Crypto news

17.06.2026
17:35

New wave of crypto drainers: how hackers empty Russians' wallets

Russian cryptocurrency users have encountered a new, extremely dangerous threat. At least three hacker groups have launched a massive attack using malicious software known as drainers. These programs, disguised as legitimate affiliate and investment schemes, are designed to instantly empty crypto wallets.

My team of analysts is closely monitoring this trend. In late May to early June, attackers launched at least 15 phishing bait sites. All of them contain hidden crypto drainers. The deception scheme is refined to automation and targets the main weakness of many investors—the desire for easy money.

Attack Mechanics: From Bonus to Theft

The victim is lured to a fake resource with the promise of opening an investment account with a welcome bonus of $50 in USDT. To activate this "generous" offer, the user is prompted to connect their crypto wallet by scanning a QR code through the official app. At first glance, this is a standard procedure.

However, in reality, the victim independently signs a transaction that grants attackers full access to withdraw all funds: cryptocurrencies, tokens, and NFTs. Once authorization on the fake site is complete, the malicious software checks the balance with several requests and instantly withdraws everything available.

We have identified three main types of bait currently in use:

  • Investment accounts: Promising a bonus for registration.
  • Telegram activity: Offering a profitable purchase of "stars" or other internal currencies.
  • Bonus programs: Distributing free tokens for connecting a wallet.

It is important to understand that this is not a one-time event. Several years ago, similar drainers were actively used against English-speaking audiences, after which their activity temporarily declined. Now we are seeing a resurgence of this tactic, but with a focus on Russian-speaking users. Closing some domains will not solve the problem—scammers quickly create new addresses.

How to Protect Your Assets

In the current environment, every cryptocurrency holder needs to exercise extreme caution. My recommendations are simple but critically important:

  • Never click on suspicious links from ads. Enter website addresses manually or use bookmarks.
  • Carefully check the domain name. Attackers often register domains that sound similar to well-known brands. Use Whois services to check the site's creation date—new resources should raise suspicion.
  • Check licenses. In Russia, brokerage activities are only possible with a Central Bank license. Verify any promotions exclusively on official platforms.
  • Report suspicious sites. The "Antiphishing" platform allows you to submit a resource for review and subsequent blocking.

My professional advice: In an era of growing attack automation, the only reliable protection is your own awareness. Never connect your wallet to unfamiliar services for promised bonuses. If an offer seems too good to be true—it is almost certainly a trap.