Crypto news

17.06.2026
21:05

New wave of crypto fraud: how drainers empty the wallets of Russians

At least three hacker groups have launched a large-scale campaign against Russian cryptocurrency holders. Their main weapon is drainer programs disguised as legitimate affiliate investment programs. Unlike classic phishing, these tools act instantly and leave virtually no chance of recovering funds.

Attack Mechanics: From Bonus to Complete Depletion

In late May to early June, attackers launched at least 15 bait websites packed with hidden drainers. Analysts from the specialized division of F6 Digital Risk Protection recorded an alarming trend: victims are promised an investment account and a welcome bonus of $50 in USDT. To activate it, users are asked to connect their wallet by scanning a QR code through the official app.

At first glance, everything looks like a standard procedure. However, in reality, the victim independently signs a transaction that gives scammers full access to withdraw all crypto assets: tokens, NFTs, and native coins. Once authorization on the fake site is complete, the malicious software checks the balance with several requests and instantly withdraws everything available.

Main Deception Schemes

Scammers actively use three main types of bait:

  • Investment accounts — promising a bonus for registration.
  • Telegram activity — offering a profitable purchase of stars (or other in-platform assets).
  • Bonus programs — distributing free tokens for connecting a wallet.

F6 specialists have already submitted requests to block the identified malicious resources. However, the problem is that scammers quickly create new addresses to replace closed domains. As noted by Maria Sinitsyna, senior analyst at the Digital Risk Protection department of F6, drainers are not a new threat. Several years ago, they actively spread among English-speaking users, after which their activity declined. Now, a new wave is being recorded, specifically targeting the Russian-speaking audience.

How to Protect Your Digital Assets

Experts recommend completely avoiding clicking on suspicious links from advertisements. Carefully verify the domain name of the site you are on. Attackers often register domains that sound similar to well-known brands. Check the site's creation date through Whois services — a newly registered resource with "free" bonuses should immediately raise suspicion.

Since brokerage activities in Russia are only conducted under a license from the Bank of Russia, verify the validity of the license and the broker's official online resources on the Central Bank's website. Cross-check any promotions exclusively on official platforms. A suspicious site can be sent to the "Antiphishing" platform — F6 specialists will verify the information and pass it to regulators for blocking.

Analyst's opinion: The situation resembles a classic evolution of threats: as soon as the Western market learned to counter drainers, scammers shifted to the less protected Russian-speaking audience. The key advice is to never connect your wallet to unfamiliar sites for "free" bonuses. In cryptocurrencies, freebies are always a red flag, not a gift of fate.