The Russian invasion of Ukraine on February 24th is causing a humanitarian and refugee crisis in Ukraine. Supporters of Ukraine from all around the world are rushing to the internet to offer any assistance they can to the Ukrainian people.

According to the Google search trends data, there is a huge number of search queries for terms such as “donate to Ukraine”, “help Ukraine” and similar terms worldwide.

Ukraine’s official government made a call for help on their social media, announcing that they’ve started accepting donations using cryptocurrencies and bank transfers.

Ukraine’s official Twitter account made a call for crypto donations

Cyber Criminals took notice of this opportunity and started impersonating the Ukrainian government’s messages, charity websites, and fundraisers to collect crypto for their personal gain.

It’s neither the first time cybercriminals have exploited a crisis for personal gain, nor it will be the last. Benefitting from a humanitarian crisis shows how low cybercriminals are willing to go in order to make money.

In this blog, we take a look at different crypto scams, fake websites, and social media campaigns run by cyber criminals to benefit the crisis in Ukraine.

Domain Registration Trend

Right after the 24th of February invasion, there was an increase in the registration of domains with Ukraine related keywords and domains with “ukrain” as a substring.

Domains with substring “Ukrain” registration trend

The registrations peaked on March 1st and daily domain registrations are still at a much-higher count than before the invasion day.

As the Russian forces advance deeper into Ukraine and continue to cause an even greater humanitarian crisis, threat actors will be looking to profit from people’s sentiment and goodwill towards the situation. We can expect this domain registration trend to continue.

Few of these domains are being registered for legitimate reasons such as showing solidarity, fundraising, or increasing awareness about the horrors of invasion.

A vast majority of these domains are actually being registered for the purpose of impersonating charities and official government donation pages to scam people looking to help Ukraine by financial means.

Domains registered with Ukraine and other keywords like (help, aid, support, fund, crypto)

Various Ongoing Scams

Donation Scam Websites

Criminals have been setting up new websites, and in some cases cloning the existing legitimate charity web pages, in order to set up fake crypto donation pages.

On the left, legitimate rescure.org Donation Page. On the right, a cloned scam page.

Numerous scam pages’ screenshots are shown below. A few of these pages may resemble legitimate websites. Attackers clone legitimate websites and modify the payment information part with their own Bitcoin or Ethereum wallet addresses, to receive the funds.

Various Ukraine Donation Themed crypto scam pages [Few websites are clones of legitimate donation pages with changed crypto, payment address]

Scam Emails

Email-based scams using the Ukrainian crisis as a lure have risen as well. Many users on Twitter have reported receiving Ukraine crisis-themed crypto donation spam emails.

Some spam emails pose as the Ministry of Foreign Affairs of Ukraine, a victim trapped in Ukraine, or as charity/fundraisers in order to receive cryptocurrency donations.

Ukraine crypto donation themed spam emails

Twitter

Scammer profiles on Twitter and other social media platforms continue to promote fake BTC and ETH addresses as the official Ukrainian government donation address in the hopes of luring a few victims.

Some criminals even include pictures of victims, injured/dead women, and children in their posts in the hopes of guilt-tripping the audience into contributing money without realizing the profile or mentioned crypto address is not legitimate.

Different Twitter Profiles promoting fake crypto donation address

Instagram

Similar to Twitter, scammers are actively creating fraudulent Instagram profiles disguised as legitimate charities to receive donations.

The number of accounts impersonating the Ukrainian Red Cross on Instagram was so high that the Ukrainian Red Cross had to start a warning Twitter thread about the fake accounts collecting money on their behalf using their name and emblem.

YouTube

In the early days of the invasion, there were numerous fake live streams on YouTube asking for donations on behalf of the Ukrainian government.

Subsequently, YouTube cracked down on such live streams and now such live streams are few and far between.

Hijacked YouTube channel running a Ukraine Donation Crypto Scam Livestream

Donations Received

  • As of writing this blog, the official government crypto wallets have received over 50 million dollars in donations.
  • Many of the malicious websites, social media campaigns, and live streams have also managed to scam many victims out of their hard-earned money using the donation scams.
  • The bitcoin address shown in the YouTube live stream screenshot above managed to get over $1,000 in donations, and the Ethereum address received over $2,600 in donations.
  • There are many small websites that were created after the invasion and the wallets listed on those profiles have received quite some money as well. Many of these websites are suspicious and verifying the genuineness of each website is challenging.

How to avoid such scams

  1. Don’t trust random social media accounts and random websites.
  2. Always use the official donation address listed on official Ukrainian government websites or legitimate charity websites.
  3. Don’t trust screenshots and QR codes screenshots. They could be easily forged or altered.
  4. Always verify that the social media account asking for a donation is the legitimate account for the said organization.

About Us

This blog is published by Bolster Research Labs. We are also creators of https://checkphish.ai – a free URL scanner to detect phishing and scams sites in real-time.

If you are interested in advanced research and uncovering new scams or working with cutting-edge AI, come work with us at the Bolster Research Labs. Check out open positions here

Resources