Rublevka Team: Russian Crypto Drainer Operation Steals $10 Million Through Affiliate Network
Recorded Future's Insikt Group has published a comprehensive analysis of Rublevka Team, a Russian cybercriminal operation that has generated over $10 million in cryptocurrency theft since 2023 through an affiliate-driven wallet draining ecosystem.
Unlike traditional crypto-stealing operations that rely on infostealer malware, Rublevka Team deploys custom JavaScript drainer scripts via spoofed landing pages that impersonate legitimate crypto services. Victims are tricked into connecting their wallets and signing fraudulent transactions that drain their holdings.
The operation is named after the Rublevka neighborhood of Moscow — a prestigious suburb populated by elite Russian businesspeople and government officials.
Scale of Operations
Rublevka Team's primary Telegram channel has approximately 7,000 members. Their automated "profits" channel has logged over 240,000 messages, indicating at least 240,000 successful wallet drains with individual transactions ranging from $0.16 to over $20,000.
The top earner, operating under the handle "hard working guy," has accumulated over $1.3 million across 799 transactions. The second-highest earner, "think about it," has $1.04 million from just 145 transactions — demonstrating the operation's capacity for high-value theft.
The operation's latest campaign, which shifted to Solana (SOL) in spring 2025, has generated approximately $8.2 million of the group's total revenue.
Affiliate Model
Rublevka Team operates as a "traffer team" — a network of social engineering specialists who drive victim traffic to malicious pages. The model mirrors ransomware-as-a-service operations, with affiliates receiving 75-80% commission on stolen funds.
Affiliates receive access to a fully automated Telegram bot infrastructure that provides landing page generators, campaign tracking, cloaking features, DDoS protection, and free domains and hosting. The drainer supports over 90 wallet types and includes specialized bypass techniques for Phantom wallet, one of the most popular Solana wallets.
No technical expertise is required. Prospective affiliates apply through [@]RublevkaTeam_Bot and, once accepted, gain access to private channels for chat, profit tracking, and ready-to-use landing pages.
Technical Infrastructure
The JavaScript drainer is heavily obfuscated, likely using js-confuser. It communicates with Solana RPC API endpoints through Helius and WalletConnect services, using embedded API keys belonging to Rublevka Team developers.
The drainer includes multiple "modes" for Phantom wallet exploitation:
- Honeypot: Displays fake incoming token receipts before initiating a visible drain transaction
- Crasher: Stealth-focused drain that completes in one interaction with minimal user review
- Fake Return: Shows a straightforward outgoing transfer with false claims of a refund to follow
- Warning: Intentionally displays Phantom warning banners while concealing drain mechanics, exploiting warning fatigue
Landing pages impersonate legitimate services including Phantom, Bitget, Jito, Marinade, Jupiter, and popular meme coins like Trump, Bonk, DogWifHat, and Fartcoin. The pages include social media links to actual services to appear legitimate under cursory inspection.
Infrastructure and Evasion
Rublevka Team rotates domains frequently, using shared domains for affiliates that are periodically replaced when blocked. Domain generation algorithms automatically spin up new infrastructure following patterns like "[word1]-[word2].cc".
The operation uses cloaking techniques to restrict access from certain countries, IP addresses, ISPs, and VPN users. Affiliates can configure Cloudflare CAPTCHAs and redirect logic to filter bots and reduce the likelihood of domain blocking.
Infrastructure has been traced to Lanedonet Datacenter (formerly Metaspinner Net GmbH), which Insikt Group assesses with high confidence is operated by threat activity enabler Virtualine Technologies.
Detection Guidance
Organizations in the cryptocurrency, fintech, and Web3 space should monitor for brand impersonation on spoofed landing pages. The operation specifically targets users through Telegram, social media, and crypto investment advice groups with pages prompting wallet connections.
Defenders should block the domains listed in the IOCs below and monitor for connections to the Helius RPC endpoints containing the embedded API keys used by the drainer.
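As an added detection example (not part of the Insikt Group report), the script below applies the guidance above to a constructed proxy log: it matches hosts exactly against the domains listed in the IOC section, flags Helius RPC calls that carry the drainer's embedded API keys listed there, and raises a low-confidence hunt lead for the "[word1]-[word2].cc" naming pattern described under Infrastructure and Evasion. The log format and sample lines are assumptions.

```python
import re
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlparse
# Indicators copied from the IOC section of this report (defanged there, refanged here for matching).
IOC_DOMAINS = {
    "open-sol.cc", "sol-galaxy.cc", "web-core.cc", "sol-hook.org",
    "efficient-endpoint.site", "g-app-d.cc", "fontmaxplugin.cc",
    "commontechrepo.cc", "burn-shard-bridge.xyz", "pumptoken.net", "emailsecure.tech",
}
DRAINER_HELIUS_KEYS = {
    "8e0e9a34-2648-421a-8f22-6460b4a68705",
    "55065729-bda8-4cf8-87a1-7bd64cf22726",
    "db25ae76-7277-45ce-b21a-5be1a61f2f04",
}
DGA_STYLE = re.compile(r"^[a-z]+-[a-z]+\.cc$")  # "[word1]-[word2].cc" scheme; low confidence, benign hits expected


def classify_url(url: str) -> Optional[Tuple[str, str]]:
    """Return (severity, reason) for one proxy-log URL, or None if nothing matched."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower()
    if host in IOC_DOMAINS:  # exact host match, so sol-galaxy.cc.example.com does not fire
        return ("high", "known Rublevka Team landing page domain " + host)
    if host == "mainnet.helius-rpc.com":
        hit = DRAINER_HELIUS_KEYS.intersection(parse_qs(parsed.query).get("api-key", []))
        if hit:  # the drainer's own embedded key; other Helius keys are ordinary Solana traffic
            return ("high", "Helius RPC call with drainer-embedded API key " + sorted(hit)[0])
    if DGA_STYLE.match(host):
        return ("low", host + " matches the [word1]-[word2].cc naming pattern (hunt lead only)")
    return None


def scan_proxy_log(lines):
    """Yield (line_no, severity, reason) for each 'timestamp client_ip url' log line that matches."""
    for number, line in enumerate(lines, 1):
        fields = line.split()
        verdict = classify_url(fields[2]) if len(fields) >= 3 else None
        if verdict:
            yield (number, verdict[0], verdict[1])


SAMPLE_LOG = [  # constructed sample lines, not from the report, so the script runs offline
    "2025-06-01T10:00:01Z 10.0.0.5 https://sol-galaxy.cc/connect",
    "2025-06-01T10:00:02Z 10.0.0.5 https://mainnet.helius-rpc.com/?api-key=8e0e9a34-2648-421a-8f22-6460b4a68705",
    "2025-06-01T10:00:03Z 10.0.0.7 https://mainnet.helius-rpc.com/?api-key=00000000-0000-0000-0000-000000000000",
    "2025-06-01T10:00:04Z 10.0.0.9 https://sol-galaxy.cc.example.com/",
    "2025-06-01T10:00:05Z 10.0.0.9 https://free-coin.cc/",
]

if __name__ == "__main__":
    for number, severity, reason in scan_proxy_log(SAMPLE_LOG):
        print(f"line {number}: [{severity}] {reason}")
```

The Helius key check is the higher-fidelity signal: the hostname alone is shared with legitimate Solana applications, so only the keys from the IOC list should be blocked or alerted on.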
MITRE ATT&CK
- T1566 — Phishing (spoofed landing pages)
- T1027 — Obfuscated Files or Information (js-confuser obfuscation)
- T1071.001 — Application Layer Protocol: Web Protocols (RPC API abuse)
- T1568.002 — Dynamic Resolution: Domain Generation Algorithms
- T1665 — Hide Infrastructure (Cloudflare cloaking)
- T1657 — Financial Theft (wallet draining)
Indicators of Compromise
Domains:
- open-sol[.]cc
- sol-galaxy[.]cc
- web-core[.]cc
- sol-hook[.]org
- efficient-endpoint[.]site
- g-app-d[.]cc
- fontmaxplugin[.]cc
- commontechrepo[.]cc
- burn-shard-bridge[.]xyz
- pumptoken[.]net
- emailsecure[.]tech
IP Address: 158[.]94[.]208[.]165
Email: alex.petrov.domain[@]emailsecure[.]tech
File Hashes (SHA-256):
- 9c21d538c2a556f4a5b351b29f3513097ac57643f291ff6d751400d8dbc69489
- b9157f6bff6a6ee6ba5932ebac2c8796836b21eb3c69df08fbeb102e9228ba15
- fcf1bbac7dae24b6e0357bee6e8e184dfd193ddf8b341feaa9a3d83265af8f0a
Malicious RPC Endpoints:
- hxxps://mainnet[.]helius-rpc[.]com/?api-key=8e0e9a34-2648-421a-8f22-6460b4a68705
- hxxps://mainnet[.]helius-rpc[.]com/?api-key=55065729-bda8-4cf8-87a1-7bd64cf22726
- hxxps://mainnet[.]helius-rpc[.]com/?api-key=db25ae76-7277-45ce-b21a-5be1a61f2f04