Crypto news

17.06.2026
22:34

New wave of crypto-phishing: how drainers are emptying Russians' wallets

At least three hacker groups have launched a large-scale campaign to steal cryptocurrency from Russian users. Their main weapon is malicious drainer programs, cleverly disguised as legitimate affiliate and investment offers.

Specialists from the specialized division of F6 Digital Risk Protection have recorded an alarming surge in malicious activity. In late May to early June alone, at least 15 fake websites loaded with hidden crypto drainers were launched. These programs are designed to instantly empty digital wallets.

The deception mechanism is honed to automation. Users are lured with the promise of opening an investment account with a welcome bonus of $50 in USDT. To activate the "generous" offer, the victim is asked to connect their wallet by scanning a QR code through the official app. In reality, by approving the integration, the person personally signs a transaction that gives hackers full access to withdraw not only tokens but also NFTs. Once authorization on the fake site is complete, the drainer instantly checks the balance with several requests and withdraws all available funds.

Main Types of Bait

Analysts have identified three key schemes currently being actively used:

Type of BaitEssence of the Deception Scheme
Investment AccountsPromise of a bonus for registration
Telegram ActivityOffer to buy "stars" at a profit
Bonus ProgramsDistribution of free tokens for connecting a wallet

According to Maria Sinitsyna, Senior Analyst at the Digital Risk Protection Department, drainers are not a new threat. Several years ago, they were actively spread among English-speaking audiences, after which activity declined. Now we are seeing a revival of this scheme, but this time targeting Russian-speaking users.

How to Protect Your Assets

F6 experts strongly recommend completely avoiding clicking on suspicious links from advertisements. It is critically important to carefully verify the domain name of the resource you are visiting—attackers often register addresses that sound similar to well-known brands. You can check the site's age through Whois services: a fresh domain is one of the main signs of fraud.

Additionally, in Russia, brokerage activities are only possible with a license from the Bank of Russia. The validity of the license and the official online resources of the broker can always be verified on the Central Bank's website. Any promotions and bonuses should be verified exclusively on official platforms. A suspicious site can be sent to the "Anti-Phishing" platform—F6 specialists will check the information and pass it on to regulators for blocking.

My expert opinion: This attack is a vivid example of how social engineering and technical vulnerabilities merge into a single, highly effective tool. As long as users chase "free" tokens, attackers will refine their methods. The only reliable protection is cold storage of assets and a principled refusal to connect a wallet to any unverified web interfaces. No bonus is worth losing all your funds.