Rublevka Team exemplifies the industrialization of crypto scams. Learn how traffer teams and wallet drainers enable high-volume theft.
# Threat Actor: Rublevka Team
## Attribution & Identity
* **Attribution:** Russian cybercriminal operation. The name is likely a reference to the wealthy Rublevka neighborhood of Moscow.
* **Known Aliases/Groups:** Operates as a "traffer team." Associated with the ecosystem of other traffer teams like Marko Polo and CrazyEvil, but utilizes a different primary method (drainers vs. infostealers).
* **Operational Platforms:** Primarily operates on LolzTeam Forum, with smaller presences on Exploit Forum and XSS.
## Activity Summary
* **Inception:** Active since 2023 (first launched on LolzTeam Forum by user "denisssss_inactive").
* **Financial Scope:** Generated over $10 million through affiliate-driven wallet draining campaigns as of the time of analysis.
* **Campaign Characteristics:** Employs an affiliate model industrializing crypto scams. Campaigns involve creating attractive SOL-based offers (e.g., promotions, airdrops), generating traffic via social media/advertisements, luring victims to spoofed landing pages, tricking them into connecting their wallets, and authorizing fraudulent transactions that drain funds.
* **Scale:** Their automated "profits" channel shows over 240,000 messages, suggesting at least 240,000 successful wallet drains, with individual losses ranging up to $20,000.
## Tactics, Techniques & Procedures
* **Deceptive Lures:** Uses spoofed landing pages impersonating legitimate crypto services (e.g., Phantom, Bitget, Jito) to maximize user trust.
* **Wallet Draining:** Deploys custom JavaScript wallet drainers embedded in landing pages to exfiltrate victim assets by tricking users into signing transactions.
* **Targeted Chain Exploitation:** Focuses on lower-cost chains like Solana (SOL).
* **API Abuse:** Abuses blockchain Remote Procedure Call (RPC) APIs to authorize and submit the draining transactions.
* **Evasion:** Utilizes frequently rotating domains to undermine traditional domain takedown efforts.
* **Automation/Service Model:** Infrastructure is fully automated via Telegram bots, offering affiliates tools for landing page creation, campaign tracking, cloaking, and DDoS protection. This mimics a Ransomware-as-a-Service (RaaS) model.
* **Compatibility:** The custom drainer is compatible with over 90 distinct SOL wallet types.
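The drain described above works only if the victim signs a transaction whose effect they did not understand. The following is an added example (not Rublevka Team tooling and not any real wallet's code) of the kind of wallet-side check that inspects the *simulated* effect of a transaction before the signing prompt is shown and flags the three patterns a drainer relies on: a large proportional outflow from the signer, a transfer of authority over a signer-owned account, and a signing request from an origin the user has never approved. The transaction model is a constructed simplification of a Solana transaction (instruction names such as `setAuthority` and `assign` exist in the SPL Token and System programs, but the field layout here is invented for the example); the thresholds, the origin allowlist and both sample transactions are assumptions.

```python
"""Pre-signature screening of a simulated wallet transaction (added example)."""
from dataclasses import dataclass, field


@dataclass
class Instruction:
    program: str                 # e.g. "system", "spl-token" (constructed naming)
    kind: str                    # e.g. "transfer", "setAuthority", "approve"
    fields: dict = field(default_factory=dict)


@dataclass
class SimulatedTx:
    signer: str                  # the user's wallet address
    origin: str                  # web origin that requested the signature
    instructions: list
    pre_balances: dict           # (account, asset) -> balance before simulation
    balance_deltas: dict         # (account, asset) -> net change; negative = outflow


# Assumed allowlist: origins this user has previously connected and approved.
APPROVED_ORIGINS = {"https://dex.example", "https://staking.example"}

# Instruction kinds that change who controls an account (assumed set).
AUTHORITY_KINDS = {"setAuthority", "approve", "assign"}


def screen_transaction(tx, outflow_threshold=0.5):
    """Return a list of (severity, reason); an empty list means nothing suspicious."""
    findings = []
    # 1. Any instruction that hands control of a signer-owned account to someone else.
    for ins in tx.instructions:
        if ins.kind in AUTHORITY_KINDS and ins.fields.get("current_owner") == tx.signer:
            findings.append(("high", f"{ins.program}:{ins.kind} hands control of a "
                                     f"signer-owned account to {ins.fields.get('new_authority')}"))
    # 2. Outflow that removes a large share of what the signer holds in an asset.
    for (account, asset), delta in tx.balance_deltas.items():
        if account != tx.signer or delta >= 0:
            continue
        before = tx.pre_balances.get((account, asset), 0)
        if before > 0 and -delta / before >= outflow_threshold:
            findings.append(("high", f"removes {-delta / before:.0%} of the signer's {asset}"))
    # 3. Any outflow at all requested by an origin the user never approved.
    signer_outflow = any(a == tx.signer and d < 0 for (a, _), d in tx.balance_deltas.items())
    if signer_outflow and tx.origin not in APPROVED_ORIGINS:
        findings.append(("medium", f"outflow requested by unapproved origin {tx.origin}"))
    return findings


def verdict(findings):
    """Collapse findings into the action the wallet UI should take."""
    severities = {s for s, _ in findings}
    if "high" in severities:
        return "block"
    if "medium" in severities:
        return "warn"
    return "allow"


# Constructed sample 1: what a spoofed "airdrop" page asks the wallet to sign.
DRAIN_TX = SimulatedTx(
    signer="VictimWallet1111",
    origin="https://phantom-airdrop.example",
    instructions=[
        Instruction("system", "transfer",
                    {"from": "VictimWallet1111", "to": "DrainerWallet9999", "lamports": 1_950_000_000}),
        Instruction("spl-token", "setAuthority",
                    {"account": "VictimTokenAcct", "current_owner": "VictimWallet1111",
                     "new_authority": "DrainerWallet9999"}),
    ],
    pre_balances={("VictimWallet1111", "SOL"): 2_000_000_000},
    balance_deltas={("VictimWallet1111", "SOL"): -1_950_000_000,
                    ("DrainerWallet9999", "SOL"): 1_950_000_000},
)

# Constructed sample 2: an ordinary swap on an origin the user has used before.
SWAP_TX = SimulatedTx(
    signer="VictimWallet1111",
    origin="https://dex.example",
    instructions=[Instruction("dex", "swap", {"in": "SOL", "out": "USDC"})],
    pre_balances={("VictimWallet1111", "SOL"): 2_000_000_000},
    balance_deltas={("VictimWallet1111", "SOL"): -10_000_000,
                    ("VictimWallet1111", "USDC"): 1_500_000},
)

if __name__ == "__main__":
    for name, tx in (("drain", DRAIN_TX), ("swap", SWAP_TX)):
        found = screen_transaction(tx)
        print(name, verdict(found), found)
```

The check keys on simulated balance changes rather than on the raw instruction bytes, which is why it is robust to the drainer being compatible with many wallet types: whatever the client-side script does, the signed transaction still has to move the funds or the authority, and that shows up in the simulation.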
## Targeting
* **Sectors:** Cryptocurrency platforms, fintech providers, exchanges, wallet providers, and any entity whose brand identity can be effectively impersonated.
* **Geography:** Global (implied by the scope of affiliate-driven campaigns and wallet support).
* **Victims:** Individual cryptocurrency holders, particularly those active in the Solana ecosystem.
## Tools & Infrastructure
* **Primary Tool:** Custom JavaScript wallet drainer script.
* **Infrastructure:** Fully automated system supported by Telegram bots providing:
  * Landing page generators
  * Campaign tracking tools
  * Cloaking features
  * DDoS protection
* **C2/Shared Assets:** Telegram channels (primary channel ~7,000 members; automated "profits" channel for transaction logging). No specific C2 domains/IPs were provided in the summary context, only associated wallet addresses.
## Implications
* **Industrialization of Scams:** Rublevka Team exemplifies the industrialization and service-based nature of modern crypto crime, significantly lowering the technical barrier for high-volume theft.
* **Reputational Risk:** Poses significant reputational and legal risk to legitimate crypto brands whose identities are impersonated, even if the compromise occurs off-platform.
* **Detection Challenges:** Frequent domain rotation and API exploitation make traditional fraud detection and takedown procedures difficult to sustain.
* **Ecosystem Threat:** Their success signals a growing reliance on affiliate networks to scale fraudulent activity globally.
## Mitigations
* **Enhanced Domain Monitoring:** Proactively monitor for and rapidly respond to domains impersonating the organization (especially for crypto-related lures).
* **User Education:** Educate customers (especially those using Solana) about connection risks, transaction authorization warnings, and avoiding unexpected promotions/airdrops originating from untrusted sources.
* **Fraud Detection Focus:** Employ advanced fraud detection capable of analyzing transaction signatures originating from spoofed interfaces, rather than relying solely on traditional network indicators.
* **RPC Endpoint Security:** Review and potentially restrict the use of public RPC endpoints if possible, or implement stronger validation checks on transactions initiated via external sources.
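Because the operation relies on fast domain rotation, the domain monitoring mitigation above has to run continuously over a feed of newly seen domains rather than as a one-off search. The following is an added example, not the report's or any vendor's tool, of a scorer for such a feed: it normalizes common digit and homoglyph substitutions, checks for the monitored brand names embedded in or one edit away from the registrable label, and adds weight for the promotion and airdrop wording the report describes as the lure. The brand list uses the three brands named in the report; the allowlist of legitimate domains, the lure keyword list, the scoring weights and the sample feed are assumptions and should be replaced with the monitoring organization's own records.

```python
"""Brand-impersonation scoring for a feed of newly observed domains (added example)."""
import re

# Brands named in the report; extend with the brands you are protecting.
BRANDS = {"phantom", "bitget", "jito"}
# Assumed allowlist of legitimate registrations; confirm against your own asset inventory.
LEGITIMATE = {"phantom.app", "bitget.com", "jito.network"}
# Assumed lure vocabulary matching the promotion/airdrop campaigns described in the report.
LURE_WORDS = {"airdrop", "claim", "bonus", "reward", "promo", "giveaway", "connect"}
# Common substitutions used to dodge plain substring matching.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "rn": "m", "vv": "w"}


def registrable_label(domain):
    """Second-level label of the domain (naive; fine for .com/.io/.app style names)."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def normalize(label):
    """Undo digit/homoglyph substitutions and drop separators before matching."""
    label = label.lower()
    for src, dst in HOMOGLYPHS.items():
        label = label.replace(src, dst)
    return re.sub(r"[^a-z]", "", label)


def levenshtein(a, b):
    """Plain edit distance; small enough inputs that the O(len(a)*len(b)) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def score_domain(domain):
    """Return (score, reasons). A score of 2 or more is the assumed threshold for a takedown ticket."""
    domain = domain.lower().strip(".")
    if domain in LEGITIMATE:
        return 0, ["allowlisted"]
    label = registrable_label(domain)
    norm = normalize(label)
    stripped = re.sub(r"[^a-z]", "", label)
    score, reasons = 0, []
    for brand in BRANDS:
        if brand in norm:
            if norm == brand:
                score += 2
                reasons.append(f"brand label '{brand}' on an unexpected TLD")
            else:
                score += 2
                reasons.append(f"embeds brand '{brand}'")
        else:
            d = levenshtein(norm, brand)
            if 0 < d <= max(1, len(brand) // 4):
                score += 2
                reasons.append(f"{d} edit(s) from '{brand}'")
    if any(word in norm for word in LURE_WORDS):
        score += 1
        reasons.append("lure keyword")
    if norm != stripped:
        score += 1
        reasons.append("digit/homoglyph substitution")
    return score, reasons


def scan_feed(domains, threshold=2):
    """Score every domain in the feed and return the flagged ones, highest score first."""
    flagged = []
    for domain in domains:
        score, reasons = score_domain(domain)
        if score >= threshold:
            flagged.append((domain, score, reasons))
    return sorted(flagged, key=lambda item: -item[1])


# Constructed sample feed standing in for a certificate-transparency or new-registration stream.
SAMPLE_FEED = [
    "phantom-airdrop-claim.com",
    "bitg3t-rewards.net",
    "jit0.io",
    "phanton.app",
    "jito.network",
    "example-bakery.com",
]

if __name__ == "__main__":
    for domain, score, reasons in scan_feed(SAMPLE_FEED):
        print(f"{score}  {domain:28} {', '.join(reasons)}")
```

In practice the flagged list feeds a takedown queue and a blocklist for the organization's own web properties; the scorer is deliberately cheap so it can run over every new certificate or registration as it appears, which is what keeps up with rotation.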