Malware software-as-a-service Angel Drainer, linked to over $25 million in thefts, has reportedly shut down after its developers were potentially identified.

Angel Drainer, a drainer-as-a-service program, has allegedly suspended its operations just two hours after cybersecurity researchers at Match Systems said they were able to de-anonymize members of the malware.

🚨 Deanonymization of Angel Drainer Members! 🚨We are actively working on investigating the thefts involving Angel Drainer and have already made progress in identifying the individuals behind this group.🕵️‍♂️ Who are Angel Drainer?Angel Drainer is a criminal gang that has… pic.twitter.com/UEzRS7kR9Q

— Match Systems (@MatchSystems) July 16, 2024

In an X post on Wednesday, the Dubai-based blockchain forensics firm Match Systems revealed that Angel Drainer’s Telegram channel announced the suspension of services, though it remains unclear whether Match Systems reported the bad actors to law enforcement as the firm continues to accumulate data.

“We continue to accumulate data and work to identify the remaining identities involved in this criminal gang.”

Match Systems

Angel Drainer is a JavaScript-based malware utilized by cybercriminals to drain crypto wallets. It operates by executing phishing scams that trick users into granting token approvals, enabling the scammers to siphon off their assets.

The drainer first came under the radar in late 2023 and gained popularity in early 2024 when analysts at blockchain security firm Blockaid warned that Angel Drainer had introduced a new attack vector, using a protocol to execute a novel approval farming attack through the queueWithdrawal mechanism.

In February, Blockaid estimated that Angel Drainer stole over $25 million worth of crypto from nearly 35,000 wallets, suggesting that the malware was probably behind “high profile drains” like Ledger Connect Kit and Restake Farming attack.

Read more: Web3 urgently needs a paradigm shift in its security approach | Opinion