New wave of crypto drainers: how hackers clean out Russians' wallets through fake investment platforms
The digital asset market has once again become a target for well-organized fraudulent schemes. My analysis shows that at least three hacker groups have launched a large-scale campaign against Russian cryptocurrency holders, using malicious software known as drainers. These tools are disguised as legitimate affiliate programs for investors, but their sole purpose is to instantly empty wallets.
Attack Mechanics: From Bonus to Theft
From late May to early June, attackers launched at least 15 phishing websites disguised as investment platforms. The method is simple and cynical: the user is promised a welcome bonus of $50 in USDT for registration. To activate the "generous" offer, the victim is asked to connect their crypto wallet by scanning a QR code through the official app.
In reality, this is nothing but a trap. After scanning, the user independently signs a transaction, giving fraudsters full access to manage their assets. Once authorization on the fake website is complete, the drainer automatically checks the wallet balance with several requests and instantly withdraws all available funds: tokens, NFTs, stablecoins—anything of value.
Main Types of Bait
The analysis identified three key scam scenarios actively used in the current campaign:
- Investment Accounts — promising a bonus for connecting a wallet.
- Telegram Activity — offering a profitable purchase of "stars" or premium services.
- Bonus Programs — distributing free tokens in exchange for authorization.
Why This Is Especially Dangerous Now
Notably, drainers are not a new threat. Several years ago, they were actively used against English-speaking users, after which their activity declined. However, we are now witnessing a resurgence of this tactic, but with a focus on the Russian-speaking audience. Fraudsters quickly create new domains to replace blocked ones, making the fight against them a game of cat and mouse.
How to Protect Your Assets
Experts recommend completely avoiding clicking on suspicious links from advertisements. Before connecting a wallet, it is necessary to thoroughly check the domain name of the resource—attackers often register addresses that sound similar to well-known brands. Use Whois services to check the site's creation date: fresh domains are a red flag.
Additionally, in Russia, brokerage activities are only possible with a license from the Central Bank. All official resources of licensed brokers can be verified on the Central Bank of the Russian Federation's website. Any promotions and bonuses should be cross-checked exclusively on official platforms. If you come across a suspicious website, you can submit it for verification to the "Antiphishing" platform—specialists will promptly forward the data to regulators for blocking.
My Expertise: The current wave of attacks is a vivid example of how fraudsters adapt old but effective schemes to new audiences. Russian cryptocurrency holders should double their vigilance: drainers are becoming increasingly sophisticated, and the only reliable defense is the principle of "trust but verify." Never connect your wallet to websites that promise easy money or bonuses—this is almost a guaranteed path to losing all your assets.