Crypto news

18.06.2026
00:09

A new wave of crypto fraud in Russia: drainers are disguised as investment programs

At least three hacker groups have launched a massive attack on Russian cryptocurrency holders using malicious drainer programs. The attackers skillfully disguise their schemes as affiliate programs and lucrative offers for investors.

In late May to early June 2025, analysts from the specialized unit F6 Digital Risk Protection recorded the launch of at least 15 bait websites equipped with hidden crypto drainers. These programs are designed to instantly empty the crypto wallets of unsuspecting users.

The attack mechanism works as follows. The victim is lured to a fake resource with a promise to open an investment account with a welcome bonus of 50 USDT. To activate this "generous" offer, the user is asked to connect their wallet by scanning a QR code through the official app. In reality, by approving the integration and signing the transaction request, the user personally grants attackers full access to withdraw all their digital assets: cryptocurrencies, tokens, and NFTs. Once authorization on the fake site is complete, the malicious software checks the balance with several requests and instantly withdraws all available funds.

Main Tricks of Scammers

Experts identify three main types of bait used by attackers:

  • Investment accounts: Promise of a registration bonus.
  • Telegram activity: Offer to buy "stars" (the messenger's internal currency) at a favorable rate.
  • Bonus programs: Distribution of free tokens for connecting a wallet.

It is important to note that drainers are not a fundamentally new tool. Several years ago, they were actively used in the English-speaking segment, after which their activity declined. Now we are witnessing a resurgence of this threat, but this time targeting exclusively the Russian-speaking audience. Attackers adapt quickly: blocked domains are replaced by new addresses.

How to Protect Your Assets

F6 experts strongly recommend completely avoiding clicking on suspicious links from advertisements. Before connecting a wallet, it is necessary to carefully verify the domain name of the resource. Attackers often register domains that sound similar to well-known brands, so it is worth checking the site's creation date through Whois services.

Additionally, since brokerage activities in Russia are only conducted under a license from the Bank of Russia, you can always verify the validity of such a license and the broker's official internet resources on the Central Bank's website. Any promotions should be verified exclusively on official platforms. A suspicious site can be sent to the "Antiphishing" platform — F6 specialists will check the information and pass it to regulators for blocking.

Analyst's comment: This attack is a vivid example of how classic phishing schemes are getting a new "lease on life" in the crypto industry. I recommend users develop a hard rule: never connect a wallet to a site whose advertisement you saw in a random ad or message. Any promise of "free money" is almost always a red flag. Use hardware wallets and separate "hot" wallets with minimal balances for interacting with new dApps and services.