Crypto news

17.06.2026
22:48

A new wave of crypto fraud in Russia: drainers are disguised as investment bonuses

At least three hacker groups have launched a large-scale campaign to steal cryptocurrency from Russians using malicious drainer software. The scammers skillfully disguise their criminal schemes as affiliate programs and lucrative offers for investors.

Attack Mechanics: How the $50 Bonus Trick Works

In late May to early June, the attackers launched at least 15 bait websites, embedding hidden crypto drainers into them. This specific software is designed to instantly empty connected wallets. Analysts from the specialized division of F6 Digital Risk Protection have recorded this alarming trend.

The deception scheme is honed to automation. Users are lured to fake resources with the promise of opening an investment account and receiving a welcome bonus of $50 in USDT. To activate this "generous" offer, the victim is asked to connect their wallet by scanning a QR code through the official app.

In reality, by agreeing to the integration and signing the transaction request, the user themselves grants scammers full access to withdraw funds. Once authorization on the fake site is complete, the drainer checks the balance with several requests and instantly withdraws all available assets: cryptocurrency, tokens, and NFTs.

Experts identify three main types of bait currently being actively used:

  • Investment accounts: Promising a bonus for registration.
  • Telegram activity: Offering a favorable purchase of "stars" or other internal currencies.
  • Bonus programs: Distributing free tokens for connecting a wallet.

New Target: Russian-Speaking Audience

F6 specialists have already submitted a request to block the identified malicious resources. However, as practice shows, scammers quickly create new domains to replace the closed ones. According to Maria Sinitsyna, senior analyst at the Digital Risk Protection department of F6, drainers are not a new threat. Several years ago, this software was actively distributed among English-speaking users, after which its activity declined. Now we are seeing a revival of the scheme, but this time specifically targeting the Russian-speaking audience.

The expert urges cryptocurrency holders to be extremely cautious with any resources exploiting current news topics. By connecting wallets to suspicious sites, especially those promising "easy" money, you risk losing all your savings.

Recommendations for Protecting Digital Assets

To protect assets, analysts recommend completely avoiding clicking on suspicious links from advertisements. It is crucial to carefully verify the domain name of the site you are on. Scammers often register domains that sound similar to well-known brands. You can check the site's creation date through specialized Whois services.

Additionally, brokerage activities in the Russian Federation are only conducted with a license from the Bank of Russia. The validity of such a license and the official online resources of the broker can always be verified on the Central Bank's website. It is recommended to verify any promotions and bonuses exclusively on official platforms. A suspicious site can be sent to the "Anti-Phishing" platform — F6 specialists will check the information and forward it to regulators for blocking.

Cryptalist Expert Opinion: This campaign is a vivid example of how classic social engineering methods are adapting to new technologies. Scammers exploit users' greed and gullibility, playing on the desire to get "free" $50. The only reliable way to protect yourself is cold storage of assets and completely ignoring any offers to connect a wallet on unfamiliar sites. Remember: there is no such thing as a free lunch, and a $50 bonus could result in losing your entire portfolio.