Rublevka Team: Anatomy of a Russian Crypto Drainer Operation

Rublevka Team is an affiliate-driven cryptoscam operation that uses JavaScript-based Solana wallet drainers embedded in spoofed landing pages to trick victims into connecting wallets and signing malicious transactions, generating approximately $10.9 million in reported profits. Their infrastructure and monetization include a Telegram bot for campaign automation, shared and rotating domains, ready-made landing pages, and support for many wallet types (notably Phantom) to drain SOL and SPL tokens. #RublevkaTeam #Solana

Keypoints

  • Rublevka Team operates an affiliate-based drainer ecosystem (launched 2023) that shifted from fake exchanges to JavaScript wallet drainers in 2024, targeting SOL and SPL tokens.
  • The group runs automated affiliate tooling via a multilingual Telegram bot that provides landing page generation, cloaking, hosting options, and campaign management.
  • The SOL drainer is a heavily obfuscated index.js file that enumerates wallet holdings, prompts malicious signatures, and supports specialized Phantom wallet modes (e.g., Honeypot, Crasher, Fake Return).
  • Insikt Group attributed over $10 million in lifetime revenue to Rublevka Team, with approximately $8.2 million from the latest SOL campaign and detailed profit reporting in private Telegram channels.
  • Infrastructure is rotated and hidden behind services like Cloudflare, includes hundreds of subdomains and DGA-like naming patterns, and uses shared, private, and self-hosted domain options for affiliates.
  • Observed IOCs include malicious domains, JavaScript hashes, API/RPC URLs (Helius, WalletConnect, PublicNode), an identified hosting IP, and ~160 Solana addresses used for collection and laundering.

MITRE Techniques

  • [T1566] Phishing – Used to lure victims to fraudulent airdrop/giveaway landing pages that prompt wallet connections and signature approvals; ‘the stated goal of the Rublevka Team scam is to create a “drainer-based offer” (usually a promotion, an airdrop notice, a KYC request, or other) and to attract traffic to the website.’
  • [T1027] Obfuscated Files or Information – The drainer JavaScript (index.js) is heavily obfuscated to evade analysis and detection; ‘each page contained the file index.js … This file is heavily obfuscated; Insikt Group assesses that the authors possibly used js-confuser.’
  • [T1071.001] Application Layer Protocol: Web Protocols – The drainer abuses web-based RPC and API endpoints (Helius, WalletConnect, PublicNode, Solflare) to build and submit Solana transactions; ‘These are likely authorization calls to the Solana remote procedure call (RPC) API endpoints provided by RPC platforms Helius and WalletConnect.’
  • [T1568.001] Domain Generation Algorithms – The threat actor rotates and auto-generates large numbers of domains and subdomains for shared hosting and backend functions, consistent with DGA-like patterns; ‘These subdomains followed several DGA patterns since first being registered… used the top-level domains .xyz, .online, .site, .store, .space…’
  • [T1572] Hide Infrastructure – Operators hide shared infrastructure behind Cloudflare and frequently rotate domains and hosting to impede takedown and attribution; ‘Rublevka Team primarily hides their shared infrastructure behind Cloudflare, with variation in registrars… constantly changing and rotating their infrastructure.’
  • [T1496] Financial Theft – The primary impact technique is direct theft of cryptocurrency by tricking victims into signing drain transactions and moving funds through attacker-controlled SOL addresses for laundering; ‘Upon confirming and signing the transaction, all assets from the lead’s wallet are transferred to the website’s operator.’

Indicators of Compromise

  • [Domain] Shared and malicious landing pages and backend hosts – open-sol[.]cc, sol-galaxy[.]cc, and 10+ other rotating domains (e.g., web-core[.]cc, sol-hook[.]org, efficient-endpoint[.]site)
  • [Email] Registrant used for automated domain registrations – alex.petrov.domain[@]emailsecure[.]tech
  • [IP Address] Hosting tied to shared domains – 158[.]94[.]208[.]165 (Lanedonet Datacenter / Metaspinner Net activity)
  • [File Hash] Malicious JavaScript drainer samples – 9c21d538c2a556f4a5b351b29f3513097ac57643f291ff6d751400d8dbc69489, b9157f6bff6a6ee6ba5932ebac2c8796836b21eb3c69df08fbeb102e9228ba15, and 5 more hashes
  • [URL / API] Solana RPC and wallet API endpoints used by the drainer – hxxps://mainnet[.]helius-rpc[.]com/?api-key=8e0e9a34-2648-421a-8f22-6460b4a68705, hxxps://rpc[.]walletconnect[.]org/v1/?chainId=solana…, and hxxps://solana-rpc[.]publicnode[.]com
  • [Cryptocurrency Address] Solana addresses used to collect and launder stolen funds – 8VHDwr45BNnyMpMvfGFZwvoUXU4ZPQk4YFj6b5V2Duzd, 8tzYaoRju2KwLqYD1LSrcvAEFxJQi7f6aw1aYb9MUqew, and ~158 additional addresses extracted from the drainer script
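One way a defender can operationalize the indicators above against web proxy logs, as an added example that is not part of the report or this summary: it matches the listed landing-page domains, the drainer-specific Helius API key (rather than the legitimate helius-rpc.com host), and a heuristic for DGA-like hostnames on the TLDs the report names. The log format, the sample log lines and the vowel-ratio DGA heuristic are constructed assumptions, not details from the report.

```python
import re
from urllib.parse import urlparse

# Landing-page and backend domains quoted in the IOC list above (re-fanged).
LANDING_DOMAINS = {"open-sol.cc", "sol-galaxy.cc", "web-core.cc",
                   "sol-hook.org", "efficient-endpoint.site"}
# Helius API key from the drainer's RPC URL. helius-rpc.com itself is a
# legitimate service, so the key, not the host, is the indicator.
HELIUS_KEY = "8e0e9a34-2648-421a-8f22-6460b4a68705"
# TLDs the report names for the DGA-like shared subdomains.
DGA_TLDS = ("xyz", "online", "site", "store", "space")

def looks_dga(host: str) -> bool:
    # Assumed heuristic (not from the report): a long alphanumeric leftmost
    # label with few vowels under one of the named TLDs.
    labels = host.lower().split(".")
    if len(labels) < 2 or labels[-1] not in DGA_TLDS:
        return False
    label = labels[0]
    if not re.fullmatch(r"[a-z0-9]{10,}", label):
        return False
    return sum(c in "aeiou" for c in label) / len(label) < 0.3

def classify(url: str):
    # Return a reason string if the URL matches an indicator, else None.
    host = (urlparse(url).hostname or "").lower()
    if host in LANDING_DOMAINS:
        return "known Rublevka landing/backend domain"
    if HELIUS_KEY in url:
        return "drainer-specific Helius API key"
    if looks_dga(host):
        return "DGA-like hostname on report-listed TLD"
    return None

def scan_log(lines):
    # Constructed proxy-log format: '<ts> <client_ip> <method> <url>'.
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) >= 4 and (reason := classify(parts[3])):
            hits.append((parts[1], parts[3], reason))
    return hits

SAMPLE_LOG = [  # constructed sample lines, not taken from the report
    "2024-06-01T10:00:01Z 10.0.0.5 GET https://open-sol.cc/claim",
    "2024-06-01T10:00:02Z 10.0.0.5 POST https://mainnet.helius-rpc.com/?api-key=8e0e9a34-2648-421a-8f22-6460b4a68705",
    "2024-06-01T10:00:03Z 10.0.0.7 GET https://q8x4nz7k2mvt.xyz/index.js",
    "2024-06-01T10:00:04Z 10.0.0.9 GET https://docs.example.site/guide",
]
```

Running `scan_log(SAMPLE_LOG)` flags the first three constructed lines and leaves the ordinary docs host alone; the DGA heuristic is a starting point to tune against your own traffic, not a report-validated rule.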


Read more: https://www.recordedfuture.com/research/rublevka-team-anatomy-russian-crypto-drainer-operation