Crypto news

18.06.2026
02:59

A new wave of crypto drainers: how hackers empty Russians' wallets under the guise of investments

The cryptocurrency landscape in Russia has encountered an aggressive new threat. At least three hacker groups have intensified attacks on users using malicious software known as drainers. The attackers skillfully disguise their criminal schemes as legitimate affiliate programs for investors, making this wave particularly dangerous.

Specialists from the specialized unit F6 Digital Risk Protection have recorded a large-scale campaign that began in late May to early June. During this short period, at least 15 bait websites were launched, each containing hidden code for a crypto drainer. This software is designed with the sole purpose of instantly emptying a connected crypto wallet.

The Mechanics of Deception: From Bonus to Total Theft

The attack scenario is honed to automation. Users are lured with the promise of opening an investment account with a welcome bonus of 50 USDT. To activate this "generous" offer, the victim is asked to connect their wallet by scanning a QR code through the official app.

The key point is that the user independently approves the transaction, thinking they are activating the bonus. In reality, they grant the attackers full access to withdraw all funds: cryptocurrencies, tokens, and even NFTs. Once authorization on the fake site is complete, the drainer instantly checks the balance with several requests and withdraws all available assets.

Experts have identified three main types of bait used by the groups:

  • Investment Accounts: Promise of a bonus for registration.
  • Telegram Activity: Offer of a profitable purchase of "stars" (the messenger's internal currency).
  • Bonus Programs: Distribution of free tokens for connecting a wallet.

According to estimates by F6 senior analyst Maria Sinitsyna, drainers are not a new technology. Several years ago, they were actively used against English-speaking audiences, after which their activity subsided. The current wave is a relapse, but now specifically targeting the Russian-speaking community. She urges cryptocurrency owners to be extremely cautious with any resources exploiting fresh news topics.

How to Protect Your Digital Assets

F6 specialists have already submitted a request to block the identified malicious resources, but fraudsters quickly create new domains to replace the blocked ones. Therefore, the key responsibility falls on the users themselves.

Here are the basic security rules that I, as an analyst, strongly recommend following:

  • Never click on links from advertisements. Enter the website address manually.
  • Carefully check the domain name. Fraudsters often register addresses that sound similar to well-known brands.
  • Check the website's creation date via Whois services. "Fresh" domains are a red flag.
  • Brokerage activities in the Russian Federation require a Central Bank license. Always verify the broker's official resources on the Bank of Russia website.
  • Check any promotions exclusively on official platforms. If in doubt, send the suspicious site to the "Anti-Phishing" platform from F6.

Expert Opinion: This campaign is a vivid example of how social engineering and technical vulnerabilities merge. The most alarming aspect is the adaptation of old but effective schemes to a new audience. Russian investors are historically less sophisticated in DeFi security matters than their Western counterparts, making them an ideal target. Until the industry develops unified standards for verifying dApp connections, the only protection remains total paranoia and cold wallets for long-term storage.