{"id":2887,"date":"2025-03-28T03:02:06","date_gmt":"2025-03-28T03:02:06","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2025\/03\/28\/when-getting-phished-puts-you-in-mortal-danger\/"},"modified":"2025-03-28T03:02:06","modified_gmt":"2025-03-28T03:02:06","slug":"when-getting-phished-puts-you-in-mortal-danger","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2025\/03\/28\/when-getting-phished-puts-you-in-mortal-danger\/","title":{"rendered":"When Getting Phished Puts You in Mortal Danger"},"content":{"rendered":"<div>\n<p>Many successful phishing attacks result in a financial loss or malware infection. But falling for some phishing scams, like those currently targeting Russians searching online for organizations that are fighting the Kremlin war machine, can cost you your freedom or your life.<\/p>\n<div id=\"attachment_70811\" style=\"width: 760px\" class=\"wp-caption aligncenter\">\n<img data-recalc-dims=\"1\" loading=\"lazy\" aria-describedby=\"caption-attachment-70811\" decoding=\"async\" class=\" wp-image-70811\" src=\"https:\/\/i0.wp.com\/krebsonsecurity.com\/wp-content\/uploads\/2025\/03\/legionlibertyarmy.png?resize=750%2C420&#038;ssl=1\" alt=\"\" width=\"750\" height=\"420\" srcset=\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/03\/legionlibertyarmy.png 1430w, https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/03\/legionlibertyarmy-768x430.png 768w, https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/03\/legionlibertyarmy-782x437.png 782w\" sizes=\"(max-width: 750px) 100vw, 750px\"><\/p>\n<p id=\"caption-attachment-70811\" class=\"wp-caption-text\">The real website of the Ukrainian paramilitary group \u201cFreedom of Russia\u201d legion. 
The text has been machine-translated from Russian.<\/p>\n<\/div>\n<p>Researchers at the security firm <strong>Silent Push<\/strong> mapped a network of several dozen phishing domains that spoof the recruitment websites of Ukrainian paramilitary groups, as well as Ukrainian government intelligence sites.<\/p>\n<p>The website <strong>legiohliberty[.]army<\/strong> features a carbon copy of the homepage for the <a href=\"https:\/\/en.wikipedia.org\/wiki\/Freedom_of_Russia_Legion\" target=\"_blank\" rel=\"noopener\">Freedom of Russia Legion<\/a> (a.k.a. \u201cFree Russia Legion\u201d), a three-year-old Ukraine-based paramilitary unit made up of Russian citizens who oppose Vladimir Putin and his invasion of Ukraine.<\/p>\n<p>The phony version of that website copies the legitimate site \u2014 <strong>legionliberty[.]army \u2014 <\/strong>providing an interactive <strong>Google Form<\/strong> where interested applicants can share their contact and personal details. The form asks visitors to provide their name, gender, age, email address and\/or Telegram handle, country, citizenship, experience in the armed forces; political views; motivations for joining; and any bad habits.<\/p>\n<p>\u201cParticipation in such anti-war actions is considered illegal in the Russian Federation, and participating citizens are regularly charged and arrested,\u201d Silent Push wrote in a report released today. \u201cAll observed campaigns had similar traits and shared a common objective: collecting personal information from site-visiting victims. Our team believes it is likely that this campaign is the work of either Russian Intelligence Services or a threat actor with similarly aligned motives.\u201d<\/p>\n<p>Silent Push\u2019s <strong>Zach Edwards<\/strong> said the fake Legion Liberty site shared multiple connections with <strong>rusvolcorps[.]net<\/strong>. 
That domain mimics the recruitment page for a Ukrainian far-right paramilitary group called the <a href=\"https:\/\/en.wikipedia.org\/wiki\/Russian_Volunteer_Corps\" target=\"_blank\" rel=\"noopener\">Russian Volunteer Corps<\/a> (rusvolcorps[.]com), and uses a similar Google Forms page to collect information from would-be members.<\/p>\n<p>Other domains Silent Push connected to the phishing scheme include: <strong>ciagov[.]icu<\/strong>, which mirrors the content on the official website of the <strong>U.S. Central Intelligence Agency<\/strong>; and <strong>hochuzhitlife[.]com<\/strong>, which spoofs the <strong>Ministry of Defense of Ukraine &amp; General Directorate of Intelligence<\/strong> (whose actual domain is <strong>hochuzhit[.]com<\/strong>).<\/p>\n<p><img data-recalc-dims=\"1\" decoding=\"async\" loading=\"lazy\" class=\"aligncenter wp-image-70814\" src=\"https:\/\/i0.wp.com\/krebsonsecurity.com\/wp-content\/uploads\/2025\/03\/recruit-form.png?resize=749%2C775&#038;ssl=1\" alt=\"\" width=\"749\" height=\"775\" srcset=\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/03\/recruit-form.png 790w, https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/03\/recruit-form-768x794.png 768w, https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/03\/recruit-form-782x809.png 782w\" sizes=\"(max-width: 749px) 100vw, 749px\"><\/p>\n<p>According to Edwards, there are no signs that these phishing sites are being advertised via email. 
