Crypto news

18.06.2026
00:58

A new wave of crypto drainers: how scammers are attacking Russians' wallets

Analysts at F6 Digital Risk Protection have recorded an alarming surge in activity from at least three hacker groups targeting Russian cryptocurrency holders. The attackers are using malicious software—so-called "drainers"—that masquerades as legitimate investment affiliate programs. This is not a one-time attack but a systemic threat requiring heightened attention from the community.

From late May to early June of this year, the attackers launched at least 15 phishing bait sites. The mechanism is simple and cynical: the user is lured with a promise of a $50 USDT bonus for opening an "investment account." To activate the generous offer, the victim is asked to connect their crypto wallet by scanning a QR code through the official app. However, in reality, the scanning initiates a transaction that grants the scammers full access to withdraw all funds: cryptocurrencies, tokens, and NFTs.

Once authorization on the fake site is complete, the malicious script instantly scans the wallet balance and empties it through several transactions. It is important to understand: the victim signs the transaction themselves, unaware of the attackers' true intentions. This is a key element of the attack.

Main Deception Schemes

Experts have identified three basic scenarios used by the hackers:

  • Investment accounts: promising a bonus for registration and wallet connection.
  • Telegram activity: offering a profitable purchase of "stars" or other in-platform assets.
  • Bonus programs: distributing free tokens for connecting a wallet.

F6 specialists have already submitted requests to block the identified malicious domains. However, as practice shows, scammers quickly create new ones to replace the closed sites. This is an endless race.

Notably, this tactic is not new. Several years ago, drainers were actively used against English-speaking audiences, after which their activity temporarily subsided. Now we are witnessing a resurgence of this threat, but with a focus on Russian-speaking users. This confirms my long-held belief: attackers carefully study the market and adapt their tools to specific regions.

How to Protect Your Assets

Under current conditions, standard precautions become critically important. I strongly recommend:

  • Never click on suspicious links from advertisements or unverified sources.
  • Carefully check the domain name of the site. Scammers often register addresses that visually resemble well-known brands.
  • Use Whois services to check the site's creation date. A "fresh" domain is a red flag.
  • Verify broker licenses on the official website of the Central Bank of the Russian Federation. Any legal activity in this area requires a license.
  • Cross-check any promotions and bonuses exclusively on the official platforms of companies.

If you encounter a suspicious resource, you can submit it for verification to F6 experts through the "Antiphishing" platform. They will forward the information to regulators for blocking.

My comment: The crypto industry, unfortunately, remains an attractive target for scammers, and this wave is a clear confirmation of that. Drainers are becoming increasingly sophisticated, and social engineering is their main weapon. The only reliable way to protect yourself is a combination of technical literacy and healthy skepticism. Remember: there is no such thing as a free lunch, especially in the world of cryptocurrencies.