Crypto news

18.06.2026
04:34

New wave of crypto drainers: how hackers empty the wallets of Russians

The digital asset market has once again become a stage for a large-scale fraudulent campaign. My colleagues from the Digital Risk Protection department of F6 have recorded at least three hacker groups specifically targeting Russian users with malicious drainer programs. These tools, disguised as legitimate affiliate programs for investors, represent one of the most dangerous threats to cryptocurrency holders in the current cycle.

Attack Mechanics: From Bonus to Complete Depletion

In late May to early June, attackers launched at least 15 phishing bait sites. The deception mechanics are honed to automation. Users are offered to open an "investment account" and promised a welcome bonus of $50 in USDT. To activate the enticing offer, the victim is asked to connect their crypto wallet by scanning a QR code through the official application.

At first glance, everything looks harmless. However, after confirming the integration, the user independently signs a transaction request that actually grants fraudsters full access to withdraw all funds: cryptocurrencies, tokens, and NFTs. Once authorization on the fake site is complete, the drainer instantly scans the balance and withdraws all available assets in several requests.

Experts identify three main types of bait used by hackers:

  • Investment accounts: promising a bonus for registration.
  • Telegram activity: offering a profitable purchase of "stars."
  • Bonus programs: distributing free tokens for connecting a wallet.

It is important to note that drainers are not a new technology. Several years ago, they were actively used against English-speaking users, after which their activity declined. Now we are seeing a resurgence of this scheme, but with a focus on the Russian-speaking audience. Fraudsters quickly create new domains to replace blocked ones, making the fight against them an endless "cat-and-mouse game."

How to Protect Your Assets

In the current conditions, security is solely the user's responsibility. I strongly recommend completely avoiding clicking on suspicious links from advertisements. Always carefully check the domain name of the resource you are on. Attackers often register addresses that sound similar to well-known brands, so use Whois services to check the site's creation date—fresh domains should raise suspicion.

Additionally, in Russia, brokerage activities are only possible with a license from the Bank of Russia. Always verify the official online resources of the broker on the Central Bank's website. Check any promotions and offers exclusively on official platforms. If you find a suspicious site, you can send it to the "Anti-Phishing" platform—specialists will verify the information and pass it to regulators for blocking.

Expert conclusion: The cryptocurrency market is becoming an increasingly hostile environment for inattentive users. Drainers are a high-tech weapon, and the only effective shield against them is cold calculation and thorough verification of every step. Do not believe promises of easy money, or you risk losing everything.