Crypto news

17.06.2026
23:34

New wave of crypto drainers: how hackers empty Russians' wallets under the guise of bonuses

The digital asset market has once again become a battleground for a large-scale fraudulent campaign. At least three hacker groups have launched attacks on Russian users using malicious software — drainers. These programs are disguised as affiliate investment programs and bonus offers, but their true goal is the instant emptying of crypto wallets.

From late May to early June, attackers launched at least 15 phishing websites disguised as legitimate platforms. Analysts from the specialized unit F6 Digital Risk Protection have already recorded this dangerous trend and submitted requests to block the malicious resources.

The Mechanics of Deception: From a $50 Bonus to Complete Theft

The attack scheme is meticulously planned. The victim is lured with a promise to open an investment account and receive a welcome bonus of $50 in USDT. To activate this "generous" offer, the user is asked to connect their wallet by scanning a QR code through the official app.

In reality, this operation grants fraudsters full access to withdraw all digital assets: cryptocurrencies, tokens, and NFTs. Once authorization on the fake site is complete, the malicious software checks the balance with several requests and instantly withdraws all available funds. The user doesn't even have time to realize they have become a victim.

Investors need to be extremely vigilant. The main types of bait used by the groups include:

  • Investment accounts: promising a bonus for registration.
  • Telegram activity: offering a profitable purchase of "stars" or other digital goods.
  • Bonus programs: giving away free tokens for connecting a wallet.

According to Maria Sinitsyna, a senior analyst at the Digital Risk Protection department of F6, drainers are not a new phenomenon. Several years ago, they were actively spreading among English-speaking users, after which their activity declined. However, a new wave is now being recorded, targeting the Russian-speaking audience. The expert urged cryptocurrency owners to be cautious about resources exploiting fresh news topics: by connecting wallets to suspicious sites, it is easy to fall victim to fraudsters.

How to Protect Your Digital Assets

F6 specialists recommend completely avoiding clicking on suspicious links from advertisements. Additionally, it is necessary to carefully verify the domain name of the resource you have landed on. Attackers often register domains that sound similar to well-known brands, so experts advise checking the site's creation date through specialized Whois services.

Since brokerage activities in the Russian Federation are only conducted with a license from the Bank of Russia, the validity of such a license and the official online resources of the broker can be verified on the Central Bank's website. Experts recommend verifying any promotions exclusively on official platforms. A suspicious website can be sent to the "Anti-Phishing" platform — F6 specialists will check the information and pass it on to regulators for blocking.

Commentary from Cryptalist analyst: This campaign is a vivid example of how fraudsters adapt old schemes to new markets. Russian users, especially beginners, are at increased risk due to low awareness and gullibility towards "free" bonuses. I recommend always checking domains via Whois and never connecting wallets to unfamiliar resources, even if the promise seems too tempting. Remember: free cheese only exists in a mousetrap, and in the crypto world — in a drainer.