Update on Ukrainian Crypto Donations

Outlining the Crypto-Fundraising Landscape in Ukraine

TRM investigators have seen a surge in cryptocurrency donation campaigns for Ukraine since the start of the invasion, with funds raised totaling more than $135.7 million dollars between February 22 and March 28 alone. An analysis of about 50 crypto-donations campaigns for Ukraine by TRM Investigators since the start of the Russian invasion on February 24, 2022, has identified some fundraising campaigns using new approaches to raise funds — and dozens of scams.

Key Findings

The Russian invasion of Ukraine has created the opportunity and need for crowdfunding to provide military and humanitarian support in Ukraine. TRM investigators have been tracking crypto-donation campaigns run by official government entities, non-state actors, non-governmental organizations (NGOs), private companies, and–with anything involving opportunities for quick financial gains–scammers. Some key findings TRM Investigators have compiled:

• Official government entities, including Aid for Ukraine, the Cyberpolice of Ukraine, and the Ministry of Health of Ukraine, received over $50 million inbound donations [of over $135.7 million raised thus far overall];
• NGO’s popularized primarily on Twitter such as UkraineDAO and Come Back Alive combined have received $50 million in inbound donations alone, by fundraising across multiple chains such as Bitcoin, Ethereum, Tron, and Binance Smart Chain;
• Over 85% of the campaigns solicited donations in Bitcoin and Ethereum, with Tron, Litecoin, and Binance Smart Chain following distantly behind;
• Donations across all campaigns peaked on March 2, with around $30 million USD received. Since then, donations have declined steadily, and for the week of March 21, donations averaged around $500,000 per day.

With these numbers in mind, let’s dig into how these campaigns are being conducted.

Crypto-donation campaigns have been advertised primarily on Twitter, YouTube, Discord, Telegram, Facebook, and Instagram. However, a subset of scam campaigns disseminated their information via email or created imitation websites and accounts of legitimate campaigns.

Many crypto-donation campaigns have diversified supported assets beyond Bitcoin and Ethereum, often adding new cryptocurrencies after the request of donors. In addition, some campaigns have turned to a novel approach, attempting to act as decentralized autonomous organizations (DAOs), launching tokens and minting non-fungible tokens (NFTs) as an additional means of liquidity.

Most interestingly, non-state actors such as the Ukrainian Cyber Alliance and other hacktivist groups claiming to launch cyber-attacks against Russian media are soliciting donations—truly taking crowdfunding to a new level.

Diversification of Crypto-Donation Campaigns

Crypto-donation campaigns have diversified in two ways since the start of the invasion: the types of actors who have employed blockchain technology to fundraise and the technological tactics and multi-pronged approach by which organizations have adapted to utilize an array of blockchain capabilities to fundraise. TRM investigators analyzed over 50 of these crypto-donation campaigns to assess promotion, fundraising, and distribution tactics utilized. Recent crypto-donation campaigns illustrate how an organization could launch a potentially successful campaign via social media. These crypto-donation campaigns also represent the uncertainty that comes from the decentralized nature of crypto-donation campaigns run by semi-anonymous actors and pop-up organizations on social media.

Crypto-Donation Campaign Typologies

The types of organizations leading donation campaigns for Ukraine are diverse, ranging from Ukrainian government officials to Twitter activists. TRM Investigators have classified these organizations into the following categories: official Ukrainian government and military campaigns; non-governmental organizations (NGOs); non-state actors who are engaging in military action or cyber-attacks; and private, for-profit companies. Some specific groups within these categories include:

• Ukraine’s Vice Prime Minister of Digital Transformation, Mykhailo Federov, publicized a Solana-based donation address, as did the Ministry of Health , and the Cyberpolice of Ukraine.
• Crypto platforms such as EXMO, WhiteBIT/WhitePay, Kuna, and Any.Cash have all launched donation campaigns to support various humanitarian efforts in Ukraine.
• NGO’s popularized primarily on Twitter such as UkraineDAO and Come Back Alive launched fundraising efforts through token launches, minting an NFT, and supporting donation addresses across multiple chains.
• Non-state actors, to include hacktivist groups like the Belarusian Cyber-Partisans, and cybersecurity company DisBalancer, looking to crowdsource DDoS attacks on Russian sites, have launched their own campaign efforts as well.

