When Russian tanks rolled across the Ukrainian border last year, another frontier opened up online.
Neo-Nazis, cybercriminals and pro-Russian groups embarked on a propaganda campaign on Telegram, the social media platform widely used in the crypto community, to raise money for Vladimir Putin’s war machine, according to CertiK, a blockchain security auditor.
In a report released this week, CertiK said there is evidence several of these nefarious groups are promoting the same wallets to crowdfund millions in crypto donations to arm the Kremlin’s troops and fund their own activities.
“They’re really all the same people behind the scenes – they’re just using different recruiting methods and channels to do it,” Hugh Brooks, director of security operations at CertiK, told DL News.
Stuff of nightmares
He said these types of groups have raised around $5 million since the war began. The particular groups analysed by CertiK raised a fifth of that sum, with around $1.05 million in Bitcoin and Etherum wallets.
The material posted on Telegram is the stuff of nightmares. The posts are a mix of fascist posturing, showing off guns, shitposting and images of dead bodies. “They are some of the worst corners of the internet,” Brook said.
Telegram did not respond to requests for comment. It is not the only social media platform struggling with hate-speech: Hundreds of Twitter accounts reinstated during Elon Musk’s ownership of the Blue Bird have spread abuse and disinformation, according to a new BBC investigation.
“They are some of the worst corners of the internet.”
Since Russian forces invaded Ukraine last February 24, 2022, CertiK researchers have tracked and analysed activities on 23 Telegram channels, 27 Bitcoin wallets and 14 Ethereum wallets.
More than 40% of those channels started at the outbreak of hostilities. Some of these wallets have been abandoned or been blocked by exchanges while others remain active.
The researchers found a complex web of wallet promotion content on Telegram that guides sympathisers to like-minded channels and social media, oftentimes sharing banking details and cryptocurrency wallet addresses where supporters can send donations.
The crowdfunded cryptocurrencies support the procurement of weapons, equipment and supplies purchases, CertiK said. Groups are also using the social media platform to solicit funds for cybercriminals and their own operations, including the purchase of drones.
CertiK has identified more than 550 similar channels, Brooks said.
CertiK said eight channels are linked to neo-Nazi groups, including Task Force Rusich, which the US Treasury has linked to Wagner Group, the Russian mercenary force that has been recruiting convicts and sending them into battle with little training. The US has sanctioned Task Force Rusich. The researchers did not find any wallets belonging to the Wagner Group.
Task Force Rusich was seemingly linked to the Russian hacking collective Killnet, according to the report, as both of them promoted the same wallets. The cyber gang started off as a hacker-for-hire service, renting botnets and distributed denial of service software to other bad actors.
Last May, the US Cybersecurity Infrastructure Security Agency named Killnet as one of eight “Russian-aligned cybercrime groups” seeking to steal and extort money by deploying ransomware attacks. The agency said Killnet carried out distributed-denial-of-service attacks against Ukrainian defence organisations and claimed credit for a DDoS attack on an airport in Connecticut.
Cybersecurity authorities of the US, Australia, Canada, New Zealand and the UK warned that Russian cybercriminals were likely to target Ukraine’s allies with “increased malicious cyber activity.”
The crypto crowdfunding has occurred despite the unprecedented level of sanctions imposed on Russia and its affiliated online groups since the war started. US officials have sought to block crypto-funded support for the Kremlin’s military effort.
In April, for instance, the US Treasury Department imposed sanctions against Hydra, a darknet market, and the Russian exchange Garantex. In October, the European Union banned crypto exchanges from serving Russian citizens and residents.
Brooks said sanctions are having an effect. “It has gotten significantly harder [to crowdfund to Russia],” he said.
Moreover, Brooks said the transparent and immutable nature of blockchains makes it easier to track the groups’ activity and cross-reference it with Telegram posts.
“If you have illegal goods or your fundraising for a terrorist group or a neo-Nazi group or something else, you have to advertise and you have to [provide] a way to pay you – and that is always going to leave some kind of trail,” Brooks said.
Another sign that the sanctions are having an effect is the disparity between how much the two sides of the conflict have raised, Brooks argued. Last month, Chainalysis estimated that nearly $70 million in crypto had been donated to Ukraine during the war.
“Even with all of the pro-Russia propaganda, and country level support for Russia, we haven’t seen that same massive amount of funds go to them,” Brooks said.
As for where the groups are based, that’s tougher to nail down. Brooks said the groups operate using Russian, English, French, Turkish, Slavic and a number of Asian languages.
He also noted how several groups had expressed sympathies with American and European neo-Nazi groups.