Many profitable phishing assaults end in a monetary loss or malware an infection. However falling for some phishing scams, like these at present concentrating on Russians looking out on-line for organizations which might be preventing the Kremlin battle machine, can value you your freedom or your life.<\/p>\n
![\"\"](\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/03\/legionlibertyarmy.png\")
<\/p>\nThe true web site of the Ukrainian paramilitary group \u201cFreedom of Russia\u201d legion. The textual content has been machine-translated from Russian.<\/p>\n<\/div>\n
Researchers on the safety agency Silent Push<\/strong> mapped a community of a number of dozen phishing domains that spoof the recruitment web sites of Ukrainian paramilitary teams, in addition to Ukrainian authorities intelligence websites.<\/p>\n The web site legiohliberty[.]military<\/strong> includes a carbon copy of the homepage for the Freedom of Russia Legion<\/a> (a.ok.a. \u201cFree Russia Legion\u201d), a three-year-old Ukraine-based paramilitary unit made up of Russian residents who oppose Vladimir Putin and his invasion of Ukraine.<\/p>\n The phony model of that web site copies the authentic website \u2014 legionliberty[.]military \u2014 <\/strong>offering an interactive Google Kind<\/strong> the place candidates can share their contact and private particulars. The shape asks guests to offer their identify, gender, age, electronic mail deal with and\/or Telegram deal with, nation, citizenship, expertise within the armed forces; political opinions; motivations for becoming a member of; and any dangerous habits.<\/p>\n \u201cParticipation in such anti-war actions is taken into account unlawful within the Russian Federation, and collaborating residents are usually charged and arrested,\u201d Silent Push wrote in a report launched immediately. \u201cAll noticed campaigns had related traits and shared a standard goal: gathering private data from site-visiting victims. Our workforce believes it’s doubtless that this marketing campaign is the work of both Russian Intelligence Companies or a risk actor with equally aligned motives.\u201d<\/p>\n Silent Push\u2019s Zach Edwards<\/strong> mentioned the pretend Legion Liberty website shared a number of connections with rusvolcorps[.]web<\/strong>. That area mimics the recruitment web page for a Ukrainian far-right paramilitary group known as the Russian Volunteer Corps<\/a> (rusvolcorps[.]com), and makes use of an identical Google Varieties web page to gather data from would-be members.<\/p>\n Different domains Silent Push linked to the phishing scheme embrace: ciagov[.]icu<\/strong>, which mirrors the content material on the official web site of the U.S. Central Intelligence Company<\/strong>; and hochuzhitlife[.]com<\/strong>, which spoofs the Ministry of Protection of Ukraine & Common Directorate of Intelligence<\/strong> (whose precise area is hochuzhit[.]com<\/strong>).<\/p>\n Based on Edwards, there aren’t any indicators that these phishing websites are being marketed through electronic mail. Moderately, it seems these accountable are selling them by manipulating the search engine outcomes proven when somebody searches for one among these anti-Putin organizations.<\/p>\n In August 2024, safety researcher Artem Tamoian<\/strong> posted on Twitter\/X<\/a> about how he obtained startlingly totally different outcomes when he looked for \u201cFreedom of Russia legion\u201d in Russia\u2019s largest home search engine Yandex<\/strong> versus Google.com. The highest outcome returned by Google was the legion\u2019s precise web site, whereas the primary outcome on Yandex was a phishing web page concentrating on the group.<\/p>\n \u201cI feel at the very least a few of them are certainly promoted through search,\u201d Tamoian mentioned of the phishing domains. \u201cMy first thread on that accuses Yandex, however other than Yandex these web sites are persistently ranked above authentic in DuckDuckGo and Bing. Initially, I didn\u2019t notice the size of it. They maintain showing to at the present time.\u201d<\/p>\n The outcomes of a search at DuckDuckGo on Mar. 27, 2025 for \u201cFreedom of Russia legion\u201d reveals the primary outcome returned is a phishing area.<\/p>\n<\/div>\n Tamoian, a local Russian who left the nation in 2019, is the founding father of the cyber investigation platform malfors.com<\/a>. He not too long ago found two different websites impersonating the Ukrainian paramilitary teams \u2014 legionliberty[.]world<\/strong> and rusvolcorps[.]ru<\/strong> \u2014 and reported each to Cloudflare. When Cloudflare responded by blocking the websites with a phishing warning, the true Web deal with of those websites was uncovered<\/a> as belonging to a recognized \u201cbulletproof internet hosting\u201d community known as Stark Industries Options Ltd<\/strong>.<\/p>\n Stark Industries Options appeared two weeks earlier than Russia invaded Ukraine in February 2022, materializing out of nowhere with lots of of hundreds of Web addresses in its steady \u2014 lots of them initially assigned to Russian authorities organizations. In Could 2024, KrebsOnSecurity printed a deep dive on Stark<\/a>, which has repeatedly been used to host infrastructure for distributed denial-of-service (DDoS) assaults, phishing, malware and disinformation campaigns from Russian intelligence businesses and pro-Kremlin hacker teams.<\/p>\n In March 2023, Russia\u2019s Supreme Court docket designated the Freedom of Russia legion as a terrorist group, which means that Russians caught speaking with the group might face between 10 and 20 years in jail.<\/p>\n Tamoian mentioned these looking out on-line for details about these paramilitary teams have grow to be straightforward prey for Russian safety companies.<\/p>\n \u201cI began wanting into these phishing web sites, as a result of I stored stumbling upon information that somebody will get arrested for making an attempt to affix [the] Ukrainian Military or for making an attempt to assist them,\u201d Tamoian advised KrebsOnSecurity. \u201cI’ve additionally seen stories [of] FSB contacting individuals impersonating Ukrainian officers, in addition to utilizing pretend Telegram bots, so I believed pretend web sites is perhaps an choice as nicely.\u201d<\/p>\n Search outcomes exhibiting information articles about individuals in Russia being sentenced to prolonged jail phrases for trying to assist Ukrainian paramilitary teams.<\/p>\n<\/div>\n![\"\"](\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/03\/recruit-form.png\")
<\/p>\n![\"\"](\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/03\/ddg-search.png\")
<\/p>\n![\"\"](\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/03\/legion-arrests.png\")
<\/p>\n