Attackers Exploit Middle East Crisis to Solicit Fraudulent Cryptocurrency Donations for Children

Attackers attempt to solicit fraudulent donations via cryptocurrency transfers under the guise of collecting donations for children in Palestine.
November 16, 2023

Threat actors are known to capitalize on geopolitical events to manipulate victims into sending money under the guise of charitable donations, and the ongoing events in Gaza and Israel are no exception.

In a recent charity attack detected by Abnormal, cybercriminals attempted to solicit fraudulent donations by playing on sympathy for children in Palestine. The attackers encouraged recipients to donate funds to the provided cryptocurrency wallet addresses, claiming the money would go to providing basic needs, including water, medical care, and Internet access.

According to our research, the campaign targeted 212 individuals at 88 organizations.

Breaking Down the Cryptocurrency Donation Attack

The email states that an unidentified group (presumably from “help-palestine[.]com”, the sender’s display name) is “launching a campaign to provide vital support” to families in Palestine and invites the target to donate to the cause.

[Image: crypto donation attack email]

After asking for contributions ranging from $100 to $5,000, the attacker explains that donations can be made using cryptocurrency and provides wallet addresses for Bitcoin, Litecoin, and Ethereum—three of the most popular digital currencies.

To further increase legitimacy and create one final opportunity to manipulate the recipients, three links to recent news articles discussing the impact of the conflict on children in the region are included at the bottom of the email.

What Makes This Attack Notable

This attack is a perfect example of cybercriminals attempting to exploit the powerful emotional response triggered by humanitarian crises. During natural disasters, national tragedies, or global emergencies, people's need to act and desire to contribute to relief efforts are heightened—making them more susceptible to deception.

Cyberattackers often take advantage of this vulnerability by weaving compelling narratives with requests for donations that appeal to recipients' sympathy. This manipulation is quintessential social engineering, as it preys on the target's goodwill and altruistic tendencies.

The threat actors in this attack deliberately included emotionally charged wording throughout—for example, “children in Palestine face unimaginable challenges daily”, “a lifeline for these children caught in the crossfire”, and “the children in Palestine are dying”. They also used inclusive language, such as “we have the power to make a difference” and “let’s come together,” a linguistic strategy that aims to establish a shared identity between the speaker and the reader and foster a sense of partnership.

From a technical standpoint, the attackers took multiple steps to hide their actual email address. First, they spoofed the sender email address (erode@gwcindia[.]in), which is a valid address for Goodwill Wealth Management, an India-based stock brokerage. Then, to add legitimacy, they changed the display name to “help-palestine[.]com”, a domain that doesn’t exist. The attackers' real address, theconollyfoundation@gmail[.]com, is hidden in the reply-to field, which recipients wouldn’t see unless they viewed the expanded email header.

Why This Attack is Difficult to Detect

Older, legacy email security tools like secure email gateways (SEGs) struggle to accurately identify this email as an attack for multiple reasons.

The first is the use of social engineering. Social engineering attacks often involve manipulation and deception, exploiting human psychology rather than relying solely on technical vulnerabilities. SEGs have limitations in analyzing and understanding the subtleties of language and human behavior, making it difficult to distinguish between genuine and nefarious intent.

Additionally, the email contains no payloads and lacks obvious misspellings or grammatical errors. Because this attack is entirely text-based and has no clear indicators of compromise such as a phishing link or harmful attachment, it would almost certainly bypass a SEG.

Modern, AI-native email security solutions, on the other hand, utilize the latest machine learning capabilities to correctly identify this email as an attack. Because an AI-powered email security platform is trained to identify social engineering tactics, it recognizes that this email is attempting to leverage emotional manipulation to convince the target to bypass rational thinking and quickly transfer funds. It can also detect and flag the mismatch between the sender’s email and the reply-to address, as this is a common attack tactic.
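The header mismatch described above (a domain-shaped display name, a From address at an unrelated domain, a Reply-To at a freemail provider) and the wallet addresses in the body can all be checked mechanically. The following is an added example, not Abnormal's detection logic; the function names, the freemail list, the wallet patterns, and the sample message are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: short illustrative freemail list, not exhaustive.
FREEMAIL = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}
DOMAIN_LIKE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$")
# Loose shape checks only; no checksum validation is attempted.
WALLETS = {
    "bitcoin": re.compile(r"\b(?:bc1[a-z0-9]{25,59}|[13][1-9A-HJ-NP-Za-km-z]{25,34})\b"),
    "litecoin": re.compile(r"\b(?:ltc1[a-z0-9]{25,59}|[LM][1-9A-HJ-NP-Za-km-z]{25,34})\b"),
    "ethereum": re.compile(r"\b0x[0-9a-fA-F]{40}\b"),
}

def domain_of(addr):
    return addr.rpartition("@")[2].lower()

def triage(raw):
    """Return a sorted list of findings for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    display, from_addr = parseaddr(msg.get("From", ""))
    reply_addr = parseaddr(msg.get("Reply-To", ""))[1]
    from_dom, reply_dom = domain_of(from_addr), domain_of(reply_addr)
    findings = set()
    # Replies would go to a different domain than the visible sender.
    if reply_addr and reply_dom != from_dom:
        findings.add("reply_to_domain_mismatch")
        if reply_dom in FREEMAIL:
            findings.add("reply_to_freemail")
    # Display name is shaped like a domain but is not the sending domain.
    name = display.strip().lower()
    if DOMAIN_LIKE.match(name) and name != from_dom:
        findings.add("display_name_is_unrelated_domain")
    body = "\n".join(p.get_payload() for p in msg.walk() if not p.is_multipart())
    findings.update(f"wallet_{coin}" for coin, rx in WALLETS.items() if rx.search(body))
    return sorted(findings)

# Constructed sample: placeholder addresses and wallet-shaped strings.
SAMPLE = (
    'From: "relief-fund.example" <staff@brokerage.example>\n'
    "Reply-To: constructed-sample@gmail.com\n"
    "Subject: Urgent appeal\n\n"
    "Please donate between $100 and $5,000.\n"
    "BTC: 1" + "B" * 30 + "\n"
    "ETH: 0x" + "ab" * 20 + "\n"
)

if __name__ == "__main__":
    print(triage(SAMPLE))
```

No single finding is conclusive on its own, since mailing lists and help desks legitimately set a different Reply-To; the combination with wallet strings in a payload-free message is what makes the pattern worth routing to review.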

Preventing Fraudulent Donation Attacks with Behavioral AI

Threat actors will always capitalize on any opportunity to launch attacks that can exploit world events. And with generative AI tools making it easier than ever to create convincing, error-free malicious emails, enterprises can’t rely on legacy email security systems or their employees to consistently recognize these threats.

As such, the only way to prevent a successful attack is by investing in an AI-native cloud email security solution that ensures emails like these never reach end-user inboxes.
