Crypto news

18.06.2026
03:59

A new wave of crypto fraud in Russia: drainers masquerading as investment platforms

Russian cryptocurrency holders are facing a large-scale and well-organized threat. My latest research shows that at least three hacker groups have launched an active campaign to steal digital assets using malicious software — drainers. These programs, disguised as legitimate affiliate and investment services, are designed for one purpose: to instantly empty a connected crypto wallet.

Attack Mechanics: From a $50 Bonus to Total Collapse

In late May to early June of this year, attackers launched at least 15 phishing bait sites. The scheme is automated and preys on human greed.

The user is lured with a promise to open an investment account and receive a welcome bonus of $50 in USDT. To activate the "generous" offer, the victim is asked to connect their crypto wallet by scanning a QR code through the official app. At this stage, the user, unaware of the trick, independently signs a transaction that actually grants fraudsters full access to withdraw funds.

Once authorization on the fake resource is complete, the drainer checks the wallet balance with several requests and instantly withdraws all available tokens, including NFTs. Analysts from the specialized unit F6 Digital Risk Protection have already recorded this dangerous trend.

Notably, several years ago, such software was actively distributed among English-speaking users, after which its activity declined. Now we are seeing a new wave targeting a Russian-speaking audience. Fraudsters are adapting their methods to local realities and actively exploiting fresh news topics.

Main Types of Bait

Attackers use three main tricks:

  • Investment Accounts: Promising a bonus for registration.
  • Telegram Activity: Offering a profitable purchase of "stars" or other internal assets.
  • Bonus Programs: Distributing free tokens for connecting a wallet.

How to Protect Your Assets: Expert Recommendations

In the current environment, investors need to be extremely vigilant. Cybersecurity specialists recommend completely avoiding clicking on suspicious links from advertisements. Carefully verify the domain name of the resource you are on. Fraudsters often register domains that sound similar to well-known brands, so use Whois services to check the site's creation date.

Additionally, remember: brokerage activities in the Russian Federation are only conducted with a license from the Bank of Russia. The validity of such a license and the official online resources of the broker can be verified on the Central Bank's website. Always cross-check any promotions exclusively on official platforms. A suspicious site can be sent to the "Anti-Phishing" platform — specialists will verify the information and pass it to regulators for blocking.

Expert Opinion: This new wave of attacks is an alarming signal for the entire crypto community in Russia. Fraudsters are becoming increasingly sophisticated, using social engineering and impersonating trusted brands. The only reliable way to protect yourself is your own cyber hygiene. Never connect your wallet to unfamiliar sites, even if you are promised "easy" money. In the world of DeFi, free cheese only comes in a mousetrap.