Image
stories

‘Just the tip of the iceberg’ How Russian neo-Nazi paramilitary fighters steal cryptocurrency through Ukrainian charity sites — and use it to fund the war

Source: Meduza

Мы говорим как есть не только про политику. Скачайте приложение.

Story by Lilia Yapparova. Abridged translation by Sam Breazeale.

The paramilitary group Rusich is one of multiple Russian far-right and neo-Nazi organizations that have fought in the war in Ukraine. Because it’s not an official part of the Russian Armed Forces, Rusich has had to find alternative ways of funding its members’ military equipment and medical needs — and has found the perfect solution in cryptocurrency. Meduza special correspondent Lilia Yapparova explains how Russian white supremacists have used the blockchain Ethereum to siphon money from a Ukrainian charity foundation — and how they’ve encouraged other Russian fighters to use crypto to extort money from the families of murdered POWs.

Mercenaries turned hackers

The logo of the Ukrainian charity foundation Happy New Life depicts two hands opening towards the sky, a “tree of life” growing out of them. On its website, donors can send money to support the Ukrainian Armed Forces, provide aid to refugees, and even assist victims in the case of “radiation contamination in Europe” — a potential consequence of Russia's occupation of the Zaporizhzhia Nuclear Power Plant, the site explains.

The foundation, created in June 2022, was an outgrowth of a volunteer initiative from Dnipro, its director, Daniel Ovcharenko, told Meduza. And to give the organization "at least some kind of [online] face,” he said, its creators made a “very inexpensive” website for it. The site shows pictures of Ukrainian children and soldiers along with a call to action: “Today, we’re fighting against a terrorist state. And our victory will be the victory of the entire civilized world… Sometimes lighting a candle is enough to overpower the darkness.” The other half of the screen shows large “Donate” button.”

But Meduza has learned that at least a portion of the money donated through the site has gone not to Ukrainian causes but to the Russian paramilitary group Rusich — a detachment of neo-Nazis fighting in Ukraine on the side of the Russian army. At the very least, that’s who owns the cryptocurrency wallet listed as a donation method on the Happy New Life site, according to financial investigator Artem Irgebaev, who has thoroughly examined Rusich’s network of crypto accounts.

Rusich is known for its brutality. It leader, neo-Nazi Alexey Milchakov, has been photographed next to the mutilated bodies of Ukrainian soldiers, and the detachment’s Telegram channel has called for the torture of Ukrainian POWs and the murder of civilians.

Happy New Life founder Daniel Ovcharenko doesn’t know how the address for Rusich's crypto wallet got on the foundation’s site; according to him, a link to the charity’s own wallet used to be in the same spot on the homepage.

“I got the wallet that the foundation uses from [the cryptocurrency wallet software] MetaMask — and it’s completely different, except that the first three characters are the same [as the address of Rusich's wallet],” Ovcharenko told Meduza. He admitted that he himself had very little involvement with the site, and that he “didn’t double check the digits in the address [listed on its homepage].”

At some point, Rusich managed to hack into the Happy New Life site and switch out the crypto wallet link, Irgebaev told Meduza.

“A similar thing happened with a site that sold proxy servers, where one of the payment methods was crypto. An attacker replaced the site owner’s [crypto wallet] address with his own, and the site then worked like that for two days: people sent money not to the person selling servers, but to the hacker,” he explained. “Internet scammers do this regularly. And Rusich, it’s becoming clear, is a group with wide-ranging ‘talents’ — they have both mercenaries and hackers.”

The Rusich crypto wallet linked on the Happy New Life site is still receiving deposits. According to Etherscan.io, a website that catalogs Ethereum blockchain transactions, the wallet contains more than $7,000 with the current exchange rate.

Funding body armor through cybercrime

In late July, financial investigator Artem Irgebaev downloaded a game called Synthetik: Legion Rising from a torrent website. 

“My friends and I downloaded this ancient shooting game [Editor's note: the game came out in 2018] that was 700 megabytes, and we noticed that [after the torrent file downloaded on our computers, they started exhibiting] this sort of unhealthy behavior,” Irgebaev said. “We shut off the Internet and started digging to find out what kind of malware this was and what it was doing.”

The program didn’t steal any passwords, nor did it try to hijack their accounts. But upon closer inspection, Irgebaev “found several crypto wallet addresses directly in binary code.” It became clear that his device had been infected by something called clipboard malware that was built to steal cryptocurrency:

Here’s how it looks to the victim. Let’s say you want to send money to your friend. Entering his 32-character crypto wallet address is a tedious task, so you just copy it from your notes [to paste it] straight into your wallet or exchange account. The address goes onto your clipboard, and at that moment, the malware replaces it with the attackers’ address. Then, instead of going to the person the user intended, the money goes to the scammers.

