Russian crypto criminals caught behind Solana and TON draining campaigns


Security researchers have identified another Russia-linked crypto crime organization that is said to be behind more than $10 million worth of cryptoasset thefts.

After monitoring the Rublevka Team organization since August 2025, researchers at Recorded Future’s Insikt Group found that this crypto-focused cybercrime-as-a-service group, operational since 2023, contributed to at least 240,000 cryptoasset wallet drains, worth up to $20,000 per transaction.

According to Insikt, the criminal group is an example of a "traffer team," composed of a network of thousands of social engineering specialists tasked with directing victim traffic to malicious pages.


Initially, these criminals targeted the TON blockchain ecosystem, supported by the company behind the Telegram messenger, before moving on to the Solana (SOL) blockchain in the spring of 2025. This ongoing campaign resulted in the biggest losses, as Solana's ecosystem users lost around $8.2 million.

The researchers found that, after tricking a victim into connecting their cryptoasset wallet to a fraudulent website, the threat actors prompt the victim to approve a transaction that drains all funds from the wallet.


Rublevka Team offers tools and guidance for wannabe criminals that help spoof landing pages that impersonate legitimate cryptoasset services, airdrops, and giveaways, tricking victims into connecting their wallets and authorizing fraudulent transactions.

According to the researchers, since inception, the payout rates have increased significantly, starting from 75–80% for "experienced users." At least two of the "workers" have stolen more than $1 million worth of cryptoassets, per Insikt's data.

[Table: Rublevka Team top earners (June 2024 - December 2025). Source: Recorded Future]

"Their infrastructure is fully automated and scalable, offering affiliates access to Telegram bots, landing page generators, evasion features, and support for over 90 wallet types," Insikt Group said, naming services such as Phantom, Backpack, Coinbase, Bitget, OKX, Metamask, Axiom, Photon, Jito, and Marinade among those being impersonated.
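The landing pages described above combine an impersonated brand name with an airdrop or giveaway lure. The following Python script is an added example (not from the article or from Recorded Future) of a simple triage pass over constructed web-proxy log lines that flags URLs matching that pattern; the allowlist of the brands' own domains is an assumption and should be maintained from a vetted source.

```python
import re
from urllib.parse import urlsplit

# Brands Insikt names as impersonated by Rublevka Team landing pages (from the article).
IMPERSONATED_BRANDS = ["phantom", "backpack", "coinbase", "bitget", "okx",
                       "metamask", "axiom", "photon", "jito", "marinade"]
# Lure themes the article describes: airdrops, giveaways, "connect your wallet".
LURE_WORDS = ["airdrop", "giveaway", "claim", "reward", "connect", "wallet"]
# Assumed allowlist of the brands' own registrable domains; maintain from a vetted source.
KNOWN_GOOD = {"phantom.app", "metamask.io", "coinbase.com", "okx.com", "bitget.com"}

def registrable_domain(host: str) -> str:
    """Last two labels (simplification: no public-suffix list)."""
    return ".".join(host.split(".")[-2:])

def score_url(url: str) -> tuple[int, list[str]]:
    """Score a URL for the brand-impersonation + lure pattern; higher is more suspicious."""
    parts = urlsplit(url if "://" in url else "https://" + url)
    host = (parts.hostname or "").lower().rstrip(".")
    if registrable_domain(host) in KNOWN_GOOD:
        return 0, []                       # the brand's own domain, not a lookalike
    flat_host = re.sub(r"[-.]", "", host)  # phantom-airdrop.claim.xyz -> phantomairdropclaimxyz
    brands = [b for b in IMPERSONATED_BRANDS if b in flat_host]
    lures = [w for w in LURE_WORDS if w in flat_host + parts.path.lower()]
    score = (2 if brands else 0) + min(len(lures), 2)
    reasons = [f"brand:{b}" for b in brands] + [f"lure:{w}" for w in lures]
    return score, reasons

# Constructed proxy log lines (timestamp user url); not real traffic.
SAMPLE_LOG = """\
2025-10-01T09:12:03Z alice https://phantom.app/
2025-10-01T09:14:41Z bob https://phantom-airdrop-claim.example-lure.xyz/connect
2025-10-01T09:15:10Z carol https://jito-giveaway.example-lure.top/
2025-10-01T09:16:55Z dave https://docs.example.org/manual
"""

def triage_log(text: str, threshold: int = 2) -> list[dict]:
    """Return the log entries whose URL scores at or above the threshold."""
    hits = []
    for line in text.splitlines():
        ts, user, url = line.split(maxsplit=2)
        score, reasons = score_url(url)
        if score >= threshold:
            hits.append({"ts": ts, "user": user, "url": url, "score": score, "reasons": reasons})
    return hits

if __name__ == "__main__":
    for hit in triage_log(SAMPLE_LOG):
        print(hit["user"], hit["score"], hit["url"], ", ".join(hit["reasons"]))
```

Short brand names such as "okx" or "axiom" will match inside unrelated words, so treat the score as a triage hint to be confirmed against the page content, not as a verdict.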



What's more, as of October 2025, the Insikt Group identified 50 unique drainer landing pages and eleven "white" landing pages provided to affiliates.

"As this affiliate-driven drainer ecosystem continues to expand, we expect similar models to proliferate across other blockchain ecosystems and decentralized platforms, particularly those with low transaction fees and fast settlement times, such as SOL," Insikt Group concluded, adding that brand impersonation campaigns are a reputational risk for cryptoasset firms.
