Tags: malware, high, Affiliate Scam, Cryptocurrency Theft, Social Engineering, Wallet Draining, CrazyEvil, Marko Polo

Feb 04, 2026 • Recorded Future

Rublevka Team: Anatomy of a Russian Crypto Drainer Operation


Source: Recorded Future
Category: malware
Severity: high

Executive Summary

Rublevka Team is a Russian cybercriminal operation that has stolen over $10 million since 2023 through large-scale cryptocurrency wallet draining campaigns. The group operates as a 'traffer team' with thousands of affiliates who deploy custom JavaScript drainers via spoofed landing pages impersonating legitimate crypto services like Phantom, Bitget, and Jito. Their fully automated infrastructure includes Telegram bots, landing page generators, cloaking tools, and supports over 90 Solana wallet types. Insikt Group estimates at least 240,000 successful drains with transactions ranging from $0.16 to over $20,000. The operation mirrors ransomware-as-a-service models, significantly lowering the technical barrier for cybercriminals. Organizations facilitating blockchain transactions face elevated reputational and legal risks from customer victimization. The group's use of rotating domains and targeting lower-cost chains undermines traditional fraud detection efforts.

Summary

Rublevka Team exemplifies the industrialization of crypto scams. Learn how traffer teams and wallet drainers enable high-volume theft.

Published Analysis

Executive Summary

Insikt Group has identified a major cybercriminal operation specializing in large-scale cryptocurrency theft, operating under the moniker “Rublevka Team”. Since its inception in 2023, the threat group has generated over $10 million through affiliate-driven wallet draining campaigns. Rublevka Team is an example of a “traffer team,” composed of a network of thousands of social engineering specialists tasked with directing victim traffic to malicious pages. Unlike traditional malware-based approaches such as those used by the traffer teams Marko Polo and CrazyEvil (previously identified by Insikt Group, both of which distributed infostealer malware), Rublevka Team deploys custom JavaScript scripts via spoofed landing pages that impersonate legitimate crypto services, tricking victims into connecting their wallets and authorizing fraudulent transactions.

Their infrastructure is fully automated and scalable, offering affiliates access to Telegram bots, landing page generators, evasion features, and support for over 90 wallet types. By lowering the technical barrier to entry, Rublevka Team has built an extensive ecosystem of global affiliates capable of launching high-volume scams with minimal oversight. This structure poses a growing threat to cryptocurrency platforms, fintech providers, and brands whose identities are being impersonated. Organizations that facilitate blockchain transactions, particularly fintech firms, exchanges, or wallet providers, face elevated reputational and legal risks if customers fall victim to these scams. Even if the victim’s compromise occurs outside a firm’s platform, failure to detect spoofed landing pages or fraudulent referrals can trigger consumer backlash, loss of trust, or regulatory scrutiny around customer protections and Know Your Customer (KYC) enforcement. The threat group’s agility, evidenced by its use of frequently rotating domains, targeting lower-cost chains like Solana (SOL), and exploiting Remote Procedure Call (RPC) APIs, undermines traditional fraud detection and domain takedown efforts. Their model mirrors ransomware-as-a-service (RaaS) operations, signaling a continuation of the broader shift toward scalable, service-based cybercrime that organizations must proactively monitor, disrupt, and defend against to protect customers and maintain trust.

Key Findings

  • The objective of a Rublevka Team scam is to create an attractive SOL-based offer, such as a promotion or an airdrop event, generate traffic to the lure via social media or advertisements, and trick a user into connecting their wallet to the website and signing a transaction that drains their wallet.
  • As of writing, Rublevka Team’s primary Telegram channel has approximately 7,000 members.
  • Over 240,000 messages have been posted to Rublevka Team’s automated “profits” channel, indicating at least 240,000 successful wallet drains, with transactions ranging from $0.16 to over $20,000.
  • Rublevka Team offers a custom JavaScript drainer embedded into their landing pages, which exfiltrates victims’ SOL assets by draining held tokens. The drainer is compatible with over 90 SOL wallet types.
  • The threat group’s infrastructure is fully automated via Telegram bots, offering affiliates tools for landing page creation, campaign tracking, cloaking, and distributed denial-of-service (DDoS) protection.
  • The drainer campaign, active since 2023, leverages spoofed versions of legitimate services such as Phantom, Bitget, and Jito to maximize user trust and conversion.
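The key findings describe a repeatable lure pattern: an impersonated brand (Phantom, Bitget, Jito) on a freshly rotated domain, paired with an airdrop or promotion hook. Because the domains rotate faster than takedowns land, brand-protection and fraud teams usually triage newly observed hostnames (for example from certificate transparency feeds) before they are reported anywhere. The following is an added example, not code from the Recorded Future report or from BrewedIntel, of such a triage heuristic: it scores a hostname on whether it contains or sits one edit away from an impersonated brand name, whether it reuses that brand's real top-level domain, and whether it carries lure words. The allowlist of legitimate brand domains is my assumption and should be replaced with a verified one; the sample feed is constructed and contains no indicators from the report.

```python
"""Triage heuristic for brand-impersonation domains (added example, not from the
report). Flags hosts that reuse or closely resemble the brands the report says
Rublevka Team spoofs, especially when combined with airdrop/promo lure words."""
import re

# Impersonated brands named in the report, mapped to the domains they
# legitimately use. ASSUMPTION: replace with your own verified allowlist.
BRANDS = {
    "phantom": {"phantom.app", "phantom.com"},
    "bitget": {"bitget.com"},
    "jito": {"jito.network"},
}

# Hooks matching the "promotion or airdrop event" lures described in the report.
LURE_WORDS = ("airdrop", "claim", "promo", "bonus", "reward", "giveaway", "presale")

# Digit-for-letter substitutions that defeat naive substring matching.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})

SUSPICIOUS_THRESHOLD = 3


def levenshtein(a: str, b: str) -> int:
    """Edit distance with unit cost for insert, delete and substitute."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Last two labels of the host. Naive: multi-part TLDs (.co.uk) need a PSL."""
    return ".".join(host.split(".")[-2:])


def score_domain(domain: str) -> dict:
    """Return a score, the reasons behind it and whether it crosses the threshold."""
    host = domain.lower().strip(".")
    reg = registrable(host)
    tld = reg.rsplit(".", 1)[-1]
    # Every label and hyphen-separated piece, leet-normalised for matching.
    tokens = [t.translate(LEET) for t in re.split(r"[.\-_]", host) if t]
    for legit in BRANDS.values():
        if reg in legit:
            return {"domain": domain, "score": 0, "reasons": ["allowlisted"], "suspicious": False}
    score, reasons = 0, []
    for brand, legit in BRANDS.items():
        if any(brand in t for t in tokens):
            score += 3
            reasons.append(f"brand '{brand}' in name")
        elif any(len(t) >= 4 and levenshtein(brand, t) == 1 for t in tokens):
            score += 2
            reasons.append(f"one edit from '{brand}'")
        else:
            continue
        # Reusing the brand's real TLD (phant0m.app) makes the spoof more convincing.
        if tld in {d.rsplit(".", 1)[-1] for d in legit}:
            score += 1
            reasons.append(f"brand TLD .{tld}")
    lures = [w for w in LURE_WORDS if w in host]
    if lures:
        score += min(len(lures), 2)
        reasons.append("lure words: " + ", ".join(lures))
    return {"domain": domain, "score": score, "reasons": reasons,
            "suspicious": score >= SUSPICIOUS_THRESHOLD}


def triage(domains) -> list:
    """Suspicious domains, highest score first, for analyst review or takedown."""
    hits = [h for h in (score_domain(d) for d in domains) if h["suspicious"]]
    return [h["domain"] for h in sorted(hits, key=lambda h: -h["score"])]


# Constructed sample feed (not real indicators from the report).
SAMPLE_FEED = [
    "phantom.app",
    "phantom-airdrop-claim.xyz",
    "phant0m.app",
    "bitgett.com",
    "jlto-rewards.net",
    "example.org",
]

if __name__ == "__main__":
    for d in SAMPLE_FEED:
        r = score_domain(d)
        print(f"{r['score']:>2} {r['domain']:<28} {'; '.join(r['reasons'])}")
    print("queue:", triage(SAMPLE_FEED))
```

The scoring is deliberately additive so an analyst can read the reasons list rather than trust a single number; in practice the output feeds a review queue, and confirmed hits are the ones worth submitting for takedown or blocking at the proxy, since the report notes that domain rotation makes any single takedown short-lived.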

Linked Entities

  • CrazyEvil
  • Marko Polo
  • Rublevka Team