A sophisticated Russian cybercrime syndicate has stolen over $10 million in cryptocurrency since 2023, leveraging a highly automated “scam-as-a-service” platform to drain victims’ wallets. A new analysis by Insikt Group exposes the inner workings of the Rublevka Team, a threat group that has popularized digital theft by offering low-skill affiliates a turnkey solution for looting Solana (SOL) and other assets.
Named after the wealthy Moscow suburb of Rublevka, the group operates not as hackers in the traditional sense, but as “traffers”—social engineering specialists who drive traffic to malicious landing pages.
What sets Rublevka Team apart is the sheer scale and automation of its operation. It functions like a legitimate software-as-a-service (SaaS) company, but for fraud.
“Rublevka Team offers affiliates turnkey tooling, including Telegram bots, landing page generators, cloaking features, and automated payout infrastructure, enabling low-skill threat actors to launch high-volume scams,” the report explains.

Affiliates don’t need to know how to code. They simply use a Telegram bot to generate a fake landing page—often impersonating trusted brands like Phantom, Jito, or Bitget—and then spread the link via social media or ads. The bot even provides “cloaking” to hide the malicious nature of the site from security scanners.
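The cloaking mentioned above is what makes a single scan of an affiliate's landing page unreliable: a scanner gets a harmless decoy while a real visitor gets the wallet-connect page. The example below is added here and is not Rublevka Team's tooling or code from the Insikt Group report. It models a cloaked server with assumed, typical heuristics (scanner keywords in the User-Agent, a datacenter IP range, a missing referrer) and then runs the check an analyst actually wants: fetch the same URL under several client profiles and compare the bodies. The IP ranges and HTML are constructed, and the `fetch` callable stands in for an HTTP request routed through a chosen egress proxy.

```python
"""Differential check for a cloaked phishing landing page (added example).

The cloaking rules, IP ranges and page bodies below are constructed
assumptions, not the group's actual logic. In real use `fetch` would issue
an HTTP GET through a proxy with the given egress IP and return the body.
"""
import hashlib
import ipaddress
from typing import Callable, Dict, Tuple

# Assumed heuristics a cloaker might use to spot automated analysis.
SCANNER_UA_HINTS = ("bot", "crawler", "urlscan", "virustotal", "python-requests", "curl", "headless")
DATACENTER_NETS = [ipaddress.ip_network("203.0.113.0/24")]  # constructed: TEST-NET-3 stands in for a hosting ASN

DECOY_HTML = "<html><body><h1>Solana Developer Docs</h1><p>Welcome.</p></body></html>"
PHISH_HTML = "<html><body><h1>Claim your airdrop</h1><button id='connect'>Connect Phantom</button></body></html>"


def cloaked_server(headers: Dict[str, str], client_ip: str) -> str:
    """Constructed model of a cloaked landing page: decoy for scanners, phish for targets."""
    ua = headers.get("User-Agent", "").lower()
    ip = ipaddress.ip_address(client_ip)
    looks_like_scanner = (
        any(hint in ua for hint in SCANNER_UA_HINTS)
        or any(ip in net for net in DATACENTER_NETS)
        or headers.get("Referer", "") == ""  # paid ad traffic always arrives with a referrer
    )
    return DECOY_HTML if looks_like_scanner else PHISH_HTML


# Client profiles to fetch under: (headers, egress IP). 198.51.100.0/24 plays a residential range.
PROFILES: Dict[str, Tuple[Dict[str, str], str]] = {
    "scanner_default": ({"User-Agent": "python-requests/2.31"}, "203.0.113.10"),
    "browser_datacenter": (
        {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0", "Referer": "https://x.com/"},
        "203.0.113.10",
    ),
    "browser_residential": (
        {"User-Agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) Mobile Safari/604.1",
         "Referer": "https://x.com/"},
        "198.51.100.23",
    ),
}


def detect_cloaking(fetch: Callable[[Dict[str, str], str], str], profiles=PROFILES) -> dict:
    """Fetch once per profile; differing bodies for the same URL indicate cloaking."""
    bodies = {name: fetch(headers, ip) for name, (headers, ip) in profiles.items()}
    digests = {name: hashlib.sha256(body.encode()).hexdigest()[:12] for name, body in bodies.items()}
    wallet_prompt = [name for name, body in bodies.items() if "Connect Phantom" in body]
    return {
        "cloaked": len(set(digests.values())) > 1,
        "digests": digests,
        "profiles_served_phish": wallet_prompt,  # which vantage points saw the real payload
    }


if __name__ == "__main__":
    print(detect_cloaking(cloaked_server))
```

The point of the three profiles is that user agent alone is not enough: the second profile has a browser User-Agent and a referrer but still gets the decoy because it egresses from a hosting range, which is why the residential vantage point is the one that matters.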
While the group initially targeted The Open Network (TON), it pivoted hard to Solana in spring 2025. This strategic shift has paid off immensely.
“The threat group initially targeted The Open Network (TON), then shifted to SOL in spring 2025. Its latest campaign… has generated the majority of its total revenue (approximately $8.2 million),” Insikt Group notes.
The drainer script itself has broad reach, and it tricks users into signing malicious transactions by promising airdrops or rewards. “The drainer is compatible with over 90 SOL wallet types,” the report notes, including major providers like Phantom and Solflare.
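A drainer does not need the victim's private key; it needs the victim to sign a transaction message whose instructions move assets out. The defence a wallet (or an analyst replaying a captured signing request) can apply is to decode the message and list every outbound transfer or delegation before anything is signed. The following is an added example and not code from the report, Rublevka Team, or any wallet vendor. It parses the Solana legacy (non-versioned) message format, decodes System Program transfers and SPL Token Transfer/Approve instructions, and flags those whose source or authority is the user's own key. The `build_drain_message` helper constructs a sample "airdrop claim" message; the keys, amounts and the zeroed recent blockhash are constructed placeholders.

```python
"""Pre-signing inspection of a Solana legacy transaction message (added example).

Assumptions: legacy message layout (3-byte header, compact-u16 arrays,
32-byte keys); only System transfers and SPL Token Transfer/Approve are
decoded. Keys and amounts in the sample message are constructed.
"""
import struct

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def base58_decode(s: str) -> bytes:
    """Decode a base58 string (Solana pubkey encoding); each leading '1' is a zero byte."""
    n = 0
    for ch in s:
        n = n * 58 + B58_ALPHABET.index(ch)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    leading_ones = len(s) - len(s.lstrip("1"))
    return b"\x00" * leading_ones + body


SYSTEM_PROGRAM = base58_decode("11111111111111111111111111111111")
TOKEN_PROGRAM = base58_decode("TokenkegQfeZyiNwAJbNbGKPFXCWuBvf9Ss623VQ5DA")
# SPL Token instruction tag -> (label, index of the authority account that must sign).
TOKEN_AUTHORITY_INDEX = {3: ("token_transfer", 2), 4: ("token_approve", 2)}


def encode_compact_u16(n: int) -> bytes:
    """Solana compact-u16: 7 bits per byte, high bit set means more bytes follow."""
    out = bytearray()
    while True:
        low, n = n & 0x7F, n >> 7
        out.append(low | 0x80 if n else low)
        if not n:
            return bytes(out)


def read_compact_u16(buf: bytes, pos: int):
    value = shift = 0
    while True:
        b, pos = buf[pos], pos + 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, pos
        shift += 7


def parse_message(msg: bytes) -> dict:
    """Decode header, account keys, recent blockhash and compiled instructions."""
    pos = 3  # header: num_required_signatures, num_readonly_signed, num_readonly_unsigned
    n_keys, pos = read_compact_u16(msg, pos)
    keys = [msg[pos + 32 * i: pos + 32 * (i + 1)] for i in range(n_keys)]
    pos += 32 * n_keys
    blockhash, pos = msg[pos:pos + 32], pos + 32
    n_ix, pos = read_compact_u16(msg, pos)
    instructions = []
    for _ in range(n_ix):
        prog_idx, pos = msg[pos], pos + 1
        n_acc, pos = read_compact_u16(msg, pos)
        acc_idx, pos = list(msg[pos:pos + n_acc]), pos + n_acc
        dlen, pos = read_compact_u16(msg, pos)
        data, pos = msg[pos:pos + dlen], pos + dlen
        instructions.append({"program": keys[prog_idx], "accounts": [keys[i] for i in acc_idx], "data": data})
    return {"signers": keys[:msg[0]], "blockhash": blockhash, "instructions": instructions}


def find_drain_risks(msg: bytes, owner: bytes) -> list:
    """List every instruction that moves or delegates `owner`'s assets to someone else."""
    risks = []
    for ix in parse_message(msg)["instructions"]:
        prog, acc, data = ix["program"], ix["accounts"], ix["data"]
        # SystemProgram::Transfer: data = u32 LE index 2 + u64 LE lamports; accounts [from, to]
        if prog == SYSTEM_PROGRAM and len(data) >= 12 and struct.unpack_from("<I", data)[0] == 2:
            if acc[0] == owner:
                risks.append({"kind": "sol_transfer_out", "amount": struct.unpack_from("<Q", data, 4)[0], "to": acc[1]})
        # SPL Token Transfer(3)/Approve(4): data = u8 tag + u64 LE amount; accounts [source, dest|delegate, authority]
        elif prog == TOKEN_PROGRAM and len(data) >= 9 and data[0] in TOKEN_AUTHORITY_INDEX:
            kind, auth = TOKEN_AUTHORITY_INDEX[data[0]]
            if len(acc) > auth and acc[auth] == owner:
                risks.append({"kind": kind, "amount": struct.unpack_from("<Q", data, 1)[0], "to": acc[1]})
    return risks


# Constructed sample keys (not real accounts).
OWNER, TOKEN_ACCOUNT, ATTACKER = b"\x01" * 32, b"\x03" * 32, b"\x02" * 32


def build_drain_message(owner: bytes, token_account: bytes, attacker: bytes, lamports: int, token_amount: int) -> bytes:
    """Constructed message of the kind an 'airdrop claim' drainer asks the victim to sign."""
    keys = [owner, token_account, attacker, TOKEN_PROGRAM, SYSTEM_PROGRAM]
    header = bytes([1, 0, 2])  # one signer (owner), no read-only signers, two read-only programs
    sol_ix = bytes([4]) + encode_compact_u16(2) + bytes([0, 2]) + encode_compact_u16(12) + struct.pack("<IQ", 2, lamports)
    tok_ix = bytes([3]) + encode_compact_u16(3) + bytes([1, 2, 0]) + encode_compact_u16(9) + bytes([4]) + struct.pack("<Q", token_amount)
    return header + encode_compact_u16(len(keys)) + b"".join(keys) + bytes(32) + encode_compact_u16(2) + sol_ix + tok_ix


def example_risks() -> list:
    """Nearly the whole SOL balance out plus an unlimited token delegation to the attacker."""
    return find_drain_risks(build_drain_message(OWNER, TOKEN_ACCOUNT, ATTACKER, 1_990_000_000, 2**64 - 1), OWNER)


if __name__ == "__main__":
    for risk in example_risks():
        print(risk["kind"], risk["amount"], risk["to"].hex())
```

Note the second flagged instruction: an Approve with an unbounded amount moves nothing at signing time, so a wallet that only previews balance changes shows nothing, yet it lets the delegate empty the token account later. Both findings should be surfaced to the user as plainly as the "airdrop" the page promises.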
The operation is incredibly lucrative for its top affiliates. The group tracks profits in a private Telegram channel, creating a leaderboard of theft.
One user, ominously named “hard working guy,” sits near the top of the pile. “The top earner per the profits channel is the user ‘hard working guy’… valued at over $1.3 million,” the report reveals.
However, there is suspicion among the ranks. Some affiliates believe “hard working guy” might be a fabrication by the admins to motivate others to work harder. Real or not, the second-place earner, “think about it,” has also cleared over $1 million.
The Rublevka Team model represents a “maturation of cybercrime-as-a-service.” By lowering the barrier to entry, they have created a global army of scammers who can launch attacks with minimal oversight.
As the report concludes, “Their model mirrors ransomware-as-a-service (RaaS) operations, signaling a continuation of the broader shift toward scalable, service-based cybercrime.”
For crypto users, the lesson is stark: if a deal looks too good to be true—especially on a Solana airdrop site—it’s likely a Rublevka trap.