Crypto news

18.06.2026
03:44

New wave of crypto fraud in Russia: drainers disguised as bonus programs

In recent weeks, I have recorded an alarming surge in activity from at least three hacker groups targeting Russian-speaking cryptocurrency holders. The attackers are using malicious software—drainers—that masquerade as legitimate investment or bonus offers. This is not just a routine scam, but a well-coordinated campaign employing social engineering and technically advanced tools.

According to my data, at least 15 phishing bait sites were launched between late May and early June. The attack mechanism is standard but extremely effective. Victims are lured with the promise of a $50 USDT welcome bonus for opening an investment account. To receive the "gift," users are asked to connect their crypto wallet by scanning a QR code through the official app.

At first glance, the victim is simply signing a transaction to integrate the wallet. In reality, this request grants the scammers full access to withdraw all funds: tokens, NFTs, and stablecoins. Once authorization on the fake site is complete, the malicious software instantly checks the balance and empties the wallet with multiple requests. I identify three main types of bait currently in active use:

  • Investment accounts: promising a bonus for registration.
  • Telegram activity: offering a lucrative purchase of "stars" or premium features.
  • Bonus programs: distributing free tokens for connecting a wallet.

It is important to understand that this is not a new threat. Several years ago, similar drainers were actively used against English-speaking audiences, after which their activity subsided. Now we are seeing a resurgence, but with a clear focus on the Russian-speaking segment. Scammers quickly create new domains to replace blocked ones, making the fight against them a game of "cat and mouse."

How to protect your assets

My recommendation is to categorically avoid clicking links from advertisements, especially those promising "freebies." Always carefully check the domain name of the resource. Attackers register addresses that sound similar to well-known brands. Use Whois services to check the site's creation date: fresh domains (up to 1-2 months old) are a red flag. Remember that any licensed brokerage activity in the Russian Federation is conducted only on the basis of a Central Bank license, and all official resources can be verified on the regulator's website.

Expert opinion: This attack is a vivid example of how the technical complexity of crypto tools is used against the users themselves. Until the industry implements more reliable transaction confirmation mechanisms (e.g., mandatory address whitelisting or withdrawal time delays), the only defense remains extreme vigilance and healthy skepticism toward any offers of "free cheese."