Security researchers attribute coordinated draining operations on Solana and TON to a Russia‑linked criminal group that siphoned more than $10 million. Reporting highlights continued use of automated draining flows and infrastructure enabling rapid conversion and laundering of stolen crypto.

Researchers tracking blockchain thefts have tied a sophisticated, Russia‑linked criminal group to large‑scale draining campaigns that targeted Solana and TON wallets, with reported losses exceeding $10 million. The group employed automated scraping and draining tooling to identify funded wallets, exploit weak access controls or trick users into signing malicious transactions, and then moved assets through an infrastructure optimized for quick swaps and mixing to obscure origins. Analysts note the attackers relied on high‑throughput automation to execute parallel drains, minimizing the window for victim response and enabling rapid aggregation of stolen funds. Subsequent onramps and cross‑chain bridges facilitated conversion into fiat or other tokens, complicating recovery. The disclosures underscore persistent risks to hot wallets and error‑prone signing flows, and spotlight challenges for exchanges and onramps in detecting laundering patterns that exploit throughput and speed. The reporting calls for enhanced wallet‑security hygiene, improved detection of mass‑drain flows, and cross‑platform cooperation to disrupt laundering rails.
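One way an exchange or monitoring team could flag the parallel-drain and rapid-aggregation pattern described above is a fan-in heuristic over transfer records. This is an added example, not code or a method from the reporting; the record fields, thresholds, and sample transfers are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

@dataclass(frozen=True)
class Transfer:
    ts: int             # unix seconds
    src: str
    dst: str
    amount: float
    src_balance: float  # balance of src immediately before the transfer

def find_mass_drains(transfers, window_s=120, min_sources=4, sweep_ratio=0.9):
    """Return {dst: (peak_distinct_sources, amount_in_that_window)} for addresses
    that received near-total-balance sweeps from at least min_sources distinct
    wallets inside one sliding window of window_s seconds."""
    windows = defaultdict(deque)
    alerts = {}
    for t in sorted(transfers, key=lambda x: x.ts):
        # Ordinary payments move a small share of a balance; drains sweep it.
        if t.src_balance <= 0 or t.amount / t.src_balance < sweep_ratio:
            continue
        w = windows[t.dst]
        w.append(t)
        while w[0].ts < t.ts - window_s:   # expire sweeps older than the window
            w.popleft()
        sources = {x.src for x in w}       # repeat senders count once
        if len(sources) >= min_sources:
            total = sum(x.amount for x in w)
            alerts[t.dst] = max(alerts.get(t.dst, (0, 0.0)), (len(sources), total))
    return alerts

# Constructed sample data: one collector fed by five sweeps in 40 seconds,
# a busy deposit address receiving small payments, and a merchant that
# receives two full-balance payments hours apart.
SAMPLE = [
    Transfer(1000, "victim1", "collector", 49.5, 50.0),
    Transfer(1010, "victim2", "collector", 12.0, 12.1),
    Transfer(1015, "victim3", "collector", 300.0, 301.0),
    Transfer(1030, "victim4", "collector", 7.9, 8.0),
    Transfer(1040, "victim5", "collector", 95.0, 95.2),
    Transfer(1005, "userA", "exchange", 5.0, 500.0),
    Transfer(1006, "userB", "exchange", 1.0, 40.0),
    Transfer(1007, "userC", "exchange", 2.5, 90.0),
    Transfer(1008, "userD", "exchange", 3.0, 75.0),
    Transfer(1000, "userE", "merchant", 20.0, 20.0),
    Transfer(9000, "userF", "merchant", 30.0, 30.5),
]

if __name__ == "__main__":
    for dst, (n, total) in find_mass_drains(SAMPLE).items():
        print(f"possible mass drain into {dst}: {n} wallets swept, {total:.1f} units")
```

Combining the sweep ratio with the distinct-source count keeps high-volume deposit addresses from alerting on ordinary inbound traffic; in practice the window and thresholds would be tuned per chain and per asset.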