Key takeaways
- Extremist groups are increasingly self-funding through cybercrime. Task Force Rusich, a violent extremist faction associated with the Wagner Group, appears to have generated tens of millions of dollars in cryptocurrency through addresses linked to both public donation campaigns and malware-enabled theft.
- A public Rusich donation address identified by TRM was embedded directly in a malware strain, establishing a definitive on-chain link between extremist fundraising and criminal infrastructure.
- At least USD 6 million in on-chain volume is tied to malware-embedded addresses and the surrounding networks.
- The malware likely supported dual revenue streams. In addition to clipboard hijacking, wallet activity and code references suggest possible covert cryptocurrency mining, pointing to a hybrid theft-and-mining funding model.
- The campaign remains active. Sustained inflows over several years indicate this is not a historical operation but an ongoing revenue stream.
- Blockchain transparency enabled exposure. Despite attempts to monetize anonymously, address reuse and exchange clustering allowed TRM analysts to map the network and quantify its finances.
Wagner Group's evolving financial playbook
For years, TRM Labs has tracked the Wagner Group's financial infrastructure, documenting its use of cryptocurrency to support operations linked to conflict zones, sanctions evasion, and extremist activity. Prior TRM research has shown how Wagner-affiliated entities have leveraged digital assets for fundraising, logistics, and cross-border value transfer.
New intelligence now reveals an additional layer of that playbook.
Wagner's paramilitary group, Task Force Rusich, is a far-right sabotage and assault reconnaissance group that operates as a specialized subunit within the Wagner Group. Founded in 2014 by Alexey Milchakov and Yan Petrovsky, Rusich has fought alongside Wagner in Ukraine, Syria, and other conflict zones. It appears to have partially self-funded its activities for years through cryptocurrency-focused malware. The campaign remains active today and combines:
- Clipboard hijacking (crypto address replacement),
- Theft of victim funds,
- And potential covert cryptocurrency mining.
On-chain evidence directly links the malware infrastructure to wallets publicly associated with the group, and TRM has identified over USD 6 million in volume associated with addresses embedded in the malware.
In addition to clipboard hijacking, analysis indicates the malware may also support supplementary revenue generation through cryptocurrency mining. The code references XMRig, an open-source tool commonly used to mine Monero (XMR), and multiple Rusich-linked addresses have received funds from mining pools. While direct cryptojacking activity was not conclusively observed in every sample, the convergence of stolen funds, mining pool payouts, and embedded mining functionality suggests the malware may have served a dual purpose: both theft and covert computational exploitation.
If confirmed, this would reflect a hybrid funding model combining opportunistic victim theft, potential passive mining revenue, and broader extremist fundraising infrastructure.
The malware: Clipboard hijacking and embedded wallets
The malware, first observed around 2021-2022, contains clipboard hijacking functionality commonly referred to as "clipper" malware.
When sending cryptocurrency, users typically copy and paste the recipient's wallet address because the strings are long and must be entered exactly. Clipper malware exploits this behavior by monitoring the clipboard and silently replacing the copied address with one controlled by the attacker, causing funds to be sent to the wrong destination. This feature, however, allowed TRM analysts to identify addresses hardcoded in the malware files, which were then linked to addresses associated with Task Force Rusich. The same malware also references infrastructure consistent with cryptocurrency mining activity, including indications of Monero-related functionality.
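The substitution described above happens silently and almost instantly after the user copies an address, which is exactly the behaviour a host-side monitor can look for. The following is an added example, not TRM's code or anything from the malware: a detector that walks a polled clipboard trace and flags an address being replaced by a different address of the same family within a short window. The trace, the address strings and the two-second window are constructed assumptions; a real monitor would poll the OS clipboard instead of reading a list.

```python
"""Heuristic clipper-style swap detector over a polled clipboard trace.

Added example, not TRM's or any vendor's code. A real monitor would poll
the OS clipboard; here the poll results are a constructed list so the
logic runs offline.
"""
import re
from dataclasses import dataclass

# Address families a clipper would target. The patterns are deliberately
# loose: the goal is "looks like an address of family X", not checksum
# validation, because an attacker-supplied address is itself valid.
ADDRESS_FAMILIES = {
    "btc": re.compile(r"^(bc1[a-z0-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "xmr": re.compile(r"^[48][0-9A-Za-z]{94}$"),
}


def address_family(text: str):
    """Return the family name if `text` looks like a crypto address, else None."""
    text = text.strip()
    for name, pattern in ADDRESS_FAMILIES.items():
        if pattern.match(text):
            return name
    return None


@dataclass
class Alert:
    t: float
    family: str
    original: str
    replacement: str


def detect_swaps(samples, window_seconds=2.0):
    """Flag clipboard changes that look like a clipper substitution.

    `samples` is a time-ordered list of (seconds, clipboard_text) from polling.
    A swap is reported when an address is replaced by a *different* address of
    the same family within `window_seconds`. A user copying two addresses
    back-to-back can trip this too, so treat alerts as leads, not verdicts.
    """
    alerts = []
    prev_t, prev_text = None, None
    for t, text in samples:
        if prev_text is not None and text != prev_text:
            fam_prev = address_family(prev_text)
            fam_now = address_family(text)
            if fam_prev and fam_now == fam_prev and (t - prev_t) <= window_seconds:
                alerts.append(Alert(t, fam_now, prev_text.strip(), text.strip()))
        prev_t, prev_text = t, text
    return alerts


# Constructed trace: the user copies an Ethereum address at t=10.0 and half a
# second later the clipboard holds a different Ethereum address nobody copied.
# Every address below is a made-up placeholder, not a real wallet.
SAMPLE_TRACE = [
    (0.0, "meeting notes"),
    (10.0, "0x1111111111111111111111111111111111111111"),
    (10.5, "0x2222222222222222222222222222222222222222"),
    (45.0, "bc1qplaceholderplaceholderplaceholder0000"),    # user copies a BTC address
    (120.0, "bc1qanotherplaceholderaddress0000000000000"),  # a different one, two minutes later
    (121.0, "grocery list"),
]

if __name__ == "__main__":
    for a in detect_swaps(SAMPLE_TRACE):
        print(f"t={a.t}: {a.family} address {a.original} -> {a.replacement}")
```

Run as a script it reports the single swap at t=10.5; the two Bitcoin addresses copied two minutes apart fall outside the window and are not reported. Widening the window trades false negatives for false positives, which is why the result is a lead for a human to check against the transaction they were about to send.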
Direct attribution: Donation address overlap
The strongest link between the malware activity and Task Force Rusich is a clear operational overlap. A cryptocurrency donation address publicly shared by Task Force Rusich on Telegram was identified among the wallet addresses embedded in the malware, directly connecting the group's public-facing fundraising infrastructure with wallets used to receive stolen funds. This reuse of financial infrastructure is a significant operational security failure, and it materially strengthens attribution confidence by tying the malware-enabled theft activity to the group's known support network.
Following the funds: Exchange consolidation
On-chain tracing reveals that stolen funds from multiple victim wallets were ultimately consolidated into shared exchange deposit infrastructure.
Specifically, we identified flows into TradeOgre deposit addresses, with multiple Rusich-linked wallets depositing into the same exchange endpoint.
TradeOgre was a cryptocurrency exchange that operated with limited transparency and minimal compliance controls, which made it a popular place for criminals to hide money. Canadian authorities seized TradeOgre in late 2025.
This suggests:
- Control of a shared exchange account,
- Or close coordination within a broader financial network.
Wagner's enduring financial infrastructure
Wagner Group remains a significant threat actor with global operational reach, and its affiliated units, including Task Force Rusich, warrant continued scrutiny. Understanding how these networks finance and sustain activity is essential to assessing their operational resilience.
On-chain analysis enables investigators to connect disparate elements across fundraising campaigns, malware infrastructure, and exchange activity, revealing relationships that would otherwise remain fragmented. By tracing hardcoded wallet addresses and related transaction flows, TRM was able to link cyber-enabled theft activity directly to Rusich-associated infrastructure.
Notably, this malware-linked revenue stream remains active. The persistence of these inflows underscores how extremist financial infrastructure can continue operating beneath the surface, and how blockchain analysis is essential to bringing these connections to light.
Frequently asked questions (FAQs)
1. What is Task Force Rusich?
Task Force Rusich is a far-right paramilitary group associated with the Wagner Group, a Russian private military company. Founded in 2014 by Alexey Milchakov and Yan Petrovsky, the group has operated in multiple conflict zones, including Ukraine and Syria.
Rusich has also used online channels to solicit cryptocurrency donations. TRM analysis suggests that some wallets used in these campaigns overlap with addresses embedded in malware.
2. What is clipper malware?
Clipper malware is a type of malicious software designed to divert cryptocurrency transactions.
It monitors a victim's clipboard for copied wallet addresses and silently replaces them with an attacker-controlled address. If the victim sends the transaction without noticing the change, the funds are redirected to the attacker.
3. What is cryptojacking?
Cryptojacking is the unauthorized use of a device's computing power to mine cryptocurrency. Attackers install malware that secretly runs mining software, allowing them to generate cryptocurrency using victims' hardware resources.
Code references in the Rusich-linked malware suggest the potential use of XMRig, a tool commonly used to mine Monero (XMR).
4. How can malware generate cryptocurrency revenue?
Malware can generate cryptocurrency revenue in several ways, including:
- Clipboard hijacking to redirect funds
- Cryptojacking to mine cryptocurrency using victims' devices
- Credential theft that enables attackers to access digital wallets
In some campaigns, attackers combine multiple techniques to create several revenue streams simultaneously.
5. Why do extremist groups use cryptocurrency?
Cryptocurrency allows groups to raise funds globally and transfer value without relying on traditional financial intermediaries.
At the same time, blockchain transactions are recorded on public ledgers. This transparency allows investigators to trace financial activity and identify networks involved in illicit activity.
6. How does blockchain analysis help investigators trace illicit activity?
Blockchain analysis examines transaction histories and relationships between wallet addresses. Investigators can identify patterns such as address reuse, exchange deposits, and shared infrastructure.
These insights help connect separate activities, such as malware operations, fundraising campaigns, and exchange withdrawals, into a broader financial network.
7. What role do cryptocurrency exchanges play in laundering funds?
Cryptocurrency exchanges often serve as points where illicit funds are consolidated, traded, or converted into fiat currency.
Investigators can trace deposits into exchange infrastructure and, in some cases, work with compliant exchanges to identify account holders and disrupt illicit financial networks.
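Covert mining of the kind discussed here leaves host-side traces that are easier to spot than the wallet activity: a pool URL or miner flags in a command line, a long-lived connection to a pool port, and CPU pinned for hours. The block below is an added example, not TRM's code or anything derived from the Rusich malware. It scores constructed per-process telemetry (of the shape an EDR or osquery-style collector reports) against indicators that commodity XMRig-style miners commonly show, and flags a process only when several indicators coincide, because each one alone has benign explanations. The sample records, the `.invalid` hostnames, the placeholder wallet string and the thresholds are all assumptions.

```python
"""Heuristic cryptojacking triage over constructed endpoint telemetry.

Added example, not TRM's code. The records below are constructed to resemble
what an EDR or osquery-style collector reports per process: command line,
CPU share over a sampling window, and remote ports of its connections. The
indicators are ones commodity XMRig-style miners commonly show (stratum pool
URLs, miner command-line flags, sustained CPU, typical pool ports). None is
conclusive alone, so a process is flagged only when several coincide.
"""
import re
from dataclasses import dataclass, field

STRATUM_RE = re.compile(r"stratum\+(tcp|ssl)://", re.IGNORECASE)
# Flags that XMRig and its forks accept; ordinary software rarely uses these names.
MINER_FLAGS = ("--donate-level", "--algo", "--coin", "--rig-id", "--keepalive")
# Ports widely used by public mining pools; other services use them too, so this
# counts as one indicator only.
COMMON_POOL_PORTS = {3333, 4444, 5555, 7777, 14444}


@dataclass
class ProcessRecord:
    pid: int
    name: str
    cmdline: str
    cpu_pct: float  # average CPU share over the sampling window
    remote_ports: list = field(default_factory=list)


def miner_indicators(rec, cpu_threshold=80.0):
    """Return the list of indicators a process exhibits (empty if none)."""
    reasons = []
    if STRATUM_RE.search(rec.cmdline):
        reasons.append("stratum pool URL in command line")
    if any(flag in rec.cmdline for flag in MINER_FLAGS):
        reasons.append("miner-style command-line flags")
    if rec.cpu_pct >= cpu_threshold:
        reasons.append(f"sustained CPU at {rec.cpu_pct:.0f}%")
    if COMMON_POOL_PORTS.intersection(rec.remote_ports):
        reasons.append("connection to a port commonly used by mining pools")
    return reasons


def triage(records, min_indicators=2):
    """Processes with at least `min_indicators` indicators, with their reasons."""
    flagged = []
    for rec in records:
        reasons = miner_indicators(rec)
        if len(reasons) >= min_indicators:
            flagged.append((rec.pid, reasons))
    return flagged


# Constructed telemetry. Hostnames use the reserved .invalid TLD and the wallet
# string is a placeholder, not a real address.
SAMPLE_RECORDS = [
    ProcessRecord(4012, "upd.exe",
                  r"C:\Windows\Temp\upd.exe -o stratum+tcp://pool.example.invalid:3333 "
                  "-u 4PLACEHOLDERWALLET --donate-level 1",
                  cpu_pct=96.0, remote_ports=[3333]),
    # A busy browser tab: high CPU alone is not a miner.
    ProcessRecord(2211, "chrome.exe", "chrome.exe --type=renderer",
                  cpu_pct=88.0, remote_ports=[443]),
    # A backup agent that happens to use port 4444: one indicator, not flagged.
    ProcessRecord(3300, "backup.exe", "backup.exe --full",
                  cpu_pct=20.0, remote_ports=[4444]),
    # A throttled miner hiding under an interpreter: two indicators, flagged.
    ProcessRecord(5100, "node", "node worker.js --algo rx/0 --url pool.example.invalid:14444",
                  cpu_pct=70.0, remote_ports=[14444]),
]

if __name__ == "__main__":
    for pid, reasons in triage(SAMPLE_RECORDS):
        print(pid, "; ".join(reasons))
```

The throttled case (pid 5100) is the one worth noting: miners that cap CPU to stay under the radar defeat a CPU-only rule, but still have to name an algorithm and talk to a pool, so combining weak indicators catches what any single one misses.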
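The three patterns named here (address reuse, shared exchange deposit endpoints, and co-spending that groups addresses under one owner) are what let an analyst connect a malware-embedded address to a public donation address and to an exchange, as the "Following the funds" section describes. The block below is an added example, not TRM's tooling or data: it applies the common-input-ownership heuristic to a small constructed transaction set, checks which malware-embedded addresses share a cluster with a public donation address, finds deposit addresses fed by more than one cluster, and totals the volume received by the embedded addresses. All transactions, addresses and amounts are constructed placeholders in arbitrary integer units.

```python
"""Toy on-chain analysis: cluster addresses with the common-input-ownership
heuristic, test whether malware-embedded addresses share a cluster with a
public donation address, and find exchange deposit endpoints fed by more
than one cluster.

Added example, not TRM's tooling. All transactions, addresses and amounts are
constructed placeholders in arbitrary integer units.
"""
from collections import defaultdict

# Constructed UTXO-style transactions: inputs and outputs as (address, amount).
TRANSACTIONS = [
    {"txid": "t1", "inputs": [("victimA", 1_000_000)], "outputs": [("mal1", 1_000_000)]},
    {"txid": "t2", "inputs": [("victimB", 500_000)], "outputs": [("mal2", 500_000)]},
    {"txid": "t3", "inputs": [("victimC", 300_000)], "outputs": [("mal3", 300_000)]},
    {"txid": "t4", "inputs": [("donor1", 200_000)], "outputs": [("donate1", 200_000)]},
    # Two malware addresses co-spent with the public donation address: the overlap.
    {"txid": "t5", "inputs": [("mal1", 1_000_000), ("mal2", 500_000), ("donate1", 200_000)],
     "outputs": [("exch_dep1", 1_700_000)]},
    # A separate cluster deposits to the same exchange endpoint.
    {"txid": "t6", "inputs": [("mal3", 300_000)], "outputs": [("exch_dep1", 300_000)]},
    {"txid": "t7", "inputs": [("unrelated1", 3_000_000)], "outputs": [("exch_dep2", 3_000_000)]},
]
MALWARE_EMBEDDED = {"mal1", "mal2", "mal3", "donate1"}   # hardcoded in a sample (constructed)
PUBLIC_DONATION = {"donate1"}                             # posted publicly (constructed)
EXCHANGE_DEPOSITS = {"exch_dep1", "exch_dep2"}           # known exchange endpoints (constructed)


def cluster_by_coinput(txs):
    """Map every address to the frozenset of addresses in its cluster.

    Common-input-ownership: all inputs of one transaction are assumed to be
    spent by one entity. Outputs are NOT merged (they may be change or a
    counterparty), so this is a conservative, lower-bound clustering.
    """
    parent = {}

    def find(a):
        parent.setdefault(a, a)
        while parent[a] != a:
            parent[a] = parent[parent[a]]  # path halving
            a = parent[a]
        return a

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[ra] = rb

    for tx in txs:
        inputs = [addr for addr, _ in tx["inputs"]]
        for addr in inputs + [addr for addr, _ in tx["outputs"]]:
            find(addr)  # register every address as a node
        for other in inputs[1:]:
            union(inputs[0], other)

    members = defaultdict(set)
    for addr in parent:
        members[find(addr)].add(addr)
    return {addr: frozenset(members[find(addr)]) for addr in parent}


def attribution_overlap(clusters, embedded, donation):
    """Embedded addresses that sit in the same cluster as a public donation address."""
    donation_clusters = {clusters[a] for a in donation if a in clusters}
    return {a for a in embedded if clusters.get(a) in donation_clusters}


def shared_deposit_endpoints(txs, clusters, deposit_addrs):
    """Deposit addresses receiving from two or more distinct clusters, with the count."""
    feeders = defaultdict(set)
    for tx in txs:
        senders = {clusters[addr] for addr, _ in tx["inputs"]}
        for addr, _ in tx["outputs"]:
            if addr in deposit_addrs:
                feeders[addr].update(senders)
    return {addr: len(cl) for addr, cl in feeders.items() if len(cl) >= 2}


def received_volume(txs, addresses):
    """Total amount paid to any of `addresses` across all transactions."""
    return sum(amt for tx in txs for addr, amt in tx["outputs"] if addr in addresses)


if __name__ == "__main__":
    clusters = cluster_by_coinput(TRANSACTIONS)
    print("overlap:", sorted(attribution_overlap(clusters, MALWARE_EMBEDDED, PUBLIC_DONATION)))
    print("shared endpoints:", shared_deposit_endpoints(TRANSACTIONS, clusters, EXCHANGE_DEPOSITS))
    print("volume to embedded addresses:", received_volume(TRANSACTIONS, MALWARE_EMBEDDED))
```

On real chains the same three functions run over millions of transactions and the heuristic needs care (CoinJoin-style transactions break the co-spend assumption, and account-based chains have no inputs to co-spend), but the logic of the attribution argument is the one shown: an address hardcoded in malware lands in the same ownership cluster as an address the group published, and several clusters drain into one exchange endpoint.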