New wave of crypto fraud in Russia: drainers disguised as investment programs
Russian cryptocurrency holders have become targets for at least three hacker groups using malicious software known as drainers. Scammers skillfully disguise their attacks as legitimate affiliate programs for investors. In late May to early June of this year, specialists from F6 Digital Risk Protection recorded the launch of at least 15 bait websites equipped with hidden scripts designed to instantly empty crypto wallets.
Attack Mechanics: From Bonus to Complete Depletion
The deception scheme is honed to automation. Users are lured to fake resources with promises of opening an investment account and receiving a welcome bonus of 50 USDT. To activate the "generous" offer, the victim is asked to connect their wallet by scanning a QR code through the official app. The naive investor independently approves a transaction request, which in reality grants attackers full access to withdraw all digital assets: cryptocurrencies, tokens, and NFTs. Once authorization on the fake site is complete, the malicious software checks the balance within seconds and withdraws all available funds.
Analysts identify three main types of bait used by the groups:
| Type of Bait | Essence of the Deception Scheme |
| Investment Accounts | Promise of a registration bonus |
| Telegram Activity | Offer to purchase "stars" at a favorable price |
| Bonus Programs | Distribution of free tokens for connecting a wallet |
It is worth noting that this tactic is not new. Several years ago, drainers were actively spread among English-speaking users, after which their activity subsided. Now we are witnessing a revival of this tool, but with a focus on the Russian-speaking audience. F6 has already submitted requests to block the identified resources, but scammers quickly create new domains to replace those that have been shut down.
Protection Methods: Vigilance and Verification
Cryptocurrency owners should exercise extreme caution. It is strongly recommended not to click on suspicious links from advertisements. It is necessary to carefully verify the domain name of the site you are on—attackers often register addresses that sound similar to well-known brands. You can check the site's creation date through specialized Whois services; a fresh domain is one of the main signs of fraud.
Additionally, since brokerage activities in the Russian Federation are licensed by the Bank of Russia, always check for a license and the official online resources of the broker on the Central Bank's website. Verify any promotions exclusively on official platforms. If you come across a suspicious site, you can report it to the "Antiphishing" platform—F6 specialists will check the information and forward it to regulators for blocking.
My comment as an analyst: This attack is a classic example of social engineering multiplied by the technical vulnerability of the human factor. As long as users chase "free" bonuses and connect their wallets to unverified sites, drainers will remain an effective and, unfortunately, profitable tool in the arsenal of attackers. The only reliable protection is your own cyber hygiene and total distrust of any promises of easy money online.