Crypto news

18.06.2026
00:40

A new wave of crypto drainers: how hackers are hunting Russian investors

At least three hacker groups are currently actively attacking Russian users using malicious drainer programs. Scammers disguise their criminal schemes as legitimate affiliate programs for investors, and this has already led to serious financial losses.

In late May to early June, attackers launched at least 15 bait websites filled with hidden crypto drainers. These malicious tools are designed to instantly empty cryptocurrency wallets. Analysts from the specialized division of F6 Digital Risk Protection have recorded this alarming trend.

How the deception scheme works

The victim is lured to a fake resource with the promise of opening an investment account and a generous welcome bonus of $50 in USDT. To activate this "gift," the user is asked to connect their wallet by scanning a QR code through the official app. In reality, the victim independently signs a transaction request that gives scammers full access to withdraw cryptocurrency, tokens, and NFTs. Once authorization on the fake site is complete, the drainer checks the balance with several requests and instantly withdraws all available funds.

Here are the main types of bait used by the groups:

  • Investment accounts — promising a bonus for registration.
  • Telegram activity — offering a profitable purchase of stars (or other virtual goods).
  • Bonus programs — distributing free tokens for connecting a wallet.

F6 specialists have already submitted an official request to block the identified malicious resources. However, as practice shows, scammers quickly create new addresses to replace blocked domains, so the threat remains extremely high.

Maria Sinitsyna, Senior Analyst at the Digital Risk Protection department of F6, notes that drainers are not being used for the first time. Several years ago, this software was actively distributed among English-speaking users, after which its activity declined. Now a new wave is being recorded, targeting the Russian-speaking audience. The expert urges cryptocurrency owners to be cautious with resources exploiting fresh news topics: by connecting wallets to suspicious sites, it is easy to become a victim of scammers.

How to protect your digital assets

F6 specialists recommend completely avoiding clicking on suspicious links from advertisements. It is necessary to carefully verify the domain name of the resource you have landed on. Attackers often register domains that sound similar to well-known brands, so experts advise checking the site's creation date through specialized Whois services.

Since brokerage activities in the Russian Federation are only conducted under a license from the Bank of Russia, the validity of such a license and the official online resources of the broker can be verified on the Central Bank's website. Experts recommend verifying any promotions exclusively on official platforms. A suspicious site can be sent to the "Anti-Phishing" platform — F6 specialists will check the information and pass it to regulators for blocking.

Expert opinion (Cryptalist): This attack is a classic example of social engineering adapted to the current market trend. Scammers perfectly understand the psychology of an investor who craves quick and easy profits. The only reliable way to protect yourself is cold storage of assets and critical thinking: if you are offered a bonus for connecting a wallet, it is most likely a trap.