McAfee Labs reports scammers exploiting Ukraine donation efforts by deploying crypto donation phishing sites and deceptive emails to harvest funds and personal data. The campaigns use fake chat boxes, donation verifiers, and counterfeit logos to appear legitimate, with a range of domains and wallets involved in funneling money. #UNICEF #BBC #McDonalds #Ukraine #Ethereum #Bitcoin #Phishing
Key points
- The attackers created crypto donation phishing sites such as ukrainehelp.world and ukrainethereum.com to lure victims into donating cryptocurrency.
- Ukrainehelp.world impersonates legitimate donation efforts (e.g., UNICEF) and lists Ethereum wallets that are also tied to other scam domains; funds are transferred from these wallets to other addresses, and the final wallet holds a sizable balance (313 ETH).
- Ukrainethereum.com includes features intended to gain victim trust, such as a fake chatbox and a fake donation verifier.
- The fake donation verifier demonstrates how the site manipulates users: clicking “Check” triggers JavaScript that shows a “Thanks!” message without any real donation verification.
- A “Fake Chat” on the site shows messages that appear real but are populated from a prebuilt list via JavaScript.
- Phishing emails accompany these sites; wallet IDs shown in the emails are not linked to official Ukraine accounts, and some domains even shifted tactics (e.g., McDonald’s phishing in the UAE).
MITRE Techniques
- [T1566] Phishing – ‘phishing websites and emails that contain cryptocurrency wallets asking for donations.’
- [T1036] Masquerading – ‘The website contains the BBC logo and several crypto wallet addresses.’
- [T1056.003] Input Capture – ‘The goal of these sites is to entice the victim into entering their credit card and personally identifiable information (PII) data by making them believe that the site being visited is official.’
- [T1566.001] Phishing: Email Phishing – ‘The email is not addressed to anyone specifically as they are mass-mailed to multiple email addresses. The wallet IDs in the email are not associated with the official Ukraine Twitter and are owned by scammers.’
Indicators of Compromise
- [URL] Phishing domains – ukrainehelp.world, ukrainethereum.com, unitedhelpukraine.kiev.ua/, donationukraine.io/donate, and other related domains
- [Domain] Associated scam domain – eth-event20.com (older crypto scam site)
- [Wallet Address] Ethereum wallets involved in transfers – 0xc95eb2aa75260781627e7171c679a490e2240070, 0x45fb09468b17d14d2b9952bc9dcb39ee7359e64d
- [Wallet/Balance] Final wallet holding substantial ETH balance (313 ETH described in the article)
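The indicators above can be matched against mail bodies or proxy logs. The Python below is an added example, not code from the McAfee report; the function names and sample lines are constructed, and it matches the listed domains on a label boundary, undoes common defanging, and compares wallet addresses case-insensitively.

```python
import re

# Indicators copied from the list above (hostnames only, paths dropped).
IOC_DOMAINS = {
    "ukrainehelp.world", "ukrainethereum.com", "unitedhelpukraine.kiev.ua",
    "donationukraine.io", "eth-event20.com",
}
IOC_WALLETS = {
    "0xc95eb2aa75260781627e7171c679a490e2240070",
    "0x45fb09468b17d14d2b9952bc9dcb39ee7359e64d",
}

# Group 1 is the hostname; the optional tail consumes path and query so that
# a domain appearing only inside another URL's parameters is not re-matched.
URL_RE = re.compile(
    r"\b(?:https?://)?((?:[a-z0-9-]+\.)+[a-z0-9-]{2,})(?:[/:?#]\S*)?", re.I)
ETH_RE = re.compile(r"\b0x[0-9a-fA-F]{40}\b")

def refang(text):
    """Undo common defanging (hxxp, [.], (.)) so shared reports still match."""
    text = re.sub(r"hxxp", "http", text, flags=re.I)
    return re.sub(r"\[\.\]|\(\.\)", ".", text)

def host_matches(host):
    """Return the IoC domain if host is that domain or one of its subdomains."""
    host = host.lower().rstrip(".")
    for domain in IOC_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return domain
    return None

def scan(text):
    """Return the sorted list of IoCs (domains and wallets) found in text."""
    text = refang(text)
    hits = set()
    for m in URL_RE.finditer(text):
        domain = host_matches(m.group(1))
        if domain:
            hits.add(domain)
    for m in ETH_RE.finditer(text):
        if m.group(0).lower() in IOC_WALLETS:  # checksum casing varies
            hits.add(m.group(0).lower())
    return sorted(hits)

if __name__ == "__main__":
    # Constructed sample lines, not taken from the report.
    for line in ["GET hxxps://ukrainethereum[.]com/ 200",
                 "GET https://ukrainehelp.world.example.com/ 200"]:
        print(scan(line), "<-", line)
```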
Read more: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/scammers-are-exploiting-ukraine-donations/