Crypto news

17.06.2026
18:35

New wave of crypto phishing: how drainers empty Russians' wallets

The cryptocurrency market has once again become a stage for a large-scale fraudulent attack. My colleagues from the Digital Risk Protection department at F6 have recorded a sharp surge in activity from at least three hacker groups targeting Russian holders of digital assets. The attackers are using malicious software — so-called "drainers" — disguised as legitimate investment platforms.

Attack Mechanics: From a Bonus Promise to Complete Depletion

In late May to early June 2024, at least 15 phishing bait sites were launched. The scheme is deceptively simple and dangerous: the user is offered to open an "investment account" and receive a welcome bonus of $50 in USDT. To activate the "generous offer," the victim is asked to connect their crypto wallet by scanning a QR code through the official app.

At first glance, this is a standard integration procedure. However, in reality, the user, without knowing it, signs a transaction that grants the attackers full access to manage their assets. Once the authorization on the fake site is complete, the malicious software checks the wallet balance within seconds and instantly withdraws all available funds: tokens, stablecoins, and even NFTs.

Bait TypeEssence of the Deception Scheme
Investment AccountsPromise of a registration bonus
Telegram ActivitiesOffer to buy "stars" at a favorable price
Bonus ProgramsFree token giveaways for connecting a wallet

It is worth noting that drainers are not a new threat. Several years ago, they were actively used against an English-speaking audience, after which their activity declined. Now we are seeing a resurgence of this tactic, but with a focus on Russian-speaking users. F6 specialists have already submitted requests to block the identified domains, but as practice shows, for every closed site, scammers quickly create a dozen new ones.

How to Protect Your Assets: Practical Recommendations

In the current environment, investors need to exercise extreme caution. The first and most important rule is to never click on links from advertisements promising "freebies." Always manually enter the domain name of the resource in the browser's address bar.

Special attention should be paid to checking the site's creation date through Whois services. Scammers often register domains that sound similar to well-known brands and have existed for only a few days or weeks. Additionally, I remind you that any legitimate brokerage activity in Russia is conducted only with a license from the Central Bank of the Russian Federation. You can verify its authenticity and the company's official online resources on the regulator's website.

Analyst's Comment: This wave of attacks is a vivid example of how scammers adapt old but successful schemes to a new audience. The key vulnerability here is the human factor and the desire to get "free money." As long as users fall for promises of bonuses and connect their wallets to unverified sites, drainers will remain one of the most effective tools in the arsenal of crypto criminals. The only reliable protection is cold storage and absolute distrust of any "gifts" from the internet.