
Inside the Rublevka Crypto Drainer: How Russian Hackers Built a Multi-Million Dollar Theft Operation

February 04, 2026

Executive Summary

Insikt Group has uncovered a sophisticated cybercriminal enterprise specializing in cryptocurrency theft at scale, operating under the alias "Rublevka Team". Since launching operations in 2023, this threat actor has amassed over $10 million in illicit proceeds through affiliate-based wallet compromise campaigns. Rublevka Team exemplifies the emerging "traffer team" model: a distributed network of thousands of social engineering operatives who funnel victim traffic toward malicious infrastructure. Unlike the conventional malware distribution used by similar traffer operations such as Marko Polo and CrazyEvil (both previously documented by Insikt Group as infostealer distributors), Rublevka Team weaponizes bespoke JavaScript payloads delivered through counterfeit landing pages that masquerade as trusted cryptocurrency platforms. These pages deceive users into approving a wallet connection and then signing transactions that move funds directly to attacker-controlled addresses; because the victim's own wallet signs the draining transaction, the scheme works without deploying any malware. The operation's technical foundation is highly automated and horizontally scalable, providing affiliates with turnkey access to Telegram-based command infrastructure, dynamic landing page generation tools, anti-detection mechanisms, and compatibility with more than 90 wallet implementations. By eliminating technical prerequisites for participation, Rublevka Team has cultivated a sprawling affiliate ecosystem capable of executing high-velocity fraud campaigns with minimal centralized coordination.

This operational model represents an escalating risk vector for cryptocurrency exchanges, fintech service providers, and consumer brands subjected to identity spoofing. Entities facilitating blockchain-based financial transactions, including digital asset custodians, decentralized finance platforms, and wallet infrastructure providers, face heightened reputational exposure and potential legal liability when end users are victimized by these schemes. Even when the fraudulent signing takes place on a counterfeit site outside a platform's direct control, inadequate detection of fraudulent domains or referral traffic can erode consumer confidence, damage the brand, and invite closer regulatory examination of customer protection frameworks and Know Your Customer compliance protocols. The adversary's tactical adaptability (rapid domain rotation, a deliberate focus on low-fee networks such as Solana, and direct use of Remote Procedure Call API endpoints rather than a platform's front end) systematically undermines conventional fraud mitigation strategies and domain takedown workflows. The architecture closely parallels ransomware-as-a-service delivery models, underscoring the ongoing evolution toward commoditized, infrastructure-driven cybercrime that demands proactive threat intelligence, coordinated disruption efforts, and robust defensive postures to safeguard customer assets and preserve institutional credibility.
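The fraudulent-domain detection the paragraph calls for is, at its core, lookalike matching against the brands an operation impersonates. The following Python is an added example written for this page, not Insikt Group's tooling or anything recovered from the Rublevka Team infrastructure. The brand list reflects the brands named in the Key Findings, while the lure-word list, the homoglyph table, the allowlist of legitimate domains and the candidate domains are all constructed assumptions; in practice the candidates would come from certificate-transparency logs, passive DNS or a platform's own referral logs.

```python
"""Flag domains that impersonate wallet and exchange brands.

Added example, not Insikt Group's tooling. BRANDS matches the brands the page
names; LURE_WORDS, HOMOGLYPHS, ALLOWLIST and SAMPLE_DOMAINS are constructed
for illustration.
"""
import unicodedata
from difflib import SequenceMatcher

BRANDS = ("phantom", "bitget", "jito")
LURE_WORDS = ("airdrop", "claim", "reward", "bonus", "promo", "sol", "wallet", "connect")
# Characters typosquatters swap for Latin letters (assumed, illustrative table).
HOMOGLYPHS = str.maketrans({"0": "o", "3": "e", "4": "a", "5": "s", "7": "t", "$": "s",
                            "\u043e": "o", "\u0430": "a", "\u0435": "e", "\u0440": "p"})


def registrable_label(domain):
    """Second-level label, lowercased, with punycode decoded (naive: last label is the TLD)."""
    domain = domain.strip().lower().rstrip(".")
    try:
        domain = domain.encode("ascii").decode("idna")   # xn-- labels -> Unicode
    except UnicodeError:
        pass                                              # already Unicode
    labels = domain.split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def normalize(label):
    """Drop accents and hyphens and undo common homoglyph substitutions."""
    decomposed = unicodedata.normalize("NFKD", label)
    stripped = "".join(c for c in decomposed if not unicodedata.combining(c))
    return stripped.translate(HOMOGLYPHS).replace("-", "")


def score(label, brand):
    """Return (confidence, reason) that `label` impersonates `brand`."""
    norm = normalize(label)
    if norm == brand:
        return 1.0, "brand name as label on a non-allowlisted domain"
    if brand in norm:
        lures = [w for w in LURE_WORDS if w in norm.replace(brand, "")]
        return (0.9, f"brand plus lure word(s) {lures}") if lures else (0.6, "brand embedded in label")
    ratio = SequenceMatcher(None, norm, brand).ratio()
    return (round(ratio, 2), "near-match (typosquat)") if ratio >= 0.8 else (0.0, "")


def flag_lookalikes(domains, allowlist=frozenset(), threshold=0.6):
    """Return one hit per suspicious domain, scored against its best-matching brand."""
    hits = []
    for d in domains:
        if d.lower() in allowlist:
            continue
        label = registrable_label(d)
        conf, reason, brand = max((score(label, b) + (b,) for b in BRANDS), key=lambda t: t[0])
        if conf >= threshold:
            hits.append({"domain": d, "brand": brand, "confidence": conf, "reason": reason})
    return hits


ALLOWLIST = frozenset({"phantom.app", "bitget.com", "jito.network"})   # assumed legitimate domains
SAMPLE_DOMAINS = [   # constructed: legitimate, lookalike and unrelated names
    "phantom.app", "phantom-airdrop-claim.xyz", "phantm.app", "phant\u043em.app",
    "bitget-rewards.io", "jito-sol-claim.com", "github.com", "solana.com",
]

if __name__ == "__main__":
    for hit in flag_lookalikes(SAMPLE_DOMAINS, ALLOWLIST):
        print(f"{hit['domain']:28} {hit['brand']:8} {hit['confidence']:.2f}  {hit['reason']}")
```

The "brand embedded in label" rule at 0.6 is deliberately loose and will catch unrelated names that happen to contain a short brand string (anything containing "jito", for instance), so in production the threshold is tuned per brand and hits are enriched with registration age and hosting data before anyone acts on them. Rapid domain rotation of the kind described above means the list must be regenerated continuously rather than reviewed once.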

Key Findings

  • The core methodology of a Rublevka Team operation is to craft a compelling SOL-denominated incentive, such as a promotional campaign or a token airdrop announcement, drive traffic to it through social media channels and paid advertising placements, and then exploit the user's trust to obtain a wallet connection and a transaction signature that results in complete asset exfiltration.
  • At the time of analysis, Rublevka Team's principal Telegram channel maintains approximately 7,000 active subscribers. The operation's automated transaction notification channel has logged over 240,000 discrete messages, each corresponding to a confirmed drain transaction; since one victim wallet can produce more than one transaction, this figure is a floor on confirmed drains and a ceiling on distinct victims. Individual transaction values span from $0.16 to amounts exceeding $20,000.
  • Rublevka Team deploys a proprietary JavaScript-based draining mechanism integrated directly into the fraudulent landing pages, engineered to extract victims' Solana-based digital assets through systematic token liquidation. The drainer is compatible with more than 90 distinct Solana wallet implementations.
  • The adversary's operational infrastructure operates autonomously through Telegram bot interfaces, furnishing affiliate participants with comprehensive tooling for phishing page deployment, campaign performance analytics, traffic filtering capabilities, and distributed denial-of-service mitigation services.
  • The wallet draining campaign, continuously active since 2023, uses fraudulent replicas of established platforms including Phantom, Bitget, and Jito to exploit brand recognition and optimize victim conversion rates.
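Because the drainer's transactions are signed by the victim and submitted through ordinary RPC endpoints, the most reliable place to catch them is on chain rather than on the counterfeit page. The Python below is an added example written for this page, not Insikt Group's tooling and not the drainer's own code. It scores transactions for the sweep pattern the findings describe (nearly all SOL gone, several token accounts zeroed in one transaction, everything converging on one destination) and then clusters flagged transactions by destination, since one affiliate address collecting from many wallets is the strongest single indicator. The records are constructed, trimmed-down versions of what the Solana RPC getTransaction call returns (accountKeys, pre/postBalances in lamports, pre/postTokenBalances); all addresses, mints, amounts and thresholds are assumptions.

```python
"""Heuristic detection of wallet-sweep ("drainer") transactions on Solana.

Added example, not Insikt Group's tooling and not the drainer's code. SAMPLE_TXS
are constructed in the shape of getTransaction output; addresses, mints and the
thresholds below are assumptions.
"""
from collections import defaultdict

RENT_FLOOR = 890_880        # lamports a 0-byte account must keep (assumed mainnet value)
SWEEP_RATIO = 0.95          # >= 95 % of the signer's SOL leaving in one tx
MIN_MINTS_EMPTIED = 2       # this many token accounts zeroed at once looks like a sweep
SYS = "11111111111111111111111111111111"                   # System Program
TOK = "TokenkegQfeZyiNwAJbNbGKPFXCWuBvf9Ss623VQ5DA"        # SPL Token Program


def tb(idx, mint, owner, amount):
    """One token-balance entry in getTransaction's shape (raw amount is a string)."""
    return {"accountIndex": idx, "mint": mint, "owner": owner, "uiTokenAmount": {"amount": str(amount)}}


def _tok(balances):
    """accountIndex -> (owner, mint, amount) for a pre/postTokenBalances list."""
    return {b["accountIndex"]: (b["owner"], b["mint"], int(b["uiTokenAmount"]["amount"])) for b in balances}


def analyze(tx):
    """Score one transaction for drainer-like behaviour; key 0 is the fee payer, i.e. the victim."""
    keys, pre, post = tx["accountKeys"], tx["preBalances"], tx["postBalances"]
    signer = keys[0]
    sol_ratio = (pre[0] - post[0]) / pre[0] if pre[0] else 0.0
    # 1. Nearly all SOL left and only rent/dust remains.
    sol_swept = sol_ratio >= SWEEP_RATIO and post[0] <= 2 * RENT_FLOOR
    # 2. Several of the signer's token accounts were zeroed (or closed) in the same tx.
    pre_tok, post_tok = _tok(tx["preTokenBalances"]), _tok(tx["postTokenBalances"])
    emptied = sorted(mint for i, (own, mint, amt) in pre_tok.items()
                     if own == signer and amt > 0 and post_tok.get(i, (own, mint, 0))[2] == 0)
    tokens_swept = len(emptied) >= MIN_MINTS_EMPTIED
    # 3. SOL and tokens all converged on a single non-signer owner (token accounts map to their owner).
    owner_of = {i: v[0] for i, v in post_tok.items()}
    dests = {owner_of.get(i, keys[i]) for i in range(len(keys)) if post[i] > pre[i]}
    dests |= {own for i, (own, _, amt) in post_tok.items() if amt > pre_tok.get(i, (own, "", 0))[2]}
    dests.discard(signer)
    single_dest = len(dests) == 1
    reasons = [name for name, hit in (("sol_swept", sol_swept), ("tokens_swept", tokens_swept),
                                      ("single_destination", single_dest)) if hit]
    return {"signature": tx["signature"], "signer": signer, "sol_out_ratio": round(sol_ratio, 3),
            "emptied_mints": emptied, "destinations": sorted(dests),
            "reasons": reasons, "verdict": "DRAIN" if len(reasons) >= 2 else "ok"}


def cluster_destinations(verdicts):
    """Distinct victims per destination across flagged txs; a high count marks an affiliate's collector."""
    victims = defaultdict(set)
    for v in verdicts:
        if v["verdict"] == "DRAIN":
            for d in v["destinations"]:
                victims[d].add(v["signer"])
    return {d: len(s) for d, s in victims.items()}


SAMPLE_TXS = [  # constructed; balances are consistent with a 5,000-lamport fee paid by key 0
    {"signature": "drain-victim1",
     "accountKeys": ["Victim1111", "Drain9999", "V1usdc", "V1jup", "D9usdc", "D9jup", SYS, TOK],
     "preBalances":  [2_500_000_000, 0, 2_039_280, 2_039_280, 0, 0, 1, 1],
     "postBalances": [890_880, 2_495_025_560, 2_039_280, 2_039_280, 2_039_280, 2_039_280, 1, 1],
     "preTokenBalances":  [tb(2, "USDCmint", "Victim1111", 1_500_000_000), tb(3, "JUPmint", "Victim1111", 42_000_000)],
     "postTokenBalances": [tb(2, "USDCmint", "Victim1111", 0), tb(3, "JUPmint", "Victim1111", 0),
                           tb(4, "USDCmint", "Drain9999", 1_500_000_000), tb(5, "JUPmint", "Drain9999", 42_000_000)]},
    {"signature": "drain-victim2",
     "accountKeys": ["Victim2222", "Drain9999", "V2bonk", "D9bonk", SYS, TOK],
     "preBalances":  [400_000_000, 2_495_025_560, 2_039_280, 0, 1, 1],
     "postBalances": [890_880, 2_892_090_400, 2_039_280, 2_039_280, 1, 1],
     "preTokenBalances":  [tb(2, "BONKmint", "Victim2222", 9_000_000_000)],
     "postTokenBalances": [tb(2, "BONKmint", "Victim2222", 0), tb(3, "BONKmint", "Drain9999", 9_000_000_000)]},
    {"signature": "legit-transfer",   # 0.5 SOL sent to a friend
     "accountKeys": ["Alice1111", "Bob2222", SYS],
     "preBalances": [2_000_000_000, 100_000_000, 1], "postBalances": [1_499_995_000, 600_000_000, 1],
     "preTokenBalances": [], "postTokenBalances": []},
    {"signature": "legit-swap",       # sells the whole USDC balance for SOL on a DEX
     "accountKeys": ["Carol3333", "PoolSol", "C3usdc", "PoolUsdc", "PoolAuth", TOK, "DexProg"],
     "preBalances":  [1_000_000_000, 50_000_000_000, 2_039_280, 2_039_280, 1, 1, 1],
     "postBalances": [1_299_995_000, 49_700_000_000, 2_039_280, 2_039_280, 1, 1, 1],
     "preTokenBalances":  [tb(2, "USDCmint", "Carol3333", 50_000_000), tb(3, "USDCmint", "PoolAuth", 800_000_000_000)],
     "postTokenBalances": [tb(2, "USDCmint", "Carol3333", 0), tb(3, "USDCmint", "PoolAuth", 800_050_000_000)]},
]

if __name__ == "__main__":
    results = [analyze(tx) for tx in SAMPLE_TXS]
    for r in results:
        print(f"{r['signature']:16} {r['verdict']:5} {r['reasons']} -> {r['destinations']}")
    print("victims per destination:", cluster_destinations(results))
```

The two-of-three rule keeps an ordinary transfer and a full-balance swap at "ok" while both constructed drains score "DRAIN"; a user who legitimately empties a wallet into an exchange deposit address will still trip it, which is why the destination cluster, not the single verdict, should drive blocking or warning decisions. A wallet provider or RPC operator can run the same scoring on transactions before relaying them, and the page's own figures (240,000 notification messages into one affiliate channel) are exactly the many-victims-to-few-destinations shape the cluster step is built to surface.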