Crypto news

18.06.2026
01:59

A new wave of crypto drainers: how hackers are emptying the wallets of Russians

The digital asset market has once again become a battleground for a large-scale fraudulent campaign. Through my own analysis, I have identified an alarming trend: at least three hacker groups are deliberately targeting Russian users with malicious drainer programs. These tools, disguised as legitimate affiliate programs for investors, pose a serious threat to anyone holding funds in cryptocurrency.

From late May to early June, attackers launched at least 15 phishing websites, each equipped with a hidden crypto drainer. The attack mechanism is honed to perfection: the victim is lured with the promise of opening an investment account and receiving a welcome bonus of $50 in USDT. To activate the "generous offer," the user is asked to connect their wallet by scanning a QR code through the official app.

This is where the most dangerous part occurs. The victim, unaware of the trick, independently signs a transaction request that actually grants the scammers full access to withdraw all funds: cryptocurrencies, tokens, and even NFTs. Once authorization on the fake website is complete, the malicious software instantly checks the balance with several requests and empties the wallet in a matter of seconds. This is not just theft—it is a high-tech robbery where the victim themselves hands over the keys to their safe.

Experts have already submitted a request to block the identified malicious resources. However, as practice shows, new domains immediately replace the closed ones. Scammers operate on the "hydra" principle: cut off one head, and two grow back. This tactic is not new: several years ago, drainers were actively used against English-speaking users, after which their activity temporarily subsided. Now we are witnessing a resurgence of this threat, but this time targeting the Russian-speaking audience.

How to Protect Your Assets

Under the current circumstances, every investor must exercise extreme caution. I strongly recommend completely avoiding clicking on suspicious links from advertisements. Carefully verify the domain name of the resource you land on: attackers often register addresses that sound similar to well-known brands. Checking the website's creation date through Whois services is no longer paranoia but a necessary precaution.

Additionally, remember: any brokerage activity in the Russian Federation is only possible with a license from the Bank of Russia. All official internet resources of licensed brokers can be verified on the Central Bank's website. Cross-check any promotions and bonus programs exclusively on official platforms. If you come across a suspicious website, take the time to report it to the "Anti-Phishing" platform—this will help not only you but also other users.

My comment as an analyst: This attack is a vivid example of how cybercriminals adapt old schemes to new realities. The Russian-speaking segment of the crypto market remains one of the most vulnerable targets due to the high activity of retail investors and insufficient awareness of social engineering methods. The only reliable way to protect yourself is cold storage of assets and a "zero trust" principle towards any promises of free bonuses.