New wave of crypto phishing: how drainers are siphoning wallets of Russians
Over the past few weeks, my colleagues and I have recorded a sharp surge in activity from at least three hacker groups targeting Russian-speaking cryptocurrency holders. The attackers use specialized malware — so-called drainers — that masquerade as legitimate investment platforms and affiliate programs.
The attack mechanics are refined to the point of automation. Between late May and early June, at least 15 bait websites were launched. Users are offered the chance to open an "investment account" and receive a welcome bonus of $50 in USDT. To activate this generous offer, the victim is asked to connect their crypto wallet by scanning a QR code through the official app.
At first glance, everything looks harmless. However, at the moment of confirming the integration, the user independently signs a transaction that grants the scammers full access to withdraw all funds: tokens, stablecoins, and even NFTs. Once authorization on the fake site is complete, the drainer instantly scans the balance with multiple requests and empties the wallet.
Main Deception Schemes
Analysis shows that criminals use three main types of bait:
- Investment accounts — promising a bonus for registration.
- Telegram activity — offering a profitable purchase of "stars" or premium services.
- Bonus programs — distributing free tokens for connecting a wallet.
It is important to understand: this is not an isolated case. Several years ago, similar software was actively spread among English-speaking users, after which its activity subsided. Now we are witnessing a resurgence of this threat, but with a focus on the Russian-speaking audience. Scammers quickly create new domains to replace blocked ones, so fighting them resembles a game of "cat and mouse."
How to Protect Your Assets
Based on the data obtained, I strongly recommend:
- Completely avoid clicking on suspicious links from advertisements.
- Carefully verify the domain name of the resource. Attackers often register addresses that sound similar to well-known brands.
- Check the site's creation date via Whois services — fresh domains should raise suspicion.
- Remember that in Russia, brokerage activities are only possible with a license from the Central Bank. Any promotions should be verified exclusively on official platforms.
Expert comment: The cryptocurrency market remains a wild west, where every user is their own bank and security service. Drainers are an evolution of phishing, and the only way to avoid becoming a victim is a culture of cold wallets and total verification of any transaction signature request. Do not trust "free bonuses" — they do not exist.