Since the start of the war in Ukraine, Russia-backed groups have relied on a network of Telegram channels to crowdfund financial support from international sympathizers in the form of cryptocurrencies. This network of channels represents groups ranging from pro-Russian English language propaganda channels to sanctioned militias. The channel sample includes a complex web of wallet promotion content that guides sympathizers to like-minded channels and social media, oftentimes sharing banking details and cryptocurrency wallet addresses where supporters can send donations. Many of these groups do not appear to transact between each other directly, instead relying on a combination of centralized exchange (CEX) wallets and self-custody wallets to obscure any direct interactions.
The Russian incursion into Ukraine just entered its second year. Since the beginning of the conflict, both sides have leveraged crypto to fund their war efforts. Pro-Russian groups have used Web3 ecosystems to support Telegram channels, militias, hacking groups, and English language propaganda channels that operate in support of the state. Digital assets provide a way to skirt growing European and American sanctions by avoiding legacy financial systems.
Less than a week after Russia crossed into Ukrainian territory, it was already being called "the world’s first crypto war." The use of cryptocurrency for terrorism financing is not a new phenomenon. Islamic State (IS), Al-Qaeda, Hamas, and far right-wing groups have all used cryptocurrency to fund their activities. However, the war in Ukraine marks the first time two nation states have turned to digital assets to solicit donations from global supporters. For Russia, a significant portion of these funds is procured through a broad network of pro-Russia Telegram channels and organizations and then distributed in support of Russia’s state and non-state clients.
Ukraine led the most visible and successful campaign to solicit crypto donations from the international community. These efforts, though still active, have waned since the EU and the United States began sending Ukraine foreign aid. Russia-backed groups still appear to rely heavily on donations sourced through their network of channels after being cut off from the international financial system.
Russia and Russia-backed groups are facing increasing obstacles following the invasion of Ukraine, and so the state and its clients have turned to relying more heavily on Telegram and other online mediums to solicit funds and equipment. This became clear after we identified and analyzed a group of pro-Russia Telegram channels and discovered that 41% of channels in our sample were created immediately after the invasion. Channels that existed before the invasion significantly increased their activity after the war began, including posting cryptocurrency addresses to solicit donations or promote other channels' crowdfunding efforts.
This report will specifically focus on pro-Russian activity related to these groups. Pro-Russian channels exhibit numerous activities that threaten the safety and reputation of the Web3 space, including the financing and arming of non-state paramilitaries, the funding of extremist ideologies and groups, and the promotion of illicit financial activities. Previous analyses of these groups vary in their focus, with some focusing on aggregate funds raised and material procurements, while others compare the crowdfunding strategies of both countries. Notably missing from these reports is an examination of how this community of channels interacts. This report will look deeper into these interactions through both transaction flows between community wallets and wallet promotion across channels.
This report covers 23 channels, 26 Bitcoin wallets, 14 Ethereum wallets, two cryptocurrency exchanges that promote themselves as not having KYC/AML requirements, and one Russian-backed hacking group. These entities can be further grouped into five community categories and one outlier entity. These categories are further defined below. While the true number of channels conducting this kind of activity is difficult to measure, we are currently examining an additional 245 channels that were promoted or shared in the 23 channels examined here.
Each data set analyzed in this report includes the cumulative activities of these channels and wallets from the start of the war through January 2023. In this time period some of these wallets have been abandoned or blocked by exchanges, while others remain active. This analysis is less about cumulative financial activity and more focused on interactions between wallets and channels, with wallet transactions being one component.
Of the 23 channels, eight included content or activity that we classify as supporting the US-sanctioned paramilitary Task Force Rusich (TFR). We classified channels as Task Force Rusich Affiliates (TFRA) if they mentioned or shared a wallet directly connected to Task Force Rusich. It is also worth noting that TFR operates on the ground with the more well-known Wagner Group, though we did not identify wallets belonging to the Wagner Group in this sample. Wagner Group is a Russian paramilitary organization which has also been sanctioned by the US. Wagner has operated in support of Russian state operations in Syria, Libya, as well as the Donbas and other occupied regions of Ukraine.
Exceptions were made for English language channels as these channels serve a different purpose from their Russian language counterparts and are designed to target international sympathizers.
Channels labeled Crowdfunding did not have known direct connections to wallets shared by or affiliated with TFR, with the exception of the English language channels.
Channels labeled Sanctioned Entity include accounts that are sanctioned by the US, EU, Switzerland, Japan, Australia, New Zealand, and others. These accounts are owned and operated by TFR and the Sabotage Assault Reconnaissance Group Rusich (DShRG), the combat detachment of TFR.
Several channels found in the network were English language “news aggregator” channels. These channels include mostly pro-Russia content, in addition to commentary on events in Europe and the United States. Some content promotes extremist sympathies and encourages readers to support other individuals and projects with those extremist views.
One channel claims to receive direct support from various organizations in the Russian security apparatus, including the FSB and GRU.
Two exchanges were specifically promoted in this network, one run out of Russia and the other from the United Arab Emirates. Promotional content touted these exchanges as not requiring their users to submit to Know Your Customer (KYC) and anti-money laundering (AML) requirements. We could not verify transactions between these channels and these exchanges in this sample.
Killnet is a pro-Russian hacking group that started as a hacker-for-hire service renting out botnets and distributed denial of service (DDoS) software to bad actors online. Following Russia’s invasion of Ukraine, the group became more political in its operations, targeting public and private sector organizations in Ukraine, Europe, and the United States. Western intelligence agencies issued a warning in April 2022 claiming the group poses a significant threat to critical infrastructure targets. The group’s BTC and ETH addresses have both been promoted by TFR.
Grouping these channels as communities helps us better understand some of the potential dynamics at play between these entities, including:
That said, there is still significant crossover in terms of content across channels because these channels broadly support similar goals. For this reason, this summary will focus on these activities in aggregate with the descriptions below broadly describing the groups' fundraising goals.
Some channels in this network request donations for a variety of reasons related to their broader operations while some channels directly request donations for their own operations. Others promote wallet addresses in support of these active operations groups. Please reach out to our team for citations or more details on this subject, or if you have any questions.
While most channels include posts that fall under this category, some channels are less oriented towards supporting on-the-ground operations and the production of equipment. One example from a Pro-Russia English language channel demonstrates efforts put towards ideological support.
Several channels were also seen promoting wallet addresses or content for the hacking collective Killnet. Killnet operates numerous channels, including a separate channel for donations. The image below (right) shows a Killnet affiliated channel, though it is not the primary channel examined in this report. Operating numerous channels appears to be common across some of the larger groups in this network.
A Pro-Russian forces channel encouraging donations to a channel affiliated with Killnet. Source: Telegram
As mentioned in the introduction, most open-source reporting on Russian Telegram channels supporting Russia’s invasion of Ukraine focuses on materiel procurement and total funds flowing to analyzed groups. There has been little, if any, discussion of how these channels promote and crowdfund for each other. Network analysis can help highlight which groups promote each other, and, in some cases, which channels may be funding each other directly.
The graph below shows the basic structure of the network formed by the channels identified. Each connecting line (edge) represents at least one instance of the source channel node (circles) sharing either a BTC or ETH wallet. Most wallets are shared through channel “forwards” which are posts shared from external channels. Owner labels were included for channels that made reference to their personal ownership of the wallet they were sharing. Channel node size correlates to the channel subscriber numbers included above.
Despite its size relative to other channels, the US Treasury-sanctioned Task Force Rusich channel appears to be the most active channel in terms of promoting a wide variety of wallets outside of its own ownership. Of the ten connections this channel has to others, it appears to have promoted only two of its own BTC wallets. Due to our limited view of the entire Telegram channel ecosystem, it is highly likely there are additional connections between nodes that are not yet visible to us.
Wallets shared by Task Force Rusich. Source: CertiK
Mapping the interactions between channels' BTC and ETH wallets can provide greater insight on how these groups interact with each other. If we further examine how the network's BTC and ETH wallets are moving funds between each other, we can better highlight the nature of the relationships behind the system of wallet promotions.
The network graph below highlights the major channel ETH wallets we identified in this channel sample. Wallet addresses in parentheses without a channel label are wallets affiliated with wallet applications, decentralized exchanges (DEX), and large and small CEXs.
This network graph shows transactions between ETH wallet addresses found in the wallet promotion network graph. Green edges indicate outbound flows, while blue indicates inbound flows. Node size is correlated with total inbound/outbound connections per node.
There are several points of interest in the transaction activity between identified Ethereum wallets.
Wallet 0x184BD receives donations from the largest number of wallets in the network. This wallet is located here on the wallet promotion graph:
Location of Signalman channel on wallet promotion graph. Source: CertiK
For comparison, this wallet is located here on the transaction flow graph:
Wallet 0x184BD location on the ETH transaction activity graph. 0x184BD is highlighted in red, while contract 0xF7151 is highlighted in orange. Source: CertiK
Despite the large number of addresses that are sending funds to this address, we were unable to identify an owner as the channel this wallet was sourced from is locked by the admins.
Attempting to follow the shared 0x184BD address to its original source shows the source channel to be inaccessible. Source: Telegram
Two notable outflow patterns show this wallet sending funds to a wallet owned by WhiteBIT, a Ukrainian cryptocurrency exchange, and contract 0xF7151. It is unclear exactly what role this contract plays in this instance.
Six wallets are owned by a major CEX and serve as transit points for some transaction outflows for many of the ETH wallets in our core network.
Major CEX wallets engaging known Russian wallets and a Ukrainian CEX. All wallets marked in red belong to one CEX, and Kuna Exchange wallets are marked in orange. Source: CertiK
These wallets also send funds to the Ukrainian Kuna exchange to move funds to wallet 0x184BD. These Kuna wallets and their assets were likely frozen based on recent reporting by CoinDesk.
These CEX wallets include:
These addresses appear to have been used to forward funds to 0xc7eC5, 0x47393, and 0x184BD shown in the image above.
Wallet 0xc7eC5 belongs to an individual named Anatoly Shariy who runs a YouTube channel focused on the war and international affairs. It is unclear exactly what his relationship is to other groups identified in this report.
Wallet 0x47393 has the largest number of external connections and belongs to Rybar, one of the largest pro-Russia channels that was not originally identified in our core network.
The Rybar wallet (0x47393) is one of the most shared wallets in our network. Source: CertiK
The Rybar wallet also happens to be one of the largest recipient wallets of transactions coming from exchanges.
The Rybar wallet (0x47393) receives numerous inflows from CEX owned wallets. Source: CertiK
The Terricon Project, an organization with known connections to the sanctioned Russian Imperial Movement and the Nordic Resistance Movement, was disconnected from our core wallet promotion network and is only shown promoting its own wallets.
Terricon shared wallets. Source: CertiK
The Ethereum transaction network shows Terricon’s ETH wallet as having received funds from CEX wallets 0xDFd52, 0x21a31, and 0xC098B. The exact source of those funds is not known.
Terricon receives funds through multiple CEX wallets, in addition to sending funds to Bitzlato and a separate CEX deposit wallet. Source: CertiK
Funds deposited to the Terricon Project wallet were eventually transferred to wallet 0x58b6f and a wallet owned by Bitzlato (0xf1B4d). Bitzlato is a Russian-run cryptocurrency exchange headquartered in Hong Kong. Anatoly Legkodymov, a senior executive, was recently charged by the Justice Department for processing approximately $700 million in illicit funds, a large portion of which was generated through ransomware payments. However, it is unclear if the Terricon Project was directly involved in helping wash these ransomware payments.
The NotVet channel is connected to the core transaction network through the Rybar channel (0x473) and is seen receiving funds through at least two intermediary donation addresses before being forwarded to four deposit addresses owned by WhiteBIT, another Ukrainian crypto exchange.
NotVet channel receives donations with 0x16169 and 0xA779b, both of which also donate to the Rybar channel. It is unclear who owns these wallets. Source: CertiK
The Killnet hacking collective is seen receiving funds from a wallet (0x56E) used to transit funds to other addresses identified in our core network.
The Killnet wallet is seen receiving funds from a CEX wallet (0x56E). Source: CertiK
Killnet appears to send funds received through its main Ethereum wallet to three outbound wallet addresses:
None of these wallets have seen new activity this year. They are likely wallets that were used to obscure the transfer of funds across other wallets. In addition to operating multiple Telegram channels to solicit donations, Killnet also promotes the campaigns of other Pro-Russian hacking groups, including Anonymous Russia.
Killnet Telegram forwards a message from Anonymous Russia, who at the time was planning a ransomware campaign against Spotify. Source: CertiK
After mapping transaction flows between channel ETH wallets, we wanted to see if similar patterns existed between shared BTC wallets. When viewed as a network graph we can see some of the BTC wallets from this sample are either directly connected or connected through an intermediary wallet. The center of each hub-and-spoke represents one of the BTC wallets from this sample of channels. Wallets with confirmed connections are outlined inside of the white box below.
BTC wallets with verified connections to other wallets in the sample. Source: CertiK
The largest hub-and-spoke formation contains five core addresses that connect to the other tertiary hub-and-spoke formations. Connections that are “hub-to-hub” can indicate direct connections between known wallets, whereas “hub-spoke-hub” connections indicate connections between known wallets through intermediary wallets.
Five wallets comprise the center of the largest hub and spoke formation in the network. Source: CertiK
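The distinction between "hub-to-hub" and "hub-spoke-hub" connections, and the net receiver and net distributor labels used in the following paragraphs, can be computed directly from a list of transfers. The following Python code is an added example, not CertiK's tooling; the wallet labels, amounts, and function names are constructed for illustration and do not correspond to any address in this report.

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample data: labels and amounts (in satoshis) are invented.
KNOWN = {"hub_A", "hub_B", "hub_C", "hub_D"}   # wallets promoted in channels
TRANSFERS = [                                   # (sender, receiver, satoshis)
    ("hub_A", "hub_B", 150_000_000),     # direct transfer between known wallets
    ("exch_1", "hub_B", 4_000_000_000),  # high-volume wallet paying two hubs
    ("exch_1", "hub_C", 1_200_000_000),
    ("donor_1", "hub_C", 200_000),       # low-volume wallet paying two hubs
    ("donor_1", "hub_D", 300_000),
    ("donor_2", "hub_D", 50_000_000),    # ordinary spoke, touches one hub
    ("hub_C", "exch_2", 300_000_000),    # ordinary spoke, touches one hub
]


def net_flows(transfers):
    """Return {wallet: received - sent} over the whole transfer list."""
    net = defaultdict(int)
    for sender, receiver, amount in transfers:
        net[sender] -= amount
        net[receiver] += amount
    return dict(net)


def role(net_value):
    """Label a wallet with the report's net receiver / net distributor terms."""
    if net_value > 0:
        return "net receiver"
    if net_value < 0:
        return "net distributor"
    return "balanced"


def classify_links(transfers, known):
    """Split links between known wallets into direct and intermediary-based.

    Returns (direct, via):
      direct: set of frozenset({hub, hub}) with at least one direct transfer
      via:    {(hub, hub): {intermediary: volume exchanged with known wallets}}
    """
    direct = set()
    touched = defaultdict(set)   # unknown wallet -> known wallets it dealt with
    volume = defaultdict(int)    # unknown wallet -> satoshis moved with hubs
    for sender, receiver, amount in transfers:
        s_known, r_known = sender in known, receiver in known
        if s_known and r_known:
            if sender != receiver:           # ignore self-transfers
                direct.add(frozenset((sender, receiver)))
        elif s_known or r_known:
            hub, other = (sender, receiver) if s_known else (receiver, sender)
            touched[other].add(hub)
            volume[other] += amount
    via = defaultdict(dict)
    for wallet, hubs in touched.items():
        # A wallet that dealt with two or more hubs links every pair of them.
        for pair in combinations(sorted(hubs), 2):
            via[pair][wallet] = volume[wallet]
    return direct, dict(via)


if __name__ == "__main__":
    direct, via = classify_links(TRANSFERS, KNOWN)
    for pair in sorted(tuple(sorted(p)) for p in direct):
        print("hub-to-hub:", " <-> ".join(pair))
    for pair, wallets in sorted(via.items()):
        for wallet, sats in sorted(wallets.items()):
            print(f"hub-spoke-hub: {pair[0]} <-> {pair[1]} via {wallet} "
                  f"({sats / 1e8:.8f} BTC exchanged with known wallets)")
    flows = net_flows(TRANSFERS)
    for wallet in sorted(KNOWN):
        print(wallet, role(flows.get(wallet, 0)))
```

The per-intermediary volume is reported so an analyst can weigh each hub-spoke-hub link: a wallet that moved very little may simply be one donor paying two channels, while a very large one is more likely an exchange wallet.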
Of the five wallets making up the core of the largest wheel, two are connected to the Bellum channel, one of which is owned by Bellum (1GKSaSf). CEX wallet (1NDyJtN) received funds from the Rus T. and NVP channels, while also having sent funds to 3PrwBcB. The 3PrwBcB wallet is a net receiver address with wallet bc1qm34 having transferred 200 BTC and 1NDyJtN sending 14.48 BTC. Wallet 3PrwBcB was originally promoted by a group called Project Polaris soliciting donations to an unknown ultra-conservative Ukrainian individual. Based on Telegram channels and the wallets that are soliciting donations for this individual, it is probable that they are a pro-Russia Ukrainian, though confirming this would require identifying who this person is.
3PrwBcB is also connected to a tertiary hub and spoke formation through an intermediary wallet:
Intermediary wallet bc1qq9 connecting Polaris Project (3PrwBcB) to ISZ bc1qy99 as net receivers. Source: CertiK
The owner of intermediary wallet bc1qq9 is unknown, but it has transacted approximately $3,942,915,351, likely indicating the wallet belongs to a CEX. This address has received funds from a verified wallet belonging to the ChangeNOW cryptocurrency exchange. ChangeNOW describes itself as a non-custodial cryptocurrency exchange solution that does not require users to sign up to use the platform, nor does it impose trading limits. The company is registered in the Republic of Seychelles. This wallet (bc1qq9) is also responsible for moving funds to 3PrwBcB and to the center of the adjacent hub, which is a BTC wallet we identified as belonging to the Russian government supported English language propaganda channel ISZ.
Intermediary wallet possibly affiliated with ChangeNOW is seen depositing funds to the ISZ channel and Project Polaris wallet (3PrwBcB). Source: CertiK
Wallet bc1qm34 moves much larger sums than most wallets. Given this wallet’s large transaction volume, and that it contains over $1 billion in BTC, we determined that it belongs to a CEX. Chainabuse has 60 reports levied against this wallet, many of which appear to be spam. However, multiple comments accuse this wallet of being affiliated with criminal or state-backed activity:
One user claims the wallet is affiliated with a ransomware campaign but does not provide specifics.
User reports bc1qm34 as being used in ransomware attacks. Source: Chainabuse
One report claims that the wallet belongs to pro-Russian actors.
Report claiming address bc1qm34 is associated with the Russian Armed Forces. Source: Chainabuse
Another actor claimed to have previously worked for the owners of this wallet, and that the owners fund terrorism in Russia and Eastern Europe.
User reports they were previously employed by the owners of wallet bc1qm34. Source: Chainabuse
Another claimed that this wallet had previously sent funds to the Ukrainian government.
User reports this wallet sent BTC to the official BTC wallet of the Ukrainian government. Source: Chainabuse
We double checked against this claim and did confirm that bc1qm34 donated 1.48 BTC to the Binance wallet (bc1ql0v) which was publicly denoted by the Ukrainian government as an official cryptocurrency donation wallet.
Wallet bc1qm34 also engaged particularly large transaction volume with three other known wallets in our sample, located here on the larger network graph:
Wallet bc1qm34 is a net distributor of funds to three known wallets in our network. Source: CertiK
These wallets are net receivers from bc1qm34 and include a wallet owned by Killnet (bc1qtyj), a second ISZ wallet (bc1q99y), and one belonging to the Roman channel (bc1qrym), an alleged crowdfunder for the Russian special forces. Wallet bc1qm34 transferred 48.25 BTC, 2.34 BTC, and 6,573 BTC to these channels respectively.
Known wallets receiving large sums of BTC from wallet bc1qm34. Source: CertiK
Wallet bc1qm34 was not just a net distributor of funds, as it also received funds from two other known nodes in the network, highlighted in the white box below:
Channels that send funds to bc1qm34. Source: CertiK
The central nodes in these hubs include another wallet owned by Bellum (bc1q763) and a wallet owned by the Crew R. (1Hgpita) channel. The Crew R. channel notably did not promote any ETH wallets at the time we analyzed this channel.
Wallet bc1qm34 is a net distributor of funds (approximately 7.76 BTC) to a tertiary structure comprising multiple smaller hub-and-spoke structures. These smaller hub-and-spoke structures are composed of known wallets. They are highlighted in the white box below:
Tertiary hub and spoke structures connected through inbound transactions from bc1qm34 to a Task Force Rusich wallet (bc1qhvh). Source: CertiK
The entry node wallet connected to bc1qm34 belongs to the sanctioned militia Task Force Rusich (bc1qhvh). The Rusich wallet (bc1qhvh) has received a total of 12.76 BTC from bc1qm34 over the course of their interactions and has sent small amounts of BTC to 12 wallets in this hub-and-spoke. Notably, the Rusich wallet is connected to the three remaining hub-and-spoke structures through intermediary wallet bc1q7cy, which has sent approximately two BTC total to the Rusich-owned wallet. This wallet has been reported to be a CEX wallet.
The Rusich wallet bc1qhvh received approximately 2 BTC from a CEX wallet (bc1q7cy). This wallet is also seen transferring funds to the wallet owned by Ria K: 37CVUFF. Source: CertiK
CEX wallet bc1q7cy has also been used to move nearly 20 BTC to a wallet (37CVUFF) promoted by the R. Katysha channel. This wallet (37CVUFF) was sourced from a YouTube channel run by Stanislav Doudnik. Doudnik is a private investigator and blogger working out of the United States. Most recently known for live streaming the events of January 6 at the U.S. Capitol in Russian, Doudnik is also “a member of an international group of detectives that includes Russians who openly boast of their work for the FSB,” according to McClatchyDC. It is unclear who owns the second unknown wallet (bc1qkr4) that received 13.6 BTC from the Doudnik wallet.
Wallet bc1q7cy has been reported to Chainabuse 29 times. One user reported bc1q7cy as being affiliated with a Dark Web market, with the user claiming to have forwarded the information to the FBI. One notable report was a copy-paste of one of the reports found associated with CEX wallet bc1qm34, where the author claimed to have been previously employed by the owners of this wallet and that the owners of this wallet are funding terrorism in Russia and Eastern Europe.
Copy and paste report also seen in the Chainabuse reports for CEX wallet (bc1qm34). Source: Chainabuse
CEX wallet bc1q7cy connects to the remaining three wheels of the tertiary structure through another wallet identified as belonging to the Roman channel (bc1qjrw). The Roman wallet is a net receiving wallet with two intermediary wallets connecting it to other known wallets in our sample. The first intermediary wallet (bc1qpex) connects Roman to the Terricon Project (bc1qdcq), a receiver of funds:
Roman wallet (bc1qjrw) and Terricon Project wallet (bc1qdcq) are both receivers of funds from wallet bc1qpe. Source: CertiK
This intermediary wallet (bc1qpex) has seen little transaction activity, never exceeding $1000. It remains unclear whether this connection is a strong indicator of anything other than a potential donor donating to both channels.
Roman and Signalman wallets both receive funds from intermediary wallet bc1q40p. Source: CertiK
A similar pattern emerges where the Roman wallet connects to a wallet owned by Signalman (3FxRxaL). Both the Signalman wallet and the Roman wallet have received funds from intermediary wallet bc1q40p. This wallet also has transacted very few times and only for around $124.
The ETH wallet transaction network graph also highlights one critical finding for this channel sample. The wallets in our initial sample, though promoted across numerous channels in the wallet promotion network, do not seem to conduct any transactions directly with each other. We conducted additional analysis of on-chain data looking for direct transactions between ETH wallets present in our wallet promotion network and confirmed this to be the case for this sample. The transaction network graph also makes clear that most connections between the ETH wallets go through non-custodial wallets held by a wide variety of exchanges, while fewer are routed through custodial wallets with unidentified owners. It is unclear if the non-custodial wallets are also used to off-ramp funds, but at the very least they are facilitating the transfer of funds to other nodes in the network.
The basic trend across BTC wallets somewhat mirrors what we saw with ETH wallets. Multiple exchanges are more than likely being used to move funds to the donation addresses highlighted in this report. None of the BTC wallets sampled appear to be interacting directly, but visible connections suggest large sums are primarily distributed through unidentified exchange addresses, in addition to CEX wallets bc1qm34 and bc1q7cy. While not of much significance, it appears that there are individuals on both sides of the Russia/Ukraine conflict who mistake these wallets for being owned by the opposing side, or they are using Chainabuse to further their own narratives.
The most critical finding from both transaction network graphs is that many known CEX hot wallets have been receiving and distributing funds to both Ukraine and Russia aligned wallets. CEXs have long had to battle the abuse of their platforms by bad actors, so this should not come as a surprise to those familiar with the crypto space. According to a recent CoinDesk report, CEXs have made headway in freezing the assets of some of these groups, likely to include some of the wallets examined in this sample. However, the same report quotes representatives of some of these channels as saying they have already found workarounds to these efforts.
Analyzing wallet promotions and interactions tells us two very important things about how these groups act. First, as we see regularly across Web3 related scams, thefts, hacks, or money laundering incidents, funds are accumulated by individual wallets and then washed through a series of intermediary wallets, including CEX-owned hot wallets. This is done to obscure on-chain activity, making it more difficult to track. It is more than likely that some of these funds are off-ramped through large CEXs or even small exchanges with few or no AML/KYC requirements based on the promotion of such services found in the channels' content and transactions.
Second, even though we don’t see direct transactional interactions between wallets inside of the channel network, we do see the heavy promotion of other channels' wallets. There are multiple likely reasons for this, though the ease with which a channel can “forward” posts from other channels makes sharing addresses easy. The lack of direct interaction could indicate that the finances of each channel aren’t mixed across groups. However, this requires a much deeper dive into transaction activity between intermediary wallets and other channels not included in this sample.
Despite these observations, it is also clear that this group of channels is coordinated, at the very least, in promoting donations and funding to the most kinetic groups in the sample. This is evidenced by the promotion of many wallets by Task Force Rusich, Killnet, and the wallet we identified as belonging to the Rybar (0x47393) channel. As Rybar was not included in our original sample, it is highly likely additional connections would arise from a deeper analysis of this channel and its on-chain relationships. This is likely a primary objective of the English Language Propaganda channels as well, as evidenced by their BTC transaction activities.
After the exclusion of Russia from the global financial system, pro-Russian groups have had to turn to other methods of financing the war effort. Cryptocurrency has been one such avenue. The public nature of transactions on the Ethereum and Bitcoin networks makes these flows trackable, which can aid in identifying the source and destination of funds, along with the groups and individuals involved.
Cryptocurrency is an invaluable tool for people the world over. However, this includes those with motivations that run counter to the wishes of Western governments that have the power to cut states and groups off from legacy financial systems. As the nature of the global financial system changes and expands, it is important for investigators to keep pace with those who are adopting new technologies to advance their aims.