🚨 High-Level Scam Alert: The “Rublevka Team” Drainer Network
Status: ACTIVE / CRITICAL
Target Ecosystem: Solana (SOL), SPL Tokens, NFTs
Threat Actor Type: “Traffer Team” (Affiliate-Driven Social Engineering)
Executive Summary for ShieldGuard Members
The Rublevka Team is a highly organized cybercriminal syndicate that has stolen over $10.8 million since 2023. Unlike traditional hackers who use viruses, Rublevka uses “Traffers”—thousands of individual specialists who lure victims into signing malicious transactions. They currently operate more than 50 spoofed landing pages impersonating trusted brands like Phantom, Jito, Marinade, and Bitget.
1. How the “Human Hack” Works
The Rublevka operation succeeds by lowering the victim’s guard through familiar interfaces and “HoneyPot” psychology.
- The Lure: You encounter a promotion on X (Twitter), TikTok, or Instagram promising airdrops (e.g., Trump Coin, Bonk, DogWifHat), staking rewards, or “wallet verification.”
- The Spoof: You land on a page that looks 100% identical to a legitimate DeFi service (e.g., Jupiter, Marinade).
- The Trap (Drainer Logic): When you click “Connect Wallet,” a custom JavaScript file (index.js) scans your holdings. It then presents a transaction that looks harmless but is programmed to drain every SOL and SPL token you own.
2. Deceptive “Phantom Wallet” Modes
ShieldGuard has identified that Rublevka uses specific technical “modes” to trick your wallet interface:
- Honeypot Mode: Shows a fake “incoming” transfer of tokens to make you feel like you’ve won. You are then asked to sign a second transaction to “claim” them, which actually drains your wallet.
- Crasher Mode: A stealth mode that creates a generic “simulation error.” Most users think it’s a glitch and sign again, unintentionally bypassing Phantom’s security warnings.
- Fake Return: The UI tells you that any assets sent will be “automatically returned” via a smart contract. This is a lie. Once signed, the assets are gone.
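What a wallet-side pre-sign check against the modes above looks like, as an added example that is not code from this advisory or from Phantom: it flags any instruction that moves SOL or SPL tokens out of the user's wallet or grants a delegate or new authority over it, and treats a failed simulation as a reason to refuse rather than a glitch. The placeholder public keys, token account names and the findOutboundValue/shouldSign function names are assumptions; the program ids and instruction layouts are Solana's real ones.

```javascript
// Added defender-side example, not code from the advisory or any wallet.
// Program ids and instruction layouts are the real Solana System / SPL Token
// ones; instructions are assumed deserialized into { programId, keys, data }.
const SYSTEM_PROGRAM = '11111111111111111111111111111111';
const TOKEN_PROGRAM = 'TokenkegQfeZyiNwAJbNbGKPFXCWuBvf9Ss623VQ5DA';
// SPL Token tag -> [name, index of the authority/owner key, carries u64 amount]
const TOKEN_OUTBOUND = { 3: ['Transfer', 2, true], 12: ['TransferChecked', 3, true],
                         4: ['Approve', 2, true], 6: ['SetAuthority', 1, false] };

// One finding per instruction that spends from, or re-authorizes, the user's accounts.
function findOutboundValue(instructions, user) {
  const findings = [];
  for (const ix of instructions) {
    if (ix.programId === SYSTEM_PROGRAM) {
      const tag = ix.data.readUInt32LE(0);             // u32 LE instruction index
      if (tag === 2 && ix.keys[0] === user)            // 2 = Transfer(from, to)
        findings.push(`SOL: ${ix.data.readBigUInt64LE(4)} lamports to ${ix.keys[1]}`);
      else if (tag === 1 && ix.keys[0] === user)       // 1 = Assign: wallet handed to a program
        findings.push('SOL: wallet account assigned to another program');
    } else if (ix.programId === TOKEN_PROGRAM) {
      const spec = TOKEN_OUTBOUND[ix.data.readUInt8(0)]; // u8 instruction index
      if (spec && ix.keys[spec[1]] === user)
        findings.push(`SPL ${spec[0]} on ${ix.keys[0]}` +
                      (spec[2] ? `: ${ix.data.readBigUInt64LE(1)} units` : ''));
    }
  }
  return findings;
}
// Fail closed: a failed simulation ("Crasher Mode") is itself a reason to refuse.
function shouldSign(instructions, user, simulationFailed) {
  return !simulationFailed && findOutboundValue(instructions, user).length === 0;
}
// Encoders for the constructed samples below: System Transfer = u32 tag 2 + u64
// lamports; SPL Transfer = u8 tag 3 + u64 amount (all little-endian).
function encodeSolTransfer(lamports) {
  const d = Buffer.alloc(12); d.writeUInt32LE(2, 0); d.writeBigUInt64LE(lamports, 4); return d;
}
function encodeTokenTransfer(amount) {
  const d = Buffer.alloc(9); d.writeUInt8(3, 0); d.writeBigUInt64LE(amount, 1); return d;
}
const USER = 'UserWalletPubkeyPLACEHOLDER', ATTACKER = 'DrainerPubkeyPLACEHOLDER';
// A "claim" transaction shaped like a drain: 1.5 SOL plus a token balance, both from USER.
const drainTx = [
  { programId: SYSTEM_PROGRAM, keys: [USER, ATTACKER], data: encodeSolTransfer(1_500_000_000n) },
  { programId: TOKEN_PROGRAM, keys: ['UserTokenAcct', 'DrainerTokenAcct', USER],
    data: encodeTokenTransfer(500_000n) },
];
// Honeypot bait: an incoming transfer (USER is the destination) correctly flags nothing.
const baitTx = [{ programId: SYSTEM_PROGRAM, keys: [ATTACKER, USER], data: encodeSolTransfer(1000n) }];
```

Running the check over drainTx yields two findings and a refusal; over baitTx it yields none, because an incoming transfer costs the user nothing until the follow-up "claim" transaction is inspected.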
3. ShieldGuard Preventive Guidelines (The Human Firewall)
To protect your assets from the Rublevka Team, follow these ShieldGuard Learn protocols:
- Trust No Link from Social Media: 99% of “Surprise Airdrops” promoted via comments or tagged posts are Rublevka lures. Always navigate to the official project website via CoinMarketCap or CoinGecko.
- Inspect the “Sign” Request: If your wallet (Phantom/Solflare) displays a warning like “This dApp has not been reviewed” or “Sign to Verify Owner,” DISCONNECT IMMEDIATELY. Rublevka specifically exploits “Warning Fatigue.”
- Use a “Burner” Wallet: Never connect your primary “cold” storage or long-term holding wallet to a new dApp. Use a fresh wallet with only a small amount of SOL for gas fees.
- Verify the URL: Rublevka frequently rotates domains (e.g., open-sol.cc, sol-galaxy.cc). If the URL ends in .cc, .xyz, or .site, treat it as high-risk.
4. Technical Indicators (For Advanced Users)
If you are monitoring network traffic, look for these Rublevka-linked RPC endpoints. If your wallet is communicating with these while you are on a site, it is a drainer:
- mainnet.helius-rpc.com (using specific hijacked API keys)
- efficient-endpoint.site
- solana-rpc.publicnode.com
ShieldGuard’s Commitment
The Rublevka Team’s success (over 240,000 successful drains) proves that technology alone is not enough. Education is the only permanent patch for the “Human Hack.”
ShieldGuard Labs is currently analyzing the obfuscated index.js scripts used by this group to develop automated interceptors for our upcoming security suite.
Stay Alert. Stay Educated. Stay Shielded.
