Rublevka Team: Anatomy of a Russian Crypto Drainer Operation
Executive Summary
Insikt Group has identified a major cybercriminal operation specializing in large-scale cryptocurrency theft, operating under the moniker “Rublevka Team”. Since its inception in 2023, the threat group has generated over $10 million through affiliate-driven wallet draining campaigns. Rublevka Team is an example of a “traffer team,” composed of a network of thousands of social engineering specialists tasked with directing victim traffic to malicious pages. Unlike traditional malware-based approaches such as those used by the traffer teams Marko Polo and CrazyEvil (previously identified by Insikt Group, both of which distributed infostealer malware), Rublevka Team deploys custom JavaScript scripts via spoofed landing pages that impersonate legitimate crypto services, tricking victims into connecting their wallets and authorizing fraudulent transactions. Their infrastructure is fully automated and scalable, offering affiliates access to Telegram bots, landing page generators, evasion features, and support for over 90 wallet types. By lowering the technical barrier to entry, Rublevka Team has built an extensive ecosystem of global affiliates capable of launching high-volume scams with minimal oversight.
This structure poses a growing threat to cryptocurrency platforms, fintech providers, and brands whose identities are being impersonated. Organizations that facilitate blockchain transactions, particularly fintech firms, exchanges, or wallet providers, face elevated reputational and legal risks if customers fall victim to these scams. Even if the victim’s compromise occurs outside a firm’s platform, failure to detect spoofed landing pages or fraudulent referrals can trigger consumer backlash, loss of trust, or regulatory scrutiny around customer protections and Know Your Customer (KYC) enforcement. The threat group’s agility — evidenced by its use of frequently rotating domains, targeting lower-cost chains like Solana (SOL), and exploiting Remote Procedure Call (RPC) APIs — undermines traditional fraud detection and domain takedown efforts. Their model mirrors ransomware-as-a-service (RaaS) operations, signaling a continuation of the broader shift toward scalable, service-based cybercrime that organizations must proactively monitor, disrupt, and defend against to protect customers and maintain trust.
Key Findings
- The objective of a Rublevka Team scam is to create an attractive SOL-based offer, such as a promotion or an airdrop event, generate traffic to the lure via social media or advertisements, and trick a user into connecting their wallet to the website and signing a transaction that drains their wallet.
- As of writing, Rublevka Team’s primary Telegram channel has approximately 7,000 members. Over 240,000 messages have been posted to Rublevka Team’s automated “profits” channel, indicating at least 240,000 successful wallet drains, with transactions ranging from $0.16 to over $20,000.
- Rublevka Team offers a custom JavaScript drainer embedded into their landing pages, which exfiltrates victims’ SOL assets by draining held tokens. The drainer is compatible with over 90 SOL wallet types.
- The threat group’s infrastructure is fully automated via Telegram bots, offering affiliates tools for landing page creation, campaign tracking, cloaking, and distributed denial-of-service (DDoS) protection.
- The drainer campaign, active since 2023, leverages spoofed versions of legitimate services such as Phantom, Bitget, and Jito to maximize user trust and conversion.
Background
Insikt Group has been monitoring Rublevka Team since August 2025, when we first encountered the threat group’s advertisement banner on Exploit Forum. The name “Rublevka Team” is likely a reference to the Rublevka neighborhood of Moscow, a prestigious and wealthy suburb largely populated by elite Russian businesspeople and government officials. Like other traffer teams previously reported by Insikt Group, such as Marko Polo and CrazyEvil, Rublevka Team is a “cryptoscam” team primarily operating on LolzTeam Forum, as well as maintaining a smaller presence on high-tier forums Exploit and XSS. However, in contrast to the traffer teams previously reported by Insikt Group, Rublevka Team does not rely on infostealer malware to target victims; instead, it operates a drainer script embedded in its landing pages to connect to victims’ cryptocurrency wallets and drain their funds.
Based on analysis by Insikt Group, Rublevka Team has been active since 2023, when it was first launched on LolzTeam Forum by the user “denisssss_inactive”. Based on an analysis of its reported profits within its private channel, Rublevka Team has a lifetime revenue of over $10 million USD as of the time of writing. The team’s tactics, techniques, and procedures (TTPs) have evolved since it began operations in 2023. Originally, the threat group operated fake cryptocurrency exchanges to convince users to connect their wallets and deposit funds, focusing on generating traffic through Instagram and, later, TikTok. In 2024, however, Rublevka Team fundamentally shifted its tactics to deploy a custom JavaScript-based cryptocurrency wallet drainer on its landing pages, which impersonated cryptocurrency token airdrops and giveaways. The threat group initially targeted The Open Network (TON), then shifted to SOL in spring 2025. Its latest campaign, which is ongoing as of writing, has generated the majority of its total revenue (approximately $8.2 million).
Rublevka Team Operations
Affiliate Recruitment
Rublevka Team’s latest post on LolzTeam Forum, which was published by denisssss_inactive on April 18, 2025, advertises Rublevka Team’s SOL drainer scam program. Since Rublevka Team’s original postings advertising its cryptocurrency exchange scams and TON token campaigns, the payout rates have shifted significantly in affiliates’ favor, with a starting percentage of 75% and 80% for “experienced users.” The increase in commission rates for starting affiliates may indicate a shift over time in the team’s monetization strategies based on the financial success the threat group has seen; it may now be more favorable to prioritize expanding the pool of workers rather than extracting maximum income from any individual affiliate.
The post also advertises a fully automated Telegram bot for conducting operations, a landing page generator, and free domains and hosting services with included cloaking features and distributed denial-of-service (DDoS) protections. The advertisement also describes the SOL drainer used on the landing pages, listing support for over 90 wallet types; draining capabilities for SOL, Solana Program Library (SPL) tokens (including SPL2022 extension tokens), non-fungible tokens (NFTs), and Native Stake; spoofing and bypass features for Phantom wallet; a drainer API; and over 35 ready-to-use landing pages integrated with the drainer.
The posts do not specify any hard requirements for prospective affiliates, who are instructed to apply for the team via the Telegram bot [@]RublevkaTeam_Bot. Applications are likely vetted by Rublevka Team’s leader, denisssss_inactive, or the administrative team (“Jesse Pinkman” and “Shell” at the time of writing).
Once an applicant is accepted to Rublevka Team, they are directed to join the following private channels:
- “[RublevkaTeam] Chat”: Closed group chat with messages dating back to May 2024, with 6,821 members as of writing
- “[RublevkaTeam] Profits”: Closed channel with messages dating back to June 2024, with 3,093 subscribers as of this writing
- “[RublevkaTeam] Info”: An informational channel posting updates to the drainer and affiliate program; the threat group also operates a Russian-language version of this channel, “[Rublevka Team] Инфо”
- “[RublevkaTeam] Landing pages”: Repository of screenshots of new landing pages used by Rublevka Team
- “RublevkaTeam_bot (@RublevkaTeam_Bot)”: Handles group applications and serves as an administrative panel for affiliate campaigns
- “Rublevka Utils (@RublevkaUtils_bot)”: Used for generating custom landing pages and video content for traffic generation
Manual Walkthrough
Rublevka Team hosts an informational manual for affiliates on the domain rublevkateam[.]cc. This manual outlines the procedures for working on the team, including how to use the Telegram bot, how to conduct cryptoscams, how to configure the drainer, and more.
The stated goal of the Rublevka Team scam is to create a “drainer-based offer” (usually a promotion, an airdrop notice, a KYC request, or other) and to attract traffic to the website. From the perspective of a victim (referred to as a “lead”), they will encounter the website, connect their cryptocurrency wallet to the website, and then receive an offer to perform a crypto transaction. Upon confirming and signing the transaction, all assets from the lead’s wallet are transferred to the website’s operator.
According to the manual, the team opted for SOL due to its fast transaction time and low fees, as well as its support for smart contracts, decentralized apps (dApps), and NFTs. The manual includes a table of popular wallets that support SOL and are compatible with the Rublevka drainer, which includes Solflare, Phantom, Backpack, Coinbase, Bitget, OKX, Metamask, and others.
Notably, configuration for an affiliate’s campaign is done within the [@]RublevkaTeam_bot, which is available in English, Russian, and Chinese, and in most cases requires no interaction with the support team. This provides affiliates with full control and visibility into their own campaigns.
Domains
Rublevka Team affiliates have three options when creating a domain for hosting a landing page:
- “Shared domain”: This type of domain is provided by Rublevka Team and is shared among multiple team members. This option is free of charge but has a higher chance of being blocked and comes with a preset list of names. With this option, a user chooses a custom subdomain, which is hosted under a shared apex domain managed by Rublevka Team and periodically rotated by administrators. Users on a shared domain have no control over the IP address of their website. This option has experienced continuous disruptions from December 2025 into 2026.
- “Private domain”: An affiliate provides a private domain, which they purchase and configure themselves. This option has minimal risk of being blocked and provides users with full control over their own hosting.
- “Self-host”: With this option, the affiliate can host the SOL drainer backend on a Rublevka Team-operated domain for free, with the intent that the affiliate invokes the script from their own privately hosted website.
Users can also choose to register subdomains of their private domain using the bot, with each subdomain functioning as a fully autonomous landing page.
Landing Pages
Once a domain is created, the affiliate can configure their landing page. Within the bot, the user has the option to create either a “regular” page, which includes a drainer, or a “white” page, which does not have a drainer and is used to evade abuse detection services. The white pages are used as part of the “Red Table Bypass” feature, designed to unblock a domain that has been blocked by Google by temporarily displaying a harmless web page. In both cases, the user has the option to choose from a wide selection of pre-created landing pages.
Alternatively, users can choose to generate their own landing page based on a template, which can be customized to a token of the user’s choice. They can also choose to “copy” an existing website by providing a URL to the bot; however, as of writing, this functionality appears to be broken.
In addition to generating landing pages, the Telegram bot also allows users to configure “cloaking settings” for their domains. Cloaking is a technique used by cybercriminals that involves presenting website content to a search engine in a way that differs from what the victim will see after navigating to the website. However, Rublevka Team uses the term to describe access restrictions for users from certain countries, IP addresses, internet service providers (ISPs), or virtual private network (VPN) or proxy users. Affiliates can also configure redirect logic and CAPTCHAs via Cloudflare to redirect victims to another landing page if the primary domain is blocked; they can also filter out bots to reduce the likelihood of the domain being blocked. The Telegram bot also supports configurations that allow only the user’s domain to open as a Telegram Mini App for Telegram-based traffic schemes, as well as the option to block specific “leads” (victims).
Drainer Logic and Configuration
Rublevka Team affiliates can configure the settings for the drainer to fit their specific needs. The drainer can display a custom fake transaction for receiving SOL or a fake token, based on the contents of an affiliate’s landing page, and can be configured to display a fake credit for each asset drain operation on the wallet. Affiliates can also set up minimum balance alerts to lure victims into buying additional SOL to use on their landing page.
The drainer has additional settings specifically for Phantom wallet, which the manual states is one of the most popular SOL wallets and can allow for a significant boost in “traffic conversion.” The drainer supports the following Phantom wallet “modes,” which are ways to connect with a user’s Phantom wallet to convince a user to sign a malicious drainer transaction:
- “Honeypot”: This mode relies on a fake incoming token or SOL receipt to prime the user before initiating a visible drain transaction. The drain is shown as an outgoing transfer, but Phantom does not flag it as risky. Fake receipts only render correctly for tokens installable through Phantom’s UI (not arbitrary custom tokens). A modal window falsely claims that the drained assets will be returned via a second transaction.
- “Honeypot2”: Honeypot2 expands on Honeypot by requiring two transactions. The user first sees a fake inbound transfer, then approves a follow-on transaction that performs the drain. When combined with Crasher, the second transaction may appear as a simulation error rather than a clear debit. As with Honeypot, a modal window falsely claims that a refund will follow.
- “Fake Return”: Unlike Honeypot, this mode does not simulate inbound funds; instead, it shows a straightforward outgoing transfer that appears legitimate. After a user signs the transaction, a modal window falsely claims that a second “return” transaction will refund the assets.
- “Crasher”: This is a stealth-focused drain designed to complete in one interaction with minimal user review. Phantom displays a generic warning commonly seen on legitimate sites, reducing suspicion through familiarity. There is no fake inbound activity or refund narrative. This mode is considered experimental and is replaced by Honeypot behavior on mobile devices.
- “Whitelist”: This mode is intended for domains explicitly whitelisted by Phantom, and is used in conjunction with other modes. When active on a whitelisted domain, it enables hidden draining and fake inbound token displays. If enabled on a non-whitelisted domain, Phantom blocks all draining activity, rendering the mode ineffective.
- “Warning”: Unlike other modes that suppress warnings, this mode intentionally displays a Phantom warning banner while concealing the drain mechanics, aiming to exploit warning fatigue in users. A modal window instructs the user to proceed despite the warning. Default warnings include:
  - “This dApp could be malicious”
  - “You are approving over 200 transactions”
- “Remove Phantom”: This mode restricts Phantom wallet use by hiding it from wallet selectors or blocking connection attempts.
The user can configure notifications in Telegram to notify them when a user visits their website, receives a withdrawal request, does not have funds, and more. Additionally, they can use the “Autosplit” feature, which will send any stolen funds directly to their private wallet, bypassing any intermediaries such as smart contracts or the shared Rublevka Team wallet, which is the default behavior. In this case, the profits are sent as they are, with each drained token being sent without conversion to the threat actor’s wallet.
Additionally, Rublevka Team provides an API (PiterAPI) stored in the piter variable within the JavaScript code to allow more advanced users to further customize drainer behavior. This API includes the following functions:
- “connect”: Opens the modal window to connect to a victim’s wallet
- “process”: Prompts the user to sign the transaction
- “onConnect”: Sets the function to be called when a user connects their wallet
- “getBalance,” “getAddress”: Gets victim wallet information
- “setToken”: Sets up context for a specific token to be drained, including the token account address, mint, victim address, price, amount, and whether it’s an SPL-2022 token
Landing Pages and Content
Through the Telegram bot, Rublevka Team provides affiliates with an extensive catalog of landing pages available for use in their campaigns. As of October 2025, Insikt Group identified 50 unique drainer landing pages and eleven “white” landing pages provided to affiliates. It is possible that additional landing pages have been added to the Telegram bot since then.
The drainer landing pages spoofed meme coin and stablecoin token airdrops, token mints, decentralized finance (DeFi) trading platforms, SOL staking services, and more. For the most part, the landing pages impersonate existing “legitimate” services, such as Axiom, Bitget, Photon, Jito, and Marinade. The landing pages also impersonate existing meme coin and social coin tokens for airdrops, including “Bonk,” “DogWifHat,” “Trump,” “Pengu,” and “Fartcoin.” The SOL-specific services pages typically reference SOL liquid staking, “burning” or “incineration,” faucets, airdrops, snipers, and multipliers. Generally, the landing pages included social media and informational links to the actual websites of the coins and services they were impersonating, likely to appear legitimate in a cursory check.
The landing page generator also included a panel for selecting a crypto wallet to connect to the malicious page, which prompts users to either connect an existing wallet or create a new one.
It is likely that these landing pages are used to lure victims to connect their wallet to the website, after which the embedded drainer script, index.js, will enumerate the wallet’s holdings, trick the user into signing a malicious transaction, and drain all held funds.
JavaScript Drainer Analysis
Based on Insikt Group’s analysis of the malicious landing pages, we identified that each page contained the file index.js (9c21d538c2a556f4a5b351b29f3513097ac57643f291ff6d751400d8dbc69489). This file is heavily obfuscated; Insikt Group assesses that the authors possibly used js-confuser, a free open-source JavaScript obfuscation tool with no available deobfuscator. However, Insikt Group was still able to identify strings of interest within the code, including indicators that may suggest parts of the script’s functionality.
The drainer includes the following URLs:
- hxxps://mainnet[.]helius-rpc[.]com/?api-key=
- hxxps://mainnet[.]helius-rpc[.]com/?api-key=8e0e9a34-2648-421a-8f22-6460b4a68705
- hxxps://mainnet[.]helius-rpc[.]com/?api-key=55065729-bda8-4cf8-87a1-7bd64cf22726
- hxxps://mainnet[.]helius-rpc[.]com/?api-key=db25ae76-7277-45ce-b21a-5be1a61f2f04
- hxxps://mainnet[.]helius-rpc[.]com/?api-key=44b7171f-7de7-4e68-9d08-eff1ef7529bd
- hxxps://mainnet[.]helius-rpc[.]com/?api-key=bfd713ef-c9a7-404f-804c-e682c2bd0d3b
- hxxps://mainnet[.]helius-rpc[.]com/?api-key=f30d6a96-5fa2-4318-b2da-0f6d1deb5c83
- hxxps://mainnet[.]helius-rpc[.]com/?api-key=3b5315ac-170e-4e0e-a60e-4ff5b444fbcf
- hxxps://rpc[.]walletconnect[.]org/v1/?chainId=solana%3A5eykt4UsFv8P8NJdTREpY1vzqKqZKvdp&projectId=730eede4c040eafa7a928a503b6cd650
- hxxps://solana-rpc[.]publicnode[.]com
- hxxps://wallet-api[.]solflare[.]com
These are likely authorization calls to the Solana remote procedure call (RPC) API endpoints provided by RPC platforms Helius and WalletConnect, as well as the free Solana RPC endpoint provided by PublicNode. These endpoints are likely used to conduct the malicious drainer transactions. Notably, the Helius and WalletConnect URLs include API keys, as both services require sign-up and have various service tiers. As such, these API keys likely belong to Rublevka Team developers. The Solflare endpoint is likely used to connect to a victim’s wallet for enumeration and draining. The strings also included the domain efficient-endpoint[.]site (discussed further in the Domains and Infrastructure section below).
The drainer code also includes the following strings (verbatim):
- Strings related to building SOL transactions and address tables, including:
  - “numSignerAccounts”
  - “programAddressIndex”
  - “lookupTableAddress”
  - “addressTableLookups”
  - “solana:101/nativeToken:501”
  - “solana:mainnet”
  - “standard:connect”
  - “solana:signTransaction”
  - “solana:signAllTransactions”
  - “solana:signMessage”
- Instructional and error messages related to wallet transactions:
  - “Transactions are reverted. Sign all transactions to verificate your account”
  - “Phantom is temporarily unsupported, please choose another wallet”
  - “You have an insufficient balance. Top-up your balance by at least {fee} SOL”
  - “This DApp would like to connect your wallet”
  - “You are allowing this DApp to”
  - “View wallet balance & activity”
  - “Request approval for transactions”
  - “Perform transactions without confirmation”
  - “\n\nWelcome to our DApp. Signing is the only way we can truly know that you are the owner of the wallet you are connecting. Signing is a safe, gas-less transaction that does not in any way give us permission to perform any transactions with your wallet.\n\nURI: https://”
  - “A wallet lets you store, send and receive digital assets like cryptocurrencies and NFTs.”
- Messages stating that the dApp can be trusted:
  - “This application hasn’t been reviewed by Phantom yet, but it is listed in trusted community-maintained safety databases. You can proceed with confidence — this app is recognized as safe.”
  - “This dApp uses a new, optimized transaction delivery method that is not yet displayed correctly in Phantom. You can proceed with confidence — this app is recognized as safe.”
  - “This dApp uses Abuse Protection to prevent misuse of platform. You’ll need to complete a quick verification of your transaction history. It’s completely safe and only takes a few seconds.”
- Strings related to Telegram integration:
  - “TelegramWebview”
  - “TelegramWebviewProxy”
  - “tgWebAppVersion”
  - “TelegramGameProxy”
  - “[Telegram.WebView] < receiveEvent”
- A catalog of supported wallets, including wallet display names, URI schemes, iOS and Android package identifiers, and deeplinks, including Arculus, Blockchain, Ledger, KuCoin, Atomic, CoinEx, Trezor, and others.
Insikt Group also identified approximately 160 unique strings within the drainer that resembled SOL addresses. Of these, approximately 30 corresponded to known addresses in the SOL ecosystem, including system programs and token mints. The remaining approximately 130 addresses do not have any official SOL affiliation and are likely private addresses linked to attacker infrastructure. These addresses are discussed further in the Cryptocurrency Addresses section below.
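The string families listed above can be turned into a static triage check for JavaScript served by a suspect landing page. The Python sketch below is an added example, not Insikt Group's tooling: the hash and indicator strings come from this report, while the family names, the verdict rule, and the sample scripts are constructed for illustration.

```python
import hashlib
import re

# SHA-256 of the analyzed index.js, as given in this report.
KNOWN_SHA256 = {"9c21d538c2a556f4a5b351b29f3513097ac57643f291ff6d751400d8dbc69489"}

# Indicator strings copied from the report; the family names are this example's own.
FAMILIES = {
    # Wallet Standard feature names: also present in legitimate Solana dApps.
    "wallet_standard": ["standard:connect", "solana:signTransaction",
                        "solana:signAllTransactions", "solana:signMessage"],
    # Telegram Mini App bridge names: also present in legitimate Mini Apps.
    "telegram_webview": ["TelegramWebviewProxy", "tgWebAppVersion", "TelegramGameProxy"],
    # Social-engineering text shown to the victim: the discriminating family.
    "lure_text": ["Sign all transactions to verificate your account",
                  "Phantom is temporarily unsupported, please choose another wallet",
                  "this app is recognized as safe"],
}

# RPC endpoints carrying a UUID-shaped api-key parameter, useful as pivot points.
KEYED_RPC = re.compile(
    r"https://[A-Za-z0-9.-]+/[^\s\"'<>]*?api-key="
    r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")


def triage(js_bytes):
    """Return hash, per-family string hits, keyed RPC URLs and a verdict."""
    digest = hashlib.sha256(js_bytes).hexdigest()
    text = js_bytes.decode("utf-8", errors="replace")
    hits = {name: [s for s in strings if s in text]
            for name, strings in FAMILIES.items()}
    if digest in KNOWN_SHA256:
        verdict = "known-sample"
    elif hits["lure_text"] and hits["wallet_standard"]:
        # Lure text next to wallet-signing features is the combination
        # the report describes; either family alone is not enough.
        verdict = "suspicious"
    elif any(hits.values()):
        verdict = "inconclusive"
    else:
        verdict = "no-indicators"
    return {"sha256": digest, "hits": hits,
            "keyed_rpc": sorted(set(KEYED_RPC.findall(text))),
            "verdict": verdict}


# Constructed samples (not real drainer code); host and key are placeholders.
SAMPLE_SUSPECT = (
    b'var f=["standard:connect","solana:signAllTransactions"];'
    b'var m="Transactions are reverted. Sign all transactions to verificate your account";'
    b'var r="https://rpc.example.invalid/?api-key=00000000-0000-0000-0000-000000000000";'
)
SAMPLE_BENIGN = b'const features=["standard:connect","solana:signTransaction"];'

if __name__ == "__main__":
    for name, blob in (("suspect", SAMPLE_SUSPECT), ("benign", SAMPLE_BENIGN)):
        print(name, triage(blob)["verdict"])
```

The wallet and Telegram families only add context to a lure-text hit, because ordinary Solana dApps and Telegram Mini Apps ship the same identifiers.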
Profits and Top Earners
Rublevka Team has tracked their profits in the closed Telegram channel “[RublevkaTeam] Profits” since at least June 2024. Each entry contains a user’s “Worker” name (sometimes hidden) and the profit from a single transaction in SOL (or TON, during their previous campaign) and USD. As of this writing, the channel has over 240,000 messages and approximately 3,000 subscribers. Insikt Group performed an analysis of the total sum of profits generated by affiliates since the channel’s inception, totaling approximately $10.9 million USD as of December 8, 2025. The sums for individual profit messages span from as little as $0.16 per transaction to upwards of $20,000.
According to the main chat channel, Rublevka Team has also operated a more private channel for “top earners” to receive “exclusive” information and landing pages. As of May 2025, the eligibility requirements for this channel are:
- Having no less than ten TON in profit (the team was targeting TON during this time)
- Being in the list of top 50 earners in the last ten days, which can be verified using a command in the [@]RublevkaTeam_bot
- Being active in the team for no less than fourteen days, including providing traffic, contributing to the chat channel, or communicating with members of the support team
- Having any Telegram username
Although a high number (approximately 14%) of “worker” names are hidden in the channel messages, Insikt Group was able to identify the top named earners in Rublevka Team based on the number of transactions posted to the channel, as well as based on the highest revenue per individual. The worker named “🇨🇦🇹🇷🇮🇷🇪🇪🇪🇺🇫🇮🇫🇷🇩🇪🇯🇵🇳🇱🇰🇷🇺🇸”, for example, has a total of 24,625 posts in the profits channel, the most of any individual user, and has grossed $292,033.85 USD during their time in Rublevka Team. Other top posters include “Zatecky Gus 🍎🩸🍎🩸🍎🩸🍎🩸🍎🩸🍎🩸🍎” (9,804 posts valued at $95,106.91), “🍎🦮💥💥💥💥💥💥💥💥💥💥💥💥👀” (8,165 posts valued at $76,228.84), and others.
The top earner per the profits channel is the user “hard working guy”; though there are only 799 transactions associated with this user, they are valued at over $1.3 million. Multiple users within the “[RublevkaTeam] Chat” channel expressed amazement at this user’s high profits, with several users asking “hard working guy” to message them for collaboration and speculating on what type of traffic “hard working guy” uses to generate such high profits per transaction. However, “hard working guy” is not active within the chat channel, and several users have cast doubt on whether this user exists, or if they are a fake user created by Rublevka Team administrators to motivate other affiliates to “work harder.” The user “think about it” is a close second to “hard working guy”, with 145 transactions valued at $1.04 million. The next top earner, “Mr. Zelensky” (no relation to the President of Ukraine), made only $325,662.67 with 195 transactions, indicating a significant gradation between these earning tiers. This likely demonstrates the differing approaches between individual affiliates of Rublevka Team, which involve either extracting small sums of money from individual victims over a prolonged period or draining large quantities in fewer transactions.
Domains and Infrastructure
Insikt Group collected a sample of domains associated with Rublevka Team based on the Telegram bot and channels linked to the threat group. Based on proprietary sources, it is evident that Rublevka Team is constantly changing and rotating their infrastructure, including the domains used to host their shared pages for affiliate use, as well as other staging infrastructure to host aspects of their drainer. Over the last year, shared Rublevka Team domains have included:
- open-sol[.]cc
- sol-galaxy[.]cc
- web-core[.]cc
- sol-hook[.]org
- sol-coin[.]xyz
Using open-source intelligence (OSINT) tools, Insikt Group identified approximately 70 unique subdomains historically associated with open-sol[.]cc, 400 associated with sol-hook[.]org, 300 associated with sol-galaxy[.]cc, 30 associated with web-core[.]cc, and 40 associated with sol-coin[.]xyz, as of writing. A cursory analysis of these domains’ hosting information showed that Rublevka Team primarily hides their shared infrastructure behind Cloudflare, with variation in registrars (using CNOBIN, Public Domain Registry, and an unspecified Hong Kong-based registrar). Notably, in November and December 2025, three of the domains (sol-galaxy[.]cc, web-core[.]cc, and sol-coin[.]xyz) migrated to IP address 158[.]94[.]208[.]165, registered to “Lanedonet Datacenter,” previously named “Metaspinner Net Gmbh.” Insikt Group recently identified Metaspinner net GmbH as a fraudulently registered hosting network that impersonated a legitimate German software company. Following RIPE NCC intervention, the network was re-registered under Lanedonet Datacenter. Insikt Group assessed with high confidence that Lanedonet Datacenter is operated by threat activity enabler (TAE) Virtualine Technologies.
Insikt Group also identified several domains used for Rublevka Team’s shared drainer backend hosting (“selfhost”) service: g-app-d[.]cc, fontmaxplugin[.]cc, and commontechrepo[.]cc. These domains are also behind Cloudflare and have obfuscated registration information. We identified approximately 60 unique subdomains under g-app-d[.]cc, approximately 20 under fontmaxplugin[.]cc, and approximately 40 under commontechrepo[.]cc, all of which followed the naming convention “[word1]-[word2].[domain].cc,” where “word1” and “word2” appeared to be randomly selected words. This is likely due to the specific domain generation algorithm (DGA) used by Rublevka Team to automatically spin up domains as they rotate them.
Insikt Group also identified the domain efficient-endpoint[.]site contained within the drainer file index.js. This domain was registered on September 24, 2025, and was hosted behind Cloudflare until December 12, 2025. After this date, the WHOIS record indicated it was registered via Namecheap to “Alexander Petrov,” with a physical address at 742 Evergreen Drive, Springfield, OR (likely fake), and the email address alex[.]petrov[.]domain[@]emailsecure[.]tech.
Insikt Group identified additional domains registered to this individual and email address, with over 900 registered since April 2025. These subdomains have followed several DGA patterns since first being registered, including “[word 1]-[word 2]-[word 3]” and “[word 1][word 2][word 3]” (where each word is themed around decentralized finance and technology), “[word 1][word 2]”, and “[word 1]-[word 2]”. They used the top-level domains .xyz, .online, .site, .store, .space, and .com.
The first website observed in OSINT sources registered to the email address alex[.]petrov[.]domain[@]emailsecure[.]tech is burn-shard-bridge[.]xyz, first observed on April 15, 2025. Around this time, the website displayed a “Connect Wallet” window similar to that observed in the Rublevka Team landing page generator, and an analysis of calls made by the website included /piter/visit and /piter/fetch, matching the name of the “Piter” drainer API described in Rublevka Team’s manual. We identified the following five additional domains that shared similar features and were registered to the same email address:
- public-proof[.]online
- private-peer[.]store
- highperformance-kit[.]online
- instant-automated-matrix[.]website
- highperformance-shard[.]online
All of these websites demonstrated similar behavior, including displaying the same “Connect Wallet” window, calls to the PiterAPI function openModal(), and references to a JavaScript file that is highly similar to the drainer analyzed by Insikt Group. Hashes for the JavaScript drainer files observed on these websites are included in Appendix A.
We assess that the domains registered to Alexander Petrov are possibly automatically generated infrastructure for use by Rublevka Team to host backend functions of their drainer operation, where the high volume of the domains is likely intended to enable the threat group to frequently rotate their infrastructure.
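A hunting sketch for proxy logs built on the infrastructure traits described in this section, added here as an example and not taken from Insikt Group's tooling. The domains and the /piter/ paths come from this report; the log line layout, the reason labels, and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit


def refang(indicator):
    """Turn the report's defanged notation back into a matchable hostname."""
    return indicator.replace("[.]", ".")


# Apex domains as listed in the report (kept defanged in source).
SHARED_APEX = [refang(d) for d in (
    "open-sol[.]cc", "sol-galaxy[.]cc", "web-core[.]cc",
    "sol-hook[.]org", "sol-coin[.]xyz")]
SELFHOST_APEX = [refang(d) for d in (
    "g-app-d[.]cc", "fontmaxplugin[.]cc", "commontechrepo[.]cc")]
EMBEDDED = [refang("efficient-endpoint[.]site")]

# Backend calls the report observed: /piter/visit and /piter/fetch.
PITER_PATH = re.compile(r"(?:^|/)piter/(?:visit|fetch)(?:/|$)")
# Selfhost naming convention from the report: [word1]-[word2].[domain].cc
TWO_WORD = re.compile(r"[a-z]+-[a-z]+")


def under(host, apexes):
    """Label-aware suffix match, so 'notopen-sol.cc' does not match 'open-sol.cc'."""
    for apex in apexes:
        if host == apex or host.endswith("." + apex):
            return apex
    return None


def classify(url):
    """Return the list of reasons a requested URL matches the report's traits."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    reasons = []
    if under(host, SHARED_APEX):
        reasons.append("shared-domain")
    apex = under(host, SELFHOST_APEX)
    if apex:
        label = host[: -len(apex)].rstrip(".")
        reasons.append("selfhost-two-word" if TWO_WORD.fullmatch(label)
                       else "selfhost-domain")
    if under(host, EMBEDDED):
        reasons.append("drainer-embedded-domain")
    # The path check is host-independent, so it survives domain rotation.
    if PITER_PATH.search(parts.path):
        reasons.append("piter-api-path")
    return reasons


def hunt(lines):
    """Parse 'timestamp client method url' lines (assumed layout) and keep hits."""
    hits = []
    for line in lines:
        fields = line.split(maxsplit=3)
        if len(fields) != 4:
            continue  # skip malformed lines instead of failing the whole run
        ts, client, _method, url = fields
        reasons = classify(url)
        if reasons:
            hits.append({"ts": ts, "client": client, "url": url, "reasons": reasons})
    return hits


# Constructed log lines; subdomain labels and client addresses are invented.
SAMPLE_LOG = [
    "2025-12-01T10:00:01Z 10.0.0.5 GET https://silver-harbor." + SELFHOST_APEX[0] + "/index.js",
    "2025-12-01T10:00:02Z 10.0.0.5 POST https://rotated.example.invalid/piter/visit",
    "2025-12-01T10:00:03Z 10.0.0.7 GET https://claim." + SHARED_APEX[3] + "/",
    "2025-12-01T10:00:04Z 10.0.0.8 GET https://not" + SHARED_APEX[0] + "/",
    "2025-12-01T10:00:05Z 10.0.0.9 GET https://docs.example.invalid/piter/guide",
    "malformed line",
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(hit["client"], hit["reasons"], hit["url"])
```

Because the shared domains are rotated frequently, the apex lists age quickly; the path-based reason is the one most likely to keep matching new infrastructure.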
Cryptocurrency Addresses
Insikt Group identified a set of cryptocurrency addresses connected to Rublevka Team operations. Approximately 160 unique strings resembling SOL addresses were extracted from the JavaScript drainer attached to the team’s malicious landing pages, and several others were obtained by tracing transactions within affiliate screenshots showing proof of their payouts on forums and the “[RublevkaTeam] Chat” Telegram channel. We focused on the following addresses for further analysis:
- EAsyxEjYKbDSVi6JbGYF1v9Jq1QyTSghRc8aqCeq7Ub3 (“Address A”, Transaction History)
- EkaGjTVHDiRTYqSiup6TQs2QXfqSnEcrWN61dC8UVK21 (“Address B”, Transaction History)
- CRnuwdpi3HGvFU5gGnvZAA9rV7AWe12v3sap8H3vXFY4 (“Address C”, Transaction History)
- DD6vCVa4NEYRKA7K93rYZSKuY7REydFbqB3rog149ySx (“Address D”, Transaction History)
- 8e8kiGgEMCxYYx2vuSf2iPo859QjE7ojkY6yGWDez9pW (“Address E”, Transaction History)
- 4Ri6Rd7zN6M6H8jF3vPc6MqnmFioVcPaizZt3crLVGXd (“Address F”, Transaction History)
Insikt Group identified seventeen references to the above addresses in the Recorded Future Platform, all of which involved posts from users on social media and Telegram stating that those addresses had stolen crypto assets from them, with the earliest post dated July 10, 2025. One such post specifically named pumptoken[.]net as the phishing website that had initiated the transaction; via further historical analysis, Insikt Group identified a JavaScript file linked to this website (b9157f6bff6a6ee6ba5932ebac2c8796836b21eb3c69df08fbeb102e9228ba15) that had a high degree of similarity with the drainer file analyzed above, including the same obfuscation technique and overlap in listed addresses. We assess that these users were likely victims of Rublevka Team.
Both Address A and Address B were contained in the JavaScript drainer code as base64-encoded strings, indicating an attempt by the threat actor to further obfuscate these specific addresses, while all others were available in plaintext. Based on SOL blockchain data, Address A is listed as the “owner” for 31 of the identified addresses within the drainer JavaScript file, corresponding to its Associated Token Accounts (ATAs). As such, these ATAs are almost certainly used as part of the drainer logic. Additionally, the address appeared to be making a high number of conversions to wrapped SOL (wSOL), potentially to use on or swap to compatible blockchains. Insikt Group observed that in fall 2025, Address A followed a pattern of transferring large amounts in and out on the same day, with $50,000 to $80,000 moving through the wallet each day over a several-week period. On October 6, 2025, approximately $1.2 million worth of assets were transferred in and out of the address. This pattern suggests that the wallet was likely used by Rublevka Team as a conduit for transferring and laundering stolen funds before cashing them out. Based on SOL blockchain data, the address first came into use in September 2025.
Insikt Group also identified an account associated with Address A on pump[.]fun, a platform for users to launch their own meme coins. This account holds low balances in over 600 tokens and was first funded by a transaction from Fixed Float Exchange on September 22, 2025.
The account associated with Address B currently holds over 100 tokens and is associated with a high volume of token swap activity. Notably, Address B’s first funder is Address C, which was mentioned in several social media posts as a malicious wallet between July and August 2025. It was also mentioned in a Reddit thread from August 2025, where users discussed having their funds stolen. One user stated that they were signing up for Axiom and connected their Phantom wallet to the service website, and once they authenticated, the service took $50 worth of SOL from their wallet and transferred it to Address C. Based on the wallet address and TTPs (using an Axiom-themed landing page and Phantom wallet), we assess that this individual was likely another victim of Rublevka Team.
Insikt Group identified Addresses D and E in several affiliate reviews of Rublevka Team, namely in posts showing proof of funds disbursement to their personal wallets from those addresses. These addresses also appeared in screenshots of the [@]RublevkaTeam_bot “profits” notifications, posted by individual affiliates to the chat channel, many of which did not obfuscate the victim wallet ID, allowing Insikt Group to trace the transaction. Several of these transactions were made directly to Addresses D and E. Based on this, we assess that these are likely two of the “shared” Rublevka addresses used to collect stolen assets and then disburse affiliates’ cuts. We also note that Address E is the first funder of Address D.
In addition to the above, Insikt Group identified 28 abuse reports for SOL addresses contained in the drainer file (including Addresses A to E) within other open sources, made between April and October 2025. Users reported a variety of scams in which these addresses drained their funds. These scams involved web pages shared on Telegram, social media, and crypto investment advice groups that prompted users to connect their wallets and sign transactions, resulting in the loss of all their funds. The TTPs and timeframe described in these reports match those associated with Rublevka Team, and we assess that these reports were highly likely made by Rublevka Team victims. Notably, in at least one report, users reported that in addition to their wallet funds being drained, they experienced a breach of their personal data and accounts; this may indicate that some Rublevka Team affiliates possibly conduct additional follow-on activity as part of their scams, such as credential theft. For a full list of the domains and malicious social media accounts listed in these reports, see Appendix C.
A complete list of SOL addresses extracted from the drainer script can be found in Appendix D; this section excludes addresses corresponding to SOL system programs and official token mints.
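The extraction step described in this section, pulling SOL-address-like strings from a drainer script in both plaintext and base64-encoded form, can be sketched as follows. This is an added example, not Insikt Group's tooling; it assumes the base64 values wrap the ASCII base58 string, and the sample script and function names are constructed for illustration (Addresses A and C are taken from the report).

```python
import base64
import re

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
PLAIN_RE = re.compile(
    r"(?<![A-Za-z0-9+/])[1-9A-HJ-NP-Za-km-z]{32,44}(?![A-Za-z0-9+/=])")
B64_RE = re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{43,}={0,2}")
# Well-known program IDs to drop; only the System Program is listed here.
KNOWN_PROGRAMS = {"1" * 32}

ADDR_A = "EAsyxEjYKbDSVi6JbGYF1v9Jq1QyTSghRc8aqCeq7Ub3"  # Address A (report)
ADDR_C = "CRnuwdpi3HGvFU5gGnvZAA9rV7AWe12v3sap8H3vXFY4"  # Address C (report)
# Constructed sample script, not drainer code: one base64-wrapped address,
# one plaintext address, one system program ID.
SAMPLE_JS = 'const owner = atob("%s");\nconst sink = "%s";\nconst sys = "%s";' % (
    base64.b64encode(ADDR_A.encode()).decode(), ADDR_C, "1" * 32)


def b58decode(s):
    """Decode base58; each leading '1' is one leading zero byte."""
    n = 0
    for ch in s:
        n = n * 58 + B58.index(ch)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return b"\x00" * (len(s) - len(s.lstrip("1"))) + body


def is_pubkey(s):
    """True when s is base58 text that decodes to a 32-byte public key."""
    return bool(PLAIN_RE.fullmatch(s)) and len(b58decode(s)) == 32


def extract_addresses(js):
    """Map each candidate address to how it was stored in the script."""
    found = {}
    for m in PLAIN_RE.finditer(js):
        if is_pubkey(m.group()):
            found[m.group()] = "plaintext"
    for m in B64_RE.finditer(js):
        try:
            text = base64.b64decode(m.group(), validate=True).decode("ascii")
        except ValueError:  # covers bad base64 and non-ASCII payloads
            continue
        if is_pubkey(text):
            found.setdefault(text, "base64")
    return {a: how for a, how in found.items() if a not in KNOWN_PROGRAMS}


if __name__ == "__main__":
    for addr, how in extract_addresses(SAMPLE_JS).items():
        print(how, addr)
```

The 32-byte length check removes most base58-looking noise, but it does not prove a string is a funded account; candidates still need to be checked against chain data.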
Outlook
Rublevka Team represents the maturation of cybercrime-as-a-service within the cryptocurrency threat landscape, signaling that sophisticated social engineering and scalable infrastructure now rival malware as the primary tool set for digital asset theft. As this affiliate-driven drainer ecosystem continues to expand, we expect similar models to proliferate across other blockchain ecosystems and decentralized platforms, particularly those with low transaction fees and fast settlement times, such as SOL. The low barrier to entry, combined with high financial incentives, will continue to attract a global pool of cybercriminals, accelerating the volume, complexity, and geographic diversity of crypto-targeted scams in the near term.
Looking ahead, brand impersonation campaigns tied to crypto drainers will become a strategic reputational risk for exchanges, Web3 platforms, and fintech providers. The effectiveness of these spoofing campaigns, especially those that mimic legitimate token airdrops or DeFi services, will continue to erode user trust in the broader crypto ecosystem. As threat actors like Rublevka Team improve their social engineering tactics, abuse of RPC APIs, and cloaking techniques to bypass detection, more platforms will likely come under regulatory pressure to implement proactive monitoring, takedown partnerships, and user verification mechanisms to mitigate liability.
Appendix A: Indicators of Compromise
Domains:
Email Addresses:
alex.petrov.domain[@]emailsecure[.]tech
IP Addresses:
158[.]94[.]208[.]165
File Hashes:
URLs:
Appendix B: MITRE ATT&CK Techniques
Appendix C: Domains Included in Scam Reports for Rublevka-Affiliated Cryptocurrency Addresses
Domains:
Social media channels:
t[.]me/crypto_arbitrage_signal
t[.]me/solanadropper_bot/getrewardsol
x[.]com/Alien2Solana
Appendix D: Unattributed Cryptocurrency Addresses Contained in Rublevka Team SOL Drainer