New wave of crypto phishing in Russia: how drainers empty the wallets of Russians
Russian cryptocurrency holders have faced a massive attack. At least three hacker groups have launched a campaign to steal digital assets using malicious software known as drainers. These programs masquerade as legitimate investment platforms and affiliate programs, luring victims with promises of easy profits.
Attack Mechanics: From Bonus to Complete Depletion
In late May to early June 2026, digital security specialists recorded the launch of at least 15 phishing websites integrated with crypto drainers. The scheme is standard but no less dangerous: users are offered to register an investment account and receive a welcome bonus of $50 in USDT. To activate the "gift," they need to connect a crypto wallet by scanning a QR code through the official app.
The victim, thinking they are performing a routine operation, signs the transaction themselves. In reality, they grant attackers full access to withdraw funds. Once authorization on the fake resource is complete, the drainer instantly scans the balance and empties the wallet with several requests, withdrawing all tokens, including NFTs.
Analysts highlight three main types of lures used in this campaign:
| Lure Type | Essence of the Deception Scheme |
|---|---|
| Investment Accounts | Promise of a registration bonus |
| Telegram Activity | Offer to buy stars at a favorable price |
| Bonus Programs | Free token giveaways for connecting a wallet |
Notably, drainers are not a new threat. Several years ago, they were actively used against English-speaking users, after which their activity declined. However, we are now witnessing a revival of this tactic, but with a focus on a Russian-speaking audience. Experts warn: connecting your wallet to suspicious sites, especially those exploiting recent news topics, risks losing all your funds.
How to Protect Your Assets
The main rule is to never click on suspicious links from advertisements. Carefully check the domain name of the resource: attackers often register addresses that sound similar to well-known brands. Use Whois services to verify the site's creation date—fresh domains should raise particular suspicion.
In Russia, brokerage activities are only possible with a license from the Central Bank. Always verify the official details and online resources of a company on the Central Bank of Russia's website. Check any promotions and bonuses exclusively on official platforms. If you come across a suspicious site, submit it for review—specialists will pass the information to regulators for blocking.
Expert Opinion: This attack is a vivid example of how cybercriminals adapt old schemes to new realities. Drainers are becoming increasingly accessible on the black market, and their integration with phishing sites is becoming more sophisticated. Investors should remember: there is no such thing as a free lunch. Any offer of "easy money" involving connecting a wallet should be seen as a red flag. Security starts with cold storage and thorough verification of every resource you interact with.