A new wave of crypto drainers: how hackers empty Russians' wallets through fake bonuses
In recent weeks, the Russian crypto market has seen a sharp surge in activity from malicious drainer programs. These are specialized software designed to instantly empty cryptocurrency wallets. Analysts from the specialized unit of F6 Digital Risk Protection have identified at least 15 fake websites disguised as investment platforms that are actively targeting Russian-speaking audiences.
The Mechanics of Deception: From Bonus to Total Asset Loss
The scheme is standard, but no less dangerous for it. Attackers lure victims with promises of opening an investment account with a welcome bonus of $50 in USDT. To activate this "generous" offer, users are asked to connect their crypto wallet by scanning a QR code through the official app.
At first glance, the operation seems harmless, but in reality, the victim unknowingly signs a transaction that grants hackers full access to withdraw funds. Once authorization on the fake site is complete, the drainer checks the wallet balance within seconds and instantly withdraws all available tokens, including NFTs.
Specialists highlight three main types of bait used in this campaign:
- Investment accounts: Promising a bonus for registration.
- Telegram activity: Offering a profitable purchase of "stars" or other internal currencies.
- Bonus programs: Distributing free tokens for connecting a wallet.
Notably, such attacks are not new. Several years ago, drainers were actively used against English-speaking users, after which their activity significantly declined. Now we are witnessing a new wave specifically targeting the Russian audience. Fraudsters quickly create new domains to replace blocked ones, making the fight against them a game of "cat and mouse."
How to Protect Your Digital Assets
The main rule is to completely avoid clicking on suspicious links from advertisements. Before connecting a wallet to any service, it is essential to carefully check the domain name of the resource. Hackers often register domains that sound similar to well-known brands, so use Whois services to check the site's creation date—fresh domains should raise particular suspicion.
Additionally, remember that any brokerage activity in Russia is only conducted under a license from the Bank of Russia. The validity of the license and the official online resources of the broker can always be verified on the Central Bank's website. Any promotions and bonuses should only be cross-checked on official platforms. If you come across a suspicious site, send it to the "Anti-Phishing" platform—specialists will verify the information and pass it on to regulators for blocking.
My professional opinion: This attack is a vivid example of how social engineering and technical vulnerabilities merge together. Russian users should be on alert: the wave of drainers is likely to only intensify, as the scheme has proven its effectiveness. The only reliable protection is cold wallets and absolute distrust of any "free" bonuses online.