Middle East Crisis: Opportunistic Fraud and Emerging Suspicious Activity

Executive Summary
Thus far during the Middle East crisis, Netcraft has observed opportunistic online activity in two strands: confirmed government-impersonation fraud, and evacuation-themed sites that are not confirmed malicious but show risk markers such as urgency-first wording, unverified operator claims and Telegram/WhatsApp contacts. Domain choices such as dubai-evac[.]com and getoutofdubai[.]com appear crafted to capture crisis-driven searches amid travel disruption. We will continue monitoring the situation.
Situation Overview
Geopolitical crises rarely remain confined to the physical world. They quickly extend into the digital ecosystem, where threat actors exploit confusion, urgency, and rapidly changing information to launch fraudulent campaigns. Early signs of this pattern are already emerging in relation to the current Middle East conflict.
Netcraft has identified initial indicators of opportunistic activity tied to the crisis, including government-impersonation phishing emails and newly registered websites offering evacuation or emergency travel services.
While some of this activity has been confirmed as malicious and other elements remain under investigation, the broader pattern is clear: threat actors are attempting to capitalize on uncertainty and crisis-driven demand for information and assistance.
AE Government Impersonation Email
On 2026‑03‑04 we observed a shotgun‑style email run impersonating UAE authorities, sent under the display name “AE GOV” with the subject “Official Government Alert: National Security Update.”

Figure 1. Fraudulent email impersonating AE Gov.
The email impersonates the UAE Ministry of Interior. The ministry's logo is used, and the footer reinforces the impersonation with “This is an official government communication. © 2026 Ministry of Interior.”
The message presents itself as an official national notification, instructing “citizens and residents” to complete a mandatory emergency registration form to qualify for “government support, compensation, or insurance coverage.” It leverages crisis‑related framing (“emergency protocols activated,” “current situation”) and asserts that support is contingent on completing the form.
Distribution notes (observed):
Shotgun send: reported via multiple spam feeds and forwarded abuse reports; appears to be indiscriminate targeting.
Timing/scale: primarily 2026‑03‑04; hundreds of messages observed.
Dispatch channel: emails are sent via a Korean newsletter service (directsend.co.kr); messages include service boilerplate and unsubscribe text in Korean at the bottom.
Dubai Customs Impersonation Website

Figures 2a and 2b. Content on dubaicuctoms[.]com.
The domain dubaicuctoms[.]com (registered on 2026-03-03) is an active impersonation of the legitimate Dubai Customs (dubaicustoms.gov.ae). It uses the official logo to present a fabricated parcel‑tracking portal.
The messaging on the site mirrors common postal-themed phishing kits but is adapted to reference the Middle East crisis and associated border-control disruptions. The site claims that a shipment has been placed “on hold due to regional instability and updated security protocols.” Users are prompted to provide personal details to “reactivate” clearance, followed by a request for card data to pay an AED 20 “Clearance Activation Fee.”


Evacuation-themed websites
During the Middle East crisis, widespread airspace closures, flight suspensions, and airport shutdowns across the UAE, Qatar, and neighbouring states created significant disruption for travellers. Against this backdrop, several newly registered websites have appeared offering “evacuation,” “emergency extraction,” or “private exit” services from Dubai and the wider Gulf region.
While the sites vary in presentation, the examples we examined share a number of recurring characteristics:
Purpose-registered domain names intentionally chosen to capture crisis‑related search behaviour, including terms directly associated with evacuation scenarios or location specificity (e.g., dubai-evac[.]com, getoutofdubai[.]com, evakuierungshilfedubai[.]com (German for “evacuation help Dubai”)).
Urgency-focused, crisis-adjacent wording (e.g., “Evacuate Dubai Safely Now”, “Urgent flights available out of Dubai”) positioning evacuation as time-sensitive.
Offers of rapid and guaranteed movement out of affected areas (e.g. “Seats even on sold-out flights”).
Focus on discretion and confidentiality, often framed as a premium or protective service.
Limited or absent operator details, with no verifiable company name, licensing information, or physical presence. Several sites do claim to be run by known organizations; however, we found no external evidence to support the association.
Directing the visitor to non‑standard contact channels such as Telegram or WhatsApp.
Requests for payment in BTC.
These indicators alone do not confirm malicious intent, and Netcraft is not able to confirm these sites as fraudulent without further investigation. However, the combination of anonymity, crisis‑themed urgency, unverifiable claims, and payment methods that are difficult to trace aligns with patterns commonly seen in opportunistic activity during periods of disruption.
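The markers listed above can be applied as a triage pass over crawled pages, ranking sites for analyst review rather than labelling them fraudulent. The following Python is an added example, not Netcraft's tooling; the regexes, the thresholds, the reserved .test domains and the sample page text are all assumptions constructed for illustration.

```python
import re

# Markers follow the list above. The regexes, the thresholds and the sample
# pages are assumptions made for this example, not Netcraft's detection logic.
MARKERS = {
    "crisis_domain":   ("domain", r"evac|evaku|getout"),
    "urgency":         ("text", r"\b(now|urgent|immediately)\b"),
    "guaranteed_exit": ("text", r"guarantee|sold-out"),
    "discretion":      ("text", r"discreet|discretion|confidential"),
    "chat_contact":    ("text", r"t\.me/|telegram|wa\.me/|whatsapp"),
    "crypto_payment":  ("text", r"\b(btc|bitcoin)\b"),
}
# Operator details a legitimate travel business would normally publish.
OPERATOR_DETAILS = r"licen[cs]e (no|number)|company (no|number)|registered office"


def triage(domain, page_text):
    """Return (sorted marker names, priority). Priority ranks analyst review;
    it is not a verdict that the site is fraudulent."""
    label = domain.replace("[.]", ".").lower().split(".")[0]
    fields = {"domain": label, "text": page_text}
    hits = {name for name, (field, rx) in MARKERS.items()
            if re.search(rx, fields[field], re.I)}
    if not re.search(OPERATOR_DETAILS, page_text, re.I):
        hits.add("no_operator_details")
    priority = "high" if len(hits) >= 4 else "medium" if len(hits) >= 2 else "low"
    return sorted(hits), priority


# Constructed sample pages (reserved .test domains, invented text).
SAMPLES = {
    "evac-gulf-example[.]test": (
        "Evacuate Safely Now. Seats even on sold-out flights. "
        "Fully confidential service. Contact us on Telegram: t.me/example. "
        "Payment accepted in BTC."
    ),
    "airline-example[.]test": (
        "Flight status and rebooking options. Example Air LLC, "
        "licence number 00000, registered office: 1 Example Street. "
        "Call our support centre or manage your booking online."
    ),
}

if __name__ == "__main__":
    for domain, text in SAMPLES.items():
        print(domain, *triage(domain, text))
```

A single marker keeps a site at low priority, which matches the caveat that these indicators alone do not confirm malicious intent.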
Examples

Example 1. dubai-evac[.]com

Example 2. evocouae[.]com (machine translated from Russian)


Examples 3 and 4. evacuationprivate-uae[.]com

Example 5. getoutofdubai[.]com
Conclusion
The activity observed so far illustrates a familiar dynamic: attackers move quickly when global events create confusion, urgency, and new search behavior. In this case, the combination of crisis-themed phishing, government impersonation, and evacuation-related domains suggests threat actors are actively probing for ways to exploit the situation.
Even when individual sites or campaigns cannot yet be definitively classified as malicious, the patterns surrounding them – recent registrations, unverifiable operators, urgent messaging, and unconventional payment requests – are consistent with opportunistic fraud activity that often emerges during periods of disruption.
Netcraft will continue monitoring these developments as the situation evolves. For organizations, the key takeaway is that geopolitical crises frequently create new digital attack surfaces. Maintaining visibility into emerging infrastructure and threat narratives helps security teams identify and disrupt fraud campaigns before they can scale and impact victims.



