Mac, a crypto enthusiast in Scotland, was browsing Twitter in November when he stumbled on an enticing offer: A news account he follows called Briefly Crypto was promoting discounted gift cards, purchasable with cryptocurrency, for Black Friday. Mac—who declined to provide his last name, citing privacy concerns—decided to buy his parents some hotel vouchers for Christmas.
The link was for Bitrefill, a platform Mac was familiar with that allows users to buy gift cards with crypto. He knew the Twitter account promoting the deal, so he figured it was safe and clicked on the link. After selecting the vouchers, he connected his crypto wallet and signed off on the first transaction.
Then, he got a strange pop-up—the website was asking his permission to send money to a decentralized trading exchange called dYdX. Suspicious, he opened a fraud prevention tool that would cancel the first transaction he had signed off on, but it was too late. The website already had stolen about $1,200 worth of crypto from his wallet.
“Sucks to lose, but I’m thankful that I acted quickly,” Mac told Fortune over Telegram, sharing that he had about $25,000 in his wallet at the time.
Mac was scammed through a pernicious scheme common in crypto. First, he was phished, or tricked into clicking on a malicious link. Then, he fell victim to a “drainer script”—code running in the background of the website that emptied his wallet. As cryptocurrency has gone increasingly mainstream, the average wallet can hold anything from Bitcoin and Ether to NFTs and memecoins. A successful phishing attack combined with a drainer script can empty wallets in seconds. Nick Bax, the head of research at the cybersecurity firm Convex Labs, estimated that drainers have resulted in anywhere from $50 million to $100 million in losses over the last year.
One entrepreneurial scammer, who experts say has revolutionized the drainer game, is responsible for a significant portion of these losses. Operating under the handle Monkey, the cybercriminal pioneered a new approach for crypto exploits—cribbed from ransomware—where he outsourced his code to other scammers, keeping a 30% cut of whatever they steal. Over the past six months, Monkey has claimed that his drainer script has stolen over $24 million.
According to cybersecurity researchers, Monkey has inspired a legion of copycats. Together, he and his acolytes have been responsible for millions in successful scams over the past few months, from Mac and his gift cards to Kevin Rose, an NFT entrepreneur who lost millions of dollars in NFTs to a wallet drainer in January.
On Tuesday, Monkey abruptly announced his departure from Telegram, but he left behind a prodigious legacy—and a wake of imitators.
“We see them as our competition,” Bax said. "And they’re winning.”
Full-stack scamming
Monkey emerged on Telegram in the fall of 2022. On Sept. 7, he created the channel “Monkey Drainer,” announcing its inception with a GIF of an animated monkey wearing ski goggles and rubbing a towel through its crotch.
In the edgelord land of crypto scammers, Monkey became a king in a matter of months.
“I’m no one compared to Monkey,” one disciple, a crypto scammer who spoke on the condition of anonymity, told Fortune. “He is running an industry—we are just here picking up the crumbs he leaves behind."
So, how did Monkey build his empire?
The drainer scam has two parts. The first can be thought of as the front-end, or how a victim is lured to sign off on transactions that drain their wallet. Mac, for example, had to believe he was clicking on a real link. This is generally accomplished through a trick called “social engineering,” where scammers convince users that a fake website or application is real.
Convincing victims to click on malicious links is an art form, and it can be accomplished in any number of ways. Mac clicked through a link from a Twitter account he trusted. As the owner of the Twitter account, Briefly Crypto told Fortune it aggregates links from social media sites like Reddit. Apparently, around Black Friday, a scammer gamed the platform to vote malicious links to the top of popular forums and then they ended up on Twitter aggregators.
Another technique is forcibly taking over well-known social media accounts or Discord servers through hacking, which has become increasingly common. In late January, for example, someone hacked the Twitter account for the hyped NFT project Azuki, posting links to drainer-websites infected with drainer scripts. At least $750,000 was stolen from users in just 30 minutes.
A third approach is mimicking popular mainstream brands and promoting fake NFT projects. Researchers behind the cybersecurity tool TrustCheck identified several of these scammers, where hackers created websites imitating popular video games, including Hades and Horizon Zero Dawn, and sneaker brands, including Nike, promoting NFT drops.
NFTs function around the promise of scarcity—when a new project is announced, users rush in to mint a limited amount of available NFTs that hopefully increase in price.
“A lot of the pretense for this phishing is trying to get people to FOMO [fear of missing out] in and click as fast as they can without thinking,” Convex Labs’ Bax told Fortune.
In the case of the video game and fashion industries, hackers leverage brand recognition to convince users to click on malicious links that lead to drainer scripts.
The phishing element of the scam—the front-end—still requires the back-end, or hidden infrastructure, as well: the drainer script that empties victims’ crypto wallets. And not all scammers are full-stack developers.
The rise of Monkey
Monkey is the epitome of a sought-after back-end developer. The scammer first rose to prominence with a drainer that exploited a protocol on OpenSea, the most popular NFT marketplace, which enabled the script to target NFTs. Monkey then started incorporating other types of assets into his script as well, from tokens native across different blockchains to CryptoPunks, one of the most popular NFT collections.
And Monkey’s drainer script was fast. People who have been hacked often realize quickly that their wallets are being emptied. According to Bax, the Monkey drainer script can triage by emptying wallets of their most valuable assets first, regardless of the type of token, even cross-checking prices and automatically listing the stolen goods.
