Crypto news

18.06.2026
01:14

New wave of crypto drainers: how hackers are emptying Russians' wallets

The digital asset market in Russia has faced an aggressive attack: at least three hacker groups have launched a large-scale campaign to steal cryptocurrency using malicious drainer programs. These tools, disguised as legitimate investment partnerships, have already emptied dozens of wallets.

How the deception scheme works

In late May to early June, attackers launched at least 15 phishing websites, each containing hidden drainer code. The mechanics are simple and cynical: the victim is lured with a promise of a $50 USDT welcome bonus. To receive it, the user is asked to connect their crypto wallet by scanning a QR code through the official app.

At first glance, this is a standard authorization procedure. However, after confirming the transaction, the attackers gain full access to the funds: coins, tokens, and NFTs. The drainer instantly scans the balance and, with several requests, withdraws all available assets. The victim doesn't even have time to realize what happened.

Specialists from the dedicated unit F6 Digital Risk Protection classify three main types of bait:

  • Investment accounts: promise of a registration bonus.
  • Telegram activity: offer of a profitable purchase of "stars."
  • Bonus programs: distribution of free tokens for connecting a wallet.

Why this is dangerous right now

Drainers are not a new threat. Several years ago, they were actively used against English-speaking audiences, after which their activity declined. Now we are witnessing a resurgence of this scheme, but this time targeting Russian-speaking users. As noted by F6 senior analyst Maria Sinitsyna, the current wave is characterized by high organization and the use of fresh news topics to attract victims.

How to protect your assets

F6 experts recommend completely avoiding clicking on suspicious links from advertisements. Before connecting your wallet, always check the domain name of the site—scammers often register addresses that sound similar to well-known brands. Use Whois services to check the creation date of the resource: new domains should raise suspicion.

Additionally, remember: brokerage activity in Russia is only possible with a license from the Central Bank. All official resources of licensed brokers can be verified on the Central Bank of Russia website. Any promotions and bonuses should be verified exclusively on official platforms. If you encounter a suspicious site, send it to the "Antiphishing" platform—F6 specialists will check the information and pass it on to regulators for blocking.

Expert opinion: Drainers are an evolution of phishing, adapted to the realities of DeFi. As long as users chase after "free" tokens and bonuses, scammers will continue to improve their tools. The only reliable way to protect yourself is cold storage and thorough verification of every wallet connection request. Don't let $50 USDT cost you your entire portfolio.