Crypto news

17.06.2026
19:34

A new wave of crypto fraud in Russia: drainers disguised as investment bonuses

The cryptocurrency market in Russia faces a serious threat: at least three hacker groups have launched a large-scale campaign to steal digital assets using malicious drainer programs. These tools, disguised as affiliate programs for investors, represent one of the most dangerous attack vectors today.

Specialists from the specialized unit of F6 Digital Risk Protection have recorded a new wave of investment fraud. In late May to early June, attackers launched at least 15 bait sites that outwardly appear as legitimate investment platforms. However, each one contains hidden drainer code—a program designed to instantly empty crypto wallets.

The attack mechanism is honed to automation. Users are promised a welcome bonus of $50 in USDT for opening an investment account. To activate the "generous" offer, the victim is asked to connect their wallet by scanning a QR code through the official app. At first glance, the procedure seems standard and raises no suspicion. However, in reality, by signing the transaction request, the user grants attackers full access to withdraw all funds: cryptocurrencies, tokens, and NFTs.

Once authorization on the fake site is complete, the malicious software checks the balance with several requests and instantly withdraws all available assets. The investor is left with nothing.

Main Scammer Tricks

Analysts have identified three main types of bait used by the groups:

  • Investment accounts: promising a bonus for registration.
  • Telegram activity: offering a profitable purchase of "stars" or other internal assets.
  • Bonus programs: distributing free tokens for connecting a wallet.

It is worth noting that drainers are not a new phenomenon. Several years ago, they were actively spreading among English-speaking users, after which their activity declined. Now we are witnessing a resurgence of this threat, but this time targeting a Russian-speaking audience. As noted by Maria Sinitsyna, senior analyst at the Digital Risk Protection department of F6, attackers have adapted the schemes to the local market and are actively exploiting fresh news topics.

How to Protect Your Assets

Experts recommend completely avoiding clicking on suspicious links from advertisements. Additionally, it is necessary to carefully verify the domain name of the resource you are on. Scammers often register domains that sound similar to well-known brands, so checking the site's creation date via Whois services is a mandatory procedure.

It is also worth remembering that brokerage activities in Russia are conducted only under a license from the Bank of Russia. The validity of the license and the official online resources of the broker can be checked on the Central Bank's website. Any promotions and bonuses should be verified exclusively on official platforms. A suspicious site can be sent to the "Anti-Phishing" platform—F6 specialists will check the information and pass it to regulators for blocking.

My professional opinion: This attack is a vivid example of how classic social engineering methods are combined with modern technological tools. Russian investors should be extremely vigilant: if an offer seems too good to be true, it is likely a trap. Never connect your wallet to unverified resources, even if you are promised "free" money.