CHECK Point Research (CPR), has seen a trend where advertisements that request donations to Ukrainians are appearing on the Darknet. Although some advertisements are legitimate, many are fraudulent. CPR provides examples of both. All advertisements are requesting donation funds in the form of cryptocurrency. The Darknet is a part of the internet that isn’t visible to search engines, requiring the use of anonymized browsers for access. CPR warns the public to not donate to Ukraine via the Darknet, as cyber criminals are looking to quickly capitalize off the high-interest in the Russia-Ukraine conflict.
· In one example, a woman alleging to be named “Marina” requests donations via a personal photo. CPR followed the trail to learn the image was taken from a German newspaper.
· In another example, a Darknet advertisement points to a legitimate website that has already raised nearly $10 million in crypto in donation funds
· CPR urges potential donors seeking to help the Ukrainians to beware of the links they go to and the websites used to send funds
Check Point Research (CPR) sees fraudulent donation pages to aid Ukraine on the Darknet. The dark web is part of the internet that isn’t visible to search engines and requires the use of an anonymizing browser to be accessed. There, a person can purchase credit card numbers, drugs, guns, and software that can help break into people’s computers. Some of the advertisements are legitimate, whereas others are clearly questionable. CPR provides examples of both. All of the advertisements request donations in the form of crypto currency.
CPR found the advertisement above (see main image Example A) requesting donations for alleged Ukrainian named Marina. A short description states that ‘Marina’ and her children are trying to escape Ukraine due to the “very bad situation” and are asking money, to be donated in cryptocurrency, to do so. The appeal also states, “Every coin helps”. Whilst the QR codes attached are addresses to crypto currency wallets, a quick check shows that the main image on the site seems to be taken from a newspaper article from the German international news broadcaster called Deutsche Welle (DW). No other information seems to be provided, raising questions about the overall authenticity and legitimacy of the page.
Some of the sites referenced on the Darknet are actually pointing to reliable websites. The one standing out is defendukraine.org , a website calling people to “Help the Ukrainian army and their wounded, as well as the families and children caught in the developing conflict”. It also refers to the “Defend Ukraine” Twitter account. The domain was registered on the 16th of February, a week before the war in Ukraine started. The site itself is simple and contains a list of different organizations and NGOs in Ukraine, as well as Crypto Currency – Bitcoin, Ethereum, and USDT.
The Bitcoin Addresses have currently received (from 2022-02-24 12:58, first transaction) 261.16141073 BTC valued at $9,880,525.93.
Defend Ukraine website:
Over $9.8 million in crypto donations to Ukraine:
Cryptocurrency donations to the Ukrainian Government in the Dark net:
Oded Vanunu, Head of Product Vulnerabilities Research, at Check Point Software, commented:
“CPR has always taken a close look at the Darknet. Last year, we found advertisements for fake coronavirus services. Now, we’re seeing donation scams appear on the Darknet, as the Russia-Ukraine conflict intensifies. These advertisements are using fake names and personal stories to lure people into donating. In one example, we saw someone alleging to be the name ‘Marina’, displaying a personal photo with her children in hand. It turns out that the image is actually taken from a German newspaper. At the same time, we’re seeing legitimate advertisements for donations to help Ukrainians, where we show one example that managed to raise nearly ten million dollars. Thus, legitimate and fraudulent advertisements are being mixed on the Darknet. The Darknet can be a dangerous place.”
“I strongly urge anyone looking to donate to use trusted sources and mediums. CPR will continue to monitor the Darknet throughout the ongoing war and report any other wrongdoing.”