{ "type": "Domain", "indicator": "web-core.cc", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/web-core.cc", "alexa": "http://www.alexa.com/siteinfo/web-core.cc", "indicator": "web-core.cc", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4197100713, "indicator": "web-core.cc", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 3, "pulses": [ { "id": "698364aade09c6acd9e673b9", "name": "Anatomy of a Russian Crypto Drainer Operation", "description": "A major cybercriminal operation called Rublevka Team has generated over $10 million through cryptocurrency theft since 2023. The group employs a network of social engineering specialists who direct victims to malicious pages impersonating legitimate crypto services. Using custom JavaScript scripts, they trick users into connecting wallets and authorizing fraudulent transactions. Rublevka Team's infrastructure is fully automated, offering affiliates access to tools for launching high-volume scams. Their model poses a growing threat to cryptocurrency platforms and brands, with potential for reputational and legal risks. The group's agility in rotating domains and targeting lower-cost chains like Solana undermines traditional fraud detection efforts.", "modified": "2026-03-06T15:01:37.981000", "created": "2026-02-04T15:24:26.608000", "tags": [ "wallet draining", "javascript drainer", "social engineering", "solana", "brand impersonation", "phishing", "cryptocurrency theft", "affiliate program" ], "references": [ "https://www.recordedfuture.com/research/rublevka-team-anatomy-russian-crypto-drainer-operation", "https://www.recordedfuture.com/research/media_1f21796732ee17098dc9eae5148e093dc47d7f9de.gif?width=1200&format=pjpg&optimize=medium" ], "public": 1, "adversary": "Rublevka Team", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "URL": 10, "FileHash-MD5": 1, "FileHash-SHA256": 7, "domain": 23, "hostname": 7 }, "indicator_count": 48, "is_author": false, "is_subscribing": null, "subscriber_count": 386564, "modified_text": "86 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "698408e23725b5d83f3ac6f4", "name": "IOC - Rublevka Team: Anatomy of a Russian Crypto Drainer Operation", "description": "Insikt Group has identified a major cybercriminal operation specializing in large-scale cryptocurrency theft, operating under the moniker \u201cRublevka Team\u201d. Since its inception in 2023, the threat group has generated over $10 million through affiliate-driven wallet draining campaigns. Rublevka Team is an example of a \u201ctraffer team,\u201d composed of a network of thousands of social engineering specialists tasked with directing victim traffic to malicious pages. Unlike traditional malware-based approaches such as those used by the traffer teams Marko Polo and CrazyEvil (previously identified by Insikt Group, both of which distributed infostealer malware), Rublevka Team deploys custom JavaScript scripts via spoofed landing pages that impersonate legitimate crypto services, tricking victims into connecting their wallets and authorizing fraudulent transactions.", "modified": "2026-03-07T03:01:37.719000", "created": "2026-02-05T03:05:06.506000", "tags": [ "email" ], "references": [ "https://www.recordedfuture.com/research/rublevka-team-anatomy-russian-crypto-drainer-operation" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 10, "FileHash-MD5": 1, "FileHash-SHA256": 7, "domain": 11, "email": 1, "hostname": 3 }, "indicator_count": 33, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "85 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69844eb49602db963a7caf60", "name": "Anatomy of a Russian Crypto Drainer Operation", "description": "", "modified": "2026-03-06T15:01:37.981000", "created": "2026-02-05T08:03:00.115000", "tags": [ "wallet draining", "javascript drainer", "social engineering", "solana", "brand impersonation", "phishing", "cryptocurrency theft", "affiliate program" ], "references": [ "https://www.recordedfuture.com/research/rublevka-team-anatomy-russian-crypto-drainer-operation", "https://www.recordedfuture.com/research/media_1f21796732ee17098dc9eae5148e093dc47d7f9de.gif?width=1200&format=pjpg&optimize=medium" ], "public": 1, "adversary": "Rublevka Team", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "698364aade09c6acd9e673b9", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 10, "FileHash-MD5": 1, "FileHash-SHA256": 7, "domain": 23, "hostname": 7 }, "indicator_count": 48, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "86 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://www.recordedfuture.com/research/rublevka-team-anatomy-russian-crypto-drainer-operation", "https://www.recordedfuture.com/research/media_1f21796732ee17098dc9eae5148e093dc47d7f9de.gif?width=1200&format=pjpg&optimize=medium" ], "related": { "alienvault": { "adversary": [ "Rublevka Team" ], "malware_families": [], "industries": [] }, "other": { "adversary": [ "Rublevka Team" ], "malware_families": [], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 3, "pulses": [ { "id": "698364aade09c6acd9e673b9", "name": "Anatomy of a Russian Crypto Drainer Operation", "description": "A major cybercriminal operation called Rublevka Team has generated over $10 million through cryptocurrency theft since 2023. The group employs a network of social engineering specialists who direct victims to malicious pages impersonating legitimate crypto services. Using custom JavaScript scripts, they trick users into connecting wallets and authorizing fraudulent transactions. Rublevka Team's infrastructure is fully automated, offering affiliates access to tools for launching high-volume scams. Their model poses a growing threat to cryptocurrency platforms and brands, with potential for reputational and legal risks. The group's agility in rotating domains and targeting lower-cost chains like Solana undermines traditional fraud detection efforts.", "modified": "2026-03-06T15:01:37.981000", "created": "2026-02-04T15:24:26.608000", "tags": [ "wallet draining", "javascript drainer", "social engineering", "solana", "brand impersonation", "phishing", "cryptocurrency theft", "affiliate program" ], "references": [ "https://www.recordedfuture.com/research/rublevka-team-anatomy-russian-crypto-drainer-operation", "https://www.recordedfuture.com/research/media_1f21796732ee17098dc9eae5148e093dc47d7f9de.gif?width=1200&format=pjpg&optimize=medium" ], "public": 1, "adversary": "Rublevka Team", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "URL": 10, "FileHash-MD5": 1, "FileHash-SHA256": 7, "domain": 23, "hostname": 7 }, "indicator_count": 48, "is_author": false, "is_subscribing": null, "subscriber_count": 386564, "modified_text": "86 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "698408e23725b5d83f3ac6f4", "name": "IOC - Rublevka Team: Anatomy of a Russian Crypto Drainer Operation", "description": "Insikt Group has identified a major cybercriminal operation specializing in large-scale cryptocurrency theft, operating under the moniker \u201cRublevka Team\u201d. Since its inception in 2023, the threat group has generated over $10 million through affiliate-driven wallet draining campaigns. Rublevka Team is an example of a \u201ctraffer team,\u201d composed of a network of thousands of social engineering specialists tasked with directing victim traffic to malicious pages. Unlike traditional malware-based approaches such as those used by the traffer teams Marko Polo and CrazyEvil (previously identified by Insikt Group, both of which distributed infostealer malware), Rublevka Team deploys custom JavaScript scripts via spoofed landing pages that impersonate legitimate crypto services, tricking victims into connecting their wallets and authorizing fraudulent transactions.", "modified": "2026-03-07T03:01:37.719000", "created": "2026-02-05T03:05:06.506000", "tags": [ "email" ], "references": [ "https://www.recordedfuture.com/research/rublevka-team-anatomy-russian-crypto-drainer-operation" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 10, "FileHash-MD5": 1, "FileHash-SHA256": 7, "domain": 11, "email": 1, "hostname": 3 }, "indicator_count": 33, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "85 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69844eb49602db963a7caf60", "name": "Anatomy of a Russian Crypto Drainer Operation", "description": "", "modified": "2026-03-06T15:01:37.981000", "created": "2026-02-05T08:03:00.115000", "tags": [ "wallet draining", "javascript drainer", "social engineering", "solana", "brand impersonation", "phishing", "cryptocurrency theft", "affiliate program" ], "references": [ "https://www.recordedfuture.com/research/rublevka-team-anatomy-russian-crypto-drainer-operation", "https://www.recordedfuture.com/research/media_1f21796732ee17098dc9eae5148e093dc47d7f9de.gif?width=1200&format=pjpg&optimize=medium" ], "public": 1, "adversary": "Rublevka Team", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "698364aade09c6acd9e673b9", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 10, "FileHash-MD5": 1, "FileHash-SHA256": 7, "domain": 23, "hostname": 7 }, "indicator_count": 48, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "86 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "web-core.cc", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "web-core.cc", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780255528.4976053 }