Sanctuary Intelligence Desk

The Rublevka kit, per Recorded Future's analysis, automates the full drainer workflow:
1. **Phishing-site generation**: the kit produces fake project sites — spoofed Solana NFT mints, fake airdrop claims, fake DEX frontends — branded to imitate legitimate projects. The sites use `approve()` prompts that, when signed by the victim, grant the attacker's wallet permit-2 spender access to the victim's tokens.
2. **Wallet-connect injection**: the kit interfaces with Phantom, Solflare, and other Solana wallets via the WalletConnect protocol. The victim signs what they believe is a transaction approval; the signature is a permit-2 grant.
3. **Automated draining**: once the permit-2 grant is signed, the kit's backend automatically initiates `transferFrom` calls that move the victim's tokens to attacker-controlled wallets. The draining is automated, completes in seconds, and runs without further user interaction.
4. **Cashout routing**: the drained tokens are swapped via Jupiter aggregator into SOL or USDC, then bridged to Ethereum or BNB Chain via Wormhole or Portal Bridge, then off-ramped via CEX deposits or instant-swap services (ChangeNOW, FixedFloat, StealthEX, SimpleSwap).
The economics: at an affiliate revenue split of 75-80 percent, an affiliate earning $50,000 in drains per month nets $37,500 to $40,000. The kit operator's 20-25 percent share, applied across an estimated 100-plus active affiliates, produces operator monthly revenue in the high six figures.
Rublevka Team is one of approximately six commercially significant drainer operations active in 2026.
**Inferno Drainer** — fully operational despite a 2023 "shutdown." Check Point Research documented 30,000-plus new victims and 1,190 affiliate addresses from September 2024 to March 2025, with approximately $9 million stolen in that six-month window. Inferno spoofed more than 100 crypto brands across 16,000-plus unique domains. The kit uses single-use short-lived smart contracts, on-chain encrypted configs, and proxy communications. Inferno is reportedly transferring kit control to the Angel Drainer team — an evolution that Check Point flagged in early 2026.
**Angel Drainer** — inheriting Inferno's toolkit. Now supports TRON and TON in addition to the EVM and Solana baseline. The migration from Inferno to Angel is the most significant operator-level continuity event in the drainer ecosystem since 2023.
**Sector Drainer** — commercially launched March 17-18, 2026 per Brinztech's alert. The kit is positioned for "rapid deployment by low-technical-skill threat actors" targeting EVM chains. The marketing emphasizes ease of use; the implied target audience is affiliates with limited technical capability who want to operate a drainer without significant operational expertise.
**Eleven Drainer** — active since February 2026 per Recorded Future, operating a phishing-as-a-service syndicate model. The Eleven model bundles drainer kits with phishing-site hosting and Telegram-based customer support, lowering the operational barrier further.
**Riddance Drainer** — Solana-focused. Active January-February 2026. Collection address `8YauSj…`, fee address `G8Zot3kvzPVriX4bwLkgM384jPUyiCUMvbd2VnofziNT`. Operates on a 90/10 revenue split (affiliate/operator) — even more affiliate-friendly than Rublevka.
Adjacent: AiTM phishing kits (Tycoon 2FA, Mamba 2FA, Sneaky 2FA) operate in the same forum ecosystems but target Web2 credentials. Per Microsoft's March 2026 disclosure, Tycoon 2FA accounted for approximately 62 percent of all phishing attempts the company blocked prior to the March 2026 Microsoft-plus-Europol takedown of 330 Tycoon domains. Industry reporting through April-May 2026 has noted Tycoon-class kits returning to operational status within days of disruption; disruption has produced no lasting collapse in the AiTM kit market, and none in the drainer kit market either. Supply has remained elastic across both categories.
Recorded Future's report named Rublevka Team. The operators are visible on LolzTeam, XSS, and Exploit forums. The operator pseudonyms are public. The kit pricing is publicly advertised. The affiliate splits are publicly documented.
Yet no Rublevka operator has been criminally charged as of May 15, 2026. The reasons are structural.
**First, the operators are in Russia.** US extradition treaty coverage of Russia is essentially nonexistent in the current geopolitical environment. The operators face no realistic risk of US arrest unless they travel to a country with a US extradition relationship — an unforced error that experienced operators avoid.
**Second, US enforcement bandwidth is concentrated on higher-priority targets.** DPRK Lazarus prosecutions, Russia-corridor sanctions evasion (Garantex, Grinex), Iran enforcement (the $344 million April 23 freeze), and pig butchering compound takedowns (Chen Zhi's $15 billion forfeiture) absorb the bandwidth. Drainer operators producing $10 million per year are real harm but at a lower tier in the prosecutorial hierarchy.
**Third, the affiliate model distributes blame.** The kit operators sell tools; the affiliates use them. Conventional criminal prosecution of kit operators must navigate the conspiracy-vs-tool-provision distinction the Storm and Pertsev cases exposed. Affiliate operators — who actually execute drains — are scattered, individually small, and operationally anonymous.
**Fourth, the drainer-as-a-service model is itself a structural product.** Even if Rublevka Team operators were doxed and arrested tomorrow, the LolzTeam forum has multiple competing kits ready to absorb affiliate market share. Inferno-to-Angel was the most recent example of seamless operator handoff. The kit-level identification matters less than the affiliate-level identification.
Three operational responses exist in 2026.
**Wallet-side anti-drainer UI**. MetaMask, Phantom, Rabby, Frame, and Trust Wallet have all rolled out features detecting permit-2 approval prompts to non-canonical contracts. The features either block the signature or surface a warning. These are uneven in adoption — power-user wallets implement them more aggressively than mass-market wallets — but the trend is improving.
**Screening-side wallet labeling**. Sanctuary, Chainalysis, TRM Labs, and Elliptic maintain databases of known drainer hot-wallet addresses. Wallets that integrate the screening APIs can refuse to forward permit-2 grants to addresses scoring Critical for `drainer_hot_wallet_2026_q2`. This is the last-mile defense.
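To make the two checks concrete, here is an added Python illustration of a pre-signature screen (not Sanctuary's, MetaMask's, Phantom's or any other vendor's code): a wallet-side rule that flags an approval or permit prompt whose spender is not a canonical contract for the chain, and a screening-side lookup that refuses to forward a grant to an address scoring Critical under a `drainer_` label. Every address, the canonical-spender set, the label database and the risk scores are constructed placeholders; only the `drainer_hot_wallet_2026_q2` and `drainer_kit_operator_2026` tag names come from the text.

```python
"""Pre-signature screening of an approval / permit request.

Added illustration, not Sanctuary's or any wallet vendor's code. Addresses,
the canonical-spender set, the label database and risk scores are constructed.
"""
from dataclasses import dataclass
from enum import Enum

UINT256_MAX = 2**256 - 1  # the "unlimited" allowance value on EVM chains


class Verdict(Enum):
    ALLOW = "allow"
    WARN = "warn"
    BLOCK = "block"


@dataclass(frozen=True)
class ApprovalRequest:
    chain: str    # constructed chain keys, e.g. "ethereum"
    token: str    # token contract / mint the allowance is on
    spender: str  # address that would gain transfer rights
    amount: int   # allowance in base units


@dataclass(frozen=True)
class Label:
    category: str    # e.g. "drainer_hot_wallet_2026_q2"
    risk: str        # "Low" | "Medium" | "High" | "Critical"
    provenance: str  # which feed produced the label


# Constructed allowlist: spenders the wallet treats as canonical, per chain.
CANONICAL_SPENDERS = {
    "ethereum": {"0xcanonical-permit-contract", "0xcanonical-dex-router"},
    "solana": {"CanonicalDexProgram111111111111111111111111"},
}

# Constructed screening database keyed by lowercased address.
LABEL_DB = {
    "0xdeadbeef-affiliate-hot-wallet":
        Label("drainer_hot_wallet_2026_q2", "Critical", "constructed_feed"),
    "0xfee-collector-kit-operator":
        Label("drainer_kit_operator_2026", "Critical", "constructed_feed"),
    "0xsomewhat-suspicious":
        Label("mixer_adjacent", "Medium", "constructed_feed"),
}


def screen_approval(req: ApprovalRequest) -> tuple[Verdict, list[str]]:
    """Return (verdict, reasons). A Critical drainer label blocks outright;
    everything else that looks unusual is surfaced as a warning."""
    reasons: list[str] = []
    spender = req.spender.lower()

    # Screening-side: refuse to forward grants to Critical-scored drainer addresses.
    label = LABEL_DB.get(spender)
    if label is not None:
        if label.risk == "Critical" and label.category.startswith("drainer_"):
            reasons.append(
                f"spender labeled {label.category} ({label.risk}, {label.provenance})")
            return Verdict.BLOCK, reasons
        reasons.append(f"spender labeled {label.category} ({label.risk})")

    # Wallet-side: an approval naming a spender outside the canonical set.
    canonical = {s.lower() for s in CANONICAL_SPENDERS.get(req.chain, set())}
    if spender not in canonical:
        reasons.append("spender is not a canonical contract for this chain")
        # Unlimited allowance to an unfamiliar spender is the classic drainer shape.
        if req.amount >= UINT256_MAX:
            reasons.append("unlimited allowance requested for a non-canonical spender")

    return (Verdict.WARN if reasons else Verdict.ALLOW), reasons


if __name__ == "__main__":
    sample = ApprovalRequest("ethereum", "0xtoken",
                             "0xDEADBEEF-Affiliate-Hot-Wallet", UINT256_MAX)
    print(screen_approval(sample))
```

Blocking is reserved for the labeled-address hit, because that is the only signal with provenance behind it; the non-canonical and unlimited-allowance findings only produce a warning, so a legitimate but unfamiliar contract is surfaced to the user rather than silently refused. Address comparison is case-insensitive so a mixed-case rendering of a listed address cannot slip past the lookup.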
**Operation Atlantic-style sprint operations**. The March 2026 Operation Atlantic (US Secret Service + UK NCA + Canada OPP + OSC) identified 20,000-plus scam wallets, froze $12 million, and seized 120 scam domains in a coordinated week. The operation did not name Rublevka specifically — but it disrupted adjacent infrastructure. Repeated sprint operations are the operational equivalent of grinding down the drainer ecosystem without producing arrests.
For Rublevka specifically, no Operation-Atlantic-style action has been announced. The Recorded Future report is intelligence; it has not (publicly) produced operational consequence.
For Sanctuary's screening, the drainer ecosystem produces a clear operational pipeline:
- **Affiliate hot wallets** are tagged `drainer_affiliate_2026` with sub-categorizations by kit identity (Rublevka, Angel, Sector, Eleven, Riddance). The tags propagate to downstream consolidation addresses at configurable hop depth.
- **Kit infrastructure addresses** — the operator-controlled fee-collection wallets — are tagged `drainer_kit_operator_2026` with higher confidence weighting. These addresses are smaller in count but represent the structural choke point.
- **Cashout addresses** at instant-swap services and CEX deposits are tagged through cross-reference between the drainer-cluster outflows and the instant-swap deposit patterns. ChangeNOW, FixedFloat, StealthEX, and SimpleSwap deposit addresses that have consistently received drainer-attributed inflows carry elevated risk.
The Rublevka cluster, specifically, is tagged with provenance `recorded_future_insikt_feb_2026`. The tag propagates to 240,000 victim wallets (their drain trails inform the cluster expansion) plus the affiliate and consolidation graph that Recorded Future's analysis surfaced.
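The tagging pipeline described above, as an added Python example that is not Sanctuary's own code: seed addresses carry a tag with a provenance string and a base confidence, kit-operator seeds start higher than affiliate seeds, and the tag follows outflows for a configurable number of hops with confidence decaying at each hop; a second function counts tagged inflows into known instant-swap deposit addresses to decide which of them carry elevated risk. The transfer graph, addresses, confidence values and decay factor are constructed; only the tag and provenance names (`drainer_affiliate_2026`, `drainer_kit_operator_2026`, `recorded_future_insikt_feb_2026`) come from the text.

```python
"""Drainer-cluster tag propagation over an outflow graph.

Added example, not Sanctuary's pipeline. Transfers, addresses, confidence
values and the decay factor are constructed; tag and provenance names follow
the text.
"""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    src: str
    dst: str
    amount: float


@dataclass(frozen=True)
class Tag:
    category: str     # e.g. "drainer_affiliate_2026"
    confidence: float
    hops: int         # distance from the seed that produced this tag
    provenance: str   # e.g. "recorded_future_insikt_feb_2026"
    seed: str


# Constructed base confidence: operator fee wallets weigh more than affiliates.
SEED_CONFIDENCE = {
    "drainer_affiliate_2026": 0.80,
    "drainer_kit_operator_2026": 0.95,
}


def propagate_tags(transfers, seeds, max_hops, decay=0.75):
    """Follow outflows from every seed for up to max_hops, decaying confidence
    per hop; each address keeps the strongest tag that reaches it."""
    out_edges = {}
    for t in transfers:
        out_edges.setdefault(t.src, []).append(t.dst)

    tags = {}
    for seed, (category, provenance) in seeds.items():
        queue = deque([(seed, 0, SEED_CONFIDENCE[category])])
        seen = {seed}  # BFS reaches each address by its shortest path first
        while queue:
            addr, hops, conf = queue.popleft()
            current = tags.get(addr)
            if current is None or conf > current.confidence:
                tags[addr] = Tag(category, round(conf, 4), hops, provenance, seed)
            if hops == max_hops:
                continue
            for nxt in out_edges.get(addr, []):
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append((nxt, hops + 1, conf * decay))
    return tags


def flag_cashout_deposits(transfers, tags, deposit_addresses, min_tagged_inflows=2):
    """Count inflows from tagged addresses into known instant-swap / CEX deposit
    addresses; those meeting the threshold carry elevated risk."""
    counts = {}
    for t in transfers:
        if t.dst in deposit_addresses and t.src in tags:
            counts[t.dst] = counts.get(t.dst, 0) + 1
    return {d: n for d, n in counts.items() if n >= min_tagged_inflows}


# Constructed graph: two affiliate hot wallets and one operator fee wallet
# consolidate and then cash out through two instant-swap deposit addresses.
TRANSFERS = [
    Transfer("aff1", "consol1", 10.0),
    Transfer("aff2", "consol1", 5.0),
    Transfer("consol1", "swapdep1", 15.0),
    Transfer("op1", "opcash", 3.0),
    Transfer("opcash", "swapdep1", 3.0),
    Transfer("aff1", "swapdep2", 1.0),
    Transfer("swapdep1", "beyond", 1.0),  # three hops from any seed
]
SEEDS = {
    "aff1": ("drainer_affiliate_2026", "recorded_future_insikt_feb_2026"),
    "aff2": ("drainer_affiliate_2026", "recorded_future_insikt_feb_2026"),
    "op1": ("drainer_kit_operator_2026", "recorded_future_insikt_feb_2026"),
}
DEPOSITS = {"swapdep1", "swapdep2"}


def run_pipeline(max_hops=2):
    tags = propagate_tags(TRANSFERS, SEEDS, max_hops)
    return tags, flag_cashout_deposits(TRANSFERS, tags, DEPOSITS)


if __name__ == "__main__":
    tags, flagged = run_pipeline()
    for addr, tag in sorted(tags.items()):
        print(f"{addr:10} {tag.category:28} conf={tag.confidence:.4f} hops={tag.hops}")
    print("elevated-risk deposits:", flagged)
```

With `max_hops=2` the deposit address `swapdep1` is reached from both an affiliate seed and the operator seed; the operator tag wins because its higher base confidence survives two hops of decay, which is the "higher confidence weighting" the text gives kit infrastructure addresses. The address `beyond` is three hops out and stays untagged until the hop depth is raised, showing why the depth setting is the main knob between coverage and false attribution.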
For exchanges and wallet vendors: integrating drainer-cluster screening produces a quantified reduction in approval-phishing exposure. The cost is the API call. The downside of not integrating is being the cashout venue for a Critical-flagged drain.
A quarter-million wallets drained. $10 million in operator revenue. Public-forum identification. Zero arrests.
The drainer ecosystem in 2026 is a structural product of jurisdictional asymmetry (operators in Russia) plus enforcement bandwidth (US focus on higher-priority targets) plus model resilience (kit-and-affiliate distributes accountability). It will not be solved by criminal prosecution alone.
The operational response is screening at scale. Sanctuary and adjacent vendors maintain the wallet clusters. Wallet vendors integrate the API. Exchanges screen the cashout deposits. The ecosystem grinds against the screening rather than against the prosecutors.
For end users: the chain records who drained you. The screening catches the next victim. Until the legal framework changes, the screening is the defense.