Pulse Detail — Threat Intelligence

PULSE NAME

Anatomy of a Russian Crypto Drainer Operation

WHITE Rublevka Team AlienVault 2026-02-04 Modified: 2026-03-06

IOCs

MEDIUM VOLUME

A major cybercriminal operation called Rublevka Team has generated over $10 million through cryptocurrency theft since 2023. The group employs a network of social engineering specialists who direct victims to malicious pages impersonating legitimate crypto services. Using custom JavaScript scripts, they trick users into connecting wallets and authorizing fraudulent transactions. Rublevka Team's infrastructure is fully automated, offering affiliates access to tools for launching high-volume scams. Their model poses a growing threat to cryptocurrency platforms and brands, with potential for reputational and legal risks. The group's agility in rotating domains and targeting lower-cost chains like Solana undermines traditional fraud detection efforts.

Indicators of Compromise (48)

All URL FileHash-MD5 FileHash-SHA256 domain hostname

TYPE	INDICATOR	DESCRIPTION	CREATED
URL	https://solana-rpc.publicnode.com	—	2026-02-04
FileHash-MD5	730eede4c040eafa7a928a503b6cd650	—	2026-02-04
FileHash-SHA256	78bfb193ba291e17360126796ec9b93acdfec75867619fc50c5d45d7081009b6	—	2026-02-04
FileHash-SHA256	93288b95db8cba2b8d3f38246be46e383990a9fcdd06bf26417a5935a8fe0a27	—	2026-02-04
FileHash-SHA256	9c21d538c2a556f4a5b351b29f3513097ac57643f291ff6d751400d8dbc69489	—	2026-02-04
FileHash-SHA256	af5bed914f5406e7c1a3f30f91dfe34d81c5b06c571c59417fe4e2bde966325c	—	2026-02-04
FileHash-SHA256	b9157f6bff6a6ee6ba5932ebac2c8796836b21eb3c69df08fbeb102e9228ba15	—	2026-02-04
FileHash-SHA256	ea8e780d0c292bfd1a3ee6bd9b8d77900a545bd3be3105891816c8f561eeb302	—	2026-02-04
FileHash-SHA256	fcf1bbac7dae24b6e0357bee6e8e184dfd193ddf8b341feaa9a3d83265af8f0a	—	2026-02-04
URL	https://mainnet.helius-rpc.com/?api-key=	—	2026-02-04
URL	https://mainnet.helius-rpc.com/?api-key=3b5315ac-170e-4e0e-a60e-4ff5b444fbcf	—	2026-02-04
URL	https://mainnet.helius-rpc.com/?api-key=44b7171f-7de7-4e68-9d08-eff1ef7529bd	—	2026-02-04
URL	https://mainnet.helius-rpc.com/?api-key=55065729-bda8-4cf8-87a1-7bd64cf22726	—	2026-02-04
URL	https://mainnet.helius-rpc.com/?api-key=8e0e9a34-2648-421a-8f22-6460b4a68705	—	2026-02-04
URL	https://mainnet.helius-rpc.com/?api-key=bfd713ef-c9a7-404f-804c-e682c2bd0d3b	—	2026-02-04
URL	https://mainnet.helius-rpc.com/?api-key=db25ae76-7277-45ce-b21a-5be1a61f2f04	—	2026-02-04
URL	https://mainnet.helius-rpc.com/?api-key=f30d6a96-5fa2-4318-b2da-0f6d1deb5c83	—	2026-02-04
URL	https://rpc.walletconnect.org/v1/?chainId=solana%3A5eykt4UsFv8P8NJdTREpY1vzqKqZKvdp&projectId=730eede4c040eafa7a928a503b6cd650	—	2026-02-04
domain	burn-shard-bridge.xyz	—	2026-02-04
domain	commontechrepo.cc	—	2026-02-04
domain	efficient-endpoint.site	—	2026-02-04
domain	emailsecure.tech	—	2026-02-04
domain	events-dege.com	—	2026-02-04
domain	g-app-d.cc	—	2026-02-04
domain	highperformance-kit.online	—	2026-02-04
domain	highperformance-shard.online	—	2026-02-04
domain	instant-automated-matrix.website	—	2026-02-04
domain	luna-memex.com	—	2026-02-04
domain	minordao.co	—	2026-02-04
domain	open-sol.cc	—	2026-02-04
domain	private-peer.store	—	2026-02-04
domain	public-proof.online	—	2026-02-04
domain	pump-foundation.xyz	—	2026-02-04
domain	pumptoken.net	—	2026-02-04
domain	rublevkateam.cc	—	2026-02-04
domain	rugchecker.fun	—	2026-02-04
domain	sol-chey.com	—	2026-02-04
domain	sol-coin.xyz	—	2026-02-04
domain	sol-galaxy.cc	—	2026-02-04
domain	sol-hook.org	—	2026-02-04
domain	web-core.cc	—	2026-02-04
hostname	check.me-fnd.com	—	2026-02-04
hostname	fortunawhee.sol-galaxy.cc	—	2026-02-04
hostname	rewards.sol-galaxy.cc	—	2026-02-04
hostname	solana-rpc.publicnode.com	—	2026-02-04
hostname	soldrop.solvault.ws	—	2026-02-04
hostname	token.pump-launch.fun	—	2026-02-04
hostname	usdcoin.sol-galaxy.cc	—	2026-02-04

References (2)

↗ https://www.recordedfuture.com/research/rublevka-team-anatomy-russian-crypto-drainer-operation ↗ https://www.recordedfuture.com/research/media_1f21796732ee17098dc9eae5148e093dc47d7f9de.gif?width=1200&format=pjpg&optimize=medium