Crypto Drainers Evolve into Professional DaaS Operations: A Case Study on Lucifer
Recent analysis by Flare researchers of over 700 posts from underground forums and channels related to the 'Lucifer DaaS' reveals how crypto drainers have evolved into a professional service economy. Unlike traditional malware, drainers rely on social engineering, luring victims to fake websites to connect wallets and approve malicious transactions, enabling instant asset theft across multiple blockchains. Lucifer operates on a commission-based model, taking a 20% cut from successful 'hits,' and emphasizes affiliate growth, automation, and phishing scalability. The dataset shows Lucifer releasing regular updates (e.g., version 6.6.6), offering website-cloning features, and implementing 'Zero Config' deployment to lower technical barriers. Despite takedowns—such as Telegram bot bans and Google Firebase suspension—the group demonstrated resilience by migrating to decentralized IPFS. This case highlights how modern DaaS platforms mimic legitimate SaaS businesses, focusing on product development, affiliate retention, and operational resilience. The broader ecosystem includes competitors like Inferno, Angel, and Venom, all vying for traffic and affiliates.
Key facts
- Lucifer DaaS takes a 20% commission on successful hits rather than selling the software outright.
- Version 6.6.6 added ERC20 support, Permit2 abuse, and wallet-security bypasses.
- Zero Config deployment lowered technical barriers for affiliates.
- After Telegram bot bans, Lucifer instructed users to migrate bots and admin privileges.
- Google Firebase docs domain suspended; group moved to decentralized IPFS.
- Drainers exploit user confusion over wallet permissions and signature approvals.
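A wallet or monitoring tool can examine a signature request on the defender's side before the user signs it. The following is an added example, not part of Flare's analysis or the original page: it triages an EIP-712 signing request for EIP-2612 and Permit2 approval messages. The function name, finding labels, 30-day threshold, allowlist and sample request are assumptions constructed for illustration.

```javascript
// Added example: triage an EIP-712 signing request (the JSON a dapp passes to
// eth_signTypedData_v4) for off-chain token-approval signatures.
const MAX_UINT160 = (1n << 160n) - 1n; // Permit2 allowance amounts are uint160
const MAX_UINT256 = (1n << 256n) - 1n; // EIP-2612 permit values are uint256
const LONG_VALIDITY_SECS = 30n * 86400n; // assumption: more than 30 days is flagged

function reviewSignRequest(typedData, nowSec, trustedSpenders) {
  const { primaryType, message } = typedData;
  let grants;
  if (primaryType === "Permit") {
    // EIP-2612 fields: owner, spender, value, nonce, deadline.
    // "until" here is how long the signature itself stays usable.
    grants = [{ amount: BigInt(message.value), max: MAX_UINT256, until: BigInt(message.deadline) }];
  } else if (primaryType === "PermitSingle" || primaryType === "PermitBatch") {
    // Permit2 allowance: details is one object (single) or an array (batch).
    // "until" here is the allowance expiration.
    grants = [].concat(message.details).map((d) => ({
      amount: BigInt(d.amount), max: MAX_UINT160, until: BigInt(d.expiration),
    }));
  } else {
    return { approval: false, tokens: 0, findings: [] }; // not an approval message
  }
  const findings = [];
  if (!trustedSpenders.has(message.spender.toLowerCase())) findings.push("unknown-spender");
  if (grants.some((g) => g.amount >= g.max)) findings.push("unlimited-amount");
  if (grants.some((g) => g.until - BigInt(nowSec) > LONG_VALIDITY_SECS)) findings.push("long-validity");
  return { approval: true, tokens: grants.length, findings };
}

// Constructed sample: a Permit2 PermitSingle request with placeholder addresses.
const SAMPLE_REQUEST = {
  domain: { name: "Permit2", chainId: 1 },
  primaryType: "PermitSingle",
  message: {
    details: {
      token: "0x2222222222222222222222222222222222222222",
      amount: MAX_UINT160.toString(),
      expiration: "4102444800", // 2100-01-01 UTC
      nonce: "0",
    },
    spender: "0x3333333333333333333333333333333333333333",
    sigDeadline: "4102444800",
  },
};
// Hypothetical allowlist of spender contracts the user actually intends to use.
const TRUSTED = new Set(["0x1111111111111111111111111111111111111111"]);
console.log(reviewSignRequest(SAMPLE_REQUEST, 1700000000, TRUSTED));
```

A request that comes back with all three findings is the pattern worth blocking or surfacing to the user in plain language, since such a signature costs no gas and looks harmless in many wallet prompts.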