AI Summary
This study addresses event-driven malicious cyber activities, particularly phishing, fraud, and malware distribution leveraging real-world crises (e.g., armed conflicts) as lures, by systematically characterizing their behavioral patterns and social engineering tactics.
Method: We propose an interpretable unsupervised clustering framework that jointly models website structure, semantic content, and temporal behavioral features to enable fine-grained classification and pattern discovery among conflict-related malicious sites.
Contribution/Results: Experiments identify distinct attack clusters, including donation scams, fake news propagation, and humanitarian aid impersonation, revealing how adversaries exploit event-specific psychological triggers (e.g., heightened trust, information scarcity, emotional urgency) for precise manipulation. The approach yields empirically grounded insights for early detection of event-themed threats, adaptive defense design, and construction of interpretable, context-aware threat intelligence, establishing both methodological rigor and practical applicability in crisis-driven cybersecurity.
Abstract
Cybercrimes such as online scams and fraud have become prevalent. Cybercriminals often abuse various global or regional events as themes of their fraudulent activities to breach user trust and attain a higher attack success rate. These attacks attempt to manipulate and deceive innocent people into interacting with meticulously crafted websites with malicious payloads, phishing, or fraudulent transactions. To deepen our understanding of the problem, this paper investigates how to characterize event-themed malicious website-based campaigns, with a case study on war-themed websites. We find that attackers tailor their attacks by exploiting the unique aspects of events, as evidenced by activities such as fundraising, providing aid, collecting essential supplies, or seeking updated news. We use explainable unsupervised clustering methods to draw further insights, which could guide the design of effective early defenses against various event-themed malicious web campaigns.