New wave of crypto drainers: scammers attack Russian investors through fake websites
Analysts have recorded an alarming trend: at least three hacker groups have launched a large-scale campaign to steal cryptocurrency from Russians. They are using malicious drainer programs, cleverly disguised as investment affiliate programs. This is not just another fraudulent scheme, but a well-coordinated attack employing modern social engineering technologies.
Attack Mechanics: From Bonus to a Completely Empty Wallet
In late May to early June, the attackers launched at least 15 bait websites equipped with hidden crypto drainers. These programs are designed to instantly empty wallets. The victim is lured with a promise to open an investment account and receive a welcome bonus of $50 in USDT. To activate the "generous" offer, the user is asked to connect their wallet by scanning a QR code through the official app.
At first glance, everything looks legitimate. However, in reality, the victim themselves signs a transaction request that grants the scammers full access to withdraw all funds: cryptocurrencies, tokens, and NFTs. Once authorization on the fake site is complete, the malicious software checks the balance with several requests and instantly withdraws all available assets. The scheme works flawlessly, exploiting human greed and gullibility.
Main Types of Bait
Experts have identified three key deception scenarios currently being actively used:
- Investment Accounts: promising a bonus for registration and wallet connection.
- Telegram Activity: offering a profitable purchase of "stars" or other internal currencies.
- Bonus Programs: distributing free tokens for connecting a wallet.
Notably, drainers are not a new threat. Several years ago, they were actively spread among English-speaking users, after which their activity declined. Now we are seeing a resurgence of this tactic, but this time targeting a Russian-speaking audience. This indicates that scammers are adapting and seeking new markets where awareness of such threats is still lower.
How to Protect Your Assets
Specialists strongly recommend completely avoiding clicking on suspicious links from advertisements. Before connecting a wallet, it is necessary to carefully verify the domain name of the resource. Attackers often register domains that sound similar to well-known brands, so checking the site's creation date through Whois services is a mandatory procedure.
Furthermore, in Russia, brokerage activities are only possible with a license from the Bank of Russia. The validity of such a license and the official online resources of the broker can be verified on the Central Bank of the Russian Federation's website. Any promotions and offers should be verified exclusively on official platforms. A suspicious website can be sent to the "Anti-Phishing" platform — specialists will check the information and forward it to regulators for blocking.
Expert Opinion: This new wave of attacks is a vivid example of how old threats return in a new guise. Russian investors need to be extremely vigilant: any "free lunch" in the crypto world almost always turns out to be a mousetrap. Use hardware wallets for long-term storage and never connect them to dubious web interfaces.