
Cyren Security Blog

Cybercriminals Unleash Ukrainian Crypto Scams

Over 100K daily fake donation emails uncovered by the Cyren research team

By Magni Reynir Sigurðsson

Cybercriminals know which techniques increase their chances of successfully scamming unsuspecting victims, shamelessly exploiting any event regardless of human suffering to achieve monetary gain. The Russian invasion of Ukraine is no exception. Over the past two weeks, the Cyren research team has seen a huge increase in crypto scams taking advantage of the country’s political unrest.

Ukraine has received more than $50 million in crypto donations since the war started, with the majority of donations resulting from the Ukrainian government's Twitter account requesting Bitcoin, Ethereum, Tether and Polkadot. So, it’s not surprising that cybercriminals are focusing on crypto donations to trick victims.

The team has discovered an endless wave of email scam messages with subject lines including “Help Ukraine”, “Help Ukraine war victims” and “Help Ukraine stop the war! – humanitarian fund raising”. While the victims are under the impression that they are helping Ukraine, the donation is going straight into a scammer’s wallet. In the last few days, the research team has uncovered more than 100k emails per day. Over 50% of the emails are being routed through the US; however, this is not an indication that the emails originated in the US. The research team found emails coming from all over the globe, including Indonesia, Brazil, India, South Africa and Colombia.

As expected, a large number of the emails are sent from spoofed addresses with domain endings related to Ukraine to increase their “authenticity”. However, a significant number of emails are being sent from random Gmail addresses, highlighting the arrogance of cybercriminals who prey on trusting victims.

“Help Ukraine” crypto scam email

Volume and frequency of “Help Ukraine” crypto scam emails from March 3-9, 2022

How it Works

Prior to targeting victims through emails and SMS messages, the cybercriminals create websites using a website builder, then purchase a domain and upload their site to it. In this case, most of the domains include ‘Ukraine’ to increase legitimacy, for example: ‘help-ukraine-now.today’.

Once complete, the scammers spread the URL in an email or SMS message to drive traffic to the site where they list Bitcoin and Ethereum addresses, similar to the request from the Ukrainian government’s Twitter account. However, these donations will never help with the war effort. Instead, they will go to the cybercriminals, funding more theft and criminal behavior. 
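The traits described above (the quoted subject lines, Gmail or Ukraine-themed sender domains, and links whose host contains ‘ukraine’) can be combined into a simple mail-triage check. This is an added example, not Cyren's detection logic; the trait names, the two-trait threshold, the reading of “domain endings related to Ukraine” as `.ua` or a domain containing “ukraine”, and the check for wallet addresses in the message body are assumptions.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlsplit

SUBJECT_RE = re.compile(r"help\s+ukraine", re.I)   # subject lines quoted in the post
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
# Assumption: wallet addresses may sit in the mail body, not only on the linked site.
WALLET_RE = re.compile(
    r"\b(?:0x[0-9a-fA-F]{40}"                      # Ethereum
    r"|bc1[ac-hj-np-z02-9]{11,71}"                 # Bitcoin (bech32)
    r"|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b")        # Bitcoin (legacy base58)

def triage(raw):
    """Return the set of campaign traits present in one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    part = msg.get_body(preferencelist=("plain", "html"))
    body = part.get_content() if part is not None else ""
    sender = parseaddr(str(msg.get("From", "")))[1]
    domain = sender.rpartition("@")[2].lower()
    # Match on the URL host only, so a news link with "ukraine" in its path is ignored.
    hosts = [(urlsplit(u).hostname or "").lower() for u in URL_RE.findall(body)]
    traits = set()
    if SUBJECT_RE.search(str(msg.get("Subject", ""))):
        traits.add("subject_lure")
    if any("ukraine" in h for h in hosts):
        traits.add("ukraine_themed_link")
    if WALLET_RE.search(body):
        traits.add("wallet_in_body")
    # Free-mail or Ukraine-looking sender domain: weak alone, so it only adds weight.
    if domain == "gmail.com" or domain.endswith(".ua") or "ukraine" in domain:
        traits.add("sender_pattern")
    return traits

def is_suspect(raw):
    """Flag for review only when two or more independent traits coincide."""
    return len(triage(raw)) >= 2

# Constructed samples; the sender and wallet strings are made-up placeholders.
SCAM = ("From: Relief Fund <sample.sender@gmail.com>\n"
        "Subject: Help Ukraine war victims\n\n"
        "Donate at https://help-ukraine-now.today/ or send ETH to\n"
        "0x" + "ab12" * 10 + "\n")
BENIGN = ("From: News Desk <digest@news.example>\n"
          "Subject: Weekly digest\n\n"
          "Read more at https://news.example/world/ukraine-update\n")

if __name__ == "__main__":
    for name, raw in (("scam", SCAM), ("benign", BENIGN)):
        print(name, sorted(triage(raw)), is_suspect(raw))
```

Requiring two traits keeps a legitimate charity mail that merely uses the phrase “Help Ukraine” out of the review queue.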

Social Networks Targeted

The high-profile nature of the Russia-Ukraine conflict means that cybercriminals want to reach as many targets as possible to increase potential profitability. Consequently, it is not just the more ‘traditional’ avenues of email and SMS messages that cybercriminals are using to distribute their fake sites. The research team is also seeing fake donation scams proliferate on Twitter, Facebook and YouTube. Consumers must remain vigilant and understand that even social media can be, and often is, used by cybercriminals to increase the reach of their scams.

Scam Twitter account with donation links (Source: Twitter.com)

YouTube videos are being used to scam people into donating via QR accounts (Source: Twitter.com)

Avoiding Cybercriminals – Steps to Keep Safe

As events escalate, so does the number of scammers who feed off the emotional state of their victims. When donating to a cause, people must take the time to verify that the source is legitimate. While this is easier said than done, particularly in this case given that the official Twitter account of Ukraine is accepting donations through crypto, there are some precautions individuals can take to protect against scammers. First, scrutinize all emails asking to follow a link. Second, look for grammatical inconsistencies, spelling errors and incorrect logos. Third, do not open attachments or follow website links, especially when they relate to financial donations. And lastly, bypass the middleman and go directly to legitimate websites to make donations.

The official Twitter account and donation information (Source: Twitter.com)
