A new wave of crypto drainers: how hackers are emptying the wallets of Russians
The digital asset market has once again faced an aggressive attack: at least three hacker groups have launched a large-scale campaign to steal cryptocurrency from Russian users. The attackers are using malicious software — so-called drainers — which are disguised as legitimate investment platforms and affiliate programs. According to my data, this is not an isolated incident but a well-coordinated operation targeting the Russian-speaking audience.
Specialists from the specialized unit F6 Digital Risk Protection have recorded the launch of at least 15 phishing websites in late May to early June. These resources do not just collect data — they are equipped with hidden scripts that, after user authorization, instantly check the wallet balance and withdraw all available funds: tokens, NFTs, and, of course, stablecoins.
The Mechanics of Deception: From Bonus to Full Drain
The attack scheme looks cynical and well-thought-out. The victim is lured with a promise to open an investment account with a welcome bonus of $50 in USDT. To activate it, the user is asked to connect their crypto wallet by scanning a QR code through the official app. In reality, this operation gives hackers full access to asset management.
I highlight three main types of bait currently being actively used:
- Investment accounts: a promise of a registration bonus.
- Telegram activity: an offer to buy "stars" or premium services at a discount.
- Bonus programs: free token giveaways for connecting a wallet.
Once the victim confirms the transaction, the malicious script "probes" the balance with several requests and instantly withdraws everything it finds. No traces, no possibility of reversal — funds disappear in seconds.
Why Is This Happening Now?
According to F6 lead analyst Maria Sinitsyna, drainers are not a new phenomenon. Several years ago, they were actively used against English-speaking users, but then activity subsided. Now we are seeing a resurgence of this tactic, but with a focus on the Russian-speaking audience. Hackers have adapted their tools, localized interfaces, and are actively using fresh news topics to lure victims.
I strongly recommend exercising extreme caution: do not click on links from advertisements, carefully check domain names (scammers often register similar-sounding addresses), and use Whois services to verify the site's creation date. If the resource is less than a month old, that is a serious red flag.
Additionally, let me remind you: brokerage activities in Russia are only possible with a license from the Central Bank. Any promotions and bonuses should be verified exclusively on official platforms. Suspicious websites can be sent to the "Antiphishing" platform — specialists will check the information and pass it to regulators for blocking.
My analysis: This wave of attacks is a direct consequence of the growing popularity of DeFi and the simplification of access to cryptocurrencies among unprepared audiences. Hackers perfectly understand that greed and gullibility are the main vulnerabilities of users. Until the industry implements mandatory warning mechanisms for suspicious wallet connections, such incidents will continue. Stay vigilant: no bonus is worth losing all your assets.