Anatomy of a Russian Crypto Drainer Operation
A major cybercriminal operation called Rublevka Team has generated over $10 million through cryptocurrency theft since 2023. The group employs a network of social engineering specialists who direct victims to malicious pages impersonating legitimate crypto services. Using custom JavaScript scripts, they trick users into connecting wallets and authorizing fraudulent transactions. Rublevka Team's infrastructure is fully automated, offering affiliates access to tools for launching high-volume scams. Their model poses a growing threat to cryptocurrency platforms and brands, with potential for reputational and legal risks. The group's agility in rotating domains and targeting lower-cost chains like Solana undermines traditional fraud detection efforts.
AI Analysis
Technical Summary
The Rublevka Team is a Russian cybercriminal group specializing in cryptocurrency theft through a sophisticated phishing operation that has generated over $10 million since 2023. Their attack methodology centers on social engineering, where victims are directed to malicious websites impersonating legitimate cryptocurrency services. These fake sites deploy custom JavaScript scripts designed to deceive users into connecting their crypto wallets and authorizing fraudulent transactions, effectively draining funds. The group’s infrastructure is fully automated and supports an affiliate program, enabling high-volume scams with scalable operations. They primarily target lower-cost blockchain networks such as Solana, which are less scrutinized by traditional fraud detection systems. The frequent rotation of domains and use of brand impersonation techniques allow Rublevka Team to evade detection and maintain operational agility. This operation threatens the confidentiality and financial integrity of users’ crypto assets and exposes cryptocurrency platforms and brands to reputational damage and legal liabilities. The absence of known exploits in the wild suggests the threat is primarily driven by social engineering and user interaction rather than technical vulnerabilities. The group’s use of automated tools and affiliate networks indicates a mature, organized criminal operation with significant resources.
Potential Impact
For European organizations, the Rublevka Team’s operation presents several critical risks. Financial losses from wallet draining directly impact users and service providers, potentially undermining trust in cryptocurrency platforms. Reputational damage can arise from association with fraudulent activities or failure to protect users, leading to customer attrition and regulatory scrutiny. Legal risks include potential liabilities for inadequate security measures and failure to comply with emerging crypto regulations in Europe. The targeting of lower-cost chains like Solana may affect platforms and users who prefer these networks for lower transaction fees, expanding the threat surface. The automated and affiliate-driven nature of the attacks increases the volume and scale of incidents, making detection and response more challenging. European crypto exchanges, wallet providers, and DeFi platforms may face increased phishing attempts and fraudulent transactions. Additionally, users unfamiliar with phishing tactics or less vigilant about wallet permissions are particularly vulnerable, increasing the likelihood of successful attacks.
Mitigation Recommendations
European organizations should implement multi-layered defenses tailored to this threat. First, enhance user education programs focusing on recognizing phishing sites, verifying domain authenticity, and understanding wallet permission requests. Deploy advanced domain monitoring solutions to detect and block newly registered or suspicious domains mimicking legitimate crypto services. Integrate behavioral analytics and anomaly detection to identify unusual wallet authorization patterns or transaction requests. Employ browser security tools that can detect and block malicious JavaScript execution on crypto-related sites. Encourage or enforce the use of hardware wallets or multi-signature wallets to reduce the risk of unauthorized transactions. Collaborate with blockchain analytics firms to monitor suspicious transactions on targeted chains like Solana. Establish rapid incident response protocols to address phishing campaigns and domain takedowns swiftly. Finally, maintain compliance with European regulatory frameworks such as the EU’s Markets in Crypto-Assets (MiCA) regulation to ensure robust security and reporting standards.
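The domain-monitoring and anomaly-detection recommendations above reduce, in their simplest form, to matching outbound traffic against a known indicator list. The script below is an added example for this page, not code from the report, the AlienVault pulse or the actor's tooling. The indicator values are copied from the Indicators of Compromise list on this page; the proxy log format and the log lines are constructed for illustration. Three of the listed hosts (solana-rpc.publicnode.com, mainnet.helius-rpc.com, rpc.walletconnect.org) are public RPC and relay services that legitimate wallet applications also use, so a hit on the host alone is reported as low confidence; the per-account api-key and projectId values in the listed URLs are what tie the traffic to this operator, and those, the actor-registered domains and the IP are reported as high confidence. The 64-character hash indicators belong in a file or endpoint scan and are not matched here.

```python
"""Match web-proxy log lines against the indicators listed on this page.

Added example for this page; not code from the report or from the actor.
Indicator values are copied from the page's IoC list; the log lines below
are constructed for illustration.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Actor-registered domains copied from the page. A listed domain or any of
# its subdomains (rewards.sol-galaxy.cc, fortunawhee.sol-galaxy.cc ...) matches.
IOC_DOMAINS = {
    "burn-shard-bridge.xyz", "commontechrepo.cc", "efficient-endpoint.site",
    "emailsecure.tech", "events-dege.com", "g-app-d.cc", "luna-memex.com",
    "minordao.co", "open-sol.cc", "pump-foundation.xyz", "pumptoken.net",
    "rublevkateam.cc", "rugchecker.fun", "sol-chey.com", "sol-coin.xyz",
    "sol-galaxy.cc", "sol-hook.org", "web-core.cc", "check.me-fnd.com",
    "rewards.sol-galaxy.cc", "solana-rpc.publicnode.com",
    "soldrop.solvault.ws", "token.pump-launch.fun", "usdcoin.sol-galaxy.cc",
}

# Shared public RPC / relay hosts from the page's URL list. Legitimate wallets
# talk to these too, so the host by itself is only a low-confidence signal.
SHARED_RPC_HOSTS = {
    "solana-rpc.publicnode.com", "mainnet.helius-rpc.com", "rpc.walletconnect.org",
}

# Per-account values copied from the page's URL indicators (api-key and
# projectId query parameters). The 32-hex "hash" indicator on the page,
# 730eede4c040eafa7a928a503b6cd650, is the projectId in the WalletConnect URL.
IOC_QUERY_KEYS = {
    "3b5315ac-170e-4e0e-a60e-4ff5b444fbcf", "44b7171f-7de7-4e68-9d08-eff1ef7529bd",
    "55065729-bda8-4cf8-87a1-7bd64cf22726", "8e0e9a34-2648-421a-8f22-6460b4a68705",
    "bfd713ef-c9a7-404f-804c-e682c2bd0d3b", "db25ae76-7277-45ce-b21a-5be1a61f2f04",
    "f30d6a96-5fa2-4318-b2da-0f6d1deb5c83", "730eede4c040eafa7a928a503b6cd650",
}
IOC_IPS = {"158.94.208.165"}

# A CONNECT target in a proxy log looks like host:port.
HOSTPORT_RE = re.compile(r"^([A-Za-z0-9.-]+):\d{1,5}$")


def host_of(token):
    """Return the host named by a log token (full URL or host:port), else None."""
    if "://" in token:
        return urlsplit(token).hostname
    m = HOSTPORT_RE.match(token)
    return m.group(1).lower() if m else None


def matched_domain(host):
    """Return the shortest listed domain that host equals or is a subdomain of."""
    matches = [d for d in IOC_DOMAINS if host == d or host.endswith("." + d)]
    return min(matches, key=len) if matches else None


def query_key_hits(token):
    """Return listed account identifiers found in the URL's query string."""
    if "://" not in token:
        return []
    qs = parse_qs(urlsplit(token).query)
    return [v for vals in qs.values() for v in vals if v in IOC_QUERY_KEYS]


def match_log_line(line):
    """Return (confidence, indicator) tuples for one whitespace-separated log line."""
    hits = []
    for tok in line.split():
        host = host_of(tok)
        if host is None:
            continue
        if host in IOC_IPS:
            hits.append(("high", "ip:" + host))
        keys = query_key_hits(tok)
        for k in keys:
            hits.append(("high", "key:" + k))
        d = matched_domain(host)
        if d is not None:
            hits.append(("low" if host in SHARED_RPC_HOSTS else "high", "domain:" + d))
        elif host in SHARED_RPC_HOSTS and not keys:
            hits.append(("low", "shared-host:" + host))
    return hits


def scan(lines):
    """Map line index -> hits for every line that matched at least one indicator."""
    result = {}
    for i, line in enumerate(lines):
        hits = match_log_line(line)
        if hits:
            result[i] = hits
    return result


# Constructed Squid-style log lines; the API key on the third line is a dummy.
SAMPLE_LOG = [
    "1738700001.123 10.0.0.21 TCP_TUNNEL/200 CONNECT rewards.sol-galaxy.cc:443",
    "1738700002.456 10.0.0.21 TCP_MISS/200 POST https://mainnet.helius-rpc.com/?api-key=3b5315ac-170e-4e0e-a60e-4ff5b444fbcf",
    "1738700003.789 10.0.0.33 TCP_MISS/200 POST https://mainnet.helius-rpc.com/?api-key=00000000-0000-0000-0000-000000000000",
    "1738700004.000 10.0.0.33 TCP_TUNNEL/200 CONNECT 158.94.208.165:443",
    "1738700005.000 10.0.0.40 TCP_MISS/200 GET https://example.com/index.html",
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_LOG).items():
        print(idx, hits)
```

The matcher is deliberately suffix-based for domains, so a new subdomain under a listed zone is caught without a list update, while the shared RPC hosts only become high confidence when the query string carries one of the listed account identifiers.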
Affected Countries
Germany, United Kingdom, Netherlands, France, Switzerland, Sweden
Indicators of Compromise
- url: https://solana-rpc.publicnode.com
- hash: 730eede4c040eafa7a928a503b6cd650
- hash: 78bfb193ba291e17360126796ec9b93acdfec75867619fc50c5d45d7081009b6
- hash: 93288b95db8cba2b8d3f38246be46e383990a9fcdd06bf26417a5935a8fe0a27
- hash: 9c21d538c2a556f4a5b351b29f3513097ac57643f291ff6d751400d8dbc69489
- hash: af5bed914f5406e7c1a3f30f91dfe34d81c5b06c571c59417fe4e2bde966325c
- hash: b9157f6bff6a6ee6ba5932ebac2c8796836b21eb3c69df08fbeb102e9228ba15
- hash: ea8e780d0c292bfd1a3ee6bd9b8d77900a545bd3be3105891816c8f561eeb302
- hash: fcf1bbac7dae24b6e0357bee6e8e184dfd193ddf8b341feaa9a3d83265af8f0a
- ip: 158.94.208.165
- url: https://mainnet.helius-rpc.com/?api-key=
- url: https://mainnet.helius-rpc.com/?api-key=3b5315ac-170e-4e0e-a60e-4ff5b444fbcf
- url: https://mainnet.helius-rpc.com/?api-key=44b7171f-7de7-4e68-9d08-eff1ef7529bd
- url: https://mainnet.helius-rpc.com/?api-key=55065729-bda8-4cf8-87a1-7bd64cf22726
- url: https://mainnet.helius-rpc.com/?api-key=8e0e9a34-2648-421a-8f22-6460b4a68705
- url: https://mainnet.helius-rpc.com/?api-key=bfd713ef-c9a7-404f-804c-e682c2bd0d3b
- url: https://mainnet.helius-rpc.com/?api-key=db25ae76-7277-45ce-b21a-5be1a61f2f04
- url: https://mainnet.helius-rpc.com/?api-key=f30d6a96-5fa2-4318-b2da-0f6d1deb5c83
- url: https://rpc.walletconnect.org/v1/?chainId=solana%3A5eykt4UsFv8P8NJdTREpY1vzqKqZKvdp&projectId=730eede4c040eafa7a928a503b6cd650
- domain: burn-shard-bridge.xyz
- domain: commontechrepo.cc
- domain: efficient-endpoint.site
- domain: emailsecure.tech
- domain: events-dege.com
- domain: g-app-d.cc
- domain: highperformance-kit.online
- domain: highperformance-shard.online
- domain: instant-automated-matrix.website
- domain: luna-memex.com
- domain: minordao.co
- domain: open-sol.cc
- domain: private-peer.store
- domain: public-proof.online
- domain: pump-foundation.xyz
- domain: pumptoken.net
- domain: rublevkateam.cc
- domain: rugchecker.fun
- domain: sol-chey.com
- domain: sol-coin.xyz
- domain: sol-galaxy.cc
- domain: sol-hook.org
- domain: web-core.cc
- domain: check.me-fnd.com
- domain: fortunawhee.sol-galaxy.cc
- domain: rewards.sol-galaxy.cc
- domain: solana-rpc.publicnode.com
- domain: soldrop.solvault.ws
- domain: token.pump-launch.fun
- domain: usdcoin.sol-galaxy.cc
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.recordedfuture.com/research/rublevka-team-anatomy-russian-crypto-drainer-operation, https://www.recordedfuture.com/research/media_1f21796732ee17098dc9eae5148e093dc47d7f9de.gif?width=1200&format=pjpg&optimize=medium
- Adversary: Rublevka Team
- Pulse Id: 698364aade09c6acd9e673b9
- Threat Score: null
Threat ID: 6983b6ddf9fa50a62fad288d
Added to database: 2/4/2026, 9:15:09 PM
Last enriched: 2/4/2026, 9:30:17 PM
Last updated: 2/5/2026, 11:06:56 PM
Views: 16