1. Executive summary
Since the Russian invasion of Ukraine on 24 February, the Infoblox Threat Intelligence Group has observed a marked increase in the number of new Ukraine-related domain names on our recursive DNS resolvers. Much of this activity is part of a global response to the humanitarian crisis happening in Eastern Europe, and some of this activity consists of new efforts led by previously uncoordinated groups. However, cyber criminals have also seized on the opportunity and created many sites to spoof or imitate genuine support efforts. Distinguishing between these two scenarios can be difficult even for the most cautious of individuals.
2. Analysis
Analysis of the DNS traffic over our recursive resolvers since 24 February has shown a dramatic increase in Ukraine-related domains: from 24 to 28 February, more than twice as many domains were seen for the first time as in the week prior to the Russian offensive:
Figure 1. The numbers of newly observed domains containing the term “ukraine” in 2022
In response, Infoblox has developed multiple analytics and is actively assessing the threat level of newly observed domains. We have found indicators related to activities ranging from malware campaigns to individuals making new efforts to coordinate the delivery of medical supplies to Ukraine. Among the most prevalent threats in this environment are scams to collect cryptocurrency.
One of the developments that hinders analysis is that many efforts, both legitimate and fraudulent, are being established as Decentralized Anonymous Organizations (DAOs). A typical DAO is focused on a specific issue, such as the war in Ukraine, and is a member-owned organization without central leadership. These organizations rely on financial transaction records and rules established in a blockchain. In fact, on 26 February a Twitter account[1] identifiable with the Ukrainian government requested cryptocurrency donations, which could have contributed to the flurry of emerging sites offering donations via virtual currency.
In the hours after Russian troops crossed the border with Ukraine, a number of legitimate DAOs were established to protest Russia’s actions and create financial support for Ukraine. Perhaps most notable of these is Ukraine DAO, hosted on ukrainedao[.]love and established by Pussy Riot founder Nadya Tolokonnikova and other activists.[2] Due to this DAO’s new registration and use of cryptocurrency, many security vendors have falsely concluded that its hosting domain is malicious. As shown in Figure 2, the website for Ukraine DAO offers two methods for donating to the cause: (1) individuals can donate cryptocurrency directly to the Ethereum wallet ukrainedao[.]eth, and (2) individuals with an on-chain wallet can donate and receive a “love” token that has no monetary value but does have social impact. Although hosted on a newly registered domain and utilizing cryptocurrency, Ukraine DAO is publicly claimed by the founders and recognized in verified Twitter accounts. We have concluded that this domain is not hosting malware or fraudulent content.
Figure 2. The website for the DAO established by Pussy Riot, as of 28 February
In contrast, a number of other DAOs are more suspicious and lack credible ties to established personalities in the region. Figure 3 shows a screen capture from the domain saveukraine[.]xyz. At first glance, the content is similar to that of Ukraine DAO; however, based on several factors, we assess that this website is a cryptocurrency scam:
- The advertised Ethereum address has no transactions
- There is no publicly validated claim of this site
- Established researchers from ESET have concluded the website is fraudulent
- The owners of the site are creating third-party transactions to another recently registered domain, unchain[.]fund, for which they receive fees[3]
Figure 3. The crypto scam from saveukraine[.]xyz
Comparing Ukraine DAO to saveukraine[.]xyz demonstrates how difficult it can be for the average consumer to distinguish between valid and nefarious activity. In addition to receiving money under false pretenses, cyber criminals can use this interaction to steal personal information and credit card details and to deliver malware. Figures 4 and 5 show other examples of deceptive fundraising sites.
Figure 4. The crypto scam from adoptaukrainiangirl[.]com
Figure 5. The website of donateeforukraine[.]com on 1 March
In addition to the dramatic increase in the number of domains created over the weekend, we discovered malicious campaigns that were established in the weeks prior to the attacks. For example, the domains ukraine-appeal[.]com and afghanappeal[.]com were registered earlier in February. Both domains are hosted on the same IP address and, as can be seen in Figures 6 and 7, host remarkably similar content. Like many criminal websites, both domains appear to represent valid relief campaign organizations. However, the actors who created these websites have not taken the time to clean them up from what appear to be previous scams. As shown in Figure 8, the terms and conditions of these two sites include the following statement: “Acceptance of any contribution, gift or grant is at the discretion of the Alone Covid 19. The Alone Covid 19 will not accept any gift unless it can be used or expended consistently with the purpose and mission of the Alone Covid 19”.[4] As a result of this and other characteristics, Infoblox has deemed these websites fraudulent.
Figure 6. The website of ukraine-appeal[.]com on 28 February
Figure 7. The website of afghanappeal[.]com on 28 February
Figure 8. Terms and conditions for Alone Covid-19
Infoblox researchers have manually analyzed dozens of newly observed domains related to Ukraine. As we provide the content to the DNS firewalls used by our customers, we want to ensure that we both protect them from malicious actors and do not interfere with genuine relief efforts solely on the basis of a domain’s age or the appearance of a website.
In addition to donation websites like those we described above, the invasion has inspired grassroots efforts to gather support, protest the invasion, and provide relief to the people of Ukraine. New websites have been created to gather medications and supplies, organize volunteers for militias, and spread information about local protests. Some of these websites incorporate spreadsheets or links to Google Forms, which are often associated with malicious behavior. The example in Figure 9 shows one of many new, legitimate websites we have encountered—this one for organizing protest marches. We are making every effort to distinguish between opportunistic bad actors and new citizen-led organizations.
Figure 9. A protest march organization’s website, standwithukraine[.]live
3. Prevention and mitigation
Individuals and organizations wishing to support humanitarian causes in Ukraine or to be part of local efforts to end the war should use a great deal of caution when interacting with websites related to such efforts. We recommend that everyone think twice before clicking on links to sites, and verify the legitimacy of these organizations. Some of these sites could serve as fraudulent fronts for intelligence operations or cyber crime operations, posing a potential spyware risk to endpoint devices and a risk of harvesting of personally identifiable information (PII). Before providing personal or financial information to these kinds of websites, check with an established source that identifies the organization and its hosting domain.
4. Indicators of compromise
Infoblox will provide indicators related to the war in Ukraine both in the table below and in a downloadable list that also includes a brief note about each indicator. We have discovered these indicators in one or more of our proprietary data sources and the list is not intended to be comprehensive in the sense of incorporating indicators from other public sources. Our indicators are broken out into those that are malicious and those that we have validated not to contain malware or fraudulent content at the time of evaluation.
Indicator | Description | Notes |
https://cdn[.]discordapp[.]com/attachments/946667303825735721/948011944776986715/Izcei[.]jpg | malware | Malspam used a Ukraine support-themed message to deliver downloader attachments that retrieved the AgentTesla binary from this file hosting location. |
4464u4jhw4[.]xyz | malware | Spam emails using “Stand with Ukraine” message theme sent suspicious links with this domain. |
487jw34e[.]xyz | malware | Spam emails using “Stand with Ukraine” message theme sent suspicious links with this domain. |
a3k67[.]xyz | malware | Spam emails using “Stand with Ukraine” message theme sent suspicious links with this domain. |
hf39q48[.]xyz | malware | Spam emails using “Stand with Ukraine” message theme sent suspicious links with this domain. |
pritto4523463[.]xyz | malware | Spam emails using “Stand with Ukraine” message theme sent suspicious links with this domain. |
pritto456123[.]xyz | malware | Spam emails using “Stand with Ukraine” message theme sent suspicious links with this domain. |
pritto4563[.]xyz | malware | Spam emails using “Stand with Ukraine” message theme sent suspicious links with this domain. |
q34yfhh897[.]xyz | malware | Spam emails using “Stand with Ukraine” message theme sent suspicious links with this domain. |
xsolo[.]live | malware | Spam emails using “Stand with Ukraine” message theme sent suspicious links with this domain. |
xsolo[.]shop | malware | Spam emails using “Stand with Ukraine” message theme sent suspicious links with this domain. |
xsolo[.]store | malware | Spam emails using “Stand with Ukraine” message theme sent suspicious links with this domain. |
xsolo[.]us | malware | Spam emails using “Stand with Ukraine” message theme sent suspicious links with this domain. |
3ywg4544y3[.]xyz | malware | Spam emails using “Stand with Ukraine” message theme sent suspicious links with this domain. |
789o8lm[.]xyz | malware | Spam emails using “Stand with Ukraine” message theme sent suspicious links with this domain. |
bertshbt32[.]xyz | malware | Spam emails using “Stand with Ukraine” message theme sent suspicious links with this domain. |
danhramvaiqua[.]xyz | malware | Spam emails using “Stand with Ukraine” message theme sent suspicious links with this domain. |
muonroimasaovancon[.]xyz | malware | Spam emails using “Stand with Ukraine” message theme sent suspicious links with this domain. |
w3eg544456u[.]xyz | malware | Spam emails using “Stand with Ukraine” message theme sent suspicious links with this domain. |
ukraineforever[.]com | phishing | Domain parked in 2018 and reregistered in Feb 2022. The page has changed twice in the last few days; the Twitter account is new and has one tweet. Requesting relief funds. |
ukraine-human-rights[.]org | phishing | Website contains Russian propaganda content; sibling website: https://de[.]ukraine-human-rights[.]org/ |
protectukraine[.]org | phishing | BTC Scam |
ukrainecharity[.]net | phishing | Ukraine relief scams |
donateukraine[.]com | phishing | ukraine-appeal[.]com was registered on 02/13 soliciting donations. Claims to work with a number of legitimate charities but doesn’t link to any. Payment through Stripe. 3-month cert from Let’s Encrypt. Contact address listed is a work-share space in London with no contact names. Same IP 157.245.35.51 hosts afghanappeal[.]com (registered on 02/06) with identical logo. Neither site links to or from other websites. |
ukraine-appeal[.]com | phishing | Recently registered domain focusing on gathering funds for “on the ground disbursement.” No apparent propaganda and the payment processing system is Stripe, so they aren’t collecting financial information. The site does ask for PII (name), though, and has a form for a newsletter, which means giving over an email address. |
assistukraine[.]org | phishing | Newly registered. Hosted on same IP with several variants of the domain name as well as other suspicious crypto-related domains. Address on website not found. Looks like a BTC scam. |
app-en[.]com | phishing | Reported by security researchers for donation scam activity related to the Russian invasion of Ukraine. https://twitter.com/JCyberSec_/status/1498239774116753409 |
donateukraine[.]sbs | phishing | https://twitter.com/JCyberSec_/status/1498239774116753409 |
helpukraine[.]su | phishing | Site purports to be collecting donations for the Armed Forces of Ukraine, but the donation button currently leads to a missing page and the domain was registered via a Russian registrar. |
helpukraine[.]charity | phishing | Found on same IP space as other scam domains using Ukraine support-themed messages. Website states they were founded in 2014, but business indexes show a 2022 establishment date. https://www.paqle.dk/p/help-ukraine/6913551. Bitcoin addresses owned by this entity show minimal transactions. https://www.blockchain.com/btc/address/1JxmpptfbZmxd5Apk135NJfXHdzmR7F9wi |
saveukraine-website[.]margosolution[.]com | phishing | Using cpcalendars[.]saveukraine[.]website in its SSL certificate. saveukraine[.]website was confirmed a fraudulent site using fake Ukraine support content. |
standwitukraine[.]com | phishing | Found on same IP space as other scam domains using Ukraine support-themed messages. Now NXDOMAIN. |
donateeforukraine[.]com | phishing | In early March 2022, this domain was pointing to a shady website claiming to collect funds to support Ukrainian people during the crisis escalation against Russia. However, no information was provided about the organization behind this project or where the money was actually going. |
support4ukraine[.]info | phishing | Domain used in support of a Ukrainian conflict-related scam operation. |
donate-ukraine[.]org | phishing | Created on February 26th, in early March 2022 this domain pointed to a phishy donation website aimed at supporting people of Ukraine during the crisis escalation. No information was provided about the organization behind this project and no information was provided about how the money is going to be spent. |
fundukraine[.]org | phishing | In early March 2022, this domain was pointing to a phishy donation website for helping people in Ukraine. There was no information about either the owning organization or the destination of the donations. |
helpukrainestopputin[.]org | phishing | In early March 2022, this site was pointing to a phishy site aimed at collecting donations via an Indiegogo campaign to support people facing war in Ukraine. No information was provided about either the organization behind the project or how the collected money was going to be spent. |
istandwithukrainepin[.]com | phishing | Created on February 26th, in early March 2022 this domain pointed to a phishy e-store for Ukraine-branded material. The store doesn’t provide any indication about the organization behind that project. |
ukrainedevs[.]com | suspicious | Newly registered domain purportedly recruiting Ukrainian software developers. |
pakukrainecentre[.]com | suspicious | Website serving content related to trade and investment between Pakistan and Ukraine, but it is hosted in China. Many URLs on the domain have recently been detected as phishing, spam or malicious, and the site is currently not accessible. |
ictvukraine[.]tv | suspicious | Suspicious domain as it is routed through Russian IP space before delivering the content. Some signs point to authenticity. ICTV is a popular Ukrainian TV station. Domain registration matches content that service started in March 2020 purportedly by StarlightMedia. This Ukrainian company owns several media outlets including ICTV. |
ukrainecrisis[.]org | suspicious | Domain registered 7 days ago. Nothing clearly malicious; hosting news with no apparent propaganda. |
adoptioninukraine[.]com | suspicious | Registered in 2011 and unrelated to the current conflict. The phone number is linked to two Facebook pages (one taken down) that list other websites claiming to be a Columbian-Ukrainian adoption service; however, this website is Russian-hosted. |
bat-ukraine[.]com | suspicious | Currently parked and tied to malware IPs. |
helpukraine[.]org | suspicious | Expired domain that shows static image at base page with a support message for Ukraine, limited content on website and appears to be mostly unused. |
helpukraine[.]biz | suspicious | New website with newly registered domain that has not been configured. This could potentially be used later for malicious purposes. |
web4ukraine[.]org | suspicious | URL redirector service; splash page shows message against Russian invasion of Ukraine before redirect action. According to the creator, the intent of this service is to slow down Russian web traffic and spread awareness about the Ukrainian conflict. https://english.radio.cz/700-czech-webmasters-support-call-counter-russian-propaganda-8743231. Creator of service has been criticized for his/her intent for usage, as it can be used as a medium to deliver malware and punish innocent users. https://www.reddit.com/r/javascript/comments/t242c0/we_are_letting_people_in_russia_know_that_we_dont/ |
amazingukraine[.]tours | parked | This domain attracted some attention in late February – early March 2022 due to the name linked to the Ukraine-Russia crisis escalation. Created during the crisis, it was parked for potential future usage in early March 2022 |
fightlikeukraine[.]com | parked | This domain attracted some attention in late February – early March 2022 due to the name linked to the Ukraine-Russia crisis escalation. Created during the crisis, it was parked for potential future usage in early March 2022 |
aid2ukraine[.]com | parked | This is a parked domain created in relation to the Russian invasion of Ukraine |
aid2ukraine[.]org | parked | This is a parked domain created in relation to the Russian invasion of Ukraine |
aid4ukraine[.]org | parked | This is a parked domain created in relation to the Russian invasion of Ukraine |
amazingukraine[.]tours | parked | This is a parked domain created in relation to the Russian invasion of Ukraine |
cookforukraine[.]com | parked | This is a parked domain created in relation to the Russian invasion of Ukraine |
defend-ukraine[.]org | parked | This is a parked domain created in relation to the Russian invasion of Ukraine |
defendukraine[.]world | parked | This is a parked domain created in relation to the Russian invasion of Ukraine |
freedomforukraine[.]org | parked | This is a parked domain created in relation to the Russian invasion of Ukraine |
freeukraine[.]art | parked | This is a parked domain created in relation to the Russian invasion of Ukraine |
freeukraine[.]live | parked | This is a parked domain created in relation to the Russian invasion of Ukraine |
freeukraine[.]news | parked | This is a parked domain created in relation to the Russian invasion of Ukraine |
freeukraine[.]today | parked | This is a parked domain created in relation to the Russian invasion of Ukraine |
freeukraine[.]world | parked | This is a parked domain created in relation to the Russian invasion of Ukraine |
freeukraine[.]xyz | parked | This is a parked domain created in relation to the Russian invasion of Ukraine |
gloryofukraine[.]com | parked | This is a parked domain created in relation to the Russian invasion of Ukraine |
goukraine[.]tours | parked | This is a parked domain created in relation to the Russian invasion of Ukraine |
helpukraine[.]today | parked | This is a parked domain created in relation to the Russian invasion of Ukraine |
helpukrainebuild[.]com | parked | This is a parked domain created in relation to the Russian invasion of Ukraine |
helpukrainepeopletoday[.]com | parked | This is a parked domain created in relation to the Russian invasion of Ukraine |
helpukrainerebuild[.]com | parked | This is a parked domain created in relation to the Russian invasion of Ukraine |
heroofukraine[.]com | parked | This is a parked domain created in relation to the Russian invasion of Ukraine |
heroofukraine[.]org | parked | This is a parked domain created in relation to the Russian invasion of Ukraine |
istandswithukraine[.]com | parked | This is a parked domain created in relation to the Russian invasion of Ukraine |
istandwithukraine[.]live | parked | This is a parked domain created in relation to the Russian invasion of Ukraine |
istandwithukraine[.]news | parked | This is a parked domain created in relation to the Russian invasion of Ukraine |
istandwithukraine[.]today | parked | This is a parked domain created in relation to the Russian invasion of Ukraine |
lettersukraine[.]com | parked | This is a parked domain created in relation to the Russian invasion of Ukraine |
letterukraine[.]com | parked | This is a parked domain created in relation to the Russian invasion of Ukraine |
letukrainein[.]com | parked | This is a parked domain created in relation to the Russian invasion of Ukraine |
liberateukraine[.]com | parked | This is a parked domain created in relation to the Russian invasion of Ukraine |
best-ukraine-support[.]com | legitimate | Legitimate website serving Japanese-speaking users. |
firstukrainebc[.]com | legitimate | Legitimate website managed by an American-Ukrainian Baptist church in Minnesota. |
education-ukraine[.]net | legitimate | Legitimate website promoting Ukraine’s education system. |
ukraine-arabia[.]ae | legitimate | Legitimate website promoting Ukrainian commerce content. Website has not been updated since 2017. |
ukraine-bride[.]com | legitimate | Legitimate website advertising Russian-Ukrainian mail order bride. |
guideinukraine[.]com[.]ua | legitimate | Legitimate website promoting Ukraine travel content. |
sesam2021ukraine[.]com | legitimate | Legitimate website created for the 2021 Small European Architectural Student Meeting event. |
ukraine-mainz[.]de | legitimate | Website for a Ukrainian Saturday school in Mainz, Germany. |
ukraine-all[.]com | legitimate | Created July 23, 2019; looks like a currency exchange rate website. Does not appear malicious. |
ukraine-today[.]com[.]ua | legitimate | Legitimate website providing news content related to Ukraine. |
mol-ukraine[.]com[.]ua | legitimate | Legitimate Ukrainian website serving content related to commercial vehicles. |
ukraine-memoire[.]fr | legitimate | Legitimate website serving content related to Ukrainian history. |
beinukraine[.]com | legitimate | Website is currently unsupported and shows no malicious content. |
budukraine[.]com | legitimate | Legitimate website serving content related to housing and real estate in Ukraine. |
postmarkukraine[.]com | legitimate | Ukrainian online ecommerce website. |
paulowniaukraine[.]com | legitimate | Legitimate website serving content related to Paulownia trees. |
designersunitedforukraine[.]org | legitimate | Legitimate website supporting Ukrainian designers. |
kievukraine[.]info | legitimate | Currently unsupported website that previously served Ukrainian travel guide content. |
ukrainecitytours[.]com | legitimate | Legitimate website promoting tourism in Ukraine. |
hundehoffnung-ukraine[.]de | legitimate | Legitimate animal activist website attempting to help stranded street dogs |
ukraine-stuttgart[.]de | legitimate | Legitimate website serving content about relations between Ukraine and the city of Stuttgart in Germany. |
ukrainedemocracy[.]org | legitimate | Legitimate website promoting democracy in Ukraine. |
ukraineguide[.]com[.]ua | legitimate | Legitimate tour guide website. |
supportukraine[.]co | legitimate | Newly registered. Legit links for donation. |
enjoy-ukraine[.]com | legitimate | Legitimate travel advice website |
nursingmidwiferycouncilukraine[.]org | legitimate | Legit website about Ukrainian healthcare professionals |
ukraine-wife[.]net | legitimate | Legit dating website. |
opendoorukraine[.]nl | legitimate | Legitimate website offers a platform to assist struggling communities in Ukraine. |
ukrainerelief[.]org | legitimate | Legitimate website offering relief and support to Ukraine. |
voicesfromukraine[.]org | legitimate | Legitimate website offering authentic payment options to support Ukraine. |
brideukraine[.]net | legitimate | Legitimate Ukrainian mail order bride website. |
heartsofhopeukraine[.]com | legitimate | Legitimate website offering assistance to orphans that have aged out of the Ukrainian orphanage system. |
studyinukraineuniversities[.]com | legitimate | Legitimate website promoting universities in Ukraine. |
ukraine-vs-russia[.]com | legitimate | Website serves polling and vote system related to Ukraine and Russia. |
ukraine-woman[.]net | legitimate | Ukrainian dating website. |
viasat-ukraine[.]com | legitimate | Ukrainian satellite TV provider. |
bisukraine[.]com | legitimate | Ukrainian business insurance and risk management service provider. |
ukrainebridestours-usa[.]com | legitimate | Ukrainian mail order bride website. |
ukraine-hilfe-berlin[.]de | legitimate | Non-profit organization providing humanitarian assistance to Ukrainian civilians. |
ukrainelove[.]nl | legitimate | Legitimate dating website. |
ukrainedao[.]love | legitimate | Legitimate website accepts cryptocurrency payments to support civilians impacted by Russian invasion of Ukraine. |
unitedpeacekeepersforukraine[.]com | legitimate | Community funded effort to help Ukraine defend against Russian invaders. https://www.reddit.com/r/ukraine/comments/t1bhxu/im_willing_to_help_american_vets_with_combat/ |
helpukraine[.]center | legitimate | Legitimate website offering humanitarian aid to Ukrainians. https://odessa-journal.com/if-you-want-to-help-every-box-should-have-a-large-label-help-ukraine/ |
volunteerforukraine[.]org | legitimate | Community funded effort to help Ukraine defend against Russian invaders. https://www.reddit.com/r/ukraine/comments/t1bhxu/im_willing_to_help_american_vets_with_combat/ |
skyukraine[.]com | legitimate | Long established; Sky Ukraine is an independent Ukrainian Arabic-language newspaper concerned with Ukrainian affairs and Arab-Ukrainian relations. |
allforukraine[.]com | legitimate | In early March 2022, this domain was pointing to a web-based bulletin board aimed at letting Ukrainian people requesting help communicate with people willing to provide help. |
ate-solidarite-ukraine[.]org | legitimate | In early March 2022, this domain was pointing to a French-based association aimed at supporting Ukraine with donations and charity offers. |
chechenswithukraine[.]org | legitimate | In early March 2022, this domain was pointing to a website presenting a pro-Ukraine manifesto addressed to the Chechen community. Among the many resources, it includes a few convincing links to donation websites. |
code4ukraine[.]com | legitimate | In early March 2022, this domain was pointing to a Google Form aimed at collecting software projects made by students of a few American universities and aimed at helping people facing war in Ukraine. |
freeconsultancyforukraine[.]com | legitimate | In early March 2022, this domain was pointing to a website offering free consultancy for people impacted by the war in Ukraine. The site was still under development but the content was legitimate |
h4ukraine[.]com | legitimate | In early March 2022, this domain was pointing to an aggregator for humanitarian aid information and donations for people facing war in Ukraine. The site was incomplete but the referenced resources were legit and consistent |
helpsaveukraine[.]com | legitimate | In early March 2022, this domain was pointing to an aggregator for humanitarian aid information and donations for people facing war in Ukraine |
helpukraine[.]center | legitimate | In early March 2022, this domain was pointing to a website for humanitarian and medical support to people facing war in Ukraine |
investorsforafreeukraine[.]org | legitimate | In early March 2022, this domain was pointing to a website aimed at gathering fundraiser contacts, charities and donation links in support of Ukraine |
loveukrainetoken[.]com | legitimate | In early March 2022, this domain was pointing to a website of an organization based in Romania and aimed at helping refugees leaving a Ukraine at war. |
2022ukrainewar[.]com | legitimate | Legitimate, unfinished website serving a timeline of the events in Ukraine |
4lifeukraine[.]com | legitimate | Legitimate shopping website in Ukraine |
911ukraine[.]com | legitimate | Redirects to a legitimate gofundme page for Ukraine relief. |
abrykos-ukraine[.]site | legitimate | Legitimate Ukraine website selling apple seeds. |
act4ukraine[.]org | legitimate | Legitimate website gathering volunteers for Ukraine. |
aidingforukraine[.]com | legitimate | In early March 2022, this domain was pointing to a newly-created blog. Due to the name, this domain attracted some attention during the Russia-Ukraine crisis escalation. |
amaukraine[.]com | legitimate | Legitimate website of the American Music Academy in Ukraine. |
atshirtforukraine[.]net | legitimate | Legitimate website selling T-shirts for the Ukraine war effort. |
businessforukraine[.]com | legitimate | Redirects to .business-for-ukraine[.]se Swedish website calling for contributions to the Red Cross. |
businessforukraine[.]org | legitimate | Redirects to .business-for-ukraine[.]se Swedish website calling for contributions to the Red Cross. |
casmaraukraine[.]com | legitimate | Legitimate website selling makeup |
coffe-ukraine[.]online | legitimate | Legitimate website about coffee choices in Ukraine |
coinwayukraine[.]com | legitimate | Legitimate recruiting website in Ukraine |
cooperhunter-ukraine[.]com | legitimate | Legitimate home repairs website in Ukraine |
creativesforukraine[.]com | legitimate | Legitimate website calling for art creations on the Ukraine war |
cyber-ukraine[.]com | legitimate | Legitimate website coordinating hacking efforts to help Ukraine |
czechhomesforukraine[.]com | legitimate | Legitimate CZ website organising relief efforts for Ukraine. |
defendukraine[.]org | legitimate | Legitimate Ukraine donation links |
dev-ukraine[.]link | legitimate | Resume of a Ukraine developer |
dispatchukraine[.]com | legitimate | Legitimate Ukraine news website |
doesukrainestillexist[.]com | legitimate | Legitimate Ukraine donation links |
donate2ukraine[.]com | legitimate | Legitimate Ukraine donation links |
donateforukraine[.]org | legitimate | Legitimate Ukraine donation links |
donatetoukraine[.]com | legitimate | Legitimate Ukraine donation links |
doveforukraine[.]com | legitimate | Legitimate Ukraine donation links |
driveforukraine[.]com | legitimate | Legitimate personal blog regarding invasion of Ukraine |
education-en-ukraine[.]com | legitimate | Legitimate website offering education access in Ukraine. |
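The following is an added example, not Infoblox's code: it parses rows in the table's "Indicator | Description | Notes |" layout, undoes the [.] defanging, and triages resolver query names so that a name containing "ukraine" but absent from the table is queued for review rather than blocked. The log lines, the mapping from the Description column to block/allow/watch actions, and all function names are assumptions made for illustration; the URL indicator is kept apart from the domain list because its host is a shared file hosting service.

```python
"""Triage resolver query names against the defanged indicator table (added example)."""
from collections import defaultdict

# A few rows in the page's "Indicator | Description | Notes |" layout (notes shortened).
TABLE = """\
Indicator | Description | Notes |
https://cdn[.]discordapp[.]com/attachments/946667303825735721/948011944776986715/Izcei[.]jpg | malware | AgentTesla download location. |
xsolo[.]live | malware | Links sent in Stand with Ukraine themed spam. |
ukraine-appeal[.]com | phishing | Recently registered donation site. |
helpukraine[.]biz | suspicious | Newly registered, not yet configured. |
aid2ukraine[.]org | parked | Parked domain. |
ukrainedao[.]love | legitimate | Accepts cryptocurrency donations. |
"""

# Constructed resolver log (time-ordered): timestamp, client, query type, query name.
LOG = [
    "2022-02-26T09:14:03Z 10.0.0.5 A cdn.xsolo.live.",
    "2022-02-26T09:20:41Z 10.0.0.7 A ukrainedao.love",
    "2022-02-27T11:02:17Z 10.0.0.5 A www.ukraine-appeal.com",
    "2022-02-27T11:05:00Z 10.0.0.9 AAAA helpukraine.biz",
    "2022-02-28T08:00:00Z 10.0.0.9 A donate-for-ukraine.example",
    "2022-02-28T08:00:05Z 10.0.0.9 A intranet.example",
]

# Assumed policy: how each Description value maps to a resolver action.
ACTIONS = {"malware": "block", "phishing": "block", "legitimate": "allow",
           "suspicious": "watch", "parked": "watch"}
PRIORITY = ["block", "allow", "watch"]  # block wins if a domain has several verdicts


def parse_table(text):
    """Return ({domain: {categories}}, [(url, category)]) from pipe-delimited rows."""
    domains, urls = defaultdict(set), []
    for line in text.splitlines():
        cells = [c.strip() for c in line.split("|", 2)]
        if len(cells) < 3 or not cells[0] or cells[0].lower() == "indicator":
            continue  # blank line, malformed row, or the header
        value = cells[0].replace("[.]", ".").replace(" ", "")  # refang
        category = cells[1].lower()
        if "://" in value:
            # A URL on a shared host must not become a domain-level block.
            urls.append((value, category))
        else:
            domains[value.lower().rstrip(".")].add(category)
    return dict(domains), urls


def decide(qname, domains, keyword="ukraine"):
    """Return block/allow/watch for listed names, review/pass for unlisted ones."""
    qname = qname.lower().rstrip(".")
    labels = qname.split(".")
    for i in range(len(labels) - 1):  # the name itself, then each parent domain
        categories = domains.get(".".join(labels[i:]))
        if categories:
            actions = {ACTIONS.get(c, "watch") for c in categories}
            return next(a for a in PRIORITY if a in actions)
    # Unlisted: the keyword alone justifies analyst review, never a block.
    return "review" if keyword in qname else "pass"


def triage(log_lines, domains):
    """Return {qname: (first_seen_date, action)} for each distinct query name."""
    seen = {}
    for line in log_lines:
        timestamp, _client, _qtype, qname = line.split()
        qname = qname.lower().rstrip(".")
        if qname not in seen:
            seen[qname] = (timestamp[:10], decide(qname, domains))
    return seen


if __name__ == "__main__":
    table_domains, table_urls = parse_table(TABLE)
    for name, (first_seen, action) in triage(LOG, table_domains).items():
        print(f"{first_seen}  {action:<6}  {name}")
    for url, category in table_urls:
        print(f"URL-level indicator ({category}), match in proxy logs: {url}")
```

URL-level indicators such as the file hosting link belong in web proxy or endpoint detections, since a resolver only sees the host name.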
Endnotes
[1] https://twitter[.]com/Ukraine/status/1497594592438497282
[2] https://decrypt[.]co/93787/pussy-riot-trippy-labs-pleasrdao-launch-ukraine-dao
[3] https://twitter.com/fr0s7_/status/1497243320988442624
[4] https://urlscan.io/result/f5e6d05c-b020-4375-9eb4-fd54f11804c6/content/