Self-funding Extremism: How Task Force Rusich Leveraged Malware to Steal and Mine Cryptocurrency
Key takeaways
- Extremist groups are increasingly self-funding through cybercrime. Task Force Rusich, a violent extremist faction associated with the Wagner Group, appears to have generated millions of dollars in cryptocurrency through addresses linked to both public donation campaigns and malware-enabled theft.
- A public Rusich donation address identified by TRM was embedded directly in a malware strain, creating a definitive on-chain link between extremist fundraising and criminal infrastructure.
- At least USD 6 million in on-chain volume is tied to malware-embedded addresses and surrounding networks.
- The malware likely supported dual revenue streams. In addition to clipboard hijacking, wallet activity and code references suggest possible covert cryptocurrency mining, pointing to a hybrid theft-and-mining funding model.
- The campaign remains active. Sustained inflows over multiple years indicate this is not a historical operation, but an ongoing revenue stream.
- Blockchain transparency enabled exposure. Despite attempts to monetize anonymously, address reuse and exchange clustering allowed for network mapping and financial quantification by TRM analysts.
Wagner Group’s evolving financial playbook
For years, TRM Labs has tracked the Wagner Group’s financial infrastructure, documenting its use of cryptocurrency to support operations linked to conflict zones, sanctions evasion, and extremist activity. Prior TRM research has shown how Wagner-affiliated entities have leveraged digital assets for fundraising, logistics, and cross-border value transfer.
New intelligence now reveals an additional layer of that playbook.
Wagner’s paramilitary group, Task Force Rusich, is a far-right sabotage and assault reconnaissance group that operates as a specialized subunit within the Wagner Group. Established in 2014 by Alexey Milchakov and Yan Petrovsky, Rusich has fought alongside Wagner in Ukraine, Syria, and other conflict zones. It appears to have partially self-funded its activities for years through cryptocurrency-focused malware, in a campaign that remains active today and combines:
- clipboard hijacking (replacing copied cryptocurrency addresses),
- theft of victim funds, and
- potential covert cryptocurrency mining.
On-chain evidence directly links the malware infrastructure to wallets publicly associated with the group, and TRM has identified over USD 6 million in volume associated with addresses embedded in the malware.
In addition to clipboard hijacking, analysis indicates the malware may also support supplementary revenue generation through cryptocurrency mining. The code references XMRig, an open-source tool commonly used to mine Monero (XMR), and several Rusich-linked addresses have received funds from mining pools. While direct cryptojacking activity was not conclusively observed in every sample, the convergence of stolen funds, mining pool payouts, and embedded mining functionality suggests the malware may have served a dual purpose: both theft and covert computational exploitation.
If confirmed, this would reflect a hybrid funding model combining opportunistic victim theft, potential passive mining revenue, and broader extremist fundraising infrastructure.
The malware: Clipboard hijacking and embedded wallets
The malware, first observed around 2021–2022, incorporates clipboard hijacking functionality commonly referred to as “clipper” malware.
When sending cryptocurrency, users typically copy and paste the recipient’s wallet address because the strings are long and must be entered exactly. Clipper malware exploits this behavior by monitoring the clipboard and silently replacing the copied address with one controlled by the attacker, causing funds to be sent to the wrong destination. This feature, however, allowed TRM analysts to identify addresses hardcoded in the malware files, which were then connected to addresses linked to Task Force Rusich. The same malware also references infrastructure consistent with cryptocurrency mining activity, including indications of Monero-related functionality.
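The analyst step described above (recovering hardcoded wallet addresses from malware files) as an added illustration, not code from the original article or from TRM: the script scans a binary blob for address-shaped strings and uses the Base58Check checksum to discard Bitcoin lookalikes. The sample blob and every address in it are constructed here; Ethereum and Monero hits are pattern matches only and need manual confirmation.

```python
import hashlib
import re

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def b58encode(raw: bytes) -> str:
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return "1" * (len(raw) - len(raw.lstrip(b"\x00"))) + out

def b58decode(text: str) -> bytes:
    n = 0
    for ch in text:
        n = n * 58 + B58.index(ch)  # ValueError on a non-base58 character
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return b"\x00" * (len(text) - len(text.lstrip("1"))) + body

def valid_base58check(addr: str) -> bool:
    # A legacy address is 25 bytes: version + 20-byte hash + 4-byte double-SHA256 checksum
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    return len(raw) == 25 and hashlib.sha256(hashlib.sha256(raw[:21]).digest()).digest()[:4] == raw[21:]

PATTERNS = {  # legacy Bitcoin (base58), Ethereum (hex), Monero standard/subaddress (95 chars)
    "bitcoin": re.compile(rb"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b"),
    "ethereum": re.compile(rb"\b0x[0-9a-fA-F]{40}\b"),
    "monero": re.compile(rb"\b[48][1-9A-HJ-NP-Za-km-z]{94}\b"),
}

def extract_addresses(blob: bytes) -> list[tuple[str, str]]:
    """Return (kind, address) hits; Bitcoin candidates must also pass the checksum test."""
    hits = []
    for kind, pat in PATTERNS.items():
        for m in pat.finditer(blob):
            addr = m.group().decode()
            if kind != "bitcoin" or valid_base58check(addr):
                hits.append((kind, addr))
    return hits

# Constructed sample values (not from the article or any real sample).
_payload = b"\x00" + hashlib.sha256(b"constructed-pubkey-hash").digest()[:20]
VALID_BTC = b58encode(_payload + hashlib.sha256(hashlib.sha256(_payload).digest()).digest()[:4])
CORRUPT_BTC = VALID_BTC[:-1] + ("2" if VALID_BTC[-1] != "2" else "3")  # one flipped character
ETH = "0x" + "ab" * 20
XMR = "4" + "A" * 94
SAMPLE_BLOB = b"\x00".join(s.encode() for s in ["MZ", VALID_BTC, CORRUPT_BTC, ETH, XMR]) + b"\x00"
```

Running `extract_addresses(SAMPLE_BLOB)` returns the valid Bitcoin, Ethereum and Monero strings and drops the corrupted Bitcoin lookalike; in practice the hits are then checked against blockchain data, as the article describes.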
Direct attribution: Donation address overlap
The strongest link between the malware activity and Task Force Rusich is a clear operational overlap. A cryptocurrency donation address publicly shared by Task Force Rusich on Telegram was identified among the wallet addresses embedded in the malware, directly connecting the group’s public-facing fundraising infrastructure with wallets used to receive stolen funds. This reuse of financial infrastructure represents a significant operational security failure and materially strengthens attribution confidence by tying the malware-enabled theft activity to the group’s known support network.
Following the funds: Exchange consolidation
On-chain tracing reveals that stolen funds from multiple victim wallets were ultimately consolidated into shared exchange deposit infrastructure.
In particular, we identified flows into TradeOgre deposit addresses, with multiple Rusich-linked wallets depositing into the same exchange endpoint.
TradeOgre was a cryptocurrency exchange that operated with limited transparency and minimal compliance controls, which made it a popular venue for criminals seeking to obscure the origin of funds. Canadian authorities seized TradeOgre in late 2025.
This suggests either:
- control of a shared exchange account, or
- close coordination within a broader financial network.
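The consolidation inference above, as an added example that is not part of the original article or of TRM’s tooling: over a constructed transfer list with placeholder address names, it finds exchange deposit addresses funded by two or more known-linked wallets and, going one step beyond the text, folds the other depositors into the same cluster.

```python
from collections import defaultdict

# Constructed transfers (sender, receiver, amount in base units); names are placeholders, not real addresses.
TRANSFERS = [
    ("rusich_wallet_A", "exch_deposit_1", 120),
    ("rusich_wallet_B", "exch_deposit_1", 75),
    ("victim_3", "rusich_wallet_C", 40),
    ("rusich_wallet_C", "exch_deposit_1", 40),
    ("unrelated_1", "exch_deposit_2", 500),
    ("rusich_wallet_A", "exch_deposit_2", 10),
]
# Seed set: e.g. the published donation address and a malware-embedded address (placeholders here).
KNOWN_LINKED = {"rusich_wallet_A", "rusich_wallet_B"}

def shared_deposit_endpoints(transfers, known, min_sources=2):
    """Destinations funded by at least min_sources distinct known-linked senders, with their volume."""
    by_dst = defaultdict(lambda: {"sources": set(), "volume": 0})
    for src, dst, amount in transfers:
        if src in known:
            by_dst[dst]["sources"].add(src)
            by_dst[dst]["volume"] += amount
    return {dst: v for dst, v in by_dst.items() if len(v["sources"]) >= min_sources}

def expand_cluster(transfers, known, max_rounds=5):
    """Heuristic: exchange deposit addresses are normally issued per customer, so every other sender
    into a shared endpoint is treated as linked too. Iterates to a fixed point; review hits manually."""
    linked = set(known)
    for _ in range(max_rounds):
        endpoints = set(shared_deposit_endpoints(transfers, linked))
        newly_linked = {src for src, dst, _ in transfers if dst in endpoints} - linked
        if not newly_linked:
            break
        linked |= newly_linked
    return linked
```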

Wagner’s enduring financial infrastructure
Wagner Group remains a significant threat actor with global operational reach, and its affiliated units, including Task Force Rusich, warrant continued scrutiny. Understanding how these networks finance and sustain activity is critical to assessing their operational resilience.
On-chain analysis enables investigators to connect disparate elements across fundraising campaigns, malware infrastructure, and exchange activity, revealing relationships that would otherwise remain fragmented. By tracing hardcoded wallet addresses and related transaction flows, TRM was able to link cyber-enabled theft activity directly to Rusich-associated infrastructure.
Notably, this malware-linked revenue stream remains active. The persistence of these inflows underscores how extremist financial infrastructure can continue operating beneath the surface — and how blockchain analysis is essential to bringing those connections to light.
Frequently asked questions (FAQs)
1. What is Task Force Rusich?
Task Force Rusich is a far-right paramilitary group associated with the Wagner Group, a Russian private military organization. Founded in 2014 by Alexey Milchakov and Yan Petrovsky, the group has operated in several conflict zones, including Ukraine and Syria.
Rusich has also used online channels to solicit cryptocurrency donations. TRM analysis suggests that some wallets used in these campaigns overlap with addresses embedded in malware.
2. What is clipper malware?
Clipper malware is a type of malicious software designed to divert cryptocurrency payments to an attacker.
It monitors a victim’s clipboard for copied wallet addresses and silently replaces them with an attacker-controlled address. If the victim sends the transaction without noticing the change, the funds are redirected to the attacker.
3. What is cryptojacking?
Cryptojacking is the unauthorized use of a device’s computing power to mine cryptocurrency. Attackers install malware that secretly runs mining software, allowing them to generate cryptocurrency using victims’ hardware resources.
Code references in the Rusich-linked malware suggest the potential use of XMRig, a tool commonly used to mine Monero (XMR).
4. How can malware generate cryptocurrency revenue?
Malware can generate cryptocurrency revenue in several ways, including:
- Clipboard hijacking to redirect payments
- Cryptojacking to mine cryptocurrency using victims’ devices
- Credential theft that enables attackers to access digital wallets
In some campaigns, attackers combine multiple techniques to create several revenue streams simultaneously.
5. Why do extremist groups use cryptocurrency?
Cryptocurrency allows groups to raise funds globally and transfer value without relying on traditional financial intermediaries.
At the same time, blockchain transactions are recorded on public ledgers. This transparency allows investigators to trace financial activity and identify networks involved in illicit activity.
6. How does blockchain analysis help investigators trace illicit activity?
Blockchain analysis examines transaction histories and relationships between wallet addresses. Investigators can identify patterns such as address reuse, exchange deposits, and shared infrastructure.
These insights help connect separate activities — such as malware operations, fundraising campaigns, and exchange withdrawals — into a broader financial network.
7. What role do cryptocurrency exchanges play in laundering funds?
Cryptocurrency exchanges often serve as points where illicit funds are consolidated, traded, or converted into fiat currency.
Investigators can trace deposits into exchange infrastructure and, in some cases, work with compliant exchanges to identify account holders and disrupt illicit financial networks.