
Verify a decision

Every moderation decision on AVOID.NET is anchored to the Solana blockchain. You don't have to trust us — you can verify cryptographically that we committed to a verdict at a specific moment and have not rewritten it.

How verification works

  1. We commit. When a moderator accepts or rejects a submission, we serialize the decision into deterministic UTF-8 bytes (payload_canonical_string), hash those bytes with SHA-256, encode the digest as base58, and write it to Solana inside an SPL Memo v2 transaction.
  2. We store the bytes. The exact bytes we hashed are stored alongside the decision in our database. Anyone can read them and recompute the hash in any language.
  3. You compare three values: the database hash, your independently recomputed hash, and the hash inside the on-chain memo. If all three match, the decision is authentic and timestamped.

The on-chain memo format is AVOID.NET|v1|h:<b58-sha256>|d:<id>|t:<iso>

Find a signature on any investigation page's decision log, or run python -m src.verify_decision --signature <sig> for a CLI check.
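A stand-alone recomputation of the three-way check described above, added here as an example rather than the site's own src.verify_decision: it hashes the canonical bytes, base58-encodes the digest, parses the memo layout given above and compares the three values. It assumes the memo is handed in as a string (in practice read from the SPL Memo instruction of the transaction at the given signature); the payload, decision id and memo below are constructed samples, not the record on this page.

```python
import hashlib
import json

# Bitcoin-style base58 alphabet (the encoding Solana tooling uses for signatures and hashes).
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58encode(raw: bytes) -> str:
    """Encode bytes as base58: big-endian integer in base 58, one '1' per leading zero byte."""
    n = int.from_bytes(raw, "big")
    digits = []
    while n > 0:
        n, rem = divmod(n, 58)
        digits.append(B58_ALPHABET[rem])
    leading_zeros = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * leading_zeros + "".join(reversed(digits))


def canonical_hash_b58(canonical: str) -> str:
    """Step 1 of the page: SHA-256 over the exact UTF-8 bytes, digest encoded as base58."""
    return b58encode(hashlib.sha256(canonical.encode("utf-8")).digest())


def parse_memo(memo: str) -> dict:
    """Split AVOID.NET|v1|h:<b58-sha256>|d:<id>|t:<iso> into its fields, rejecting anything else."""
    parts = memo.split("|")
    if len(parts) != 5 or parts[0] != "AVOID.NET" or parts[1] != "v1":
        raise ValueError(f"unexpected memo layout: {memo!r}")
    fields = {}
    for part in parts[2:]:
        key, sep, value = part.partition(":")  # first colon only: the ISO time keeps its colons
        if sep != ":" or key not in ("h", "d", "t") or key in fields or not value:
            raise ValueError(f"bad memo field: {part!r}")
        fields[key] = value
    return fields


def verify(canonical: str, db_hash: str, memo: str) -> dict:
    """Step 3 of the page: compare database hash, recomputed hash and on-chain memo hash."""
    recomputed = canonical_hash_b58(canonical)
    onchain = parse_memo(memo)
    return {
        "recomputed": recomputed,
        "db_matches": db_hash == recomputed,
        "chain_matches": onchain["h"] == recomputed,
        "authentic": db_hash == recomputed == onchain["h"],
        "decision_id": onchain["d"],  # cross-check id and time against the decision log yourself
        "anchored_at": onchain["t"],
    }


# Constructed sample payload in the shape of the page's record (compact, key-sorted JSON);
# the real 19618-char canonical string is what you would paste here instead.
SAMPLE_CANONICAL = json.dumps(
    {"actor": "system:backfill", "investigation_id": "00000000-0000-0000-0000-000000000000",
     "kind": "publish", "sequence_num": 1, "v": 1},
    separators=(",", ":"), sort_keys=True, ensure_ascii=False,
)
# Constructed memo, as it would be read from the SPL Memo instruction of the anchoring transaction.
SAMPLE_MEMO = f"AVOID.NET|v1|h:{canonical_hash_b58(SAMPLE_CANONICAL)}|d:dec-0001|t:2026-05-27T02:45:32.035Z"

if __name__ == "__main__":
    db_hash = canonical_hash_b58(SAMPLE_CANONICAL)  # stands in for the hash shown on the page
    print(json.dumps(verify(SAMPLE_CANONICAL, db_hash, SAMPLE_MEMO), indent=2))
    # One changed byte in the stored payload and the three-way match fails.
    print(verify(SAMPLE_CANONICAL.replace("publish", "reject"), db_hash, SAMPLE_MEMO)["authentic"])
```

The recomputed value only proves the payload is the one the memo committed to; whether the decision id and time in the memo belong to the decision you are looking at is a separate check against the decision log.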

Sequence: #1
Score:
Cluster: mainnet-beta
Slot: 422413815
Off-chain at: 2026-05-27T02:45:32.035Z
Anchored at:
Block time:

Independent verification

  1. Database (off-chain): 9DV5YAWwGqyNLyXVHNL6e7f3TJH5jSNYUQpKg5RsFCss
  2. Recomputed (your browser): computing…
  3. On-chain (Solana memo): fetching…
Canonical bytes hashed (19618 chars)
{"actor":"system:backfill","investigation_id":"736e1af9-f40d-4511-a028-d3056aed9a71","kind":"publish","page_slug":"rublevka-team","published_at":"2026-05-27T02:45:31.940Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"Rublevka Team","sections":[{"content":"Rublevka Team is a cybercriminal organization operating as a drainer-as-a-service (DaaS) platform, first documented on LolzTeam Forum in 2023 under the alias 'denisssss_inactive.' The group's name is a probable reference to the Rublevka neighborhood of Moscow, a prestigious suburb historically associated with Russian business elites and government officials. The operation is structured as a 'traffer team,' in which a core administrative group provides technical infrastructure to a distributed network of affiliates — referred to internally as 'traffers' — who conduct social engineering campaigns to direct victims to malicious landing pages. As of February 2026, the group was administered by aliases 'Jesse Pinkman' and 'Shell,' with the original founder 'denisssss_inactive' remaining the primary public-facing recruiter. The operation's Telegram main chat, '[RublevkaTeam] Chat,' had approximately 6,821 members as of the Recorded Future report date.","heading":"Overview and Identity","severity":"critical","sources":[{"credibility":1,"name":"Rublevka Team: Anatomy of a Russian Crypto Drainer Operation — Recorded Future Insikt Group","type":"research","url":"https://www.recordedfuture.com/research/rublevka-team-anatomy-russian-crypto-drainer-operation"},{"credibility":1,"name":"Recorded Future CTA-2026-0204 Full Report PDF","type":"research","url":"https://assets.recordedfuture.com/insikt-report-pdfs/2026/cta-2026-0204.pdf"}]},{"content":"According to Recorded Future's Insikt Group, Rublevka Team had generated over $10.9 million in total revenue as of December 8, 2025, based on transaction records documented in the group's private Telegram 'profits' channel. 
The automated profits channel logged at least 240,000 messages, each corresponding to a successful wallet drain event, with individual transaction values ranging from $0.16 to over $20,000. The group's Solana-focused campaign, which began in spring 2025, alone accounted for approximately $8.2 million of that total. The operation's top-earning affiliate, identified by the handle 'hard working guy,' generated over $1.3 million from 799 transactions. A second affiliate using the handle 'think about it' accumulated over $1.04 million from 145 transactions. An affiliate leaderboard visible within the group's Telegram infrastructure tracked cumulative earnings and transaction counts.","heading":"Financial Impact and Scale","severity":"critical","sources":[{"credibility":1,"name":"Rublevka Team: Anatomy of a Russian Crypto Drainer Operation — Recorded Future Insikt Group","type":"research","url":"https://www.recordedfuture.com/research/rublevka-team-anatomy-russian-crypto-drainer-operation"},{"credibility":2,"name":"SecurityOnline: Hard Working Thieves — Rublevka Team Steals $10M in Solana Scam-as-a-Service","type":"news_article","url":"https://securityonline.info/hard-working-thieves-rublevka-team-steals-10m-in-solana-scam-as-a-service/"}]},{"content":"The operation proceeded through three documented phases. In its initial phase (2023 through early 2024), Rublevka Team operated fake cryptocurrency exchanges to harvest victim funds. In a second phase (mid-2024), the group pivoted to deploying a custom JavaScript wallet drainer against the TON (The Open Network) blockchain, using fake airdrop and token giveaway lures. In spring 2025, the group abandoned TON in favor of Solana, citing the network's fast transaction times and low fees as operationally advantageous. A recruitment post on LolzTeam Forum dated April 18, 2025 explicitly advertises the SOL drainer program to prospective affiliates. Insikt Group began monitoring the operation in August 2025. 
By the time of the February 2026 report, Rublevka Team's Solana campaign had become the dominant revenue source, accounting for approximately 75 percent of all documented losses. Infrastructure disruptions to the group's shared domain hosting service were observed from December 2025 into early 2026, suggesting partial operational friction but not cessation of activity.","heading":"Operational History and Blockchain Targeting","severity":"critical","sources":[{"credibility":1,"name":"Rublevka Team: Anatomy of a Russian Crypto Drainer Operation — Recorded Future Insikt Group","type":"research","url":"https://www.recordedfuture.com/research/rublevka-team-anatomy-russian-crypto-drainer-operation"},{"credibility":2,"name":"Russian crypto gang caught stealing millions on Solana and TON — CyberNews","type":"news_article","url":"https://cybernews.com/cybercrime/russian-crypto-criminals-behind-solana-ton-draining-campaigns/"}]},{"content":"Rublevka Team's Solana drainer is a custom JavaScript payload embedded in spoofed landing pages. It supports over 90 wallet types, including Phantom, Solflare, Backpack, Coinbase, Bitget, OKX, MetaMask, Ledger, KuCoin, Atomic, CoinEx, Trezor, and Arculus. The drainer is capable of extracting SOL, SPL tokens, SPL2022 extension tokens, NFTs, and Native Stake. Code obfuscation is performed using the js-confuser toolset. The drainer includes seven documented interaction modes specifically targeting Phantom wallet: Honeypot, Honeypot2, Fake Return, Crasher, Whitelist, Warning, and Remove Phantom. The 'Crasher Mode' functions as a stealth bypass: it generates a simulated transaction error, causing victims to dismiss the failure as a glitch and re-sign the transaction, thereby unintentionally bypassing Phantom's security warnings. The 'Fake Return' mode falsely represents that assets will be automatically recovered. Backend RPC abuse was documented against Helius, WalletConnect, PublicNode, and Solflare API endpoints. 
The platform also includes a Google detection evasion feature internally termed 'Red Table Bypass' and an advanced customization API called PiterAPI. Domain cloaking and DDoS protection are provided to all affiliates as part of the base service offering.","heading":"Technical Capabilities: Solana Drainer","severity":"critical","sources":[{"credibility":1,"name":"Rublevka Team: Anatomy of a Russian Crypto Drainer Operation — Recorded Future Insikt Group","type":"research","url":"https://www.recordedfuture.com/research/rublevka-team-anatomy-russian-crypto-drainer-operation"},{"credibility":2,"name":"ShieldGuard Protocol — The Rublevka Team Drainer Network","type":"research","url":"https://shieldguard.io/the-rublevka-team-drainer-network/"}]},{"content":"Rublevka Team operates as a fully commercialized drainer-as-a-service platform in which affiliates receive between 75 and 80 percent of all funds drained, with the higher 80 percent rate reserved for affiliates self-identified as 'experienced users.' Affiliates are recruited primarily through LolzTeam Forum, with additional presence on the Exploit and XSS forums. Applications are submitted and vetted via the @RublevkaTeam_Bot Telegram bot. Upon acceptance, affiliates receive access to a Telegram bot (@RublevkaUtils_bot) that generates spoofed landing pages impersonating legitimate Web3 brands such as Phantom, Jito, Marinade, and Bitget. The bot also provides campaign tracking, domain and hosting provisioning, cloaking features, and DDoS protection. Affiliate earners are tracked on a public leaderboard within the group's Telegram channels. A separate private channel exists for top-50 earners who have met a minimum profit threshold of 10 TON. 
The overall Telegram ecosystem includes a main chat, a profits channel, informational channels in both English and Russian, and a landing page repository channel.","heading":"Affiliate Model and Recruitment","severity":"high","sources":[{"credibility":1,"name":"Rublevka Team: Anatomy of a Russian Crypto Drainer Operation — Recorded Future Insikt Group","type":"research","url":"https://www.recordedfuture.com/research/rublevka-team-anatomy-russian-crypto-drainer-operation"},{"credibility":1,"name":"Recorded Future CTA-2026-0204 Full Report PDF","type":"research","url":"https://assets.recordedfuture.com/insikt-report-pdfs/2026/cta-2026-0204.pdf"}]},{"content":"Affiliates distribute malicious landing page links via social media platforms including X (formerly Twitter), TikTok, and Instagram, typically framing the lure as an airdrop event, staking reward, or promotional token offering. On X, Rublevka-affiliated accounts were observed using a documented pattern: maintaining primarily legitimate Web3 content reposts to establish credibility, then interspersing malicious dApp links at irregular intervals — typically one malicious post per approximately ten legitimate reposts. This low-signal approach is designed to reduce detection by automated content moderation. The X-based campaign appears to have begun in late 2025. Victims encounter the spoofed page, connect their wallet via a prompted interaction, and are then presented with a transaction to sign. Signing the transaction authorizes the drainer script to transfer all accessible assets. 
The impersonated services — including Phantom, Bitget, and Jito — are selected to maximize victim trust and conversion rates.","heading":"Distribution and Social Engineering Vectors","severity":"high","sources":[{"credibility":1,"name":"Rublevka Team: Anatomy of a Russian Crypto Drainer Operation — Recorded Future Insikt Group","type":"research","url":"https://www.recordedfuture.com/research/rublevka-team-anatomy-russian-crypto-drainer-operation"},{"credibility":2,"name":"How Crypto Drainers Are Using X (Twitter) to Target Web3 Users — Blockaid","type":"research","url":"https://blockaid.io/blog/how-crypto-drainers-are-using-x-twitter-to-target-web3-users"}]},{"content":"Rublevka Team's primary shared domains identified by Insikt Group include open-sol[.]cc, sol-galaxy[.]cc, web-core[.]cc, sol-hook[.]org, and sol-coin[.]xyz. Backend infrastructure was hosted at domains including g-app-d[.]cc, fontmaxplugin[.]cc, and commontechrepo[.]cc. The primary IP address associated with the backend hosting is 158[.]94[.]208[.]165, registered to 'Lanedonet Datacenter,' which Insikt Group assessed with high confidence to be operated by the threat-enabling hosting provider Virtualine Technologies — a network previously registered as 'Metaspinner Net Gmbh' before re-registration following RIPE NCC intervention. Approximately 900 or more domains were registered in connection with Rublevka infrastructure since April 2025, with individual shared domains hosting between 70 and 400 subdomains. Domain registrations used fabricated registrant information, including the alias 'Alexander Petrov' with the email address alex.petrov.domain@emailsecure.tech and a fictitious address at 742 Evergreen Drive, Springfield, OR. 
Domain rotation is frequent; the group experienced continuous disruptions to shared domain service from December 2025 into early 2026.","heading":"Infrastructure and Hosting","severity":"high","sources":[{"credibility":1,"name":"Rublevka Team: Anatomy of a Russian Crypto Drainer Operation — Recorded Future Insikt Group","type":"research","url":"https://www.recordedfuture.com/research/rublevka-team-anatomy-russian-crypto-drainer-operation"},{"credibility":2,"name":"Lanedonet Datacenter IP addresses — NetworksDB","type":"other","url":"https://networksdb.io/ip-addresses-of/lanedonet-datacenter"},{"credibility":2,"name":"Virtualine Technologies IP addresses — NetworksDB","type":"other","url":"https://networksdb.io/ip-addresses-of/virtualine-technologies"}]},{"content":"Recorded Future identified the following aliases associated with the operation, all unverified as to real-world identity. The founding operator used the alias 'denisssss_inactive' on LolzTeam Forum and is believed to remain involved in vetting affiliate applications. Two administrators identified at the time of the February 2026 report used the aliases 'Jesse Pinkman' and 'Shell.' Among documented affiliate earners, 'hard working guy' is the top earner with over $1.3 million from 799 transactions; 'think about it' is the second-highest earner with over $1.04 million from 145 transactions. Other named affiliates from the leaderboard include 'Zatecky Gus' and 'Mr. Zelensky.' No real-world identities were confirmed for any of these aliases. 
Infrastructure domain registrations used the alleged name 'Alexander Petrov,' assessed by Insikt Group as likely fabricated.","heading":"Known Aliases and Operator Identities","severity":"medium","sources":[{"credibility":1,"name":"Rublevka Team: Anatomy of a Russian Crypto Drainer Operation — Recorded Future Insikt Group","type":"research","url":"https://www.recordedfuture.com/research/rublevka-team-anatomy-russian-crypto-drainer-operation"}]},{"content":"As of the date of this investigation (May 2026), no publicly documented law enforcement actions, arrests, indictments, or sanctions specifically targeting Rublevka Team or its identified aliases have been reported. The Recorded Future report published February 4, 2026 constitutes the primary public intelligence disclosure. The operation's Russian-language orientation and use of bulletproof-hosting-adjacent infrastructure (Virtualine Technologies / Lanedonet Datacenter) may complicate jurisdictional enforcement. No OFAC designations, DOJ charges, or Europol actions associated with Rublevka Team were found in available public records.","heading":"Law Enforcement and Regulatory Status","severity":"medium","sources":[{"credibility":1,"name":"Rublevka Team: Anatomy of a Russian Crypto Drainer Operation — Recorded Future Insikt Group","type":"research","url":"https://www.recordedfuture.com/research/rublevka-team-anatomy-russian-crypto-drainer-operation"}]}],"sources_used":[{"credibility":1,"name":"Rublevka Team: Anatomy of a Russian Crypto Drainer Operation — Recorded Future Insikt Group","type":"research","url":"https://www.recordedfuture.com/research/rublevka-team-anatomy-russian-crypto-drainer-operation"},{"credibility":1,"name":"Recorded Future CTA-2026-0204 Full Report PDF","type":"research","url":"https://assets.recordedfuture.com/insikt-report-pdfs/2026/cta-2026-0204.pdf"},{"credibility":2,"name":"Russian crypto gang caught stealing millions on Solana and TON — 
CyberNews","type":"news_article","url":"https://cybernews.com/cybercrime/russian-crypto-criminals-behind-solana-ton-draining-campaigns/"},{"credibility":2,"name":"SecurityOnline: Hard Working Thieves — Rublevka Team Steals $10M in Solana Scam-as-a-Service","type":"news_article","url":"https://securityonline.info/hard-working-thieves-rublevka-team-steals-10m-in-solana-scam-as-a-service/"},{"credibility":2,"name":"ShieldGuard Protocol — The Rublevka Team Drainer Network","type":"research","url":"https://shieldguard.io/the-rublevka-team-drainer-network/"},{"credibility":2,"name":"How Crypto Drainers Are Using X (Twitter) to Target Web3 Users — Blockaid","type":"research","url":"https://blockaid.io/blog/how-crypto-drainers-are-using-x-twitter-to-target-web3-users"},{"credibility":2,"name":"Lanedonet Datacenter IP addresses — NetworksDB","type":"other","url":"https://networksdb.io/ip-addresses-of/lanedonet-datacenter"},{"credibility":2,"name":"Virtualine Technologies IP addresses — NetworksDB","type":"other","url":"https://networksdb.io/ip-addresses-of/virtualine-technologies"},{"credibility":2,"name":"Gurucul Threat Research — Rublevka Team: Anatomy of a Russian Crypto Drainer Operation","type":"research","url":"https://gurucul.com/latest-threats/rublevka-team-anatomy-of-a-russian-crypto-drainer-operation/"},{"credibility":2,"name":"Malware News — Rublevka Team: Anatomy of a Russian Crypto Drainer Operation","type":"news_article","url":"https://malware.news/t/rublevka-team-anatomy-of-a-russian-crypto-drainer-operation/103854"}],"summary":"Rublevka Team is a Russian-speaking, affiliate-driven drainer-as-a-service operation active since 2023 that has documented over $10.9 million in cryptocurrency theft across at least 240,000 wallet drain events. The group operates primarily on the Solana blockchain as of spring 2025 and markets its tooling to low-skill affiliates through Telegram bots and Russian-language cybercrime forums. 
No law enforcement actions or sanctions had been publicly reported as of the date of this investigation.","timeline":[{"date":"2023-01-01","event":"Rublevka Team founded on LolzTeam Forum by alias 'denisssss_inactive'; initial phase operates fake cryptocurrency exchanges to harvest victim funds.","source":"Recorded Future Insikt Group CTA-2026-0204","source_url":"https://www.recordedfuture.com/research/rublevka-team-anatomy-russian-crypto-drainer-operation"},{"date":"2024-05-01","event":"Telegram main chat '[RublevkaTeam] Chat' activity begins (messages documented from May 2024 onward). Group pivots from fake exchanges to custom JavaScript drainer targeting TON blockchain airdrop lures.","source":"Recorded Future Insikt Group CTA-2026-0204","source_url":"https://www.recordedfuture.com/research/rublevka-team-anatomy-russian-crypto-drainer-operation"},{"date":"2025-04-01","event":"Rublevka Team abandons TON and pivots to Solana. Over 900 new domains registered in connection with SOL drainer infrastructure beginning this month.","source":"Recorded Future Insikt Group CTA-2026-0204","source_url":"https://www.recordedfuture.com/research/rublevka-team-anatomy-russian-crypto-drainer-operation"},{"date":"2025-04-18","event":"Alias 'denisssss_inactive' posts latest recruitment advertisement for the SOL drainer affiliate program on LolzTeam Forum.","source":"Recorded Future Insikt Group CTA-2026-0204","source_url":"https://www.recordedfuture.com/research/rublevka-team-anatomy-russian-crypto-drainer-operation"},{"date":"2025-08-01","event":"Recorded Future Insikt Group begins active monitoring of Rublevka Team operations.","source":"Recorded Future Insikt Group CTA-2026-0204","source_url":"https://www.recordedfuture.com/research/rublevka-team-anatomy-russian-crypto-drainer-operation"},{"date":"2025-09-01","event":"Rublevka Team begins using X (Twitter) as a distribution vector through compromised Web3-branded accounts, interspersing malicious dApp links among legitimate 
reposts.","source":"Recorded Future Insikt Group CTA-2026-0204; Blockaid Blog","source_url":"https://blockaid.io/blog/how-crypto-drainers-are-using-x-twitter-to-target-web3-users"},{"date":"2025-12-08","event":"Total documented revenue surpasses $10.9 million across 240,000+ wallet drain events, based on Insikt Group monitoring of the Rublevka Telegram profits channel.","source":"Recorded Future Insikt Group CTA-2026-0204","source_url":"https://www.recordedfuture.com/research/rublevka-team-anatomy-russian-crypto-drainer-operation"},{"date":"2025-12-01","event":"Continuous disruptions to Rublevka Team's shared domain hosting service begin, extending into early 2026, causing operational friction but not cessation of activity.","source":"Recorded Future Insikt Group CTA-2026-0204","source_url":"https://www.recordedfuture.com/research/rublevka-team-anatomy-russian-crypto-drainer-operation"},{"date":"2026-02-04","event":"Recorded Future Insikt Group publishes 'Rublevka Team: Anatomy of a Russian Crypto Drainer Operation' (CTA-2026-0204), the first major public intelligence disclosure on the group.","source":"Recorded Future Insikt Group CTA-2026-0204","source_url":"https://www.recordedfuture.com/research/rublevka-team-anatomy-russian-crypto-drainer-operation"}]},"v":1}