Crypto news

17.06.2026
21:34

New wave of crypto-phishing in Russia: how drainers are emptying Russians' wallets

Russian cryptocurrency holders have faced a massive attack organized by at least three hacker groups. The attackers are actively using so-called drainers—malicious programs designed to instantly empty digital wallets. According to my data, this threat is taking on the character of a systemic epidemic specifically targeting the Russian-speaking audience.

Mechanics of Fraudulent Schemes

In late May to early June of this year, analysts from the specialized division of F6 Digital Risk Protection recorded the launch of at least 15 fake websites. All of them are disguised as legitimate investment platforms. The deception scheme is honed to automation: the user is promised a registration bonus of 50 USDT, but to activate it, they are asked to "connect a wallet" by scanning a QR code in the official app.

In reality, the victim themselves signs a transaction that grants hackers full access to withdraw all assets—tokens, stablecoins, and even NFTs. Once authorization on the fake resource is complete, the malicious software checks the balance in seconds and withdraws everything it can.

Specialists identify three main types of lures used in this campaign:

  • Investment accounts — promising a bonus for registration.
  • Telegram activity — offering a profitable purchase of "stars" or premium access.
  • Bonus programs — giving away free tokens for connecting a wallet.

Notably, the drainer technology is not new. Several years ago, it was actively used against English-speaking users, after which its activity subsided. Now we are witnessing a revival of this tactic, but with a clear focus on the Russian-speaking audience. This indicates that the attackers have adapted and found new vulnerable niches.

How to Protect Your Assets

Experts recommend completely avoiding clicks on links from advertisements, especially those promising "easy" bonuses. It is crucial to carefully verify the domain name of the resource: scammers often register addresses that sound similar to well-known brands. You can check the site's creation date through specialized Whois services—fresh domains should raise heightened suspicion.

Given that brokerage activities in the Russian Federation require a license from the Bank of Russia, the presence of such a license and the company's official online resources can always be verified on the Central Bank's website. Any promotions and bonuses should be cross-checked exclusively on official platforms. If you come across a suspicious site, you can send it for verification to the "Anti-Phishing" platform—specialists will check the information and pass it to regulators for blocking.

My comment: This attack is yet another reminder that the crypto market remains a field of high activity for scammers, especially during periods of growing interest in digital assets. The main rule of security is never to connect your wallet to sites you are not 100% sure about, and remember: there is no such thing as a free lunch. Drainers are not a bug; they are a feature of modern phishing, and the only protection against them is your own vigilance.