Pulse Detail — Threat Intelligence

PULSE NAME

IOC - Rublevka Team: Anatomy of a Russian Crypto Drainer Operation

WHITE celestre 2026-02-05 Modified: 2026-03-07

IOCs

MEDIUM VOLUME

Insikt Group has identified a major cybercriminal operation specializing in large-scale cryptocurrency theft, operating under the moniker “Rublevka Team”. Since its inception in 2023, the threat group has generated over $10 million through affiliate-driven wallet draining campaigns. Rublevka Team is an example of a “traffer team,” composed of a network of thousands of social engineering specialists tasked with directing victim traffic to malicious pages. Unlike traditional malware-based approaches such as those used by the traffer teams Marko Polo and CrazyEvil (previously identified by Insikt Group, both of which distributed infostealer malware), Rublevka Team deploys custom JavaScript scripts via spoofed landing pages that impersonate legitimate crypto services, tricking victims into connecting their wallets and authorizing fraudulent transactions.

Indicators of Compromise (33)

All URL FileHash-MD5 FileHash-SHA256 domain email hostname

TYPE	INDICATOR	DESCRIPTION	CREATED
URL	https://solana-rpc.publicnode.com	—	2026-02-05
FileHash-MD5	730eede4c040eafa7a928a503b6cd650	—	2026-02-05
FileHash-SHA256	78bfb193ba291e17360126796ec9b93acdfec75867619fc50c5d45d7081009b6	—	2026-02-05
FileHash-SHA256	93288b95db8cba2b8d3f38246be46e383990a9fcdd06bf26417a5935a8fe0a27	—	2026-02-05
FileHash-SHA256	9c21d538c2a556f4a5b351b29f3513097ac57643f291ff6d751400d8dbc69489	—	2026-02-05
FileHash-SHA256	af5bed914f5406e7c1a3f30f91dfe34d81c5b06c571c59417fe4e2bde966325c	—	2026-02-05
FileHash-SHA256	b9157f6bff6a6ee6ba5932ebac2c8796836b21eb3c69df08fbeb102e9228ba15	—	2026-02-05
FileHash-SHA256	ea8e780d0c292bfd1a3ee6bd9b8d77900a545bd3be3105891816c8f561eeb302	—	2026-02-05
FileHash-SHA256	fcf1bbac7dae24b6e0357bee6e8e184dfd193ddf8b341feaa9a3d83265af8f0a	—	2026-02-05
URL	https://mainnet.helius-rpc.com/?api-key=	—	2026-02-05
URL	https://mainnet.helius-rpc.com/?api-key=3b5315ac-170e-4e0e-a60e-4ff5b444fbcf	—	2026-02-05
URL	https://mainnet.helius-rpc.com/?api-key=44b7171f-7de7-4e68-9d08-eff1ef7529bd	—	2026-02-05
URL	https://mainnet.helius-rpc.com/?api-key=55065729-bda8-4cf8-87a1-7bd64cf22726	—	2026-02-05
URL	https://mainnet.helius-rpc.com/?api-key=8e0e9a34-2648-421a-8f22-6460b4a68705	—	2026-02-05
URL	https://mainnet.helius-rpc.com/?api-key=bfd713ef-c9a7-404f-804c-e682c2bd0d3b	—	2026-02-05
URL	https://mainnet.helius-rpc.com/?api-key=db25ae76-7277-45ce-b21a-5be1a61f2f04	—	2026-02-05
URL	https://mainnet.helius-rpc.com/?api-key=f30d6a96-5fa2-4318-b2da-0f6d1deb5c83	—	2026-02-05
URL	https://rpc.walletconnect.org/v1/?chainId=solana%3A5eykt4UsFv8P8NJdTREpY1vzqKqZKvdp&projectId=730eede4c040eafa7a928a503b6cd650	—	2026-02-05
domain	burn-shard-bridge.xyz	—	2026-02-05
domain	commontechrepo.cc	—	2026-02-05
domain	efficient-endpoint.site	—	2026-02-05
domain	emailsecure.tech	—	2026-02-05
domain	fontmaxplugin.cc	—	2026-02-05
domain	g-app-d.cc	—	2026-02-05
domain	open-sol.cc	—	2026-02-05
domain	pumptoken.net	—	2026-02-05
domain	sol-galaxy.cc	—	2026-02-05
domain	sol-hook.org	—	2026-02-05
domain	web-core.cc	—	2026-02-05
email	alex.petrov.domain@emailsecure.tech	—	2026-02-05
hostname	mainnet.helius-rpc.com	—	2026-02-05
hostname	rpc.walletconnect.org	—	2026-02-05
hostname	solana-rpc.publicnode.com	—	2026-02-05

References (1)

↗ https://www.recordedfuture.com/research/rublevka-team-anatomy-russian-crypto-drainer-operation