
The drainer campaign, active since 2023, leverages spoofed versions of legitimate services such as Phantom, Bitget, and Jito to maximize user trust and conversion.
Insikt Group has been monitoring Rublevka Team since August 2025, when we first encountered the threat group’s advertisement banner on Exploit Forum. The name “Rublevka Team” is likely a reference to the Rublevka neighborhood of Moscow, a prestigious and wealthy suburb largely populated by elite Russian businesspeople and government officials. Like other traffer teams previously reported by Insikt Group, such as Marko Polo and Crazy Evil, Rublevka Team is a “cryptoscam” team that operates primarily on LolzTeam Forum while maintaining a smaller presence on the high-tier forums Exploit and XSS. Unlike those earlier teams, however, Rublevka Team does not rely on infostealer malware to target victims; instead, it embeds a drainer script in its landing pages that connects to victims’ cryptocurrency wallets and drains their funds.
Insikt Group’s analysis indicates that Rublevka Team has been active since 2023, when it was first launched on LolzTeam Forum by the user “denisssss_inactive”. Based on the profits reported within its private channel, Rublevka Team has a lifetime revenue of over $10 million USD as of the time of writing. The team’s tactics, techniques, and procedures (TTPs) have evolved since it began operations in 2023. Originally, the threat group operated fake cryptocurrency exchanges to convince users to connect their wallets and deposit funds, generating traffic through Instagram and, later, TikTok. In 2024, however, Rublevka Team fundamentally shifted its tactics and deployed a custom JavaScript-based cryptocurrency wallet drainer on landing pages that impersonated cryptocurrency token airdrops and giveaways. The threat group initially targeted The Open Network (TON), then shifted to Solana (SOL) in spring 2025. Its latest campaign, which is ongoing as of writing, has generated the majority of its total revenue (approximately $8.2 million).
Rublevka Team’s latest post on LolzTeam Forum, published by denisssss_inactive on April 18, 2025, advertises Rublevka Team’s SOL drainer scam program. Since Rublevka Team’s original postings advertising its cryptocurrency exchange scams and TON token campaigns, the payout rates have shifted significantly in affiliates’ favor: new affiliates now start at 75%, and “experienced users” receive 80%. The increase in commission rates for starting affiliates may indicate a shift over time in the team’s monetization strategy based on the financial success the threat group has seen; it may now be more favorable to prioritize expanding the pool of workers rather than extracting maximum income from any individual affiliate.
The post also advertises a fully automated Telegram bot for conducting operations, a landing page generator, and free domains and hosting services with included cloaking features and distributed denial-of-service (DDoS) protections. The advertisement also describes the SOL drainer used on the landing pages: it supports over 90 wallet types; can drain SOL, Solana Program Library (SPL) tokens (including SPL2022 extension tokens), non-fungible tokens (NFTs), and Native Stake; includes spoofing and bypass features for Phantom wallet; exposes a drainer API; and ships with over 35 ready-to-use landing pages integrated with the drainer.
The posts do not specify any hard requirements for prospective affiliates, who are instructed to apply for the team via the Telegram bot [@]RublevkaTeam_Bot. Applications are likely vetted by Rublevka Team’s leader, denisssss_inactive, or the administrative team (“Jesse Pinkman” and “Shell” at the time of writing).
Once an applicant is accepted to Rublevka Team, they are directed to join the following private channels:
Rublevka Team hosts an informational manual for affiliates on the domain rublevkateam[.]cc. This manual outlines the procedures for working on the team, including how to use the Telegram bot, how to conduct cryptoscams, how to configure the drainer, and more.
The stated goal of the Rublevka Team scam is to create a “drainer-based offer” (usually a promotion, an airdrop notice, a KYC request, or similar) and to attract traffic to the website. A victim (referred to as a “lead”) encounters the website, connects their cryptocurrency wallet to it, and is then prompted to perform a crypto transaction. Once the lead confirms and signs that transaction, all assets in the lead’s wallet are transferred to the website’s operator.
According to the manual, the team opted for SOL due to its fast transaction times and low fees, as well as its support for smart contracts, decentralized apps (dApps), and NFTs. The manual includes a table of popular Solana wallets that are compatible with the Rublevka drainer, listing Solflare, Phantom, Backpack, Coinbase, Bitget, OKX, MetaMask, and others.
Notably, configuration for an affiliate’s campaign is done within the [@]RublevkaTeam_bot, which is available in English, Russian, and Chinese, and in most cases requires no interaction with the support team. This provides affiliates with full control and visibility into their own campaigns.
Rublevka Team affiliates have three options when creating a domain for hosting a landing page:
Users can also choose to register subdomains of their private domain using the bot, with each subdomain functioning as a fully autonomous landing page.
Once a domain is created, the affiliate can configure their landing page. Within the bot, the user has the option to create either a “regular” page, which includes a drainer, or a “white” page, which does not have a drainer and is used to evade abuse detection services. The white pages are used as part of the “Red Table Bypass” feature, designed to unblock a domain that has been blocked by Google by temporarily displaying a harmless web page. In both cases, the user has the option to choose from a wide selection of pre-created landing pages.
Alternatively, users can choose to generate their own landing page based on a template, which can be customized to a token of the user’s choice. They can also choose to “copy” an existing website by providing a URL to the bot; however, as of writing, this functionality appears to be broken.
In addition to generating landing pages, the Telegram bot also allows users to configure “cloaking settings” for their domains. Cloaking is a technique used by cybercriminals that involves presenting website content to a search engine or scanner in a way that differs from what the victim will see after navigating to the website. However, Rublevka Team uses the term to describe access restrictions for users from certain countries, IP addresses, internet service providers (ISPs), or virtual private network (VPN) or proxy users. Affiliates can also configure Cloudflare-based redirect logic and CAPTCHAs, sending victims to a backup landing page if the primary domain is blocked and filtering out bots to reduce the likelihood of the domain being blocked in the first place. The Telegram bot also supports configurations that allow the user’s domain to open only as a Telegram Mini App for Telegram-based traffic schemes, as well as the option to block specific “leads” (victims).
Rublevka Team affiliates can configure the settings for the drainer to fit their specific needs. The drainer can display a custom fake transaction for receiving SOL or a fake token, based on the contents of an affiliate’s landing page, and can be configured to display a fake credit for each asset drain operation on the wallet. Affiliates can also set up minimum balance alerts to lure victims into buying additional SOL to use on their landing page.
The drainer has additional settings specifically for Phantom wallet, which the manual states is one of the most popular SOL wallets and can allow for a significant boost in “traffic conversion.” The drainer supports the following Phantom wallet “modes,” which are ways to connect with a user’s Phantom wallet to convince a user to sign a malicious drainer transaction:
Affiliates can configure Telegram notifications that fire when a lead visits their website, when a withdrawal request is received, when a lead has no funds, and more. By default, drained funds are routed through intermediaries such as smart contracts or the shared Rublevka Team wallet; the “Autosplit” feature instead sends stolen funds directly to the affiliate’s private wallet. In that case, the profits are sent as they are, with each drained token transferred to the threat actor’s wallet without conversion.
Additionally, Rublevka Team provides an API (PiterAPI) stored in the variable within the JavaScript code to allow more advanced users to further customize drainer behavior. This API includes the following functions:
Through the Telegram bot, Rublevka Team provides affiliates with an extensive catalog of landing pages available for use in their campaigns. As of October 2025, the Insikt Group identified 50 unique drainer landing pages and eleven “white” landing pages provided to affiliates. It is possible that additional landing pages have been added to the Telegram bot since then.
The drainer landing pages spoofed meme coin and stablecoin token airdrops, token mints, decentralized finance (DeFi) trading platforms, SOL staking services, and more. For the most part, the landing pages impersonate existing “legitimate” services, such as Axiom, Bitget, Photon, Jito, and Marinade. The landing pages also impersonate existing meme coin and social coin tokens for airdrops, including “Bonk,” “DogWifHat,” “Trump,” “Pengu,” and “Fartcoin.” The SOL-specific services pages typically reference SOL liquid staking, “burning” or “incineration,” faucets, airdrops, snipers, and multipliers. Generally, the landing pages included social media and informational links to the actual websites of the coins and services they were impersonating, likely to appear legitimate in a cursory check.
The landing page generator also included a panel for selecting a crypto wallet to connect to the malicious page, which prompts users to either connect an existing wallet or create a new one.
It is likely that these landing pages are used to lure victims to connect their wallet to the website, after which the embedded drainer script, , will enumerate the wallet’s holdings, trick the user into signing a malicious transaction, and drain all held funds.
Based on Insikt Group’s analysis of the malicious landing pages, we identified that each page contained the file (). This file is heavily obfuscated; Insikt Group assesses that the authors possibly used js-confuser, a free open-source JavaScript obfuscation tool with no available deobfuscator. However, Insikt Group was still able to identify strings of interest within the code, including indicators that may suggest parts of the script’s functionality.
The drainer includes the following URLs:
These appear to be Solana remote procedure call (RPC) endpoints: the commercial RPC platforms Helius and WalletConnect, plus the free Solana RPC endpoint provided by PublicNode. The drainer likely uses them to construct and submit the malicious transactions. Notably, the Helius and WalletConnect URLs embed API keys; both services require sign-up and offer tiered plans, so these keys were most likely issued to Rublevka Team developers, which makes them a pivot for attribution and for abuse reports to the providers rather than just another indicator. The Solflare endpoint is likely used to connect to a victim’s wallet for enumeration and draining. The strings also included the domain efficient-endpoint[.]site (discussed further in the Domains and Infrastructure section below).
The drainer code also includes the following strings (verbatim):
Insikt Group also identified approximately 160 unique strings within the drainer that resembled SOL addresses. Of these, approximately 30 corresponded to known addresses in the SOL ecosystem, including system programs and token mints. The remaining approximately 130 addresses do not have any official SOL affiliation and are likely private addresses linked to attacker infrastructure. These addresses are discussed further in the Cryptocurrency Addresses section below.
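The string-level triage described above (URL strings, embedded API keys, and base58 runs that are actually 32-byte Solana public keys, split into well-known program IDs and unknown addresses) is easy to reproduce on any obfuscated bundle, since js-confuser leaves string literals recoverable. The following is an added example written for this page; it is not Rublevka Team code or Insikt Group tooling. It runs on a constructed JavaScript fragment: the attacker-style addresses are derived from SHA-256 hashes, the URLs are placeholders, and the allowlist of known program and mint IDs is a small, illustrative subset.

```python
"""Triage strings from an obfuscated Solana drainer bundle.

Added example; not Rublevka Team code or the report's own tooling.
Pulls URL strings (and key-like query parameters in them), pulls
base58 runs that decode to exactly 32 bytes (an ed25519 public key,
i.e. a Solana address), and splits those keys into well-known
program/mint IDs versus unknown addresses worth pivoting on.
Input is a constructed JS fragment, not the real drainer.
"""
import hashlib
import re
from urllib.parse import parse_qs, urlsplit

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
_B58_INDEX = {c: i for i, c in enumerate(B58_ALPHABET)}

# Program and mint IDs that any SPL/stake-draining script references
# legitimately. Not indicators; used to separate noise from pivots.
KNOWN_SOLANA_IDS = {
    "11111111111111111111111111111111": "System Program",
    "TokenkegQfeZyiNwAJbNbGKPFXCWuBvf9Ss623VQ5DA": "SPL Token Program",
    "TokenzQdBNbLqP5VEhdkAS6EPFLC1PHnBqCXEpPxuEb": "Token-2022 Program",
    "ATokenGPvbdGVxr1b2hvZbsiqW5xWH25efTNsLJA8knL": "Associated Token Program",
    "Stake" + "1" * 38: "Stake Program",
    "So" + "1" * 40 + "2": "Wrapped SOL mint",
    "EPjFWdd5AufqSSqeM2qN1xzybapC8G4wEGGkZwyTDt1v": "USDC mint",
}

# A base58 run of pubkey length, not glued to other base58 characters.
_B58_RUN = re.compile(
    r"(?<![1-9A-HJ-NP-Za-km-z])[1-9A-HJ-NP-Za-km-z]{32,44}(?![1-9A-HJ-NP-Za-km-z])"
)
_URL = re.compile(r"""https?://[^\s'"`<>]+""")
_CRED_PARAM = re.compile(r"(api[-_]?key|token|project[-_]?id|secret)", re.I)


def b58decode(s: str) -> bytes:
    n = 0
    for ch in s:
        n = n * 58 + _B58_INDEX[ch]
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    leading = len(s) - len(s.lstrip("1"))  # each leading '1' is a zero byte
    return b"\x00" * leading + body


def b58encode(raw: bytes) -> str:
    n = int.from_bytes(raw, "big")
    digits = ""
    while n:
        n, rem = divmod(n, 58)
        digits = B58_ALPHABET[rem] + digits
    leading = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * leading + digits


def extract_pubkeys(js: str) -> list:
    """Base58 runs that decode to exactly 32 bytes; drops look-alikes
    (too short, or 33+ bytes such as a run of 'z')."""
    return sorted({m.group(0) for m in _B58_RUN.finditer(js)
                   if len(b58decode(m.group(0))) == 32})


def extract_urls(js: str) -> list:
    return sorted(set(_URL.findall(js)))


def credential_params(urls) -> list:
    """(host, parameter) pairs where a URL carries a key-like query
    parameter; such keys are tied to a sign-up and are a pivot."""
    found = []
    for u in urls:
        parts = urlsplit(u)
        for name in parse_qs(parts.query):
            if _CRED_PARAM.search(name):
                found.append((parts.hostname, name))
    return sorted(found)


def triage(js: str) -> dict:
    known, unknown = {}, []
    for key in extract_pubkeys(js):
        if key in KNOWN_SOLANA_IDS:
            known[key] = KNOWN_SOLANA_IDS[key]
        else:
            unknown.append(key)
    urls = extract_urls(js)
    return {"urls": urls, "credentials": credential_params(urls),
            "known": known, "unknown": unknown}


def _fake_key(label: str) -> str:
    # Constructed stand-in for an attacker-controlled address; not a real one.
    return b58encode(hashlib.sha256(label.encode()).digest())


# Constructed string table in the style of an obfuscated bundle.
SAMPLE_JS = "var _0x1=['" + "','".join([
    "https://rpc-provider.example/?api-key=REDACTED",  # placeholder key
    "https://relay.example/?projectId=REDACTED",       # placeholder key
    "11111111111111111111111111111111",
    "TokenkegQfeZyiNwAJbNbGKPFXCWuBvf9Ss623VQ5DA",
    "So" + "1" * 40 + "2",
    _fake_key("receiver-1"),
    _fake_key("receiver-2"),
    "z" * 44,                            # valid base58, but 33 bytes
    "abcdefghijkmnopqrstuvwxyz123456",   # too short for a pubkey
]) + "'];"

if __name__ == "__main__":
    for section, value in triage(SAMPLE_JS).items():
        print(section, value)
```

The 32-byte check matters more than the character-length filter: hex hashes, obfuscator identifiers and long word tokens can all satisfy the base58 alphabet and length range, but only real ed25519 keys decode to exactly 32 bytes. On a real sample, extend the allowlist with the token mints and programs the page legitimately interacts with (Jupiter, Metaplex, the staking programs) so that the unknown set is close to the attacker-controlled receivers.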
Rublevka Team has tracked their profits in the closed Telegram channel “[RublevkaTeam] Profits” since at least June 2024. Each entry contains a user’s “Worker” name (sometimes hidden) and the profit from a single transaction in SOL (or TON, during their previous campaign) and USD. As of this writing, the channel has over 240,000 messages and approximately 3,000 subscribers. Insikt Group performed an analysis of the total sum of profits generated by affiliates since the channel’s inception, totaling approximately $10.9 million USD as of December 8, 2025. The sums for individual profit messages span from as little as $0.16 per transaction to upwards of $20,000.
According to the main chat channel, Rublevka Team has also operated a more private channel for “top earners” to receive “exclusive” information and landing pages. As of May 2025, the eligibility requirements for this channel are:
Although a notable share (approximately 14%) of “worker” names are hidden in the channel messages, Insikt Group was able to identify the top named earners in Rublevka Team based on the number of transactions posted to the channel, as well as on the highest revenue per individual. The worker named “🇨🇦🇹🇷🇮🇷🇪🇪🇪🇺🇫🇮🇫🇷🇩🇪🇯🇵🇳🇱🇰🇷🇺🇸”, for example, has a total of 24,625 posts in the profits channel, the most of any individual user, and has grossed $292,033.85 USD during their time in Rublevka Team. Other top posters include “Zatecky Gus 🍎🩸🍎🩸🍎🩸🍎🩸🍎🩸🍎🩸🍎” (9,804 posts valued at $95,106.91), “🍎🦮💥💥💥💥💥💥💥💥💥💥💥💥👀” (8,165 posts valued at $76,228.84), and others.
The top earner per the profits channel is the user “hard working guy”; though there are only 799 transactions associated with this user, they are valued at over $1.3 million. Multiple users within the “[RublevkaTeam] Chat” channel expressed amazement at this user’s high profits, with several users asking “hard working guy” to message them for collaboration and speculating on what type of traffic “hard working guy” uses to generate such high profits per transaction. However, “hard working guy” is not active within the chat channel, and several users have cast doubt on whether this user exists, or whether they are a fake user created by Rublevka Team administrators to motivate other affiliates to “work harder.” The user “think about it” is a close second to “hard working guy”, with 145 transactions valued at $1.04 million. The next top earner, “Mr. Zelensky” (no relation to the President of Ukraine), made only $325,662.67 with 195 transactions, indicating a steep drop-off between earning tiers. This likely reflects the differing approaches of individual Rublevka Team affiliates, who either extract small sums from many individual victims over a prolonged period or drain large quantities in fewer transactions.
Insikt Group collected a sample of domains associated with Rublevka Team based on the Telegram bot and channels linked to the threat group. Based on proprietary sources, it is evident that Rublevka Team is constantly changing and rotating their infrastructure, including the domains used to host their shared pages for affiliate use, as well as other staging infrastructure to host aspects of their drainer. Over the last year, shared Rublevka Team domains have included:
Using open-source intelligence (OSINT) tools, Insikt Group identified approximately 70 unique subdomains historically associated with open-sol[.]cc, 400 associated with sol-hook[.]org, 300 associated with sol-galaxy[.]cc, 30 associated with web-core[.]cc, and 40 associated with sol-coin[.]xyz, as of writing. A cursory analysis of these domains’ hosting information showed that Rublevka Team primarily hides its shared infrastructure behind Cloudflare, with variation in registrars (CNOBIN, Public Domain Registry, and an unspecified Hong Kong-based registrar). Notably, in November and December 2025, three of the domains (sol-galaxy[.]cc, web-core[.]cc, and sol-coin[.]xyz) migrated to IP address 158[.]94[.]208[.]165, registered to “Lanedonet Datacenter,” previously named “Metaspinner Net GmbH.” Insikt Group recently identified Metaspinner Net GmbH as a fraudulently registered hosting network that impersonated a legitimate German software company. Following RIPE NCC intervention, the network was re-registered under Lanedonet Datacenter. Insikt Group assesses with high confidence that Lanedonet Datacenter is operated by threat activity enabler (TAE) Virtualine Technologies.
Insikt Group also identified several domains used for Rublevka Team’s shared drainer backend hosting (“selfhost”) service: g-app-d[.]cc, fontmaxplugin[.]cc, and commontechrepo[.]cc. These domains are also behind Cloudflare and have obfuscated registration information. We identified approximately 60 unique subdomains under g-app-d[.]cc, approximately 20 under fontmaxplugin[.]cc, and approximately 40 under commontechrepo[.]cc, all of which followed the naming convention “[word1]-[word2].[domain].cc,” where “word1” and “word2” appeared to be randomly selected words. This convention is consistent with a domain generation algorithm (DGA) that Rublevka Team uses to spin up fresh hostnames automatically as it rotates infrastructure.
Insikt Group also identified the domain efficient-endpoint[.]site contained within the drainer file . This domain was registered on September 24, 2025, and was hosted behind Cloudflare until December 12, 2025. After this date, the WHOIS record indicated it was registered via Namecheap to “Alexander Petrov,” with a physical address at 742 Evergreen Drive, Springfield, OR (likely fake), and the email address alex[.]petrov[.]domain[@]emailsecure[.]tech.
Insikt Group identified additional domains registered to this individual and email address, with over 900 registered since April 2025. These domains have followed several DGA-style naming patterns since they were first registered, including “[word 1]-[word 2]-[word 3]” and “[word 1][word 2][word 3]” (where each word is themed around decentralized finance and technology), “[word 1][word 2]”, and “[word 1]-[word 2]”. They used the top-level domains .xyz, .online, .site, .store, .space, and .com.
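The two naming conventions above (the “[word1]-[word2].[domain]” selfhost subdomains and the hyphenated two- and three-word registrant domains) are usable as a passive-DNS hunting heuristic when combined with per-apex clustering, since a single “dev-api”-style hostname on a corporate domain also matches the shape. The following is an added example written for this page, not Rublevka Team or Insikt Group tooling. It checks only the hyphenated forms (the concatenated “[word1][word2][word3]” form needs a dictionary and is out of scope), assumes a two-label apex rather than a public-suffix list, and runs on a constructed CSV of passive-DNS rows; none of the hostnames or IPs are real observations.

```python
"""Cluster passive-DNS rows by apex and flag word-join naming patterns.

Added example; not Rublevka Team or Insikt Group tooling. Encodes the
"[word1]-[word2].<apex>" subdomain pattern and the "[word1]-[word2]-[word3]"
registrant pattern as a heuristic, then clusters per apex so that a lone
dev-api.corp.example does not fire. Input is constructed (documentation
IPs and .example names only).
"""
import csv
import io
import re
from collections import defaultdict

# Two or three lowercase alphabetic words joined by single hyphens, no digits.
WORD_JOIN = re.compile(r"^[a-z]{3,10}(?:-[a-z]{3,10}){1,2}$")

# Constructed passive-DNS export: hostname,rdata,first_seen.
PDNS_SAMPLE = """hostname,rdata,first_seen
quiet-river.shared-host.example,203.0.113.1,2025-10-02
stone-garden.shared-host.example,203.0.113.1,2025-10-03
amber-forest.shared-host.example,203.0.113.2,2025-10-05
silver-harbor.shared-host.example,203.0.113.2,2025-10-09
www.shared-host.example,203.0.113.1,2025-09-30
mail.corp.example,192.0.2.10,2024-01-01
www.corp.example,192.0.2.11,2024-01-01
dev-api.corp.example,192.0.2.12,2024-03-01
mint-vault-relay.example,198.51.100.7,2025-04-15
"""


def parse_pdns(text: str) -> list:
    return list(csv.DictReader(io.StringIO(text)))


def split_host(hostname: str) -> tuple:
    """Return (subdomain, apex). Assumes a two-label apex, which holds for
    .cc/.xyz/.site-style names; use a public-suffix list for co.uk-style TLDs."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def looks_generated(label: str) -> bool:
    return bool(WORD_JOIN.match(label))


def cluster(records, min_generated: int = 3, min_ratio: float = 0.5) -> dict:
    """Per apex: how many subdomains match the word-join shape, which IPs
    they resolve to, whether the apex label itself matches, and a flag
    that requires both an absolute count and a ratio of matching names."""
    groups = defaultdict(lambda: {"total": 0, "generated": 0, "ips": set()})
    for rec in records:
        sub, apex = split_host(rec["hostname"])
        g = groups[apex]
        g["total"] += 1
        g["ips"].add(rec["rdata"])
        if sub and looks_generated(sub):
            g["generated"] += 1
    out = {}
    for apex, g in groups.items():
        ratio = g["generated"] / g["total"]
        out[apex] = {
            "total": g["total"],
            "generated": g["generated"],
            "ips": sorted(g["ips"]),
            "apex_label_generated": looks_generated(apex.split(".")[0]),
            "flagged": g["generated"] >= min_generated and ratio >= min_ratio,
        }
    return out


if __name__ == "__main__":
    for apex, info in cluster(parse_pdns(PDNS_SAMPLE)).items():
        print(apex, info)
```

The absolute-count and ratio thresholds are deliberately conservative; on real passive-DNS data the shared hosts in this report produce dozens to hundreds of such subdomains per apex, so tune `min_generated` up rather than down, and treat `apex_label_generated` as a weak signal on its own that only becomes interesting when many such apexes share a registrant or resolve to the same hosting.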
The first website observed in OSINT sources registered to the email address alex[.]petrov[.]domain[@]emailsecure[.]tech is burn-shard-bridge[.]xyz, first observed on April 15, 2025. Around this time, the website displayed a “Connect Wallet” window similar to that observed in the Rublevka Team landing page generator, and an analysis of calls made by the website included and , matching the name of the “Piter” drainer API described in Rublevka Team’s manual. We identified the following five additional domains that shared similar features and were registered to the same email address:
All of these websites demonstrated similar behavior, including displaying the same “Connect Wallet” window, calls to the PiterAPI function , and references to a JavaScript file that is highly similar to the drainer analyzed by Insikt Group. Hashes for the JavaScript drainer files observed on these websites are included in Appendix A.
We assess that the domains registered to Alexander Petrov are possibly automatically generated infrastructure for use by Rublevka Team to host backend functions of their drainer operation, where the high volume of the domains is likely intended to enable the threat group to frequently rotate their infrastructure.
Insikt Group identified a set of cryptocurrency addresses connected to Rublevka Team operations. Approximately 160 unique strings resembling SOL addresses were extracted from the JavaScript drainer attached to the team’s malicious landing pages, and several others were obtained by tracing transactions within affiliate screenshots showing proof of their payouts on forums and the “[RublevkaTeam] Chat” Telegram channel. We focused on the following addresses for further analysis:
Insikt Group identified seventeen references to the above addresses in the Recorded Future Platform, all of which involved posts from users on social media and Telegram stating that those addresses had stolen crypto assets from them, with the earliest post dated July 10, 2025. One such post specifically named pumptoken[.]net as the phishing website that had initiated the transaction; via further historical analysis, Insikt Group identified a JavaScript file linked to this website () that had a high degree of similarity with the drainer file analyzed above, including the same obfuscation technique and overlap in listed addresses. We assess that these users were likely victims of Rublevka Team.

