New wave of crypto ransomware: drainers attack Russian investors
The cryptocurrency market has once again faced aggressive tactics from attackers: at least three hacker groups have targeted Russian users using malicious software — drainers. Scammers disguise their criminal schemes as affiliate programs for investors, promising easy earnings and bonuses.
During an investigation conducted by the F6 Digital Risk Protection analytical unit, a large-scale campaign was identified that began between late May and early June. The attackers launched at least 15 fake websites integrated with crypto drainers, programs designed to instantly empty the wallets of unsuspecting victims.
How the scheme works
The attack mechanism is simple but effective. Users are invited to open an investment account with a welcome bonus of $50 in USDT. To activate the "generous" offer, they need to connect their wallet by scanning a QR code through the official wallet app. The victim, believing they are claiming a bonus, signs a transaction that in fact grants the attackers full access to withdraw all funds: cryptocurrencies, tokens, and NFTs. Once authorization on the fake site is complete, the drainer checks the balance with several requests and instantly withdraws all available assets.
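The transaction the victim signs is typically a token approval that names an attacker-controlled address as spender. The following added example (not F6's code or anything from the article) decodes such calldata and flags the "full access" grants before they are signed; it assumes the standard ERC-20/721/1155 approve and setApprovalForAll selectors and uses constructed sample calldata.

```python
MAX_UINT256 = 2**256 - 1
SELECTORS = {  # standard 4-byte selectors of the approval functions drainers ask victims to sign
    "095ea7b3": "approve(address,uint256)",         # ERC-20 / ERC-721 single approval
    "a22cb465": "setApprovalForAll(address,bool)",  # ERC-721 / ERC-1155 operator grant
}

def _word(data, index):
    """Return the index-th 32-byte ABI word following the 4-byte selector."""
    word = data[4 + 32 * index:36 + 32 * index]
    if len(word) != 32:
        raise ValueError("calldata truncated")
    return word

def decode_approval(calldata_hex):
    """Decode approve/setApprovalForAll calldata; None if the call is something else."""
    data = bytes.fromhex(calldata_hex[2:] if calldata_hex.startswith("0x") else calldata_hex)
    name = SELECTORS.get(data[:4].hex())
    if name is None:
        return None
    spender = "0x" + _word(data, 0)[12:].hex()  # address = low 20 bytes of the word
    if name.startswith("approve"):
        amount = int.from_bytes(_word(data, 1), "big")
        unlimited = amount == MAX_UINT256      # "infinite" allowance: spender can take everything
    else:
        amount = None
        unlimited = _word(data, 1)[-1] == 1    # approved=true: operator for every token you own
    return {"function": name, "spender": spender, "amount": amount, "unlimited": unlimited}

def assess(calldata_hex, trusted_spenders):
    """Classify a signing request as 'ok', 'review' or 'drain-risk'."""
    approval = decode_approval(calldata_hex)
    if approval is None:
        return "ok"  # not an approval at all; still read the wallet prompt
    if approval["spender"].lower() in {s.lower() for s in trusted_spenders}:
        return "review"  # known contract, but confirm the amount is what you intended
    return "drain-risk" if approval["unlimited"] else "review"

# Constructed samples (not real incident data): what a fake "bonus" site asks the wallet to sign.
SPENDER = "1111111111111111111111111111111111111111"
SAMPLE_UNLIMITED_APPROVE = "0x095ea7b3" + SPENDER.rjust(64, "0") + "f" * 64
SAMPLE_SET_ALL = "0xa22cb465" + SPENDER.rjust(64, "0") + "1".rjust(64, "0")

if __name__ == "__main__":
    print(assess(SAMPLE_UNLIMITED_APPROVE, set()))  # drain-risk
    print(assess(SAMPLE_SET_ALL, set()))            # drain-risk
```

A wallet prompt that shows the decoded function, spender and an unlimited amount for a site you reached through an advertisement is exactly the case the article describes.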
Experts identify three main types of lures used in this campaign:
- Investment accounts: promising a bonus for registration.
- Telegram activity: offering a profitable purchase of "stars" or premium services.
- Bonus programs: giving away free tokens for connecting a wallet.
Notably, drainers are not a new threat. Several years ago they were used heavily against English-speaking audiences, after which their activity declined. Now the tactic is resurging, this time aimed at Russian-speaking users. As F6 senior analyst Maria Sinitsyna notes, this wave is not accidental: attackers are adapting their methods to a new audience, exploiting fresh news topics and investor gullibility.
How to protect your digital assets
F6 experts recommend never clicking suspicious links in advertisements. Pay particular attention to the domain name of the resource: scammers often register domains that sound similar to well-known brands, so before connecting a wallet, check the site's creation date through Whois services. Additionally, verify any promotions and bonus programs only on the broker's official platforms; the broker's license can be checked on the website of the Central Bank of the Russian Federation.
Expert opinion: Drainers are a highly effective tool that demands of users not just caution but outright paranoia. In the current conditions, where attackers are constantly refining their phishing schemes, the only reliable rule remains "do not connect your wallet where you were not offered to do so." Any promise of "free money" should be a red flag, not a cause for joy. The market is getting tougher, and negligence can cost you all your savings.