New wave of crypto fraud in Russia: drainers disguised as investment programs
Over the past few weeks, I have recorded an alarming increase in activity from at least three hacker groups targeting Russian cryptocurrency holders. The attackers are using malicious software — drainers — that empty victims' wallets in real time. The criminals skillfully disguise their schemes as affiliate and bonus programs for investors.
According to my data, at least 15 phishing bait sites with built-in scripts for instant fund withdrawal were launched in late May to early June. The attack mechanism is honed to automation. The user is lured with a promise to open an "investment account" and receive a welcome bonus of $50 in USDT. To activate the "generous offer," the victim is asked to connect their wallet by scanning a QR code through the official app.
In reality, this operation grants fraudsters full access to withdraw not only stablecoins but also tokens and NFTs. Once authorization on the fake resource is complete, the malicious software checks the balance with several requests and instantly withdraws all available assets. The investor can only watch as their account is drained.
Main types of baits currently used
I have identified three key schemes that are actively being exploited:
- Investment accounts: A promise of a bonus for registration and wallet connection.
- Telegram activity: An offer to purchase "stars" or premium features at a favorable price.
- Bonus programs: Distribution of free tokens for simply connecting a wallet to the site.
Notably, drainers are not a new threat. Several years ago, they were actively used against English-speaking audiences, after which their activity declined. Now we are seeing a resurgence, but with a focus on Russian-speaking users. My colleagues in the digital security field have already submitted requests to block the identified domains, but the fraudsters quickly create new addresses to replace the closed ones.
Expert opinion from Cryptalist: This attack is a classic example of social engineering multiplied by the technical vulnerability of human greed. As long as users fall for promises of "free money," such schemes will thrive. The only reliable protection is the principle of "trust but verify" and the use of hardware wallets for significant amounts. Check the site's creation date via Whois services and verify broker licenses on the Central Bank of Russia website. Any suspicious link is best sent immediately for verification on the "Antiphishing" platform.