Phishers Using Ukraine Invasion to Solicit Cryptocurrency

Cyber-criminals are impersonating legitimate aid organizations to steal financial donations intended for the people of Ukraine, according to new research by managed detection and response provider Expel.

Analysis of attack vectors and incident trends performed by the company’s security operations center (SOC) for Expel’s February Attack Vectors Threat Report found multiple phishing emails referencing the invasion of Ukraine to target cryptocurrency.

Malicious emails detected by the SOC had subject lines including “Help save children in Ukraine,” “Ukraine Donations” and “Help – Bitcoin.”

One of the individuals whom the threat actors impersonated over email was Aronov Maxim, a doctor at Smile Children’s Hospital in Ukraine. The email told targets that a children’s clinic had been destroyed because of the Russian invasion and that donations were needed “to help the sick and wounded children.”

The email said that the usual portals through which donations were received “are currently closed due to the invasions,” then asked targets to donate cryptocurrency to a specified digital wallet. 

“It’s horrible that bad actors are trying to take advantage of the crisis in Ukraine for personal gain,” said Jon Hencinski, director of global operations at Expel.

“We want people to be aware of these scams at play so those thinking of donating can verify their donations are going to a legitimate place to help those in need.”

Asked what action donors should take to ensure their funds fall into the right hands, Hencinski said: “If you’re thinking about donating crypto, double-check the public wallet address and transaction history before hitting ‘send.’ 

“You can review transaction history of a public wallet address using blockchain explorer sites like blockchain.com and Polkascan.”

He went on to warn donors to be wary of public addresses with minimal transaction history and low balances. He advised them to perform a quick internet search of the public address before parting with their money.

“If the public address isn’t linked to Ukraine crypto donation efforts, that’s likely another warning sign,” said Hencinski. 

“The Ukraine government’s verified Twitter account shared three cryptocurrency wallet addresses – a Bitcoin wallet address, Ethereum wallet address, and Polkadot address. All of these addresses have recorded tens of thousands of transactions.”