The Phishing Pages That Could Get You Killed
A phishing operation tied to Russian intelligence mimics Ukrainian paramilitary recruitment pages to unmask citizens opposing the war. Search engines helped rank the fakes — exposing users to surveillance, arrest, or worse.
When fake recruitment forms aren't just about stealing your credentials — they're about helping a regime arrest its own citizens.
Most phishing campaigns aim for your password, your bank account, or your inbox. But a recent investigation reveals something far more chilling: phishing sites designed not to steal money or access, but to lure Russians seeking to oppose their government — and feed that information directly into the hands of the state.
This isn't theoretical. It’s happening right now.
Paramilitary Phishing for the Kremlin
Researchers at Silent Push uncovered a network of phishing domains mimicking the recruitment pages of Ukrainian paramilitary groups — including the Freedom of Russia Legion and the Russian Volunteer Corps, two groups made up of Russian citizens fighting against Moscow’s war in Ukraine.
These fake websites mirror legitimate domains nearly perfectly. One example:
Real: legionliberty[.]army
Fake: legiohliberty[.]army
That single letter swap leads to a page that asks visitors to fill out a Google Form. The form collects everything you'd expect in a military application: name, age, citizenship, Telegram handle, political beliefs, motivations, and any prior military experience. It even asks about “bad habits.”
But these aren’t recruitment forms. They’re traps.
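The single-letter swap above is the kind of lookalike a defender can flag automatically. The following Python is an added example, not code from Silent Push or from this post: it compares observed domains against a watchlist of legitimate ones by edit distance, and the function names, the `max_distance` threshold and the sample observations are assumptions.

```python
import re

# Watchlist of legitimate domains; the one entry here is the real site named above.
KNOWN_GOOD = ["legionliberty.army"]

def refang(indicator: str) -> str:
    """Normalize a defanged indicator (legiohliberty[.]army, hxxp://...) to a bare hostname."""
    d = indicator.strip().lower().replace("[.]", ".")
    d = re.sub(r"^h(xx|tt)ps?://", "", d)
    return d.split("/")[0].rstrip(".")

def osa_distance(a: str, b: str) -> int:
    """Edit distance counting insert, delete, substitute and adjacent transposition."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # swapped neighbours count once
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def classify(indicator: str, known_good=KNOWN_GOOD, max_distance: int = 2):
    """Return (verdict, closest legitimate domain, distance) for one observed domain."""
    cand = refang(indicator)
    if cand in known_good:
        return ("legitimate", cand, 0)
    closest = min(known_good, key=lambda g: osa_distance(cand, g))
    dist = osa_distance(cand, closest)
    # A small distance to a protected name, without being that name, is the red flag.
    return ("lookalike" if dist <= max_distance else "unrelated", closest, dist)

def scan(observed):
    """Return only the observed indicators that look like a watchlisted domain."""
    return [(o, *classify(o)[1:]) for o in observed if classify(o)[0] == "lookalike"]

# Constructed sample of domains as they might appear in DNS or proxy logs.
SAMPLE = ["legionliberty[.]army", "legiohliberty[.]army", "hxxps://example[.]org/join"]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print("lookalike of %s (distance %d): %s" % (hit[1], hit[2], hit[0]))
```

A fixed distance threshold produces false positives on short domain names, so scale it to name length or review hits by hand before acting on them.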

From Search Engine to Secret Police
The phishing sites weren’t distributed through traditional means like email or messaging apps. Instead, researchers believe attackers manipulated search engine results to promote the fake sites — particularly within Russia.
In one documented case, a search on Yandex, Russia’s dominant search engine, returned a phishing site as the top result when users searched for the Freedom of Russia Legion. In contrast, Google showed the real site first.
But Yandex wasn’t alone. DuckDuckGo and Bing were also found to consistently rank phishing pages higher than the legitimate ones. And this matters. A Russian dissident using a domestic browser or a privacy-centric search engine may never even reach the real site before landing in a trap.
On Google, the legitimate site won out.

This means a Russian user searching for how to join the Legion might never see the real site, and could unknowingly hand their information directly to the FSB.
A Consequence Worse Than Identity Theft
This campaign doesn’t just risk account compromise. According to public reports, communicating with the Freedom of Russia Legion is a criminal offense in the Russian Federation. In March 2023, the group was officially designated a terrorist organization by the Russian Supreme Court.
That means filling out a phishing form could easily result in:
State surveillance
Interrogation
Arrest under terrorism laws
A prison sentence of up to 20 years
Security researcher Artem Tamoian, who now lives outside of Russia, began investigating the phishing infrastructure after seeing stories about Russians being arrested for attempting to aid Ukraine. He suspected — and now has strong evidence — that these phishing domains are one of the ways dissidents are being identified.
For background on how phishing has been evolving into state-aligned surveillance infrastructure, see our coverage on:
👉 Russian-linked actors using device code phishing
👉 Russian phishing attacks targeting WhatsApp accounts
Infrastructure Tied to State-Backed Operators
Silent Push connected the domains to Stark Industries Solutions Ltd, a hosting provider that materialized in early 2022 — just before Russia’s full-scale invasion of Ukraine. The company quickly acquired a massive block of IP space, much of it previously assigned to Russian government agencies.
Stark has since been implicated in:
Hosting malware and DDoS infrastructure
Supporting Russian intelligence operations
Providing “bulletproof” services to disinformation campaigns
Multiple domains from the phishing network resolve to Stark-controlled infrastructure, including:
rusvolcorps[.]net (spoofing the Russian Volunteer Corps)
hochuzhitlife[.]com (spoofing Ukraine’s Ministry of Defense)
ciagov[.]icu (spoofing the U.S. CIA)
Each one uses simple but convincing design to trick visitors into thinking they're accessing official websites.

Implications for the Security Community
This campaign is a reminder that phishing isn’t always about money, and attribution isn’t always about malware. It’s a modern surveillance tool — and in authoritarian regimes, it can be as deadly as any exploit.
For defenders, it highlights several urgent truths:
Search result integrity matters just as much as email filtering.
SEO abuse is an under-policed vector for influence ops and traps.
Open-source tools like Google Forms can be weaponized in geopolitical operations.
Hosting infrastructure often lags behind threat attribution, especially when it’s "bulletproof."
What the Arrests Tell Us
While there’s no confirmed public case linking one of these phishing sites to a specific arrest, Tamoian notes that many Russians have been charged in recent years for attempting to help Ukrainian forces. The charges often cite online communication with Ukrainian recruiters — but don’t specify how that contact was made.
Given the volume of arrests and the growing network of fake recruitment sites, the connection feels less hypothetical and more operational.
“These cases are always classified,” Tamoian told KrebsOnSecurity. “But when you keep seeing arrests tied to online contact with Ukrainian forces — and you see these phishing sites keep showing up at the top of search engines — you start to connect the dots.”
Why This Matters
The security industry talks a lot about protecting identities, data, and networks. But this campaign shows what happens when phishing is used to target belief systems — and when threat actors exploit infrastructure to silence opposition.
It’s not just a Russian problem. It’s a reminder that in conflict zones — physical or digital — security tooling can be weaponized just as easily as misinformation.
And as long as search engines index the web without proper vetting of manipulative behavior, these pages will keep rising to the top.
The full Silent Push report: https://www.silentpush.com/blog/russian-intelligence-phishing/
The Krebs Writeup: https://krebsonsecurity.com/2025/03/when-getting-phished-puts-you-in-mortal-danger/
Stay tuned to Vulnu for deeper investigations into infrastructure abuse, digital repression, and the weaponization of open-source platforms by nation-states.