Cybersecurity researchers reported that criminal groups with ties to Russia are behind a wave of digital asset draining campaigns targeting wallets on the Solana and TON blockchain networks. The campaigns involve automated bots that exploit weaknesses in decentralized finance (DeFi) protocols to rapidly transfer funds out of user accounts without authorization, according to blockchain security firms tracking the activity.
Analysts said the campaigns first emerged in late 2025 and have continued into early 2026, with attackers focusing on non-custodial wallets linked to the Solana and The Open Network (TON) ecosystems. Attackers deploy automated scripts that scan for misconfigured wallets or smart contract interaction flaws, then initiate transactions that transfer assets to accounts controlled by the criminals. The schemes have drained millions of dollars' worth of cryptocurrency in aggregate, security firms said.
Blockchain forensics specialists have attributed the activity to clusters of wallet addresses and transaction patterns associated with groups believed to be based in Russia. These clusters show links to previously documented campaigns that also targeted other decentralized networks. Researchers noted that the use of automated bots allows attackers to act at high speed and scale, overwhelming some users’ ability to respond before funds are moved out of their control.
The campaigns have exploited a range of vulnerabilities, including faulty wallet configuration and weak permission settings that grant smart contracts excessive access to user funds. In many cases, asset owners authorised interactions with decentralized applications (dApps) without fully understanding permission scopes, enabling attackers to withdraw tokens once control was gained. Security experts advise users to revoke unused permissions and to review wallet interactions carefully before authorising transactions.
Solana and TON community developers have responded by issuing alerts and recommending precautionary steps for users. These include updating wallet software to the latest versions, enabling enhanced security features, and avoiding interaction with unverified smart contracts or dApps. Both ecosystems’ developers said they are monitoring suspicious wallet activity and collaborating with external security researchers to identify and address emerging threats.
Industry observers noted that blockchain networks, by design, allow direct control of assets by individual wallet holders, putting a strong emphasis on users’ own security practices. Unlike users of centralized exchanges, non-custodial wallet users bear responsibility for safeguarding private keys and managing permissions. The recent draining campaigns highlight persistent risks in decentralized finance environments and the need for continued vigilance and security improvements.