In the past, a scammer with a drainer script might offer a package on Telegram or Github, the popular online repository for code, selling the code along with some downloadable JPEGs to make a fake, paint-by-the-numbers website, all for a flat price—what the community refers to as a “drainer template.”
According to the Monkey disciple who spoke with Fortune on the condition of anonymity, this plug-and-play approach doesn’t make much money and is targeted at scammer “newbies.”
Instead, Monkey copied a business model popular in the world of ransomware—instead of selling his script as a one-off, he would provide the back-end and let other scammers handle the phishing while still taking his 30% cut. Bax described Monkey as an “aggregator for crime.”
It also meant that Monkey had to become a salesman. The scammer’s Telegram channel read like a series of marketing pitches, where he sold potential customers—other scammers—on the sophistication of his particular drainer, even touting new updates and releases.
“I am not competing with anyone else,” he wrote on his Telegram channel. “I am a very busy human and working on staying ahead of the curve.”
Explosive growth, then a disappearance
By November, Monkey’s drainer had become so popular that he was charging not only a 30% cut of scam proceeds but a $1,000 fee just to get started.
Monkey’s rapid rise was at least partly attributable to a Twitter post in October by ZachXBT, a popular account on Twitter that uses blockchain data to reveal crypto scams. On Oct. 25, ZachXBT published an investigation on Monkey, writing that he had stolen around 700 ETH—then equivalent to around $1 million—in the past 24 hours.
1/ Over the past 24 hrs ~700 ETH ($1m) has been stolen by the phishing scammer known as Monkey Drainer.
— ZachXBT (@zachxbt) October 25, 2022
They recently surpassed 7300 transactions from their drainer wallet after being around for only a few months. pic.twitter.com/6vAYBiqCxQ
It’s a strange quirk of crypto Twitter that one of the most skilled blockchain sleuths helped propel a scammer to even greater success. Still, Monkey’s business scheme works by convincing other scammers to use his drainer, and being featured by ZachXBT is the equivalent of a Super Bowl ad in this ecosystem. ZachXBT even told Fortune that a scammer once messaged him asking if he could investigate his drainer template.
According to the anonymous scammer, Monkey’s popularity exploded after the ZachXBT post, not only sending him customers but spurring a wave of copycats offering drainer scripts for a 30% cut—as well as trying to emulate the script itself.
Bax said that the rise of Monkey has led to an increase in drainer scams. “It really accelerated starting in August, when Monkey drainer hit the streets,” he told Fortune.
Monkey touted that his drainer was responsible for over 25,000 successful “hits” through January, collecting more than 15,000 ETH, or about $24 million, according to the scammer’s Telegram channel. Bax said such a figure was believable.
He accomplished this by finding front-end phishing partners. In February, ZachXBT published a new investigation detailing how a scammer known as Loyalist stole $4 million from over 400 victims using the Monkey drainer, with Monkey presumably getting his 30%.
Loyalist: $4m stolen from over 400 victims https://t.co/SW10nPVyS9
— ZachXBT (@zachxbt) February 16, 2023
There has also been a rise in imitators. One of the biggest hits in the past three months came from a scammer known as Zentoh, who built a drainer script modeled after Monkey’s and offered it for a 30% cut. A different scammer, known as Kai, used the drainer to steal $4.3 million.
As detailed by the cybersecurity firm Certik, Kai absconded with the funds, not paying Zentoh the promised 30%. An increasingly desperate Zentoh pleaded with Kai for the money through a series of messages sent on the Ethereum blockchain.
“I just want you to stay loyal like I was to you,” Zentoh said, to no avail.
Monkey seemed to relish the drama.
“I am getting messages every day from yall [sic] that you used other drainer and drainer exit scam you,” he wrote in his Telegram channel. “Monkey drainer is on the scene for over 4 months now and haven’t yoinked single worker off.”
And then, as mysteriously as he arrived, Monkey deleted his Telegram account minutes before Fortune sent him a message requesting comment.
“The end of the crème de la crème,” he wrote in a farewell message on the channel, claiming to be moving on to “something better than ever before.”
Monkey Drainer has been shut down according to its owner. I wonder why 🤔 pic.twitter.com/BZ06Y1staD
— Fantasy 🦢 (@0xFantasy) February 28, 2023
He didn’t state a reason for the departure, but he did recommend would-be customers turn to a competitor known as Venom drainer, whose Telegram channel was started the same day Monkey’s closed.
Speculation ran rampant. The anonymous scammer told Fortune that Monkey might have left or rebranded because of heat related to the recent ZachXBT investigation, although ZachXBT said it was unlikely. Bax, who works alongside ZachXBT on investigations, said that Monkey's operations security had a lot of cracks in it.
“Perhaps its popularity was becoming too much to handle,” Joe Green, a researcher at Certik, told Fortune. “With more eyes than ever on these drainers, any mistake in the way they’re set up could potentially reveal clues to the scammer’s identity.”
Green said that, shortly after the disappearance of Monkey, he and his team saw other vendors of drainer scripts publicly announce on Telegram that they were receiving a flood of messages inquiring about their scam kits.
Fortune contacted the owner of the Venom drainer channel, the one to which Monkey pointed his disciples. After a brief exchange in which the owner said he “likes” journalism and asked to collaborate on a fictitious article, he went quiet. Its last message was an animated alligator.
