Crypto news

17.06.2026
17:52

A new wave of crypto fraud in Russia: drainers disguised as investment platforms

Analysts have recorded an alarming trend: at least three hacker groups have launched a large-scale campaign to steal cryptocurrency from Russian users. They are using malicious drainer programs, which attackers cleverly disguise as affiliate programs for investors. These are not isolated incidents but a coordinated attack targeting a Russian-speaking audience.

In late May and early June, criminals launched at least 15 bait websites, each containing a hidden crypto drainer. The deception mechanism is honed to perfection. Users are offered to open an "investment account" and promised a welcome bonus of $50 in USDT. To activate the "generous" offer, the victim is asked to connect their wallet by scanning a QR code through the official app.

At first glance, this looks like a standard procedure. However, by agreeing to the integration and signing the transaction request, the user effectively grants attackers full access to their funds. Once authorization on the fake site is complete, the malicious software checks the balance within seconds and instantly withdraws all available assets: cryptocurrency, tokens, and NFTs.

Main Tricks of Scammers

Analysts have identified three key types of bait currently being actively used:

  • Investment accounts: Promising a bonus for registration.
  • Telegram activity: Offering a profitable purchase of "stars" or other internal tokens.
  • Bonus programs: Distributing free tokens for connecting a wallet.

It is worth noting that drainers are not a new threat. Several years ago, they were actively spreading among English-speaking users, after which their activity temporarily declined. Now we are witnessing a revival of this scheme with a clear focus on the Russian-speaking audience. Users need to be extremely vigilant: by connecting a wallet to suspicious sites, you risk losing all your digital assets.

How to Protect Your Assets

Cybersecurity experts recommend completely avoiding clicking on suspicious links from advertisements. Always carefully verify the domain name of the resource you are on. Scammers often register domains that sound similar to well-known brands, so it is useful to check the site's creation date through Whois services.

Additionally, it is important to remember that brokerage activities in the Russian Federation are conducted only with a license from the Bank of Russia. The validity of the license and the official online resources of the broker can always be verified on the Central Bank's website. Any promotions and bonuses should be checked exclusively on official platforms. A suspicious site can be sent to the "Anti-Phishing" platform, where specialists will verify the information and pass it to regulators for blocking.

My professional opinion: This attack is a vivid example of how scammers adapt old, proven schemes to new realities. The use of "bonuses" is a classic psychological trigger that reduces vigilance. I advise all cryptocurrency holders to use separate wallets with minimal balances for interacting with any suspicious dApps and under no circumstances connect wallets containing significant amounts to unfamiliar sites.