Following the Ukrainian government’s crypto donation requests via Twitter in late February just as tensions escalated in the region, scammers quickly rushed to intercept donations by luring victims to expertly crafted malicious websites containing fraudulent cryptocurrency wallets, McAfee said.
The Phishing Email
Oftentimes, donation scams like these start with phishing emails. According to McAfee, these Ukrainian donation emails are mass-mailed to many different email addresses and do not address anyone specifically. In one of the phishing emails pulled by security researchers, the subject line “Help Ukraine” was combined with text urging for donations and crypto wallet addresses in the body of the email. The wallet addresses owned by scammers do not align with the official Ukraine crypto donation wallet, but “they are similar as the first 3 characters are the same,” the report said.
The Phishing Sites
Scammers have been actively targeting Bitcoin, Ethereum, and USDT (ERC-20) donations publicly requested by the Ukrainian government via a legitimate Twitter post. Security researchers have unearthed a phishing site called “Ukrainehelp.world” asking for donations for UNICEF under the title “Donate to protect children in Ukraine” McAfee said. A second phishing site named “Ukrainethereum.com” includes a “fake chatbox and a fake donation verifier” security researchers added. Both of these functions are not real, existing only to instill trust in victims. However, the site contains a functioning QR code that leads to the scammers’ wallets. The phishing site was expertly crafted, even including a legitimate BBC logo. Several fraudulent crypto wallet addresses are also part of the site, Mcafee added. Several other phishing sites have been listed in McAfee’s report such as “ukrainewar.support”, “sendhelptoukraine.com”, and “paytoukraine.space.”
Credit card information theft scheme
Yet another phishing site called “Razonforukrain.com” under the guise of a “Save the Children” NGO fund was discovered, complete with heart-wrenching images, McAfee wrote. These kinds of malicious sites encourage visitors to make donations by entering their credit card info and personal information. Once entered into the form, scammers will often use the payment information for online fraud or put it up for sale on the dark web. The site has since completely flipped its appearance to resemble a McDonald’s website, attempting to phish victims in the UAE.
Scammer Wallet Worth Over $850,000
During the investigations, security researchers discovered that multiple wallets are involved in this scam, with one of them being “associated with an older crypto scam site called eth-event20.com.” The final wallet “0x45fb09468b17d14d2b9952bc9dcb39ee7359e64d” currently holds 313 ETH, which translates to over $850,000, the report said. “This shows the large sums of money scammers can generate with phishing sites” McAfee added.
Important Security and Donation Information
For those wanting to donate to Ukraine amid the ongoing crisis, it is critical to check whether wallet addresses align with the official government crypto wallets posted on Twitter. The official wallet addresses are:
BTC – 357a3So9CbsNfBBgFYACGvxxS6tMaDoa1P ETH and USDT (ERC-20) – 0x165CD37b4C644C2921454429E7F9358d18A45e14
Once again, users must consult the official Twitter donation thread to acquire the official wallet information. McAfee also posted the following tips to avoid phishing emails and websites:
Checking where an email comes from can reveal a scam Performing a web search for crypto wallet addresses to see whether they exist and are legitimate (be suspicious if there is a low number of search results) Performing a web search for website URLs Checking for poor grammar and suspicious logos Looking for URL alterations, e.g., logln-paypal.com instead of login.paypal.com Hovering your mouse over the hyperlink or call-to-action button in the email and checking whether this is shortened or different from what you would expect Verifying whether the URL and title of the page match e.g., the URL points to donations for Ukraine but the title of the page reads “McDonald’s Delivery”
Keep your personal information and your finances away from scams by following our full guide to cryptocurrency scams in 2022, as well as our comprehensive phishing guide.