Crypto Winter: Fraudsters Impersonate Ukraine’s Government to Steal NFTs and Cryptocurrency
Introduction
With winter approaching and Ukraine’s critical infrastructure repeatedly targeted by Russian missiles, impersonating a sovereign nation fighting for its survival to collect fraudulent donations from well-meaning people is objectionable but ultimately unsurprising. Donations to Ukraine were estimated at nearly $1 billion USD as of April 2022, and cryptocurrency donations in particular were noted, especially early in the conflict. Soliciting crypto donations was a novel approach by Ukraine’s Ministry of Digital Transformation to seek support from a broader pool of people worldwide. Given the amount of money this represents, scams were sure to follow.
DomainTools observed and continues to track a cryptocurrency scam campaign impersonating Ukraine’s Ministry of Digital Transformation as part of a broader effort to steal non-fungible tokens (NFTs) and cryptocurrency from retail investors. Using the ruse of funding urgently needed military equipment and humanitarian supplies for Ukraine’s defense against a Russian invasion, a Twitter account with the username “@AidForUkraine_” began promoting two malicious lookalike domains central to this fraudulent fundraising campaign. Figure 1 features a screenshot of one such cryptocurrency scam. These two domains share a host that offers pivots to several different types of cryptocurrency scams likely operated by the same threat actors.
In addition to showcasing cybercriminal opportunism, this campaign helps illustrate broader themes related to the underlying social engineering methods cybercriminals use to bypass a target’s healthy skepticism for illegitimate purposes as well as the power of pivoting through Internet infrastructure to identify and track malicious activity.
Figure 1: A cryptocurrency scam impersonating Ukraine’s Ministry of Digital Transformation deployed at donate.thedigital-nft-ua[.]agency. This scam solicits NFT and cryptocurrency donations, ostensibly to fund military equipment for the defense of Ukraine from a Russian invasion.
Scam Promotion via Twitter
The “@AidForUkraine_” Twitter account is the primary medium for disseminating malicious URLs for this campaign and appears to target Twitter accounts that have an interest in cryptocurrencies, NFTs, and decentralized finance generally (Figure 2). Such targeting serves several purposes:
- Targets require access to cryptocurrency for it to be stolen in the first place.
- Targeted spam affords a smaller footprint, making detection and remediation of fraudulent accounts less likely, or at least delaying the inevitable.
- Promotion from a convincing impersonation account primes targets for deception, making them more likely to believe the malicious domain they access is legitimate. In essence, seeing is believing.
- This serves as a target self-selection mechanism, meaning that each subsequent phase of a scam has a higher likelihood of success because more skeptical targets are no longer participating.
The Twitter account “AidForUkraine_” (Figure 2) bears a striking resemblance to the legitimate “_AidForUkraine” account which Ukraine’s government promotes (Figure 3). Note the placement of the underscore in each account as well as the use of similar images and iconography.
Figure 2: Impersonation account “AidForUkraine_” account profile.
Figure 3: Legitimate account “_AidForUkraine” account profile.
The “@AidForUkraine_” account’s profile avoids referencing account usernames and instead uses mostly cryptocurrency-related hashtags. Including usernames creates a link in a user’s mind, connoting trust, whereas hashtags are more likely to drive traffic to their account. The account’s description also includes a broken URL to an impersonator domain. Though possibly some sort of obfuscation, a more likely explanation is simply user error. This profile also contains the URL donate.thedigital-ua[.]team.
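The underscore trick described above (“AidForUkraine_” versus the legitimate “_AidForUkraine”) is easy to miss by eye but easy to catch mechanically. The following is an added example, not DomainTools code or part of the original post: it normalizes handles so that case, a leading “@”, underscore placement and Unicode look-alike characters no longer matter, then compares each candidate against a watchlist of protected handles. The watchlist entry “ExampleCharity” and the candidate handles other than the two named in this post are hypothetical.

```python
import re
import unicodedata

# Constructed watchlist. "_AidForUkraine" is the legitimate handle named in
# this post; "ExampleCharity" is a hypothetical second entry showing the
# check is not specific to one account.
WATCHLIST = ("_AidForUkraine", "ExampleCharity")


def normalize_handle(handle: str) -> str:
    """Collapse what an impersonator varies: a leading '@', letter case,
    underscore placement and Unicode look-alikes (NFKC maps e.g. fullwidth
    'Ａ' to 'A'). Only [a-z0-9] survives, so 'AidForUkraine_' and
    '_AidForUkraine' both become 'aidforukraine'."""
    folded = unicodedata.normalize("NFKC", handle).lstrip("@").casefold()
    return re.sub(r"[^a-z0-9]", "", folded)


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; handles are short, so O(len(a)*len(b)) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def classify_handle(candidate: str, watchlist=WATCHLIST, max_distance: int = 1):
    """Return (verdict, matched_handle).

    legitimate   - the handle is on the watchlist (Twitter handles are
                   case-insensitive, so compare casefolded).
    impersonator - normalizes to the same string as a watchlisted handle
                   but is not that handle (the '_' trick in this campaign).
    near_miss    - within max_distance edits after normalization
                   (typosquat-style, e.g. one swapped letter).
    unrelated    - nothing close on the watchlist.
    """
    raw = candidate.lstrip("@")
    norm = normalize_handle(candidate)
    best = None
    for legit in watchlist:
        if raw.casefold() == legit.casefold():
            return "legitimate", legit
        legit_norm = normalize_handle(legit)
        if norm == legit_norm:
            return "impersonator", legit
        distance = levenshtein(norm, legit_norm)
        if distance <= max_distance and (best is None or distance < best[0]):
            best = (distance, legit)
    if best is not None:
        return "near_miss", best[1]
    return "unrelated", None


if __name__ == "__main__":
    # Constructed candidates: the two handles from this post plus invented ones.
    for handle in ("@_AidForUkraine", "@AidForUkraine_", "AidForUkraine",
                   "@AidForUkraime_", "DomainTools"):
        print(f"{handle:18} -> {classify_handle(handle)}")
```

Run this over the handles that mention or link to your organization; anything that comes back `impersonator` or `near_miss` is a candidate for an abuse report, and the matched legitimate handle tells the reviewer which brand is being borrowed.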
Figure 4: A now-deleted tweet from the impersonator account @AidForUkraine_ promoting the malicious URL donate.thedigital-ua[.]agency. Collected on October 26, 2022.
A noteworthy characteristic of this fraud campaign is the disciplined approach to Twitter promotion. In what could be an effort to limit detection and abuse reports, tweets promoting malicious domains are regularly deleted by the tweet’s author (Figure 4). Such behavior does not appear to be the result of any Twitter moderation activity. Figure 5 shows a reply to a now-deleted tweet promoting an “Aid For Ukraine” cryptocurrency scam.
Figure 5: A Twitter user replying to a now-deleted tweet from the “AidForUkraine_” impersonator account.
Cryptocurrency Scam Websites Impersonating Ukraine’s Ministry of Digital Transformation
Twitter promotion related to this fraud campaign uses impersonator websites requesting donations of NFTs and cryptocurrencies. These websites closely resemble those deployed by the Ukrainian government, the most obvious differences being that the cryptocurrency wallet addresses are replaced with ones controlled by the threat actors and that the scam pages display the official emblem of Ukraine’s Ministry of Digital Transformation. Figure 6 shows the legitimate “Aid For Ukraine” website and Figures 7 and 8 show scam websites.
Figure 6: Screenshot of the legitimate “Aid For Ukraine” website.
Figure 7: Cryptocurrency scam deployed at thedigital-nft-ua[.]agency.
Figure 8: Cryptocurrency scam variant deployed at donate.thedigital-ua[.]agency and donate.thedigital-ua[.]team.
The scam webpages highlighted in Figures 7 and 8 prominently display the official Ministry of Digital Transformation of Ukraine insignia along with the same headline used on the legitimate website: “[D]on’t leave us alone with the enemy.” Another impersonation website tied to this fraud campaign borrows language from the legitimate website as well, stating that gifting cryptocurrency is to “support people in their fight for freedom.” This use of the same logos, content, and overall visual aesthetic can easily confuse well-meaning people looking to donate. Unfortunately, such donations serve only to enrich a cryptocurrency fraud operation with ties to a very different geographical region.
Domains and Hosting Infrastructure
DomainTools Iris Investigate and Farsight DNSDB offer a number of helpful pivots to identify and track malicious activity related to 137.220.245[.]24, the IP address hosting thedigital-ua[.]team. Passive DNS records, for example, reveal a notable history of cryptocurrency scam activity. Virtually all hostnames that passive DNS shows resolving to this host appear to be cryptocurrency scams or otherwise suspicious domains.
As of December 6th, 2022, these results include the following domains. While DomainTools has not confirmed malicious activity for every domain on this list, many of them are confirmed cryptocurrency scams or otherwise flagged as suspicious.
Ukraine-focused cryptocurrency scams:
donate.thedigital-nft-ua[.]agency
donate.thedigital-nft-ua[.]team
donate.thedigital-ua[.]agency
donate.thedigital-ua[.]team
donate-thedigital[.]live
Suspicious domains and cryptocurrency scams:
alienfrens.nft-premint[.]xyz
aopandaainyllc.nft-premint[.]xyz
azuki.nft-premint[.]xyz
azuki.vip-mint[.]com
cryptobabyanimals.nft-premint[.]xyz
cryptobabyanimals.sole-vip[.]com
donate-thedigital[.]live
donate.thedigital-nft-ua[.]agency
donate.thedigital-nft-ua[.]team
donate.thedigital-ua[.]agency
donate.thedigital-ua[.]team
dragonfish.nft-premint[.]xyz
dragonfish.sole-vip[.]com
dvdathecult.nft-premint[.]xyz
dvdathecult[.]vip
girypto.nft-premint[.]xyz
girypto.sole-vip[.]com
googlewizard.ocry[.]com
homagang[.]art
homagang[.]live
hosenw.ns02[.]info
hoshiboshi.nft-premint[.]xyz
humankind.nft-premint[.]xyz
humankind.vip-mint[.]com
jianime.limitedwl[.]xyz
jianime.nft-premint[.]xyz
jianime.sole-vip[.]com
jianime.vip-mint[.]com
letstweet.toh[.]info
limitedwl[.]xyz
mitama-mint[.]live
nft-aopanda[.]art
nft-premint[.]xyz
nftaopanda.sole-vip[.]com
nftaopanda[.]xyz
nftaopandaainyllc.sole-vip[.]com
sole-vip[.]com
testing.limitedwl[.]xyz
testsite.mints-livenow[.]com
vip-mint[.]com
vipevent[.]top
voiders.nft-premint[.]xyz
voiders.sole-vip[.]com
xana.nft-premint[.]xyz
xana.sole-vip[.]com
xana.vip-mint[.]com
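The pivot described in this section (from one IP address to every hostname that has resolved to it, then grouping those hostnames by apex domain and flagging the ones whose labels match the campaign’s lures) is mechanical enough to script. The following is an added example, not DomainTools code and not an Iris Investigate or DNSDB API client: it runs the pivot over a constructed list of passive DNS records in a generic (rrname, rrtype, rdata) shape. The hostnames and the IP 137.220.245[.]24 are the ones listed in this post; the record set itself, the CNAME entry and the 203.0.113[.]10 host are invented so the filters have something to reject.

```python
import re
from collections import defaultdict

# Constructed passive DNS records in a generic (rrname, rrtype, rdata) shape.
# The hostnames and 137.220.245.24 come from this post; the record set is
# illustrative, not a real pDNS export. The CNAME and the 203.0.113.10 host
# are hypothetical, included so the pivot has records to filter out.
PDNS_RECORDS = [
    ("donate.thedigital-ua[.]team",       "A",     "137.220.245[.]24"),
    ("donate.thedigital-ua[.]agency",     "A",     "137.220.245[.]24"),
    ("donate.thedigital-nft-ua[.]agency", "A",     "137.220.245[.]24"),
    ("dvdathecult[.]vip",                 "A",     "137.220.245[.]24"),
    ("azuki.nft-premint[.]xyz",           "A",     "137.220.245[.]24"),
    ("nft-premint[.]xyz",                 "A",     "137.220.245[.]24"),
    ("www.thedigital-ua[.]team",          "CNAME", "thedigital-ua[.]team"),  # hypothetical
    ("unrelated-example[.]test",          "A",     "203.0.113[.]10"),        # hypothetical
]

# Hostname labels that match the lures seen in this campaign; extend per case.
LURE_LABELS = {"donate", "ua", "ukraine", "nft", "mint", "premint"}


def refang(indicator: str) -> str:
    """Turn the defanged 'a[.]b' form used in reports back into 'a.b'."""
    return indicator.replace("[.]", ".")


def defang(indicator: str) -> str:
    """Defang the last dot, matching this post's 'example[.]com' style."""
    head, _, tail = indicator.rpartition(".")
    return f"{head}[.]{tail}"


def registrable_domain(hostname: str) -> str:
    """Apex domain taken as the last two labels. Correct for the single-label
    TLDs in this list (.team, .xyz, .vip, ...); use a public suffix list when
    multi-part suffixes such as co.uk can appear."""
    return ".".join(hostname.lower().rstrip(".").split(".")[-2:])


def pivot_ip(records, ip: str):
    """Every hostname with an A record pointing at `ip`, refanged and sorted."""
    target = refang(ip)
    return sorted({refang(name) for name, rrtype, rdata in records
                   if rrtype == "A" and refang(rdata) == target})


def cluster_by_apex(hostnames):
    """Group hostnames under their apex so subdomain patterns stand out
    (donate.<apex>, <project>.nft-premint.xyz, ...)."""
    clusters = defaultdict(list)
    for host in hostnames:
        clusters[registrable_domain(host)].append(host)
    return {apex: sorted(hosts) for apex, hosts in sorted(clusters.items())}


def lure_labels(hostname: str):
    """Labels (split on '.' and '-') that match the lure list, sorted."""
    return sorted(LURE_LABELS.intersection(re.split(r"[.-]", hostname.lower())))


def pivot_report(records, ip: str):
    """The pivot, the clustering and the lure hits in one structure."""
    hosts = pivot_ip(records, ip)
    return {
        "ip": defang(refang(ip)),
        "hosts": hosts,
        "clusters": cluster_by_apex(hosts),
        "lures": {h: lure_labels(h) for h in hosts if lure_labels(h)},
    }


if __name__ == "__main__":
    report = pivot_report(PDNS_RECORDS, "137.220.245[.]24")
    print(f"Hostnames resolving to {report['ip']}:")
    for apex, hosts in report["clusters"].items():
        print(f"  {defang(apex)}")
        for host in hosts:
            print(f"    {defang(host)}  lures={report['lures'].get(host, [])}")
```

With a real pDNS export, replace `PDNS_RECORDS` with the (rrname, rrtype, rdata) triples from the source and keep the first-seen and last-seen timestamps alongside them: the apex clusters show which lures share infrastructure, and the timestamps show when the operators moved from one lure to the next.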
Possible Silver Lining
Thanks to early detection and its short duration, this specific impersonation campaign against Ukraine’s government lost steam and its operators appear to have pivoted to different lures, including impersonating several other NFT-focused cryptocurrency projects. As shown in Figure 9, a tweet from the impersonator account “AidForUkraine_” illustrates this potential shift in targeting by referencing dvdathecult[.]vip. This malicious domain shared the host 137.220.245[.]24 with the Ukrainian government impersonation websites described in this report. Figure 10 is a screenshot of the website for the NFT “event” being promoted.
Figure 9: The “AidForUkraine_” Twitter account promoting “God Hates NFTs” and the malicious domain dvdathecult[.]vip, which is also promoted by the impersonator Twitter account “GodHatesNFTese.”
Figure 10: Screenshot of the dvdathecult[.]vip website, promoted by the impersonator account “GodHatesNFTese,” which impersonates the “DVDA: The Cult” project to target its members.
Compared to other cryptocurrency scams, the peak value held by the wallets associated with this threat actor is low. Figures 11 and 12 show two Ethereum wallets connected to this group; between them they have received a total of 5.882 ETH. As of December 6th, 2022, that translates to roughly $7,350 USD. Because of the dates associated with the transfers, we cannot definitively correlate any of the transactions, whether cryptocurrency or NFT, to this scam. Although welcome news, this does not necessarily mean the fraud campaign had no additional victims; frequently changing wallet addresses is common practice in cryptocurrency fraud campaigns.
Wallet address: 0x3f23e13897436467de8aa50dd145743554111d27
Figure 11: Blockchain activity summary for the Ethereum wallet 0x3f23e13897436467de8aa50dd145743554111d27 as of December 6th, 2022.
Wallet address: 0xadaddf80697b8c2740456107509badae1c4113a1
Figure 12: Blockchain activity summary for the Ethereum wallet 0xadaddf80697b8c2740456107509badae1c4113a1 as of December 6th, 2022.
Notably, the Ethereum wallet 0xadaddf80697b8c2740456107509badae1c4113a1 has a history of transferring and, in some cases, selling NFTs. Figure 13 includes an example of one such NFT being sold and transferred to a likely innocent third-party wallet. DomainTools cannot confirm that this specific sale or other NFT sales related to this wallet are directly connected to the “@AidForUkraine_” scam.
Figure 13: An example of an NFT sold for 0.05656 WETH by the actor controlling the Ethereum wallet 0xadaddf80697b8c2740456107509badae1c4113a1, the same address used in the cryptocurrency scam impersonating Ukraine’s government.
Moving forward
Wherever turmoil or uncertainty occurs, cybercriminals look to profit from it. The ongoing conflict in Ukraine is no different, with bad actors looking to capitalize on the Ukrainian government’s own novel approach to fundraising: cryptocurrency and NFTs.
It remains to be seen whether the “@AidForUkraine_” fraud ring renews its interest in impersonating the Ukrainian government to steal cryptocurrency, NFTs, and other digital assets. We do believe that the actors behind this will continue to find new avenues to defraud people online.
DomainTools recommends that cryptocurrency holders approach any request for donations with extreme caution. Given the extreme difficulty of recovering stolen funds, any cryptocurrency transaction, especially one that requires connecting a cryptocurrency wallet or executing a smart contract, should only occur with thoroughly vetted and trusted sources. Because the scam pages in this campaign differ from the legitimate site chiefly in the wallet addresses they display, confirm a receiving address on the organization’s official website rather than trusting an address or link found in a social media post. Finally, network defenders and threat hunters can use tools like Iris Investigate or Farsight DNSDB to pivot between IP addresses and the domains they host, find active relationships among domains used by cybercriminals, and map out the extent of their activities. Contact us to learn more.