A new wave of crypto drainers: how hackers empty Russians' wallets under the guise of investment bonuses
The digital asset market is once again becoming a stage for a large-scale fraudulent campaign. At least three hacker groups have launched attacks on Russian-speaking users using malicious software — crypto drainers. These programs masquerade as legitimate affiliate and investment offers, making them particularly dangerous.
Attack Mechanics: From Bonus to Complete Loss of Funds
In late May to early June of this year, attackers launched at least 15 phishing websites equipped with hidden drainers. Analysts from the specialized division of F6 Digital Risk Protection have recorded an alarming trend: victims are lured with promises of opening an investment account with a welcome bonus of $50 in USDT.
The deception scheme works as follows. The user is offered to activate the bonus by connecting their crypto wallet via scanning a QR code in the official app. The unsuspecting victim independently signs a transaction, which in reality grants hackers full access to withdraw all digital assets: cryptocurrencies, tokens, and NFTs. Once authorization on the fake website is complete, the malicious software instantly checks the balance with several requests and empties the wallet.
Experts identify three main types of bait used by the groups:
- Investment accounts: Promising a bonus for registration.
- Telegram activity: Offering a profitable purchase of "stars".
- Bonus programs: Distributing free tokens for connecting a wallet.
F6 specialists have already submitted requests to block the identified malicious resources. However, as practice shows, fraudsters quickly create new domains to replace the blocked ones.
Why This Is a New Threat and How to Protect Yourself
Maria Sinitsyna, Senior Analyst at the Digital Risk Protection Department of F6, notes that drainers are not a new phenomenon. Several years ago, they were actively spreading among English-speaking users, after which their activity declined. Now we are witnessing the return of this threat, but with a focus on the Russian-speaking audience.
Cryptocurrency owners need to exercise extreme caution. It is strictly not recommended to click on suspicious links from advertisements. Always carefully check the domain name of the resource — attackers often register addresses that sound similar to well-known brands. Use Whois services to check the website's creation date: fresh domains are one of the main signs of phishing.
Additionally, in Russia, brokerage activities are only possible with a license from the Central Bank. You can verify the legitimacy of the license and the official internet resources of the broker on the Central Bank of the Russian Federation's website. Any promotions and bonus offers should be verified exclusively on official platforms. If you encounter a suspicious website, you can send it for verification on the "Antiphishing" platform — F6 specialists will check the information and pass it on to regulators for blocking.
Expert Opinion: This new wave of attacks is a vivid example of how fraudsters adapt old but effective schemes to new markets. The psychological aspect is particularly dangerous: the promise of easy money ($50) makes users neglect basic security rules. I strongly recommend using hardware wallets to store significant amounts and never connecting hot wallets to unverified web interfaces. The only reliable way to preserve assets is cold storage and absolute distrust of any "bonuses" that require connecting a wallet.