Irgebaev gave Meduza the addresses found in the malware’s code. Both of them appear on lists of addresses associated with clipboard malware on the sites Bitcoinabuse.com and Checkbitcoinaddress.com, where people can post complaints about crypto wallets used by hackers and blackmailers.

But according to Irgebaev, the malware that infected his computer also had another function: it automatically installed cryptocurrency mining software on the infected device. “And the victim’s computer would start mining crypto,” he said.

Irgebaev stressed that at first, the malware didn’t surprise him: “It’s a standard scam. Nothing stood out.” But out of curiosity, he decided to Google the crypto wallet addresses contained in the code. That’s how he learned that they belonged not to run-of-the-mill hackers, but to the Russian neo-Nazi paramilitary group Rusich.

“[When I Googled the addresses], I immediately saw Telegram posts from Z (Editor’s note: pro-war) channels where users were soliciting donations for uniforms and gear for members of the pro-war activist group Rusich,” Irgebaev said. “Before, I thought that Russian hackers were focused on interfering in American elections. But as it turned out, this clipboard malware was a way of raising money for body armor.”

The funds sent to the paramilitary group’s crypto wallet are indeed used to fund combat equipment for Rusich fighters, who were seen on the Ukrainian front in April 2022. (By September, five crypto wallets belonging to the group came under U.S. sanctions.)

According to the group’s own Telegram channel, since the start of the full-scale war in Ukraine, Rusich fighters have “worked” in the Kharkiv region, including in the village of Dovhenke, where they reportedly suffered serious losses (likely in July 2022). Later, in August, the group attacked the village of Marinka in the Donetsk region; the same month, multiple Rusich fighters were injured in combat in Zaporizhzhia. In October, the group posted a video on social media that showed its fighters firing on a Ukrainian evacuation brigade as it rushed to a medical vehicle.

Neo-Nazis on the dark web

The malware used by Rusich infected Irgebaev's computer after he downloaded a torrent file. That meant the paramilitary group must have had the necessary skills not only to built the program itself, but also to embed it in the file — in other words, the group had managed to gain access to the site with the torrest catalog.

However, Irgebaev told Meduza, planting the malware on the site may not have taken much technical expertise at all: the most likely explanation was that the neo-Nazis had paid professional cybercriminals to do the job for them.

This is called cybercrime as a service: every step of the crime consists of a service that can be purchased.

First, you buy access to the program you need on a shadow forum. Malware is usually something people rent — for example, $200 for a monthly subscription.

And to ensure that potential victims install the software, you can just pay the torrent catalog owner to add the malicious code to their torrents.

On the dark web, Rusich established relationships not only with hackers but also with drug traffickers — and, according to the group’s crypto wallets, they did deals with them as well.

“Between July and October 2022, the [Rusich] Sabotage and Assault Reconnaissance Group received $1,787 from three separate shadow marketplaces for drugs,” Irgebaev said.

The vendors or administrators of these dark web platforms may also have fallen victim to the malware distributed by Rusich — or they may have just paid for the group's services, according to Irgebaev. (Meduza has not found evidence that Rusich fighters were hired by these drug dealers.)

But there’s also another possibility: the entities who sent money to Rusich may have used the drug marketplaces to anonymize their transactions.

“Dark web stores act as large [money] laundering [schemes],” Irgebaev explained. “Upon registering, users receive personal accounts that they can deposit money into — but inside of the shop, transactions are done not with cryptocurrency, but with the platform’s internal currency. So the transactions themselves between clients and sellers are not visible in the blockchain; you can determine that money went into the marketplace, but it’s impossible to track where it went from there.”

That’s why Irgebaev knows the amounts Rusich received from the dark web stores, but not who sent the money.

Rusich itself also made purchases on the dark web, though not large ones. “An offering to the mephedrone demon, probably,” said Irgebaev. “The amount they spent will buy you a gram of something.”

$160,000 of ‘donations’

Large sums of money are constantly passing through Rusich’s crypto wallets. According to Irgebaev, the paramilitary group has received about $1,100 from mining, though it’s unclear whether the crypto was mined using servers that belong to the neo-Nazis themselves or with mining software planted on computers belonging to malware victims.

