New wave of crypto drainers: how hackers empty Russians' wallets under the guise of investments
In recent weeks, I have recorded a sharp increase in activity from at least three hacker groups targeting Russian-speaking cryptocurrency holders. The attackers have launched a large-scale campaign using malicious drainer programs disguised as legitimate affiliate programs and investment platforms.
Analysts from the specialized unit F6 Digital Risk Protection have identified at least 15 bait websites launched between late May and early June. The attack is heavily automated: the user is lured with the promise of opening an investment account and receiving a welcome bonus of 50 USDT. To activate the "generous" offer, the victim is asked to connect their wallet by scanning a QR code through the official application.
How the scheme works
At first glance, everything looks harmless. The user signs a transaction request themselves, but in reality that signature grants the fraudsters standing permission to withdraw all of the wallet's digital assets: cryptocurrencies, tokens, and even NFTs. Once the wallet is connected to the fake website, the drainer software queries the balance with a handful of requests within seconds and immediately empties the wallet.
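The signing request described above is what a user should inspect before approving. The following is an added example, not code from the original post or from F6: it assumes (the post does not say) that the request is one of the two standard EVM approval calls, ERC-20 `approve` or ERC-721/1155 `setApprovalForAll`, and flags grants that would let an unknown address move an entire balance or collection.

```python
# Added example, not from the original post: a pre-signing check for the
# two EVM approval calls that hand a third party standing permission to
# move tokens (ERC-20 approve) or NFTs (ERC-721/1155 setApprovalForAll).
# Assumption: the drainer's "transaction request" is one of these calls.
# Selectors are the first 4 bytes of keccak256 of the function signature.
from dataclasses import dataclass

SEL_APPROVE = "095ea7b3"           # approve(address,uint256)
SEL_SET_APPROVAL_ALL = "a22cb465"  # setApprovalForAll(address,bool)
# Heuristic: an allowance this large is unlimited in practice; the threshold
# also catches values deliberately set just below 2**256-1.
UNLIMITED_THRESHOLD = 1 << 128


@dataclass
class Finding:
    call: str        # "approve", "setApprovalForAll" or "other"
    spender: str     # address receiving the permission ("" if none)
    unlimited: bool  # grant covers the whole balance / collection
    verdict: str     # "danger", "review" or "ok"


def _word(data: str, i: int) -> str:
    """i-th 32-byte ABI argument (hex, no 0x) after the 4-byte selector."""
    return data[8 + 64 * i: 8 + 64 * (i + 1)]


def inspect_calldata(calldata: str, trusted_spenders=frozenset()) -> Finding:
    """Classify the calldata a wallet is being asked to sign."""
    data = calldata.lower().removeprefix("0x")
    selector = data[:8]
    if selector not in (SEL_APPROVE, SEL_SET_APPROVAL_ALL) or len(data) < 8 + 128:
        return Finding("other", "", False, "review")   # unknown/malformed
    spender = "0x" + _word(data, 0)[24:]   # address sits in the low 20 bytes
    arg = int(_word(data, 1), 16)
    if selector == SEL_APPROVE:
        call, unlimited = "approve", arg >= UNLIMITED_THRESHOLD
    else:
        call, unlimited = "setApprovalForAll", arg == 1
        if not unlimited:               # approved=false revokes: harmless
            return Finding(call, spender, False, "ok")
    if spender in {s.lower() for s in trusted_spenders}:
        verdict = "ok"
    else:
        verdict = "danger" if unlimited else "review"
    return Finding(call, spender, unlimited, verdict)


# Constructed sample requests: unlimited approve and a blanket NFT approval
SAMPLE_APPROVE = "0x" + SEL_APPROVE + "0" * 24 + "1" * 40 + "f" * 64
SAMPLE_SET_ALL = "0x" + SEL_SET_APPROVAL_ALL + "0" * 24 + "2" * 40 + "0" * 63 + "1"
```

A wallet prompt that decodes to `verdict == "danger"` for a spender you have never heard of is exactly the step at which the drainer gains its access, and the point to cancel.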
I have identified three main types of bait currently being actively used:
- Investment accounts — promising a bonus for registration.
- Telegram activities — offering a profitable purchase of "stars" or premium services.
- Bonus programs — distributing free tokens for connecting a wallet.
It is important to understand that drainers are not a new threat. Several years ago, this tool was actively used against English-speaking audiences, after which its activity temporarily declined. Now we are witnessing a revival of the tactic, but this time targeting Russian-speaking users. As experts note, fraudsters quickly create new domains to replace blocked ones, so combating them resembles a game of "cat and mouse."
How to protect your assets
My recommendation is simple but critically important: completely avoid clicking on suspicious links from advertisements. Always carefully verify the domain name of the resource you land on. Attackers often register domains that sound similar to well-known brands — check the site's creation date through Whois services.
Additionally, I remind you: brokerage activities in the Russian Federation are conducted only under a license from the Bank of Russia. The validity of the license and the official online resources of the broker can be verified on the Central Bank's website. Always cross-check any promotions exclusively on official platforms. A suspicious website can be sent to the "Anti-Phishing" platform — specialists will verify the information and forward it to regulators for blocking.
My professional opinion: drainers are one of the most dangerous threats for retail investors today. They exploit human greed and gullibility and, technically, the legitimate mechanisms of the blockchain itself. The only reliable protection is a cold wallet combined with the principle of "trust but verify." Never connect a hot wallet to unverified websites, even if they promise mountains of gold.