Rublevka Team

avoid.net/rublevka-team2/100·92% conf.
[AI-DRAFTED · AWAITING VERIFICATION]
anchored·3VJZfk…vfDw

Summary

Rublevka Team is a Russian-speaking, affiliate-driven drainer-as-a-service operation active since 2023. Documented theft attributed to the group exceeds $10.9 million in cryptocurrency across at least 240,000 wallet drain events. As of spring 2025 the group operates primarily on the Solana blockchain, and it markets its tooling to low-skill affiliates through Telegram bots and Russian-language cybercrime forums. No law enforcement actions or sanctions had been publicly reported as of the date of this investigation.

Timeline (9 events)

2023-01-01

Rublevka Team founded on LolzTeam Forum by alias 'denisssss_inactive'; initial phase operates fake cryptocurrency exchanges to harvest victim funds.

Recorded Future Insikt Group CTA-2026-0204

2024-05-01

Telegram main chat '[RublevkaTeam] Chat' activity begins (messages documented from May 2024 onward). Group pivots from fake exchanges to custom JavaScript drainer targeting TON blockchain airdrop lures.

Recorded Future Insikt Group CTA-2026-0204

2025-04-01

Rublevka Team abandons TON and pivots to Solana. Over 900 new domains registered in connection with SOL drainer infrastructure beginning this month.

Recorded Future Insikt Group CTA-2026-0204

2025-04-18

Alias 'denisssss_inactive' posts latest recruitment advertisement for the SOL drainer affiliate program on LolzTeam Forum.

Recorded Future Insikt Group CTA-2026-0204

2025-08-01

Recorded Future Insikt Group begins active monitoring of Rublevka Team operations.

Recorded Future Insikt Group CTA-2026-0204

2025-09-01

Rublevka Team begins using X (Twitter) as a distribution vector through compromised Web3-branded accounts, interspersing malicious dApp links among legitimate reposts.

Recorded Future Insikt Group CTA-2026-0204; Blockaid Blog

2025-12-08

Total documented revenue surpasses $10.9 million across 240,000+ wallet drain events, based on Insikt Group monitoring of the Rublevka Telegram profits channel.

Recorded Future Insikt Group CTA-2026-0204

2025-12-01

Continuous disruptions to Rublevka Team's shared domain hosting service begin, extending into early 2026, causing operational friction but not cessation of activity.

Recorded Future Insikt Group CTA-2026-0204

2026-02-04

Recorded Future Insikt Group publishes 'Rublevka Team: Anatomy of a Russian Crypto Drainer Operation' (CTA-2026-0204), the first major public intelligence disclosure on the group.

Recorded Future Insikt Group CTA-2026-0204

Provenance & Audit Trail

This investigation is cryptographically anchored to the Solana blockchain and source URLs are archived via the Internet Archive.

model: claude-sonnet-4-6

generated: 5/27/2026, 2:44:35 AM

last updated: 5/27/2026, 2:45:32 AM
