Date: 02/05/2026
Severity: High
Summary
Rublevka Team is a large-scale, affiliate-driven crypto-theft operation active since 2023 that has generated over $10 million by luring victims with fake promotions or airdrops and tricking them into signing wallet-draining transactions. Unlike traffer teams such as Marko Polo and CrazyEvil, which relied on distributing infostealer malware, Rublevka Team runs a fully automated Solana (SOL) crypto drainer: custom JavaScript payloads compatible with more than 90 Solana wallets, spoofed interfaces of trusted services such as Phantom, Bitget, and Jito, and turnkey Telegram-bot infrastructure for affiliates. Because the victim signs the malicious transaction in their own wallet, nothing is installed on the endpoint, which lets the scheme scale with a low barrier to entry while evading traditional fraud detection and takedown efforts. The operation has resulted in hundreds of thousands of successful wallet drains.
Indicators of Compromise (IOC) List

URLs/Domains (drainer landing pages and supporting infrastructure):
open-sol.cc
sol-galaxy.cc
web-core.cc
sol-hook.org
efficient-endpoint.site
g-app-d.cc
fontmaxplugin.cc
commontechrepo.cc
burn-shard-bridge.xyz
pumptoken.net
emailsecure.tech

RPC endpoints contacted by the drainer payload (see note below):
https://mainnet.helius-rpc.com/?api-key=
https://mainnet.helius-rpc.com/?api-key=8e0e9a34-2648-421a-8f22-6460b4a68705
https://mainnet.helius-rpc.com/?api-key=55065729-bda8-4cf8-87a1-7bd64cf22726
https://mainnet.helius-rpc.com/?api-key=db25ae76-7277-45ce-b21a-5be1a61f2f04
https://mainnet.helius-rpc.com/?api-key=44b7171f-7de7-4e68-9d08-eff1ef7529bd
https://mainnet.helius-rpc.com/?api-key=bfd713ef-c9a7-404f-804c-e682c2bd0d3b
https://mainnet.helius-rpc.com/?api-key=f30d6a96-5fa2-4318-b2da-0f6d1deb5c83
https://mainnet.helius-rpc.com/?api-key=3b5315ac-170e-4e0e-a60e-4ff5b444fbcf
https://rpc.walletconnect.org/v1/?chainId=solana%3A5eykt4UsFv8P8NJdTREpY1vzqKqZKvdp&projectId=730eede4c040eafa7a928a503b6cd650
https://solana-rpc.publicnode.com
https://wallet-api.solflare.com

IP Address:
158.94.208.165

Email Address (used in Detection Query 4 below):
alex.petrov.domain@emailsecure.tech

SHA256 Hash:
9c21d538c2a556f4a5b351b29f3513097ac57643f291ff6d751400d8dbc69489
b9157f6bff6a6ee6ba5932ebac2c8796836b21eb3c69df08fbeb102e9228ba15
fcf1bbac7dae24b6e0357bee6e8e184dfd193ddf8b341feaa9a3d83265af8f0a
ea8e780d0c292bfd1a3ee6bd9b8d77900a545bd3be3105891816c8f561eeb302
78bfb193ba291e17360126796ec9b93acdfec75867619fc50c5d45d7081009b6
93288b95db8cba2b8d3f38246be46e383990a9fcdd06bf26417a5935a8fe0a27
af5bed914f5406e7c1a3f30f91dfe34d81c5b06c571c59417fe4e2bde966325c

Note on the RPC endpoints: mainnet.helius-rpc.com, rpc.walletconnect.org, solana-rpc.publicnode.com and wallet-api.solflare.com are shared, legitimate Solana services used by many benign wallets and dApps. Only the Helius api-key values and the WalletConnect projectId listed above are specific to this operation. Treat the bare hosts, and the key-less https://mainnet.helius-rpc.com/?api-key= prefix, as low-fidelity hunting leads that need corroboration (for example a preceding visit to one of the phishing domains), not as block-list entries.
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

Detection Query 1 (drainer RPC endpoints; each line covers one URL across the domainname, siteurl and url fields):
domainname like "https://mainnet.helius-rpc.com/?api-key=" or siteurl like "https://mainnet.helius-rpc.com/?api-key=" or url like "https://mainnet.helius-rpc.com/?api-key=" or
domainname like "https://mainnet.helius-rpc.com/?api-key=8e0e9a34-2648-421a-8f22-6460b4a68705" or siteurl like "https://mainnet.helius-rpc.com/?api-key=8e0e9a34-2648-421a-8f22-6460b4a68705" or url like "https://mainnet.helius-rpc.com/?api-key=8e0e9a34-2648-421a-8f22-6460b4a68705" or
domainname like "https://mainnet.helius-rpc.com/?api-key=55065729-bda8-4cf8-87a1-7bd64cf22726" or siteurl like "https://mainnet.helius-rpc.com/?api-key=55065729-bda8-4cf8-87a1-7bd64cf22726" or url like "https://mainnet.helius-rpc.com/?api-key=55065729-bda8-4cf8-87a1-7bd64cf22726" or
domainname like "https://mainnet.helius-rpc.com/?api-key=db25ae76-7277-45ce-b21a-5be1a61f2f04" or siteurl like "https://mainnet.helius-rpc.com/?api-key=db25ae76-7277-45ce-b21a-5be1a61f2f04" or url like "https://mainnet.helius-rpc.com/?api-key=db25ae76-7277-45ce-b21a-5be1a61f2f04" or
domainname like "https://mainnet.helius-rpc.com/?api-key=44b7171f-7de7-4e68-9d08-eff1ef7529bd" or siteurl like "https://mainnet.helius-rpc.com/?api-key=44b7171f-7de7-4e68-9d08-eff1ef7529bd" or url like "https://mainnet.helius-rpc.com/?api-key=44b7171f-7de7-4e68-9d08-eff1ef7529bd" or
domainname like "https://mainnet.helius-rpc.com/?api-key=bfd713ef-c9a7-404f-804c-e682c2bd0d3b" or siteurl like "https://mainnet.helius-rpc.com/?api-key=bfd713ef-c9a7-404f-804c-e682c2bd0d3b" or url like "https://mainnet.helius-rpc.com/?api-key=bfd713ef-c9a7-404f-804c-e682c2bd0d3b" or
domainname like "https://mainnet.helius-rpc.com/?api-key=f30d6a96-5fa2-4318-b2da-0f6d1deb5c83" or siteurl like "https://mainnet.helius-rpc.com/?api-key=f30d6a96-5fa2-4318-b2da-0f6d1deb5c83" or url like "https://mainnet.helius-rpc.com/?api-key=f30d6a96-5fa2-4318-b2da-0f6d1deb5c83" or
domainname like "https://mainnet.helius-rpc.com/?api-key=3b5315ac-170e-4e0e-a60e-4ff5b444fbcf" or siteurl like "https://mainnet.helius-rpc.com/?api-key=3b5315ac-170e-4e0e-a60e-4ff5b444fbcf" or url like "https://mainnet.helius-rpc.com/?api-key=3b5315ac-170e-4e0e-a60e-4ff5b444fbcf" or
domainname like "https://rpc.walletconnect.org/v1/?chainId=solana%3A5eykt4UsFv8P8NJdTREpY1vzqKqZKvdp&projectId=730eede4c040eafa7a928a503b6cd650" or siteurl like "https://rpc.walletconnect.org/v1/?chainId=solana%3A5eykt4UsFv8P8NJdTREpY1vzqKqZKvdp&projectId=730eede4c040eafa7a928a503b6cd650" or url like "https://rpc.walletconnect.org/v1/?chainId=solana%3A5eykt4UsFv8P8NJdTREpY1vzqKqZKvdp&projectId=730eede4c040eafa7a928a503b6cd650"

Note on Query 1: the first clause (the key-less https://mainnet.helius-rpc.com/?api-key= prefix) also matches every legitimate Helius customer, so it will fire on benign wallet traffic; if the platform's like operator performs substring matching, that clause subsumes the seven api-key clauses entirely. For alerting, rely on the clauses that carry the attacker-specific api-key values and the WalletConnect projectId, and keep the prefix clause for hunting only. The shared hosts solana-rpc.publicnode.com and wallet-api.solflare.com from the IOC list are not in this query for the same reason.

Detection Query 2 (drainer infrastructure IP, either direction):
dstipaddress IN ("158.94.208.165") or srcipaddress IN ("158.94.208.165")

Detection Query 3 (drainer payload SHA256 hashes):
sha256hash IN ("9c21d538c2a556f4a5b351b29f3513097ac57643f291ff6d751400d8dbc69489","b9157f6bff6a6ee6ba5932ebac2c8796836b21eb3c69df08fbeb102e9228ba15","fcf1bbac7dae24b6e0357bee6e8e184dfd193ddf8b341feaa9a3d83265af8f0a","ea8e780d0c292bfd1a3ee6bd9b8d77900a545bd3be3105891816c8f561eeb302","78bfb193ba291e17360126796ec9b93acdfec75867619fc50c5d45d7081009b6","93288b95db8cba2b8d3f38246be46e383990a9fcdd06bf26417a5935a8fe0a27","af5bed914f5406e7c1a3f30f91dfe34d81c5b06c571c59417fe4e2bde966325c")

Detection Query 4 (associated email address, as sender or recipient):
sender IN ("alex.petrov.domain@emailsecure.tech") or recipients IN ("alex.petrov.domain@emailsecure.tech") or from IN ("alex.petrov.domain@emailsecure.tech")

Detection Query 5 (phishing domains from the IOC list; added here because the original query set did not cover them; same fields as Query 1):
domainname like "open-sol.cc" or siteurl like "open-sol.cc" or url like "open-sol.cc" or
domainname like "sol-galaxy.cc" or siteurl like "sol-galaxy.cc" or url like "sol-galaxy.cc" or
domainname like "web-core.cc" or siteurl like "web-core.cc" or url like "web-core.cc" or
domainname like "sol-hook.org" or siteurl like "sol-hook.org" or url like "sol-hook.org" or
domainname like "efficient-endpoint.site" or siteurl like "efficient-endpoint.site" or url like "efficient-endpoint.site" or
domainname like "g-app-d.cc" or siteurl like "g-app-d.cc" or url like "g-app-d.cc" or
domainname like "fontmaxplugin.cc" or siteurl like "fontmaxplugin.cc" or url like "fontmaxplugin.cc" or
domainname like "commontechrepo.cc" or siteurl like "commontechrepo.cc" or url like "commontechrepo.cc" or
domainname like "burn-shard-bridge.xyz" or siteurl like "burn-shard-bridge.xyz" or url like "burn-shard-bridge.xyz" or
domainname like "pumptoken.net" or siteurl like "pumptoken.net" or url like "pumptoken.net" or
domainname like "emailsecure.tech" or siteurl like "emailsecure.tech" or url like "emailsecure.tech"
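For teams without a TDIR platform, the following Python script is an added example (not code from the Recorded Future report or from Gurucul) that applies the same indicators to web-proxy log lines offline. It separates high-fidelity matches (a phishing domain, the attacker-specific Helius api-key values, the WalletConnect projectId, the listed IP) from low-fidelity ones (a bare shared RPC host), which is the distinction the notes above ask for. The IOC values are copied from this page; the log line format, the 10.0.0.x and 203.0.113.x addresses, and the all-zero api-key standing in for a benign Helius customer are constructed for the demo.

```python
"""Offline IOC sweep for the Rublevka Team indicators listed on this page.

Added example. IOC values are from the page; the log format and the sample
log lines are constructed for the demo, not real telemetry.
"""
from urllib.parse import urlparse, parse_qs

# Drainer landing pages and supporting domains (from the IOC list).
PHISHING_DOMAINS = {
    "open-sol.cc", "sol-galaxy.cc", "web-core.cc", "sol-hook.org",
    "efficient-endpoint.site", "g-app-d.cc", "fontmaxplugin.cc",
    "commontechrepo.cc", "burn-shard-bridge.xyz", "pumptoken.net",
    "emailsecure.tech",
}
C2_IPS = {"158.94.208.165"}
# Helius api-key values embedded in the drainer's RPC URLs (attacker-specific).
HELIUS_KEYS = {
    "8e0e9a34-2648-421a-8f22-6460b4a68705",
    "55065729-bda8-4cf8-87a1-7bd64cf22726",
    "db25ae76-7277-45ce-b21a-5be1a61f2f04",
    "44b7171f-7de7-4e68-9d08-eff1ef7529bd",
    "bfd713ef-c9a7-404f-804c-e682c2bd0d3b",
    "f30d6a96-5fa2-4318-b2da-0f6d1deb5c83",
    "3b5315ac-170e-4e0e-a60e-4ff5b444fbcf",
}
WALLETCONNECT_PROJECT_IDS = {"730eede4c040eafa7a928a503b6cd650"}
# Shared, legitimate Solana services the drainer also talks to. A hit on the
# host alone is a low-fidelity lead, not evidence of compromise.
SHARED_RPC_HOSTS = {
    "mainnet.helius-rpc.com", "rpc.walletconnect.org",
    "solana-rpc.publicnode.com", "wallet-api.solflare.com",
}


def classify_url(url):
    """Return (fidelity, reason) for a URL, or None if it matches no IOC."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    query = parse_qs(parsed.query)  # blank values (bare api-key=) are dropped
    # Phishing domain, including any subdomain of it.
    for domain in PHISHING_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return ("high", f"phishing domain {domain}")
    # Attacker-specific parameters on otherwise legitimate RPC hosts.
    if host == "mainnet.helius-rpc.com":
        for key in query.get("api-key", []):
            if key in HELIUS_KEYS:
                return ("high", f"helius api-key {key}")
    if host == "rpc.walletconnect.org":
        for pid in query.get("projectId", []):
            if pid in WALLETCONNECT_PROJECT_IDS:
                return ("high", f"walletconnect projectId {pid}")
    if host in SHARED_RPC_HOSTS:
        return ("low", f"shared RPC host {host}")
    return None


def scan_proxy_log(lines):
    """Scan '<ts> <src_ip> <dst_ip> <method> <url>' lines (constructed format).

    Returns (line_number, fidelity, reason) tuples in log order.
    """
    hits = []
    for number, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed line: skip it rather than abort the sweep
        _ts, src_ip, dst_ip, _method, url = fields[:5]
        for ip in (src_ip, dst_ip):
            if ip in C2_IPS:
                hits.append((number, "high", f"c2 ip {ip}"))
        verdict = classify_url(url)
        if verdict is not None:
            hits.append((number, verdict[0], verdict[1]))
    return hits


# Constructed sample log. 10.0.0.0/8 is private, 203.0.113.0/24 is a
# documentation range, and the all-zero api-key stands in for a benign customer.
SAMPLE_LOG = [
    "2026-02-05T10:00:01Z 10.0.0.5 203.0.113.10 GET https://open-sol.cc/airdrop",
    "2026-02-05T10:00:02Z 10.0.0.5 203.0.113.11 POST https://mainnet.helius-rpc.com/?api-key=8e0e9a34-2648-421a-8f22-6460b4a68705",
    "2026-02-05T10:00:03Z 10.0.0.7 203.0.113.11 POST https://mainnet.helius-rpc.com/?api-key=00000000-0000-0000-0000-000000000000",
    "2026-02-05T10:00:04Z 10.0.0.8 158.94.208.165 GET http://158.94.208.165/",
    "2026-02-05T10:00:05Z 10.0.0.9 203.0.113.12 GET https://example.com/",
    "2026-02-05T10:00:06Z 10.0.0.5 203.0.113.13 POST https://rpc.walletconnect.org/v1/?chainId=solana%3A5eykt4UsFv8P8NJdTREpY1vzqKqZKvdp&projectId=730eede4c040eafa7a928a503b6cd650",
]

if __name__ == "__main__":
    for number, fidelity, reason in scan_proxy_log(SAMPLE_LOG):
        print(f"line {number}: [{fidelity}] {reason}")
```

On the sample log the third line, a Helius request carrying an unknown api-key, is reported as low fidelity rather than alerted, while the first, second, fourth and sixth lines are high-fidelity hits. In a real deployment, feed the script your proxy export in the same five-field form and alert only on "high" rows, using "low" rows as pivot points for hunting.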
Reference:
https://www.recordedfuture.com/research/rublevka-team-anatomy-russian-crypto-drainer-operation