Phishing sites collect data posing as the “Freedom of Russia” Legion in Ukraine. Here’s how it works
Article
15 October 2024, 18:34


Art: Mila Grabowski / Mediazona

Russian courts routinely hand down sentences in cases related to the “Freedom of Russia” Legion—a unit of the Ukrainian Armed Forces comprised of Russian nationals. Most defendants are charged under the article on “participation in a terrorist organisation,” facing a minimum of 10 years in a penal colony. Security forces’ press releases suggest that many of those convicted exchanged only brief correspondence with Legion representatives before being swiftly detained. Web developer Artem Tamoyan may have uncovered how Russian special services achieve such strikingly consistent results: phishing sites masquerading as the Legion’s official pages, harvesting data from unsuspecting users.

In March 2023, Russia’s Supreme Court designated the “Freedom of Russia” Legion—a volunteer unit of Russian citizens fighting within the Ukrainian Armed Forces—as a terrorist organisation.

This ruling means that even exchanging messages with Legion representatives can be prosecuted under the severe Part 2 of Article 205.5 of the Russian Criminal Code (participation in a terrorist organisation—punishable by 10 to 20 years in prison). Those searching online for information about the unit have become easy prey for Russian security services. The total number of such criminal cases is hard to estimate, but arrest reports surface regularly, with courts unfailingly imposing harsh sentences regardless of the defendant’s age or trial location.

On October 9, Moscow’s 2nd Western District Military Court sentenced 50-year-old opposition activist Yevgeny Mishchenko to 12 years in a penal colony. Mishchenko conceded he “tried to contact this organisation”, but insisted his “participation” in the Legion’s activities was limited to chats. The court did not attempt to establish who exactly communicated with Mishchenko on the Ukrainian unit’s behalf.

Just a week before Mishchenko’s sentencing, St. Petersburg residents Fedor Konovalov and Ivan Radchenko each received 11-year penal colony terms for posting leaflets supporting the “Freedom of Russia” Legion on the instructions of someone claiming to be a Security Service of Ukraine officer.

Two days prior, 35-year-old Ivan Kolosov, a Moscow Cossack Cadet Corps graduate and paramedic, was sentenced to 9 years in a penal colony.

That same day, a St. Petersburg court jailed auto mechanic Yaroslav Rechkalov for 10 years. Rechkalov had sent a video to a user nicknamed “Kaluga” (a city in Russia), in which he recited a rather naive script on camera: “I swear allegiance to the Legion, I will serve faithfully and truly, I want to fight on the side of Ukraine.”

Security forces’ press releases concerning “Freedom of Russia” Legion cases frequently refer to “internet messenger” exchanges. Rechkalov, investigators claim, “contacted a participant of the specified terrorist organisation via an internet messenger.” A 39-year-old Khabarovsk resident, whose name was withheld, “on his own initiative, via an internet messenger, entered into correspondence with an agency of the Ukrainian special services.”

This vague wording makes it nearly impossible to discern whether the accused communicated with a genuine Legion representative or merely an impersonator.

Verifying the authenticity of such contacts is, in fact, quite straightforward. The Legion has just one active website, listed on its Wikipedia page. The site’s “Contacts” section features a single official Telegram bot for membership inquiries. If the site URL or bot username differs from the original by even one character, it’s fake.

For instance, the case file of 16-year-old schoolboy Arseny Turbin, sentenced to 5 years for posting leaflets allegedly at the Legion’s behest, references correspondence with @Legionrf_bot—an account not listed as an official contact on the unit’s actual website.

Honeypots

Links to these fraudulent bots are found on sites mirroring the Legion’s authentic website. Netherlands-based web developer Artem Tamoyan took note of this in August.

The clone sites meticulously replicate the real site’s design and content, with barely discernible differences in the URL, often by just a character or two. Though ostensibly phishing sites, they seek no financial details; their sole apparent purpose is amassing data on individuals attempting to reach the Legion. Hence, Tamoyan favors the term “honeypot.”
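As an added illustration of the check the article describes (compare a site URL or Telegram bot handle against the one official site and bot, and treat anything off by a character or two as a likely clone), not code from the article or from Tamoyan: the official domain and bot name below are constructed placeholders, since the article does not print them; only @Legionrf_bot, used here as a suspect handle, comes from the article.

```python
from urllib.parse import urlsplit

# Constructed placeholders standing in for the single official site and bot.
OFFICIAL_DOMAINS = {"legion-example.org"}   # not the real domain
OFFICIAL_BOTS = {"legionexample_bot"}       # not the real bot

def normalize_domain(url_or_host):
    """Lowercase, drop scheme/path/port and a leading 'www.' so only the host is compared."""
    s = url_or_host.strip().lower()
    host = urlsplit(s if "://" in s else "//" + s).hostname or ""
    return host[4:] if host.startswith("www.") else host

def normalize_bot(handle):
    """Strip '@' or a t.me/ prefix; Telegram usernames are case-insensitive."""
    h = handle.strip().lower()
    for prefix in ("https://t.me/", "http://t.me/", "t.me/", "@"):
        if h.startswith(prefix):
            h = h[len(prefix):]
    return h

def edit_distance(a, b):
    """Levenshtein distance: minimum insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_site(url, max_dist=2):
    """'official' only on an exact host match; 'lookalike' if within a couple of edits."""
    host = normalize_domain(url)
    if host in OFFICIAL_DOMAINS:
        return "official"
    for official in OFFICIAL_DOMAINS:
        # Compare the full host and the name without its TLD, so that a swapped
        # TLD (.org -> .com) and a one-letter typo both count as lookalikes.
        pairs = [(host, official), (host.rsplit(".", 1)[0], official.rsplit(".", 1)[0])]
        if any(edit_distance(a, b) <= max_dist for a, b in pairs):
            return "lookalike"
    return "not_official"

def check_bot(handle, max_dist=2):
    """Same rule for Telegram bot usernames; anything off the allowlist is not official."""
    name = normalize_bot(handle)
    if name in OFFICIAL_BOTS:
        return "official"
    if any(edit_distance(name, o) <= max_dist for o in OFFICIAL_BOTS):
        return "lookalike"
    return "not_official"
```

In practice the allowlist holds exactly the one site and one bot listed on the Legion's own page; any handle absent from it, lookalike or not, is simply not official.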

Reading yet another report of a “Freedom of Russia” involvement conviction, the developer grasped that questionnaires for would-be Legion recruits offer security services a hassle-free means to inflate their “terrorism” case-closed rates.

“It’s an ideal setup for Russian special services to generate criminal cases. People, perhaps earnestly, complete these forms, submit their details, and an FSB officer ends up with a ready-made dossier and an open-and-shut criminal case”, he explains.

While searches for “Freedom of Russia” within Telegram surfaced the Legion’s official channel first, thanks to its massive number of subscribers, search engine results were littered with honeypot sites indistinguishable from the unit’s genuine webpage.

Some speculated the Legion itself created the mirrors to evade official site blocks and remain accessible to Russian users without VPNs. However, the Legion’s press service confirmed to Tamoyan this was not so.

“My personal view is that those prepared to bear arms and resist the Putin regime merit respect. Even if it’s merely an intent, not necessarily acted upon. So I figured it’d make sense to hamper FSB efforts to jail these people,” he recounts.

As phishing is universally illegal, including in Russia, Tamoyan began reporting the copycat Legion sites to providers and registrars.

“I simply inform the registrar: ‘Look, this domain fronts a site posing as the original, but it’s actually a phishing site, which is readily verified. Check Wikipedia or official social media accounts linking to the real site.’ It’s a clear-cut procedure—the site’s phishing nature is indisputable. Providers thus almost immediately block the offender for ToS breaches,” he explains.

Tamoyan identified around two dozen fake Legion sites in total—virtually all were promptly blocked by providers or registrars upon notification.

The Security Services Connection

While definitively proving Russian security services’ involvement in these honeypot sites is impossible, several facts point compellingly to this conclusion.

Before Tamoyan highlighted the issue, results on Google and on Yandex, Russia’s top search engine, contrasted starkly: honeypots dominated Yandex’s top slots. The clone sites had no link history and appeared only in Yandex’s search listings.

This implies Yandex staff likely boosted them manually—a suspicion the developer maintains after extensive discussions with colleagues and ex-Yandex employees.

Tamoyan tested this hypothesis on another site, contact with which risks criminal prosecution for Russians—the Ukrainian “I Want to Live” project encouraging surrender. Unlike the blocked “Freedom of Russia” Legion site, “I Want to Live” had mirrors still accessible in Russia, yet Yandex ranked a clone site first. It diverged from the original solely in the “Contact Us” button link.

Tamoyan noted the rapid emergence of new honeypots upon the blocking of earlier ones.

“It could be an individual or a group, but someone is actively pursuing this; these sites’ uptime is thoroughly maintained. I lodge a complaint, the site’s blocked, but they register a new domain, and again. The Russian intelligence services are the only ones with a vested interest in this”, he concludes.

Tamoyan stumbled upon further circumstantial evidence of security service ties to the honeypots almost by chance. He directed some blocking requests to Cloudflare’s admin team. One response indicated that the hosting provider of the fake “Freedom of Russia” Legion sites was Stark Industries, a company linked to pro-Russian hacker groups.

“Much is already known about these people. Even specific names tied directly to Russian government agencies, likely GRU or FSB, are known,” Tamoyan notes.

Tamoyan still tracks the honeypots, but more “passively” now, having achieved his chief aim—dislodging fake sites from search engine top positions.

“I think the impact has been quite significant. Firstly, my tweets helped the story gain major attention; broad coverage probably prompted greater caution. Secondly, FSB operatives have lost their top search rankings—hopefully hampering their efforts. Of course, it’s worth remembering that an FSB agent can always slide into DMs with provocations, so staying alert is key. Failing that, there may be no safeguarding people,” Tamoyan concludes.

Edited by: Dmitry Tkachev
