New wave of crypto fraud in Russia: drainers disguise themselves as investment programs
The digital asset market in Russia has faced a new, extremely aggressive threat. According to data from the specialized unit F6 Digital Risk Protection, at least three hacker groups have launched a large-scale campaign to steal cryptocurrency from Russian users. They are using so-called drainers—malicious programs disguised as legitimate affiliate and investment services.
Attack Mechanics: From Bonus to Complete Wallet Drain
The scheme identified by analysts is characterized by its sophistication and psychological precision. In late May to early June, the attackers launched at least 15 bait sites that are visually indistinguishable from official platforms for opening investment accounts.
Users are promised a welcome bonus of $50 in USDT. To activate it, the victim is asked to "connect a wallet" by scanning a QR code through the official app. At first glance, this seems like a standard procedure. However, in reality, it is an authorization on a phishing resource that gives fraudsters full access to withdraw all funds: tokens, NFTs, and stablecoins.
Once the connection is complete, the malicious software automatically checks the balance and instantly withdraws all available assets. No additional confirmation from the user is required—the transaction is signed at the moment the QR code is scanned.
Analysts identify three main types of bait:
- Investment accounts: Promising a bonus for registration.
- Telegram activity: Offering a profitable purchase of "stars" or premium services.
- Bonus programs: Distributing free tokens for connecting a wallet.
Notably, drainers are not a new tool. Several years ago, they were actively used against English-speaking audiences, after which their activity subsided. Now we are seeing a resurgence of this tactic with a focus on Russian-speaking users. Hackers are adapting their schemes, exploiting current news topics and investor gullibility.
How to Protect Your Assets
Experts strongly recommend completely avoiding clicking on links from advertisements promising "easy money." Every time you land on an unfamiliar site, you must carefully verify the domain name. Fraudsters often register domains that sound similar to well-known brands, and only a thorough check via Whois services (website creation date) can reveal a fake.
Additionally, it is important to remember that brokerage activities in Russia are licensed by the Bank of Russia. The legitimacy of the license and the list of official broker websites can always be verified on the Central Bank of the Russian Federation's website. Any promotions and bonuses should be sought exclusively on official platforms, not on dubious sites from advertisements.
Analyst's comment: This campaign is a vivid example of how old threats adapt to new markets. Russian-speaking users, especially beginners, often underestimate the risks associated with connecting wallets to untrusted interfaces. The only reliable protection is the principle of "zero trust": do not connect your wallet anywhere except official, repeatedly verified dApps and exchanges.