A new wave of crypto drainers: hackers attack Russians' wallets under the guise of investment bonuses
At least three hacker groups have launched a large-scale campaign to steal cryptocurrency from Russian users. The attackers use malicious drainer programs, disguising their schemes as investment affiliate programs. This is not just another trick—it is a well-coordinated attack using psychological lures.
How the deception scheme works
In late May and early June, analysts from the specialized division of F6 Digital Risk Protection detected at least 15 bait websites equipped with hidden crypto drainers. These programs are designed to instantly empty cryptocurrency wallets. The mechanism is simple but effective: the user is lured with the promise of opening an investment account with a welcome bonus of $50 in USDT. To activate the bonus, the victim is asked to connect their wallet by scanning a QR code through the official app.
In reality, by approving this integration, the user independently signs a transaction request that gives attackers full access to withdraw all funds: cryptocurrencies, tokens, and NFTs. Once authorization on the fake site is complete, the drainer checks the balance with several requests and instantly withdraws everything available.
Main types of lures
| Type of lure | Essence of the deception scheme |
| Investment accounts | Promise of a registration bonus |
| Telegram activity | Offer to buy stars at a favorable price |
| Bonus programs | Free token giveaways for connecting a wallet |
F6 specialists have already submitted a request to block the identified malicious resources. However, in place of closed domains, scammers can quickly create new addresses. This is a classic game of cat and mouse, and users must stay one step ahead.
Evolution of the threat
According to Maria Sinitsyna, senior analyst at the Digital Risk Protection department of F6, drainers have been used before. Several years ago, this software was actively distributed among English-speaking users, after which its activity declined. Now we are seeing a new wave targeting the Russian-speaking audience. The expert urged cryptocurrency owners to be cautious with resources exploiting fresh news topics: by connecting wallets to suspicious sites, it is easy to fall victim to scammers.
How to protect your digital assets
F6 specialists recommend completely avoiding clicking on suspicious links from advertisements. It is necessary to carefully verify the domain name of the site you are on. Attackers often register domains that sound similar to well-known brands, so experts advise checking the site's creation date through specialized Whois services.
Since brokerage activities in Russia are only conducted with a license from the Bank of Russia, the validity of such a license and the official online resources of the broker can be checked on the Central Bank's website. Experts recommend verifying any promotions exclusively on official platforms. A suspicious site can be sent to the "Antiphishing" platform—F6 specialists will check the information and pass it to regulators for blocking.
Expert opinion: This attack is a vivid example of how scammers adapt old schemes to new markets. Russian-speaking users, especially newcomers to cryptocurrency, become easy prey due to their trust in "free" bonuses. The only reliable way to protect yourself is to never connect your wallet to unverified resources, even if the promise seems too tempting. Remember: there is no such thing as a free lunch.