A new threat for Russians: hackers have launched a wave of crypto-drainers disguised as investments
At least three hacker groups are currently targeting Russian cryptocurrency users with malicious drainer software. The attackers skillfully disguise their criminal schemes as affiliate investment programs, luring victims with promises of easy money.
Analysts from the specialized division F6 Digital Risk Protection have recorded an alarming trend: at least 15 bait websites with hidden crypto drainers were launched in late May to early June. These programs are specifically designed to instantly empty users' cryptocurrency wallets.
The attack scheme works as follows. Users are lured to fake resources with promises of opening an investment account with a welcome bonus of $50 in USDT. To activate this "generous" offer, the victim is asked to connect their wallet by scanning a QR code through the official app. In reality, by agreeing to the integration and signing the transaction request, the user voluntarily grants attackers full access to withdraw all their funds—cryptocurrencies, tokens, and NFTs.
Once authorization on the fake site is complete, the malicious software checks the balance within seconds using several requests and instantly withdraws all available assets.
Main Types of Bait
| Type of Bait | Essence of the Deception Scheme |
| Investment Accounts | Promise of a bonus for registration |
| Telegram Activity | Offer of a profitable purchase of stars |
| Bonus Programs | Distribution of free tokens for connecting a wallet |
According to Maria Sinitsyna, senior analyst at the Digital Risk Protection department of F6, the use of drainers is not a new practice. Several years ago, such software was actively distributed among English-speaking users, after which its activity declined. However, we are now witnessing a new wave that specifically targets the Russian-speaking audience. The expert urges cryptocurrency owners to be extremely cautious with any resources exploiting current news topics. Connecting a wallet to a suspicious site is a direct path to losing all assets.
How to Protect Your Digital Assets
Specialists strongly recommend completely avoiding clicking on suspicious links from advertisements. It is necessary to carefully verify the domain name of the resource you are on. Attackers often register domains that sound similar to well-known brands. Experts advise checking the site's creation date through specialized Whois services—a fresh domain for a "legendary" platform is almost a sure sign of fraud.
Since brokerage activities in the Russian Federation are only conducted with a license from the Bank of Russia, the validity of such a license and the official online resources of the broker can be verified on the Central Bank's website. It is recommended to cross-check any promotions exclusively on official platforms. A suspicious site can be sent to the "Anti-Phishing" platform—F6 specialists will verify the information and pass it on to regulators for blocking.
Cryptalist Expert Opinion: This attack is a vivid example of how classic social engineering methods are adapting to new technologies. While users chase "free" bonuses, hackers are perfecting tools for theft. The only working defense is a zero-trust level towards any unverified resources and the use of hardware wallets for storing significant amounts.