Rusich has received more than $160,000 through direct transactions to its crypto wallets. In its official fundraising announcements, the group shares the addresses of the same wallets it uses for hacking. According to Irgebaev, however, it’s quite possible that all of the money has come from malware and that none of it was willingly donated. This includes:

  • A total of 27.895704431 ETH (more than $45,000) was sent to Rusich's wallet on the Ethereum blockchain over the course of 146 transactions, with an average “donation” of more than $300;
  • A total of 2.26113377 BTC (more than $47,000) was sent to Rusich’s wallet on the Bitcoin blockchain over the course of 433 transactions, with an average “donation” of about $108;
  • 51.811099906 ETC (about $1,228) was sent to Rusich’s wallet on the Ethereum Classic blockchain, with an average “donation” of about $1,228;
  • 20,142.378595 USDC (more than $20,000) was sent to Rusich’s wallet on the USD Coin blockchain, with an average donation of $5,000;
  • And 51,000 USDT (about $51,000) was sent to Rusich’s wallet on the Ethereum blockchain over the course of 49 transactions, with an average “donation” of more than $1,000.

The scale of these transactions, and especially the sizes of the average individual deposits, led Irgebaev to suspect that they weren’t just casual contributions from Telegram users who encountered Rusich's calls for donations on “patriotic” channels.

“For me, the ‘donations’ of 0.1 bitcoin — which is a little over $2,000 — from addresses that emptied their accounts look quite dubious,” he told Meduza. “In other words, the entire balances of these wallets were sent to Rusich. And the wallets haven't been used since.”

Meduza asked Rusich leader Alexey Milchakov about all of it: the incoming money, the deals with the online drug marketplaces, the hacking of the Ukrainian charity foundation, and the malware that was used to steal cryptocurrency. He confirmed everything:

We have our own IT and finance departments that do indeed perform the operations you asked about. Yes, our IT department’s capabilities include hacking websites and other Internet resources belonging to the enemy, as well as other subversive activities in the information sphere, including work not only against the former so-called “Ukraine” (our work is much broader). And hacking the resource you mentioned [i.e. the Ukrainian charity website] is just the tip of the iceberg. And the department’s employees who have a direct impact on the deaths of the greatest number of people each month, by the way, are awarded very generously.

The finance department handles operations related to cryptocurrency, gemstones, money laundering (only outside of Russia: we respect the laws of our country) and cash-in-transit, including frequent trips to black market businessmen interested in becoming major sponsors (Mexico, Hong Kong, Somali, etc.). Our project receives huge (in our opinion) support from gangs, cartels, and syndicates who are unhappy with the planetary hegemony of the U.S.

Milchakov added that the Russians fighting in Ukraine as part of Rusich may receive donations from online drug dealers, including in the form of painkillers. In Milchakov’s view, the darknet marketplaces are “true patriots of Russia.”

“I personally don’t receive or store the division’s money,” he stressed. “I only decide how it gets spent.”

‘You relish their cries’

Rusich spends the crypto funds it raises on medical treatment for injured fighters as well as on the equipment it needs to keep fighting in the war: Motorola walkie-talkies, helmets, drone jammers, diesel generators, winter uniforms, sleeping bags, sights for anti-tank grenade launchers, stoves, and more.

Image
Medical supplies purchased using crypto “donations”
Rusich on Telegram

But since the start of the full-scale war in Ukraine, in addition to using the blockchain for its own purposes, Rusich also started promoting crypto among other Russian soldiers fighting in Ukraine. In September 2022, the group proposed that other Russian formations use bitcoin to extort money from the relatives of Ukrainian POWs.

“Don’t just give up [...] the bodies of POWs [after you kill them],” the group urged on its Telegram channel. “Take a photo where the face is visible, and offer to let the relatives purchase information about their son or husband’s burial location for an amount between $2,000 and $5,000. The money can be sent to a Bitcoin wallet.”

That’s just a small excerpt of the group’s advice for interrogating Ukrainian soldiers; they also instructed Russian fighters to use torture when necessary to extract information from POWs that can later be used to target their families. “Chop off their fingers, cut off an ear, hit them in the groin or around their joints, [or] drive needs under their fingernails,” they wrote on social media. “Don’t be afraid to kill prisoners!”

Rusich fighters have advocated for the murder of civilians as well — for example, if they’ve witnessed Russian soldiers “screwing up.” The neo-Nazis have also called for ethnic cleansing on the occupied territories. “The entire non-white population [...] should be physically destroyed (some of them through scientific experiments),” representatives of the detachment wrote on Telegram. (The post was later deleted.)

Rusich's leaders have made no secret of the fact that they never planned to comply with international humanitarian law. “When you kill a piglet — everyone knows who I mean by ‘piglet’ — you enjoy the fact that his wife is becoming a widow,” Rusich member Yevgeny Rasskazov said in an interview in August. “You relish how they cry out for their whole family, how he’ll come home in a coffin. And you get an erection.”

“When you kill a person, you feel the excitement of the hunt. If you haven’t hunted, try it,” said Rusich leader Alexey Milchakov in an interview published in December 2020. One year and three months later, Russia launched its full-scale invasion of Ukraine.

Story by Lilia Yapparova

Abridged translation by Sam Breazeale