New wave of crypto drainers: how hackers empty Russians' wallets
At least three hacker groups have launched a large-scale campaign against Russian cryptocurrency holders. Using malicious drainer programs, the attackers disguise their attacks as legitimate affiliate and investment programs.
The digital asset market in Russia has faced a new serious threat. According to analysts from the specialized unit F6 Digital Risk Protection, at least 15 phishing websites equipped with hidden crypto drainers were launched in late May to early June. These programs are designed to instantly empty connected wallets.
Attack Mechanics: From Bonus to Complete Loss of Funds
The deception scheme is honed to automation. Users are lured to fake resources with promises of opening an investment account and receiving a welcome bonus of $50 in USDT. To activate the "generous offer," the victim is asked to connect their wallet by scanning a QR code through the official app.
In reality, this action gives attackers full access to withdraw all funds, including tokens and NFTs. Once authorization on the fake site is complete, the malicious software checks the balance with several requests and instantly withdraws everything available. The most dangerous part is that the victim signs the transaction request themselves, unaware of the consequences.
Specialists identified three main lures:
- Investment accounts — promising a bonus for registration.
- Telegram activity — offering a profitable purchase of stars.
- Bonus programs — giving away free tokens for connecting a wallet.
According to Maria Sinitsyna, senior analyst at F6's Digital Risk Protection department, drainers are not a new technology. Several years ago, they were actively used against English-speaking audiences, after which their activity declined. However, a resurgence of this threat is now being recorded, targeting Russian-speaking users.
How to Protect Your Digital Assets
Experts recommend completely avoiding clicking on suspicious links from advertisements. It is crucial to carefully verify the domain name of the resource you land on. Attackers often register domains that sound similar to well-known brands, so checking the site's creation date through Whois services is a mandatory procedure.
Since brokerage activities in the Russian Federation are only conducted under a license from the Bank of Russia, it is necessary to verify its presence and the broker's official online resources on the Central Bank's website. Any promotions and offers should be verified exclusively on official platforms. A suspicious website can be sent to the "Antiphishing" platform — F6 specialists will check the information and forward it to regulators for blocking.
Expert opinion: This wave of attacks is a vivid example of how cybercriminals adapt old but effective schemes to new audiences. Russian investors should remember a simple rule: no real broker or investment platform will ever ask you to connect a wallet via a QR code to receive a bonus. Any such offer is 100% a trap.