A new wave of crypto drainers: how hackers are emptying Russians' wallets under the guise of investments
At least three hacker groups have launched a massive attack on Russian cryptocurrency holders. The attackers are using malicious software—drainers—disguising their schemes as affiliate investment programs. This is not just another phishing project, but a well-coordinated campaign aimed at emptying wallets.
During a threat monitoring conducted by my team together with a specialized unit of F6 Digital Risk Protection, a new wave of investment fraud was identified. The attackers have launched at least 15 bait websites loaded with hidden crypto drainers. These programs are designed for a single purpose—to instantly withdraw all available funds from the connected wallet.
Attack Mechanics: From Bonus to Complete Depletion
The deception scheme is polished to automation. Users are lured to fake resources with the promise of opening an investment account and receiving a welcome bonus of 50 USDT. To activate this "generous" offer, the victim is asked to connect their wallet by scanning a QR code through the official application.
At first glance, this is a standard procedure. However, in reality, the user independently approves a transaction request that gives scammers full access to withdraw all crypto assets: tokens, NFTs, and of course, stablecoins. Once authorization on the fake site is complete, the malicious software checks the balance with several requests and instantly withdraws all funds.
Hackers are actively exploiting three main types of bait:
- Investment accounts: promising a bonus for registration.
- Telegram activity: offering supposedly profitable purchases of "stars" or premium services.
- Bonus programs: distributing free tokens for connecting a wallet.
It is worth noting that drainers are not a new technology. Several years ago, they were actively used against English-speaking users, after which their activity temporarily decreased. Now we are seeing a clear shift towards the Russian-speaking audience. Scammers have adapted their scripts, and now they work with maximum efficiency specifically in our segment.
How to Protect Your Assets: Practical Recommendations
F6 specialists have already submitted official requests to block the identified resources. But the problem is that in place of closed domains, attackers quickly create new addresses. Therefore, the only reliable protection is your own vigilance.
Never click on suspicious links from advertisements. Carefully verify the domain name of the resource you are on. Scammers often register domains that sound similar to well-known brands, so it is useful to check the site's creation date through Whois services. If the site was created a week ago and promises mountains of gold, it is 100% a trap.
Additionally, let me remind you: brokerage activities in the Russian Federation are conducted only under a license from the Bank of Russia. Check any promotions and bonus programs exclusively on the official platforms of licensed brokers. If you doubt the legitimacy of a resource, send it for verification to the "Antiphishing" platform—F6 specialists will check the information and pass it to regulators for blocking.
Expert opinion: This wave of attacks is an alarming signal for the entire CIS crypto community. Scammers are no longer hunting for large whales; they are targeting the mass user, using social engineering and "free" bonuses. While investors chase 50 USDT, hackers take everything. The only working method of protection is cold storage and a complete lack of trust in any unverified sites promising easy money.