
Cybersecurity firm F6 has identified a new investment scam impersonating the Russian state-funded “Defenders of the Fatherland” foundation, targeting citizens ahead of Victory Day (May 9). Fraudsters created fake websites offering fraudulent “social programs” with promises of up to 30 million RUB in returns for investments in Russian companies [1]. The campaign leverages patriotic sentiment and employs sophisticated social engineering tactics, including fake testimonials and cloned websites.
Scam Mechanics and Tactics
The attackers operate by directing victims to fraudulent websites mimicking the legitimate veteran-svo.ru domain. These sites request personal data (name, phone number) under the guise of investment opportunities. After initial contact, victims receive calls from impersonators posing as fund managers [2]. In some cases, victims are instructed to download fake brokerage applications containing malware designed to drain bank accounts. A secondary tactic involves requesting passport scans for “verification,” potentially enabling identity theft.
F6 analysts, including Evgeny Egorov, note this is the first recorded use of the “Defenders of the Fatherland” brand in investment scams. Similar schemes previously exploited defense industry themes, such as the fake “Military-Industrial Complex Fund” campaign in 2024 [3]. The timing aligns with increased financial activity around Victory Day, when citizens may be more receptive to patriotic appeals.
Technical Indicators and Response
F6 reported the fraudulent domains to Russia’s National Computer Incident Response Center (NKTsKI), leading to their takedown. However, the group is expected to register new domains. The scam shares characteristics with other Russian-language investscams:
| Tactic | Implementation |
|---|---|
| Website Cloning | Copies of legitimate fund pages with modified contact forms |
| Malware Distribution | Fake Android/iOS apps masquerading as investment platforms |
| Social Engineering | Scripted calls referencing recent military events |
“This campaign reflects a broader trend of scams exploiting trust in state-affiliated organizations. The use of Victory Day themes increases its psychological effectiveness.”
— F6 Threat Intelligence Team [4]
Broader Threat Landscape
Investment scams (investscam) remain a persistent threat in Russia, often leveraging cryptocurrency projects or stock offers. Recent NKTsKI data shows a 40% increase in such schemes since 2023 [5]. Parallel campaigns include:
- Fake veteran benefit offers via Telegram channels
- Phishing emails impersonating HR platforms to harvest employee data
- Spoofed FSB documents used to extract sensitive information
Mitigation Strategies
Organizations should alert employees and customers to these tactics. Key recommendations include:
- Verify URLs against the official veteran-svo.ru domain before submitting data
- Implement email filtering for investment-related communications
- Monitor for suspicious app downloads matching described signatures
The “Defenders of the Fatherland” fund has issued warnings about impersonators and directs inquiries to their verified social media channels. Financial institutions should scrutinize transactions referencing patriotic investment opportunities during May.
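As an added illustration of the first recommendation (this is not F6's or the fund's tooling), the Python example below classifies a URL or bare hostname against the official veteran-svo.ru domain, catching subdomain tricks, userinfo tricks, near-miss spellings and Cyrillic homoglyphs. The homoglyph subset, the edit-distance threshold and the choice to trust every subdomain of the official domain are assumptions made for the example.

```python
from urllib.parse import urlsplit

OFFICIAL = "veteran-svo.ru"      # official domain named in the article
BRAND = OFFICIAL.split(".")[0]   # "veteran-svo"
# Assumed subset of Cyrillic letters that render like Latin a e o p c y x i s
HOMOGLYPHS = str.maketrans("\u0430\u0435\u043e\u0440\u0441\u0443\u0445\u0456\u0455",
                           "aeopcyxis")

def edit_distance(a, b):
    """Levenshtein distance using two rolling rows."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(url, max_distance=2):
    """Return 'official', 'lookalike', 'unrelated' or 'invalid'."""
    try:
        parts = urlsplit(url if "://" in url else "//" + url)
        host = (parts.hostname or "").rstrip(".")
        user = (parts.username or "").lower()
    except ValueError:
        return "invalid"
    if not host:
        return "invalid"
    # Exact match or subdomain of the official domain (assumed to be trusted)
    if host == OFFICIAL or host.endswith("." + OFFICIAL):
        return "official"
    if BRAND in user:            # https://veteran-svo.ru@other-host/ trick
        return "lookalike"
    if host.isascii():
        try:                     # turn xn-- (punycode) labels back into Unicode
            host = host.encode("ascii").decode("idna")
        except UnicodeError:
            pass
    folded = host.lower().translate(HOMOGLYPHS)
    squeezed = BRAND.replace("-", "")
    for label in folded.split("."):
        if squeezed in label.replace("-", "") or edit_distance(label, BRAND) <= max_distance:
            return "lookalike"
    return "unrelated"
```

Run over proxy logs or a feed of newly registered domains, a "lookalike" result is a prompt for manual review rather than a verdict, since the threshold can also match unrelated names.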
Conclusion
This campaign demonstrates how threat actors adapt social engineering tactics to current events. The combination of brand impersonation, seasonal timing, and multi-channel delivery makes it particularly effective. While the immediate domains have been disrupted, organizations should prepare for similar scams exploiting other state-affiliated entities.
References
- [1] “F6 warns of investment scams ahead of May 9,” Habr, 2025-04-29.
- [2] “Scammers launch fake fund campaigns before Victory Day,” CNews, 2025-04-29.
- [3] “Fraudsters use Defenders of the Fatherland brand in scams,” Russian Gazette, 2025-04-29.
- [4] “F6 identifies new financial fraud scheme,” RBC, 2025-04-29.
- [5] “Official statement on impersonation attempts,” Defenders of the Fatherland Fund, 2025-04-28.