet at all; they get the victim to authorise the theft. A fake claim or mint page asks the connected wallet to approve a token allowance, to call setApprovalForAll for an NFT collection, or to sign an off-chain Permit or marketplace order in favour of the drainer's address, and once that approval exists the drainer's contract sweeps the assets in a single transaction. Other variants are malicious contracts whose innocuous-looking functions contain hidden logic that triggers unauthorised transfers, and counterfeit NFTs or tokens dropped into wallets to lure the holder onto a phishing site where the same approvals are requested.
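The approval and signature requests a drainer relies on can be screened mechanically before the user confirms them. What follows is an added example written for this article, not code from ForkLog or from any drainer kit: a plain Node.js checker that decodes the calldata of an eth_sendTransaction request and the fields of an eth_signTypedData_v4 Permit request and ranks each by risk. The function selectors are the standard ERC-20/721/1155 ones; the owner, drainer and router addresses, the trusted-spender set and the sample requests are constructed for the demonstration.

```javascript
// Added example, not code from the ForkLog article or from any drainer kit:
// a drainer-aware screen for wallet requests, of the kind a wallet or browser
// extension would run before showing the user a "Confirm" button.
// Plain Node.js, no dependencies. Only request.data / request.message is
// inspected; the addresses and sample requests are constructed for the demo.

// Standard 4-byte selectors (first 4 bytes of keccak256 of the signature).
const SELECTORS = {
  "095ea7b3": "approve",            // approve(address,uint256), ERC-20 and ERC-721
  "39509351": "increaseAllowance",  // increaseAllowance(address,uint256)
  "a22cb465": "setApprovalForAll",  // setApprovalForAll(address,bool), ERC-721/1155
  "a9059cbb": "transfer",           // transfer(address,uint256)
  "23b872dd": "transferFrom",       // transferFrom(address,address,uint256)
  "42842e0e": "safeTransferFrom",   // safeTransferFrom(address,address,uint256)
};
const UINT256_MAX = (1n << 256n) - 1n;   // "unlimited" for ERC-20 approve / EIP-2612
const UINT160_MAX = (1n << 160n) - 1n;   // "unlimited" for Permit2 amounts

// ABI argument i is the i-th 32-byte word after the 4-byte selector.
function word(data, i) {
  const w = data.slice(8 + i * 64, 8 + (i + 1) * 64);
  if (w.length !== 64) throw new Error(`calldata too short for argument ${i}`);
  return w;
}
const asAddress = (w) => "0x" + w.slice(24);   // address = low 20 bytes of the word
const asUint = (w) => BigInt("0x" + w);

function rank(findings) {
  if (findings.some((f) => f.severity === "high")) return "high";
  return findings.length ? "medium" : "low";
}

// Screen an eth_sendTransaction request. `owner` is the connected account;
// `trustedSpenders` is the set of contracts the user has chosen to trust.
function classifyTransaction(tx, owner, trustedSpenders = new Set()) {
  const data = (tx.data || "0x").replace(/^0x/, "").toLowerCase();
  const fn = SELECTORS[data.slice(0, 8)];
  const findings = [];
  if (fn === "approve" || fn === "increaseAllowance") {
    const spender = asAddress(word(data, 0));
    const amount = asUint(word(data, 1));
    if (amount === UINT256_MAX)
      findings.push({ severity: "high", msg: `unlimited allowance for ${spender}` });
    else if (!trustedSpenders.has(spender))
      findings.push({ severity: "medium", msg: `allowance for unknown spender ${spender}` });
  } else if (fn === "setApprovalForAll") {
    const operator = asAddress(word(data, 0));
    if (asUint(word(data, 1)) !== 0n)   // approved == true
      findings.push({ severity: "high", msg: `operator ${operator} may move every token in the collection` });
  } else if (fn === "transferFrom" || fn === "safeTransferFrom") {
    const from = asAddress(word(data, 0));
    const to = asAddress(word(data, 1));
    if (from === (owner || "").toLowerCase() && !trustedSpenders.has(to))
      findings.push({ severity: "medium", msg: `moves the owner's asset to ${to}` });
  }
  return { function: fn || "unknown", risk: rank(findings), findings };
}

// Screen an eth_signTypedData_v4 request. EIP-2612 Permit and Permit2 signatures
// are a drainer favourite: they cost the victim no gas, and the allowance only
// appears on-chain when the attacker submits the signature.
function classifyTypedData(typed, trustedSpenders = new Set()) {
  const findings = [];
  const m = typed.message || {};
  if (/^Permit/.test(typed.primaryType || "")) {
    const spender = String(m.spender || "").toLowerCase();
    const amount = BigInt(m.value ?? m.details?.amount ?? 0);      // EIP-2612 vs Permit2
    const deadline = BigInt(m.deadline ?? m.sigDeadline ?? 0);
    if (amount === UINT256_MAX || amount === UINT160_MAX)
      findings.push({ severity: "high", msg: `unlimited permit for ${spender}` });
    else if (!trustedSpenders.has(spender))
      findings.push({ severity: "medium", msg: `permit for unknown spender ${spender}` });
    const thirtyDaysOut = BigInt(Math.floor(Date.now() / 1000)) + 30n * 86400n;
    if (deadline > thirtyDaysOut)
      findings.push({ severity: "medium", msg: "permit stays valid for more than 30 days" });
  }
  return { type: typed.primaryType || "unknown", risk: rank(findings), findings };
}

// --- constructed sample requests (hypothetical addresses) -------------------
const OWNER = "0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
const DRAINER = "0xdddddddddddddddddddddddddddddddddddddddd";
const ROUTER = "0x1111111111111111111111111111111111111111";   // stands in for a known DEX router
const padAddr = (a) => a.slice(2).padStart(64, "0");
const padUint = (n) => n.toString(16).padStart(64, "0");
const SAMPLES = {
  // what a fake "claim" page typically asks the wallet to send
  unlimitedApprove: { data: "0x095ea7b3" + padAddr(DRAINER) + padUint(UINT256_MAX) },
  approveAll:       { data: "0xa22cb465" + padAddr(DRAINER) + padUint(1n) },
  // a bounded allowance for a trusted contract, i.e. ordinary DeFi use
  boundedApprove:   { data: "0x095ea7b3" + padAddr(ROUTER) + padUint(10n ** 18n) },
  permit: { primaryType: "Permit", message: { owner: OWNER, spender: DRAINER,
            value: UINT256_MAX.toString(), nonce: "0", deadline: UINT256_MAX.toString() } },
};

if (typeof require !== "undefined" && require.main === module) {
  for (const [name, req] of Object.entries(SAMPLES)) {
    const result = req.primaryType
      ? classifyTypedData(req, new Set([ROUTER]))
      : classifyTransaction(req, OWNER, new Set([ROUTER]));
    console.log(name, result.risk, result.findings.map((f) => f.msg));
  }
}
```

Run it with node and the demo prints a classification for each sample. The point the drainer paragraph makes in prose is visible in the output: none of the flagged requests contains anything a node would reject. They are well-formed approve, setApprovalForAll and Permit calls, and the only thing that separates them from legitimate DeFi usage is who the spender is and how much it is allowed to take.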

Crypto drainers are usually offered under a Drainer-as-a-Service (DaaS) model, in which providers supply the software and support to cybercriminals for a share of the proceeds. Modern services typically include:

  • turnkey scripts for draining cryptocurrencies;
  • customisable smart contracts;
  • phishing kits and social-engineering services;
  • premium operational-security or anonymity services;
  • help with integrations and mixers;
  • ongoing updates, maintenance and technical support.

Several large DaaS platforms shut down in 2024. In May, Pink Drainer shut down; it supplied criminals with tools for crypto theft, including social engineering and link distribution, and took fees plus a cut of the loot. Pink Drainer was linked to $85m in stolen digital assets from more than 21,000 victims.

In July, participants in the Angel Drainer crypto-phishing platform, which appeared around August 2023, were deanonymised. The platform offered tools to steal cryptocurrency for a 20% fee and an upfront deposit of $5,000–$10,000, gaining most of its traction on Telegram. In total, the drainer helped steal more than $25m from 35,000 users. It has been linked to the Ledger Connect Kit and EigenLayer attacks.

Release of a new version of the Angel Drainer DaaS software in 2023 on Telegram. Source: SentinelOne.

DaaS may have catalysed a shift in the attack vectors used against Telegram users. Malware-based scams targeting crypto investors on the messenger now outnumber traditional phishing: between November 2024 and January 2025 the frequency of such attacks rose by 2,000%. To lure victims, attackers use fake verification bots and invitations to “exclusive” trading or airdrop channels. During the sham “verification”, malicious code hijacks the clipboard (the classic clipper trick: a wallet address the victim copies is silently swapped for the attacker's), downloads further malware and exposes passwords, wallet data and browser-stored credentials.

Darknet marketplaces are awash with services for spying on mobile devices and desktops, hacking email and messengers such as Telegram and WhatsApp, and comprehensive packages aimed at stealing bitcoin. Vendors even offer detailed video demonstrations as proof that their malware works.

Assortment of the DARKFOX darknet marketplace. Source: darknet.

Takeaways

Crimeware-as-a-Service (CaaS) has altered the cybersecurity calculus for crypto users, raising risks and demanding stronger defences. It has lowered the barrier to entry into cybercrime, letting even non-technical actors wield sophisticated tools. That has increased both the number and scale of attacks, blunting traditional safeguards.

Key responses include multi-factor authentication, hardware wallets and round-the-clock threat monitoring. For wallet users the most effective habit against drainers is unglamorous: read what a transaction or signature request actually grants before confirming it (a spender address and an allowance, not just a “Claim” button), and periodically revoke token approvals you no longer need. And, as Web3 researcher Vladimir Menaskop advises, follow the three-step rule: security, diversification and customisation. If you do get into trouble, “white hats” may help: try the 24/7 SEAL 911 “rescue service”.