In addition to these types of campaigns, there have been many pop-up organizations led by alleged activists with newly-created unverified Twitter accounts with few followers, whose legitimacy is more questionable.

‍

NGO-backed campaigns were the most numerous of the typologies, at close to half of all campaigns analyzed, with the amounts raised from BTC and ETH donations alone bringing in around $48 million. Although state-backed organizations encapsulate a smaller percentage of distinct existing campaigns, they have raised a large percentage of funds per campaign amongst the varying typologies, raising over $50 million across different chains.

Charities run by private companies such as Binance, Kuna, WhiteBit, and EXMO, account for slightly less than a third of organizations identified. However, total donations received by these private charities are difficult to calculate because their backend payment processors and crypto-custodian partnerships frequently utilize user interfaces (UIs) that auto-generate new addresses per donor, making consolidation donation addresses initially harder to identify.

Obvious scam campaigns comprised about half of the over 50 distinct crypto-donation campaigns alleging to send funds to humanitarian or military efforts that TRM investigators analyzed, but accounted for a small percentage of overall trade volume.

‍

‍

Across all campaigns, organizers utilized a total of 33 different assets, including less commonly-used assets such as IoTEX and SAMO.

Common Crypto-Fundraising Tactics

Organizations commonly begin by posting their donation address(es) on their websites and social media profiles as well as using a more novel approach: setting up a Decentralized Autonomous Organization, or DAO, launch their own token ICOs, and mint Non-Fungible Tokens (NFTS). Individuals bid on the NFTs, and then send the proceeds of these NFTs and other token sales to recipients.

The conflict has also created opportunities for scammers to promote sham fundraising efforts for their own profit. TRM investigators identified dozens of notable scams claiming to alleviate and provide aid to Ukraine such as Support Ukraine, Ukraine-Fund, Ukraine Embassy Scam, and Ukraine NOW. Most of these scams were quickly identified as such by researchers and hosting providers, and their sites were taken down. They raised anywhere from a couple of hundred dollars to a couple thousand, before being taken down.

Potential Indicators of Illegitimate Donation Campaigns

TRM Investigators compiled the following indicators of potential flags of illegitimate donation campaigns after analyzing over 50 unique Ukrainian crypto-donation campaigns:

• A crypto-donation campaign takes down their web domain or deletes Twitter handle hours after launching;
• A crypto-donation campaign’s address is flagged on various scam alert websites;
• A crypto-donation campaign holds an unverified Twitter handle;
• A crypto-donation campaign receives endorsements on Twitter from unverified accounts;
• A crypto-donation campaign’s Twitter handle has a large number of new Twitter users following them, suggesting bot-like activity;
• A crypto-donation campaign’s website will have broken links or non-clickable icons to verify social media accounts.

For example, the following images represent the flags that can be found via the open web by conducting appropriate due diligence prior to sending funds to a crypto-donation campaign. In the case of UkraineDAO, an organization raising funds for humanitarian efforts, over a dozen imitation accounts result when conducting a basic search, posing as the legitimate DAO. Only one account out of the search results is a verified Twitter account for UkraineDAO.

The following images are open web results relating to a flash scam before shutting down its site and running away with users’ funds. By searching the organization, the initial website URL and associated donation addresses can be found on a scam-alert website by prior donors.

🔎 TRM Tips For the Individual Donor:  Vet the internet presence of a donation campaign operator prior to donating and to read reviews from prior donors or run targeted searches on the donation addresses to see if scam-related flags appear on the open web.

For the Payment Processor: Virtual Asset Providers (VASPs) can track donation address outflows to look for notable withdrawal patterns that may signify nefarious activity.

Investigators at TRM Labs will continue to assess the legitimacy of these donation campaigns and monitor both the sources and destinations of the funds raised.

About TRM Labs

TRM provides blockchain intelligence to help financial institutions, cryptocurrency businesses, and public agencies detect, investigate, and manage crypto-related fraud and financial crime. TRM's risk management platform includes solutions for transaction monitoring and wallet screening, entity risk scoring - including VASP due diligence - and source and destination of funds tracing. These tools enable a rapidly growing cohort of organizations around the world to safely embrace cryptocurrency-related transactions, products, and partnerships.

TRM is based in San Francisco, CA, and is hiring across engineering, product, sales, and data science. To learn more, visit www.trmlabs.com.

To report a lead to Global Investigations, email us at investigations@trmlabs.com.