Check Point Research, the threat intelligence arm of the cybersecurity solutions provider, says there is a trend where advertisements requesting donations to Ukrainians are appearing on the Darknet and while some of these are legitimate, many are fraudulent.
All advertisements are requesting donation funds in the form of cryptocurrency, it says.
The Darknet is a part of the internet that isn't visible to search engines, requiring the use of anonymised browsers for access. CPR is warning the public to not donate to Ukraine via the Darknet, as cybercriminals are looking to quickly capitalise off the high-interest in the Russia-Ukraine conflict.
“CPR has always taken a close look at the Darknet. Last year, we found advertisements for fake coronavirus services. Now, we're seeing donation scams appear on the Darknet, as the Russia-Ukraine conflict intensifies," says Oded Vanunu, head of product vulnerabilities research at Check Point Software.
"These advertisements are using fake names and personal stories to lure people into donating. In one example, we saw someone alleging to be the name ‘Marina', displaying a personal photo with her children in hand. It turns out that the image is actually taken from a German newspaper," he says.
"At the same time, we're seeing legitimate advertisements for donations to help Ukrainians, where we show one example that managed to raise nearly ten million dollars. Thus, legitimate and fraudulent advertisements are being mixed on the Darknet."
CPR found an advertisement requesting donations for an alleged Ukrainian named Marina. A short description states that ‘Marina' and her children are trying to escape Ukraine due to the “very bad situation” and are asking money to be donated in cryptocurrency to help them to do so.
The appeal also states, “Every coin helps”. A quick check shows that the main image on the site seems to be taken from a newspaper article from the German international news broadcaster called Deutsche Welle. No other information seems to be provided, raising questions about the overall authenticity and legitimacy of the page.
CPR says some of the sites referenced on the Darknet are actually pointing to reliable websites, including www.defendukraine.org/donate, a website calling people to “Help the Ukrainian army and their wounded, as well as the families and children caught in the developing conflict”. It also refers to the “Defend Ukraine” Twitter account. The domain was registered on the 16 February, a week before the war in Ukraine started. The site itself is simple and contains a list of different organisations and NGOs in Ukraine, as well as cryptocurrency - Bitcoin, Ethereum, and USDT.
The Bitcoin Addresses is www.blockchain.com/btc/address/357a3So9CbsNfBBgFYACGvxxS6tMaDoa1P. This site has currently received 261.16141073 BTC valued at $9,880,525.93.
"The Darknet can be a dangerous place. I strongly urge anyone looking to donate to use trusted sources and mediums," Vanunu says.
"CPR will continue to monitor the Darknet throughout the ongoing war and report any other wrongdoing.