Cybercriminals are exploiting cryptocurrency donations to the Ukraine crisis

by Jack Chapman
Published on 14th Jun 2022

Our threat intelligence recently shared several threats they’ve uncovered through monitoring our B2B platform, in our recent report: Keeping pace with emerging threats: Summer 2022 roundup. One of the standout threats to keep your users aware of is a group of phishing emails impersonating Ukrainian charitable appeals – specifically those requesting cryptocurrency donations.

Quick summary of these attacks

  • Vector and type: Email phishing
  • Technique: Display name impersonation and social engineering
  • Payload: Cryptocurrency address
  • Targets: Organizations across the US and the UK
  • Platform: Microsoft 365
  • Bypassed secure email gateway: Yes

We’ve seen a surge in scammers latching onto communications and appeals regarding the Russia-Ukraine conflict. Essentially, they’re social engineering attacks that relies on playing on the consciences of people who want to do a good deed. People see the humanitarian crisis in Ukraine and want to help – so they miss the warning signs of phishing in their rush to offer support.

What the attacks look like

These phishing emails come in the form of donation requests for cryptocurrency, often impersonating known bodies in Ukraine and begging for assistance. For example, figure 1 shows an email impersonating the Ukrainian Government asking for cryptocurrency donations to assist their war effort. Other impersonated organizations and individuals have included:

  • Ukrainian Ministry of Defence
  • Aid for Ukraine (charity)
  • The United Nations
  • Ukrainian President Volodymyr Zelenskyy

Figure 1: Impersonation attempt of a Ukrainian government appeal

None of the cryptocurrency wallet addresses in these phishing emails match the ones posted publicly by the Ukrainian government. The donation links such as the one shown in figure 2 likely put the proceeds straight into the pockets of cybercriminals.

Of the 962 phishing emails we analyzed, we found 244 separate cryptocurrency addresses (174 Bitcoin and 70 Ethereum). Some requests contained addresses for lesser-known cryptocurrencies such as Litecoin, Tether, Dash, and Tron. These cryptocurrencies are also officially requested by the Ukrainian government – as they can be more secure and offer multiple avenues for donations. Attackers sometimes prefer them as they are less closely monitored by law enforcement than the better-known cryptocurrencies.

Figure 2: A QR code that would take a victim to the scammer’s crypto wallet

Egress analysis

Egress VP of Threat Intelligence Jack Chapman has offered the following analysis and advice you can share with your users:

“These attacks need two things to happen in order to be successful. Firstly, they need to use an obfuscation technique to evade email security. Samples of the emails we discovered have been analyzed and been found to include substitute lookalike UNIcode characters to bypass linguistic detection.

“Secondly, they need the person to act. The emails we’ve analyzed all use social engineering to exploit an emotional reaction in people. By asking people to help in the fight against the Russian invasion or for humanitarian help for refugees and children, they hope that people will overlook the warning signs of phishing in their rush to do a good deed.

“Communicate to your people to be wary of these scams. If they really want to donate cryptocurrency to a cause but are unsure of the legitimacy of an email, it’s best to search for information online from reputable sources and only use publicly available cryptocurrency addresses.”

The takeaway

Cybercriminals are quick to use social endearing to pounce on topical events. Advise people to treat all unsolicited requests for cryptocurrency donations with healthy suspicion – especially those aiming to elicit an emotional response regarding current world events. If people want to donate to a cause, advise them to try and find publicly displayed information and wallet addresses from reputable online resources.

Get the full emerging threat report

This is just one of the emerging threats our Threat Intelligence team picked up on in the past few months. For the latest info on sextortion emails, LinkedIn impersonation phishing, and several newly-discovered zero-day exploits, download your full report here