Blog
Funding and the Russia-Ukraine War: KYC for Crypto Transactions Proving Difficult
Flashpoint analysts have uncovered 262 cryptocurrency addresses used in advertisements for donations to either Ukrainian or Russian causes related to the war since February 21, 2022. As the Russian invasion of Ukraine draws more need for financial contributions to fund military and humanitarian relief needs, cryptocurrency has become a way for governments to directly source funds and bypass traditional aid processes that delay or restrict the aid they receive.
Table Of Contents
Click here for Flashpoint’s coverage of the role of intelligence in Russia’s war on Ukraine.
Flashpoint analysts have uncovered 262 cryptocurrency addresses used in advertisements for donations to either Ukrainian or Russian causes related to the war since February 21, 2022. As the Russian invasion of Ukraine draws more need for financial contributions to fund military and humanitarian relief needs, cryptocurrency has become a way for governments to directly source funds and bypass traditional aid processes that delay or restrict the aid they receive.
Although there have been official calls from the Ukrainian government to make cryptocurrency donations through associated accounts, Flashpoint analysts have also noted various people attempting to attract funds to support specific military units in the war, as well as threat actors taking advantage of the crisis to scam victims into paying them instead. This will likely continue as opportunities for scams proliferate in the wake of this war and an influx of donors willing to contribute using cryptocurrency.
Official calls for cryptocurrency donations
On February 26, 2022, the Ukrainian government tweeted Bitcoin and Ethereum addresses to solicit aid during the ongoing war with Russia. The preponderance of addresses, 131 in total, are Bitcoin wallets, but analysts also uncovered 67 Ethereum addresses associated with the war. The addresses were then circulated through chat service platforms and social media sites by users looking to draw support for Ukraine.
Telegram’s role
Actors are primarily sharing the wallet addresses on Telegram. Analysts have recorded over 740 messages using the addresses tied to the war, which direct users to donate to verifiable and legitimate organization addresses, to wallets claiming to support humanitarian causes in Ukraine, and to military efforts on both sides of the conflict.
Cryptocurrency addresses
Of the 131 Bitcoin addresses advertised on Telegram channels supporting either Ukrainian or Russian efforts, analysts uncovered that only 40 had transacted on Bitcoin’s blockchain. The other 91 wallets’ addresses are advertised, but have not received any funds. Additionally, analysts uncovered 67 Ethereum addresses, with 28 present on Ethereum’s blockchain.
Verifiable addresses
Various organizations—such as the Ukrainian government, the Cyberpolice of Ukraine, and the Come Back Alive Foundation—have promoted cryptocurrency addresses to raise funds in support of Ukraine in its war with Russia. Several verified social media accounts and credible websites have publicized the addresses to direct potential donors to legitimate resources and humanitarian aid organizations.
According to Alex Bornyakov, Ukraine’s deputy minister at the Ministry of Digital Transformation, the Ukrainian government and NGOs have together raised almost US$100 million in cryptocurrencies and other digital assets in support of Ukrainian interests as of March 9.
Flashpoint has identified eleven credible Bitcoin addresses circulating through Telegram that have raised 680.95 BTC (US$26,841,210). The vast majority of these funds are going to two wallets, one owned by the Ukrainian government and the other by NGO Come Back Alive. Flashpoint has also identified thirteen credible Ethereum addresses that have raised 18,153.78 ETH (US$47,395,707). The Ukrainian government and NGOs have also been collecting donations in other digital assets as well, such as nonfungible tokens and additional cryptocurrencies.
Specific military support
Flashpoint has identified three specific instances in which Bitcoin wallets and two instances in which Ethereum wallets have been associated with fundraising support for named military units operating in the Ukraine-Russia war. Two of the Bitcoin wallets are rallying funds for the far-right Ukrainian Azov Battalion, while the other is associated with Russia’s Donetsk People’s Republic (DNR) forces. The Azov Battalion originates from a Ukrainian extremist white nationalist organization known as the “Patriot of Ukraine,” which reformed into a paramilitary regiment in late 2014. The DNR forces, formed in 2014, are pro-Russian separatist forces from the Donetsk region.
The Azov donation addresses have received 0.16126313 BTC (US$6,356) across 38 transactions, while the DNR address received 0.00004406 BTC (US$1.74) from one transaction. Additionally, analysts identified two Ethereum addresses for Azov donations, which have received 0.89471 ETH (~US$2,335) across 21 transactions.
On February 22, 2022, user “DefenderZ of Donbass / Защитники Донбасса” on the Telegram channel “Defenders of Donbass / Защитники Донбасса 🅉” provided a list of cryptocurrency wallets and money transfer addresses supporting the DNR army. The message provides wallet addresses for Bitcoin and Monero, as well as card numbers and contact information.
Suspicious addresses
Analysts identified 26 suspicious Bitcoin wallet addresses and 13 suspicious Ethereum wallet addresses that have transacted on the blockchain and have been advertised in Telegram messages supporting military or humanitarian aid for Ukraine. The posts that include these addresses do not associate them with verifiable organizations or provide proof that the donated funds will reach the alleged intended sources of aid. It is plausible that the low-credibility wallets are designed to fraudulently accumulate funds under the guise of humanitarian and defense support for Ukraine. The 26 Bitcoin wallets have received a total of 2.27355422 BTC (~US$89,617), while the Ethereum wallets have received a total of 33.30149 ETH (~US$86,943) throughout their lifetime.
For example, Telegram user “Lorraine McDaniel” posted cryptocurrency wallet addresses in the Telegram channel “😀🇦🇺 Australia Freedom Rally [Sat 19th March 12:00pm]” under the guise of fundraising on behalf of Ukraine’s efforts in the war. They attached a screenshot of a social media post sent by the Ukrainian government, but changed the addresses, likely in an attempt to get others to send money to wallets under their control.
New trends for governments and threat actors
The Ukrainian government’s call for cryptocurrency donations is a novel approach for nation-states to directly raise funds from the international community without relying on traditional vehicles of foreign aid. However, malicious actors are also able to more easily monetize donations intended for the Ukrainian government by advertising and proliferating their own cryptocurrency wallet addresses rather than the legitimate addresses. This tactic is similar to traditional charity scam methods, in which threat actors solicit donations for charitable causes but then withhold the funds.
Cryptocurrency addresses offer users greater anonymity when donating to causes than other monetary instruments, though that anonymity also makes verifying the intended recipient more difficult. Analysts expect threat actors to continue to advertise fraudulent Ukrainian support addresses as the war continues.
Get Flashpoint intelligence on your team
Any organization’s security capabilities are only as good as its threat intelligence. Flashpoint’s suite of tools offer you a comprehensive overview of your threat landscape and the ability to proactively address risks and protect your critical data assets. To unlock the power of great threat intelligence, sign up for a demo or get started with a free trial.