Rather, it appears those responsible are promoting them by manipulating the search engine results shown when someone searches for one of these anti-Putin organizations.<\/p>\n<p>In August 2024, security researcher <strong>Artem Tamoian<\/strong> posted <a href=\"https:\/\/x.com\/artemtam\" target=\"_blank\" rel=\"noopener\">on Twitter\/X<\/a> about how he received startlingly different results when he searched for \u201cFreedom of Russia legion\u201d in Russia\u2019s largest domestic search engine <strong>Yandex<\/strong> versus Google.com. The top result returned by Google was the legion\u2019s actual website, while the first result on Yandex was a phishing page targeting the group.<\/p>\n<p>\u201cI think at least some of them are surely promoted via search,\u201d Tamoian said of the phishing domains. \u201cMy first thread on that accuses Yandex, but apart from Yandex those websites are consistently ranked above legitimate in DuckDuckGo and Bing. Initially, I didn\u2019t realize the scale of it. They keep appearing to this day.\u201d<span id=\"more-70785\"><\/span><\/p>\n<p>Tamoian, a native Russian who left the country in 2019, is the founder of the cyber investigation platform <a href=\"https:\/\/malfors.com\/\" target=\"_blank\" rel=\"noopener\">malfors.com<\/a>. He recently discovered two other sites impersonating the Ukrainian paramilitary groups \u2014 <strong>legionliberty[.]world<\/strong> and <strong>rusvolcorps[.]ru<\/strong> \u2014 and reported both to Cloudflare. 
When Cloudflare responded by blocking the sites with a phishing warning, the real Internet address of these sites <a href=\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/03\/rusvolcorps-stark.png\" target=\"_blank\" rel=\"noopener\">was exposed<\/a> as belonging to a known \u201cbulletproof hosting\u201d network called <strong>Stark Industries Solutions Ltd<\/strong>.<\/p>\n<p>Stark Industries Solutions appeared two weeks before Russia invaded Ukraine in February 2022, materializing out of nowhere with hundreds of thousands of Internet addresses in its stable \u2014 many of them originally assigned to Russian government organizations. In May 2024, KrebsOnSecurity <a href=\"https:\/\/krebsonsecurity.com\/2024\/05\/stark-industries-solutions-an-iron-hammer-in-the-cloud\/\" target=\"_blank\" rel=\"noopener\">published a deep dive on Stark<\/a>, which has repeatedly been used to host infrastructure for distributed denial-of-service (DDoS) attacks, phishing, malware and disinformation campaigns from Russian intelligence agencies and pro-Kremlin hacker groups.<\/p>\n<p>In March 2023, Russia\u2019s Supreme Court designated the Freedom of Russia legion as a terrorist organization, meaning that Russians caught communicating with the group could face between 10 and 20 years in prison.<\/p>\n<p>Tamoian said those searching online for information about these paramilitary groups have become easy prey for Russian security services.<\/p>\n<p>\u201cI started looking into those phishing websites, because I kept stumbling upon news that someone gets arrested for trying to join [the] Ukrainian Army or for trying to help them,\u201d Tamoian told KrebsOnSecurity. 
\u201cI have also seen reports [of] FSB contacting people impersonating Ukrainian officers, as well as using fake Telegram bots, so I thought fake websites might be an option as well.\u201d<\/p>\n<div id=\"attachment_70810\" style=\"width: 622px\" class=\"wp-caption aligncenter\">\n<img data-recalc-dims=\"1\" aria-describedby=\"caption-attachment-70810\" decoding=\"async\" loading=\"lazy\" class=\"size-full wp-image-70810\" src=\"https:\/\/i0.wp.com\/krebsonsecurity.com\/wp-content\/uploads\/2025\/03\/legion-arrests.png?resize=612%2C802&#038;ssl=1\" alt=\"\" width=\"612\" height=\"802\"><\/p>\n<p id=\"caption-attachment-70810\" class=\"wp-caption-text\">Search results showing news articles about people in Russia being sentenced to lengthy prison terms for attempting to aid Ukrainian paramilitary groups.<\/p>\n<\/div>\n<p>Tamoian said <a href=\"https:\/\/en.zona.media\/article\/2024\/10\/15\/phish-trl\" target=\"_blank\" rel=\"noopener\">reports surface regularly in Russia<\/a> about people being arrested for trying to carry out an action requested by a \u201cUkrainian recruiter,\u201d with the courts unfailingly imposing harsh sentences regardless of the defendant\u2019s age.<\/p>\n<p>\u201cThis keeps happening regularly, but usually there are no details about how exactly the person gets caught,\u201d he said. \u201cAll cases related to state treason [and] terrorism are classified, so there are barely any details.\u201d<\/p>\n<p>Tamoian said while he has no direct evidence linking any of the reported arrests and convictions to these phishing sites, he is certain the sites are part of a larger campaign by the Russian government.<\/p>\n<p>\u201cConsidering that they keep them alive and keep spawning more, I assume it might be an efficient thing,\u201d he said. 
\u201cThey are on top of DuckDuckGo and Yandex, so it unfortunately works.\u201d<\/p>\n<p>Further reading: Silent Push report, <a href=\"https:\/\/www.silentpush.com\/blog\/russian-intelligence-phishing\" target=\"_blank\" rel=\"noopener\">Russian Intelligence Targeting its Citizens and Informants<\/a>.<\/p>\n<\/div>\n<p>BrianKrebs<br \/>\n<a href=\"https:\/\/krebsonsecurity.com\/2025\/03\/when-getting-phished-puts-you-in-mortal-danger\/\">Go to krebsonsecurity<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>When Getting Phished Puts You in Mortal Danger Many successful phishing attacks result in a financial loss or malware infection. But falling for some phishing scams, like those currently targeting Russians searching online for organizations that are fighting the Kremlin war machine, can cost you your freedom or your life. The real website of the [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[188,988,989,990,55,369,991,446,992,993,448],"tags":[72],"class_list":["post-2887","post","type-post","status-publish","format-standard","hentry","category-a-little-sunshine","category-artem-tamoian","category-duckduckgo","category-freedom-of-russia-legion","category-krebsonsecurity","category-russias-war-on-ukraine","category-russian-volunteer-corps","category-silent-push","category-stark-industries-solutions-ltd","category-yandex","category-zach-edwards","tag-krebsonsecurity"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/2887"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\
/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=2887"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/2887\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=2887"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=2887"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=2887"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}