Crypto news

17.06.2026
22:04

New wave of crypto ransomware: hackers attack Russians through drainers

A worrying trend has been recorded in the Russian crypto market: at least three hacker groups have launched a large-scale campaign to steal digital assets using malicious drainer programs. These tools, disguised as affiliate investment programs, pose a serious threat to cryptocurrency holders.

Attack Mechanics: How Investors Are Deceived

In late May to early June, attackers launched at least 15 fake websites equipped with hidden crypto drainers. The deception scheme is simple and effective: users are offered to open an investment account with a welcome bonus of $50 in USDT. To activate the bonus, the victim is asked to connect their wallet by scanning a QR code through the official app.

In reality, by signing the transaction, the user grants hackers full access to their funds—tokens, NFTs, and all cryptocurrency. After authorization on the fake resource, the malicious software instantly checks the balance and withdraws all available assets with a few requests.

Main Tricks of Scammers

Analysts from F6 Digital Risk Protection have identified three key types of lures used in this campaign:

  • Investment accounts: promising a bonus for registration.
  • Telegram activity: offering a profitable purchase of stars (internal currency).
  • Bonus programs: distributing free tokens for connecting a wallet.

Specialists have already submitted requests to block the identified malicious domains, but hackers quickly create new ones to replace those taken down. According to F6 senior analyst Maria Sinitsyna, drainers are not new—they were actively used against English-speaking users several years ago, but their activity then declined. Now we are seeing a resurgence of this threat, specifically targeting the Russian-speaking audience.

How to Protect Your Assets

Experts recommend completely avoiding clicking on suspicious links from advertisements. Always carefully check the domain name of the resource—scammers often register addresses that sound similar to well-known brands. Use Whois services to check the site's creation date: fresh domains are a red flag.

Additionally, investors should remember that brokerage activities in the Russian Federation are only possible with a license from the Bank of Russia. You can verify the license and official resources of the broker on the Central Bank's website. Cross-check any promotions and bonuses exclusively on official platforms. Suspicious websites can be reported to the "Anti-Phishing" platform—F6 specialists will verify the information and pass it to regulators for blocking.

My analysis: The return of drainers with a focus on the Russian-speaking audience is a signal that the cryptocurrency market in Russia is becoming increasingly attractive to cybercriminals. Investors need to radically rethink their security habits: no bonus is worth the risk of losing all assets. Stay vigilant—trust only verified sources and never connect your wallet to unfamiliar websites.