A new wave of crypto fraud in Russia: drainers disguised as investment programs attack the wallets of Russians
The digital asset market in Russia has encountered a new, extremely dangerous threat. At least three hacker groups have launched a large-scale campaign to steal cryptocurrency from Russian users using malicious drainer programs. Fraudsters skillfully disguise their criminal schemes as legitimate affiliate programs for investors, making the attack particularly insidious.
Mechanics of Fraudulent Attacks
According to my data, in late May to early June, attackers launched at least 15 bait websites equipped with hidden crypto drainers. These programs are designed to instantly empty crypto wallets. Analysts from the specialized unit F6 Digital Risk Protection have recorded an alarming trend: users are lured to fake resources with promises of opening an investment account and receiving a welcome bonus of $50 in USDT.
The scheme works as follows: the victim is offered to connect their wallet by scanning a QR code through the official app. As a result, the user independently approves the integration and signs a transaction request. In reality, this operation grants hackers full access to withdraw cryptocurrency, tokens, and NFTs. Once authorization on the fake site is complete, the malicious software checks the balance with several requests and instantly withdraws all available funds.
I have identified three main types of bait currently being actively used:
- Investment accounts: Promise of a bonus for registration.
- Telegram activity: Offer to profitably purchase "stars" or other internal currencies.
- Bonus programs: Distribution of free tokens for connecting a wallet.
Specialists have already submitted a request to block the identified malicious resources. However, as I have repeatedly noted, this is a fight against windmills: in place of blocked domains, fraudsters quickly create new addresses. According to Maria Sinitsyna, senior analyst at the Digital Risk Protection department of F6, drainers have been used before. Several years ago, this software was actively spread among English-speaking users, after which its activity declined. A new wave is now being recorded, targeting the Russian-speaking audience.
How to Protect Your Digital Assets
Experts recommend completely avoiding clicking on suspicious links from advertisements. It is crucial to carefully verify the domain name of the resource—fraudsters often register addresses that sound similar to well-known brands. I recommend checking the site's creation date through specialized Whois services: "fresh" domains are a red flag.
Since brokerage activities in the Russian Federation are only conducted under a license from the Bank of Russia, the validity of such a license and the official online resources of the broker can be verified on the Central Bank's website. Any promotions should be cross-checked exclusively on official platforms. A suspicious site can be sent to the "Anti-Phishing" platform—specialists will verify the information and pass it to regulators for blocking.
My expert opinion: This attack is a vivid example of how fraudsters adapt proven Western schemes to the Russian market. Investors should remember a simple rule: if you are promised "free money" for connecting a wallet, it is almost certainly a trap. Vigilance and cold analysis are the only reliable protection in the current conditions.