A new wave of crypto fraud in Russia: drainers are masquerading as investment platforms
Russian cryptocurrency holders have faced a massive attack. At least three hacker groups have launched an active campaign to steal digital assets using malicious software known as drainers. Fraudsters skillfully disguise their schemes as legitimate affiliate programs for investors, making the threat particularly dangerous.
Specialists from the specialized unit F6 Digital Risk Protection have recorded a new wave of investment fraud aimed at emptying the crypto wallets of Russians. In late May to early June, attackers launched at least 15 bait sites that are externally indistinguishable from real investment platforms.
Attack Mechanics: How the Drainer Works
The deception scheme is honed to automation. The user is lured with a promise to open an investment account with a welcome bonus of $50 in USDT. To activate the "generous" offer, the victim is asked to connect their wallet by scanning a QR code through the official app. In reality, by approving such integration, the user independently signs a transaction request that gives fraudsters full access to withdraw funds: cryptocurrencies, tokens, and NFTs.
Once authorization on the fake site is complete, the malicious software checks the balance with several requests and instantly withdraws all available assets. Analysts note that this method is not new—several years ago, it was actively used against English-speaking users, after which its activity declined. Now we are witnessing a revival of the scheme, but with a focus on the Russian-speaking audience.
Main Tricks of Fraudsters
Experts highlight three key types of bait used by the groups:
- Investment accounts: a promise of a bonus for registration.
- Telegram activity: an offer to profitably purchase "stars" or other internal currencies.
- Bonus programs: distribution of free tokens for connecting a wallet.
F6 specialists have already submitted requests to block the identified malicious resources, but fraudsters quickly create new addresses in place of closed domains. This is an endless race where user vigilance plays a key role.
How to Protect Your Assets
The first and foremost rule is to completely avoid clicking on suspicious links from advertisements. Carefully verify the domain name of the resource you are on: attackers often register domains that sound similar to well-known brands. You can check the site's creation date through specialized Whois services—fresh domains should raise particular suspicion.
Since brokerage activities in the Russian Federation are only conducted under a license from the Bank of Russia, the presence of such a license and the official online resources of the broker can always be verified on the Central Bank's website. Cross-check any promotions exclusively on official platforms. A suspicious site can be sent to the "Anti-Phishing" platform—F6 specialists will verify the information and pass it to regulators for blocking.
Expert opinion: This attack is a vivid example of how old, proven schemes adapt to new audiences. Russian-speaking users, who previously felt relatively safe, must now be extremely cautious. Drainers are becoming an increasingly accessible tool in the hands of attackers, and the only reliable protection is conscious behavior and refusing to connect wallets to any unfamiliar resources, no matter how tempting the promised bonuses may seem.