Crypto news

17.06.2026
20:19

A new wave of crypto drainers: how hackers empty the wallets of Russians

Russian cryptocurrency users are facing an aggressive new threat. At least three hacker groups have shifted their focus to the Russian-speaking audience, using malicious software known as drainers. These programs disguise themselves as legitimate investment platforms and affiliate programs, promising easy profits.

In late May to early June of this year, the emergence of at least 15 bait websites containing hidden crypto drainers was recorded. Analysts from the specialized division of F6 Digital Risk Protection identified a worrying trend: users are lured with promises of opening an investment account with a welcome bonus of $50 in USDT. To activate the bonus, the victim is asked to connect their wallet by scanning a QR code through the official app.

At first glance, this looks like a standard procedure. However, in reality, the user, without realizing it, signs a transaction that gives attackers full access to withdraw funds, tokens, and NFTs. Once authorization on the fake website is complete, the drainer instantly checks the balance with several requests and empties the wallet.

Main Luring Schemes

Specialists have identified three key tricks used by scammers:

  • Investment accounts: Promising a bonus for registration.
  • Telegram activity: Offering a profitable purchase of stars or other internal currencies.
  • Bonus programs: Distributing free tokens for connecting a wallet.

The scheme organizers have already submitted a request to block the identified domains, but as practice shows, new addresses immediately replace the closed ones. Maria Sinitsyna, Senior Analyst at the Digital Risk Protection Department of F6, notes that drainers are not new—they were actively used against English-speaking users several years ago, after which their activity declined. Now we are witnessing a resurgence of this threat, but with a focus on the Russian-speaking audience.

How to Protect Your Assets

Experts recommend completely avoiding clicking on suspicious links from advertisements. It is important to carefully verify the domain name of the resource you are on. Attackers often register domains that sound similar to well-known brands. Use Whois services to check the site's creation date—new resources should raise particular suspicion.

Additionally, since brokerage activities in the Russian Federation are only conducted under a license from the Bank of Russia, check the license and official internet resources of the broker on the Central Bank's website. Verify any promotions exclusively on official platforms. If you find a suspicious site, you can send it to the "Antiphishing" platform—F6 specialists will check the information and pass it to regulators for blocking.

Expert comment: The return of drainers targeting the Russian-speaking audience is an alarming signal. This indicates that attackers are adapting and finding new ways to bypass protective mechanisms. The most reliable protection is cold storage of assets and a critical attitude towards any offers requiring wallet connection. Do not believe promises of "freebies"—they do not exist in the crypto world.