New wave of crypto drainers: how hackers attack Russian investors through fake bonus programs
At least three hacker groups have launched a large-scale campaign to steal cryptocurrency from Russian users. They are using malicious drainer programs disguised as affiliate investment offers. These are not isolated incidents, but a well-coordinated attack aimed at emptying the wallets of unsuspecting victims.
Attack Mechanics: From a $50 Bonus to Total Asset Loss
In late May to early June, the attackers launched at least 15 bait websites with built-in crypto drainers. These programs are designed to quickly and discreetly withdraw funds. Analysts from the specialized unit of F6 Digital Risk Protection have recorded an alarming trend: users are lured with promises of opening an investment account and receiving a welcome bonus of $50 in USDT.
The deception scheme is simple and effective. The victim is asked to connect their wallet by scanning a QR code through the official app. The user independently approves the transaction request, thinking they are activating the bonus. In reality, they grant hackers full access to withdraw all their crypto assets: tokens, NFTs, and stablecoins. Once authorization on the fake site is complete, the drainer checks the balance with several requests and instantly withdraws all available funds.
Main Types of Bait
The attackers use three main luring schemes:
- Investment accounts — promising a bonus for registration.
- Telegram activity — offering a profitable purchase of stars (the messenger's internal currency).
- Bonus programs — giving away free tokens for connecting a wallet.
F6 specialists have already submitted an official request to block the identified malicious resources. However, the problem is that in place of closed domains, fraudsters quickly create new addresses, attacking again and again.
According to Maria Sinitsyna, senior analyst at the Digital Risk Protection department of F6, drainers have been used before. Several years ago, this software was actively distributed among English-speaking users, after which its activity declined. Now a new wave is being recorded, targeting the Russian-speaking audience. The expert urged cryptocurrency owners to be cautious with resources exploiting fresh news topics: by connecting wallets to suspicious sites, it is easy to become a victim of scammers.
How to Protect Your Digital Assets
F6 specialists recommend completely avoiding clicking on suspicious links from advertisements. It is necessary to carefully verify the domain name of the resource you are on. Attackers often register domains that sound similar to well-known brands, so experts advise checking the site's creation date through specialized Whois services.
Since brokerage activities in the Russian Federation are only conducted with a license from the Bank of Russia, the validity of such a license and the official online resources of the broker can be checked on the Central Bank's website. Experts recommend verifying any promotions exclusively on official platforms. A suspicious site can be sent to the "Anti-Phishing" platform — F6 specialists will check the information and pass it on to regulators for blocking.
My analysis: This attack is a vivid example of how social engineering and technical vulnerabilities merge into a single threat. It is now extremely important for Russian investors to exercise maximum vigilance: there is no such thing as a free lunch, and a promise of easy $50 is almost always bait for losing all your assets.