Crypto fundraising for Ukraine found on the Darknet, used by cyber criminals for fraud

According to the founder of Kiev-based crypto exchange Kina, over $26 million in crypto has been raised by the Ukrainian government since the beginning of the war.
Check Point Research (CPR) researchers, who frequently scan the Darknet have spotted several ads and sites, which aim at raising money for the Ukrainian people, mostly on a cryptocurrency basis.
CPR’s investigation shows that whilst some of these sites are part of the official Ukrainian government fund raising campaign, others appear to be questionable, and raise a concern that once again there are cyber criminals behind them, leveraging the current crisis for fraudulent activities.

The Darknet’s playground

Though it is not illegal to access and use the Darknet, many of the activities within it appear to be illegitimate sales and transactions.
During the pandemic, CPR researches uncovered corona related ads and mini sites dedicated to sellers offering anything from fake COVID certificates, vaccines and test results.
In this report, CPR shows examples of ads found on the Darknet, both, legitimate and questionable, asking for money to help the victims of the Russia Ukraine war.

Marina is requesting assistance, on the Darknet

CPR came across a Darknet web page (onion) that is requesting donations for “Marina”.
A short description states that ‘Marina’ and her children are trying to escape Ukraine due to the “very bad situation” and are asking money, to be donated in cryptocurrency, to do so. The appeal also states, “Every coin helps”.

Whilst the QR codes attached are addresses to crypto currency wallets, a quick check shows that the main image on the site seems to be taken from a newspaper article from the German international news broadcaster called Deutsche Welle (DW). No other information seems to be provided, raising questions about the overall authenticity and legitimacy of the page.

Cryptocurrency now being legitimate central coin for fund raising

A quick scan of more websites on the Darknet shows more mini-sites containing requests for donations. Some redirect to the official legitimate sites of the government and call out for fund raising, but some link to either void links or empty pages. Some sites are linking back to what appeared to be fraudulent websites.

“Defend Ukraine” with crypto donations

Some of the sites referenced on the Darknet are actually pointing to reliable websites.
The one standing out is: a website calling people to “Help the Ukrainian army and their wounded, as well as the families and children caught in the developing conflict”

It also refers to the “Defend Ukraine” Twitter account. The domain was registered on the 16th of February, a week before the war in Ukraine started.
The site itself is simple and contains a list of different organizations and NGOs in Ukraine, as well as Crypto Currency – Bitcoin, Ethereum, and USDT.
Bitcoin Addresses:
This site has currently received (from 2022-02-24 12:58, first transaction) 261.16141073 BTC valued at $9,880,525.93

Defend Ukraine website

Over $9.8 million in crypto donations to Ukraine



Cryptocurrency donations to the Ukrainian Government in the Darknet

In times of crisis and extreme circumstances, like this war, there is always a proliferation of cyber criminals trying to leverage the situation and an increase in fraudulent activities.
In a recent report, CPR released data on the increase in cyber-attacks that researchers have observed since the beginning of the war. Attacks on Ukraine’s Government and military sector surged by a staggering 196% in the first three days of combat.
Not surprisingly attackers are now finding their way to the Darknet in search of further offensive activities.

Beware of where you send your money

CPR urges potential donors, who seek to help the Ukrainians, and in general, everyone donating to any cause, to beware of the links they go to, and the websites they use to send money.
The Darknet is usually not the right platform for fundraising, unless you are tech savvy and know your way within it.

The CPR teams are constantly monitoring the developing situation in search of additional potential threats that might surface and will update accordingly.