32

Numerous websites have been encouraging people to donate to Ukraine, to their official government, via this website. (Note: ctrl+f "en" to find the English switcher.)

  1. Is this website legit (ie, controlled by the official government of Ukraine?)?

  2. Why are the url components in English?! How can someone see this and not think it's a scam?

  3. If it is a scam, then where do you really donate? And how do you verify it without speaking the language?

6
  • 31
    Using URL components in English is a fairly common practice in cultures with an alphabet different from the basic 26-letter Latin. Using non-Latin URL components breaks things even in 2022, using transliterated local words is suboptimal in regard to SEO and never gets consistent, doubly so if the website has an English version as well. While German is still manageable, Cyrillic-based languages are out of luck. Source: my native Bulgarian language uses Cyrillic and I do web-related development for a living.
    – fraxinus
    Commented May 1, 2022 at 18:29
  • 31
    The Ukrainian word for bank is банк, which transliterated into Roman letters is just bank. Commented May 1, 2022 at 20:18
  • @DawoodibnKareem Right, but I suspect no Ukrainian word for government starts with "gov", which is what OP might have been talking about.
    – TooTea
    Commented May 2, 2022 at 6:55
  • 10
    I remember when it was perfectly normal (and the only thing possible) to only have domains in Latin letters ._. I feel a bit old Commented May 2, 2022 at 13:44
  • 3
    @htmlcoderexe With all the patriotism and profound sentiment to my beloved mother tongue, I think non-latin domains are an unfixable mess so they are not to be used anyway. At least for now.
    – fraxinus
    Commented May 3, 2022 at 11:09

6 Answers

51

It's legit and has been in use for at least 23 years.

A quick check with the Wayback Machine shows that the first record of bank.gov.ua being used by the National Bank of Ukraine goes back to January 1999. I find it very hard to imagine that anybody would spend 23 years preparing a scam (or that a scam website with an easily recognisable address would keep operating for 23 years).

I don't see why using English would be a marker of a scam. English is nowadays the de facto worldwide lingua franca and as such is fairly well suited for a website meant to be discoverable for both domestic and international users.

3
  • 64
    I was genuinely about to mock you that no website could possibly have existed for 23 years ... then I saw "1999" ... now I feel old ...
    – IMSoP
    Commented May 1, 2022 at 18:26
  • 6
    In fact, there were so many websites in 1999 that someone created a weird search engine for it a year before, named "Google". What ever happened to that project anyway?
    – Ray
    Commented May 3, 2022 at 21:44
  • 7
    @Ray: It was great while it lasted but stopped working nearly a decade ago... Commented May 3, 2022 at 21:55
26

The site ukraine.ua has, for a long time, been run by the Ukrainian government, was registered in 2012 according to whois, and is owned by the Ukrainian patent office, uatm.ua:

domain:           ukraine.ua
dom-public:       NO
license:          65490
mnt-by:           ua.tm
nserver:          crystal.ns.cloudflare.com
nserver:          sam.ns.cloudflare.com
status:           ok
created:          2012-09-28 12:19:12+03
modified:         2021-10-28 12:23:01+03
expires:          2022-09-28 12:19:12+03
source:           UAEPP

% Registrar:
% ==========
registrar:        ua.tm
organization:     Ukrainian Trademarks Ltd
organization-loc: ТОВ "Українські торговельні марки"
url:              http://uatm.ua
city:             Kyiv
country:          UA
abuse-email:      [email protected]
abuse-phone:      +380444864381
abuse-postal:     Ukraine 03087 Kyiv 18-A Erevanskaya Str., kv. 17
abuse-postal-loc: Україна 03087 Київ вул. Єреванська, буд. 18-А, кв. 17

On that website, there's a prominent link "do not look away from the war" that links to war.ukraine.ua, which again has a link "Donate to Ukraine" to war.ukraine.ua/donate, which again mentions, in its text, bank.gov.ua.

The same site has instructions for how to contact Ukraine embassies for voluntary military services. Which means that, from time to time, individuals will turn up at embassies mentioning the web site, which means Ukraine will at least be aware of the site.

The site also says, in the bottom row: This is the official website of Ukraine. The information is verified by the Ministry of Foreign Affairs of Ukraine

While this is not a 100% proof, in order to be fake, the scammer would need to have gotten control of the domain back in October 2021, with the Ukrainian government unaware, unwilling, or unable to get it back since then. This scenario sounds quite inconceivable to me. So I believe that ukraine.ua is, in fact, run by the Ukrainian government, and, by extension, the link to bank.gov.ua is legit.

4
  • 3
    The wording of "sufficiently inconceivable" seems like you're saying you see no reason to believe that this is all legitimate. Perhaps you mean it's either conceivable that this is all real, or at least that it's inconceivable that someone would be able to fake it.
    – coblr
    Commented May 1, 2022 at 23:31
  • 2
    @coblr Yes, the last sentence is slightly ambiguous and could be better worded. Note that Guntram didn't say, "It sounds sufficiently inconceivable for me to believe that [link is legit]" where it could mean "for me to believe that [link is legit]" -- i.e., saying that "for me to believe that [link is legit]" is inconceivable. Rather, Guntram said, "This sounds sufficiently inconceivable for me to believe that [link is legit]" and this refers to the scenario mentioned in the previous sentence, i.e., for "the scammer...to have gotten control of the domain...".
    – nanoman
    Commented May 2, 2022 at 0:03
  • @nanoman, fair point and I think that's part of why it's weird. As you say, "This" is definitely referring to the situation mentioned. I think "This" being followed with "...inconceivable to me to believe that [link is legit]" conflates it to sound like believing that Ukraine owning the domain is what is inconceivable. Perhaps rewording to something like "This sounds sufficiently inconceivable to me to believe, so it's much more likely that [link is legit]" would help clarify because it focuses the doubt back to the situation mentioned, then contrasts it with the intended answer.
    – coblr
    Commented May 2, 2022 at 4:09
  • 1
    Split up the last sentence into two which should hopefully resolve the ambiguity. Commented May 2, 2022 at 5:44
17

*.gov.ua can be fairly conclusively considered under the control of Ukraine's government, and it appears to be their standard to use English subdomains.

https://twitter.com/DefenceU, the verified Twitter account of Ukraine's Ministry of Defense, uses https://mil.gov.ua/ as its profile link.

Zelensky's, https://twitter.com/ZelenskyyUa, similarly uses https://president.gov.ua/.

While Twitter's verification processes aren't perfect, these accounts have been in existence throughout the current conflict and been regularly cited by major news organizations (WaPo, NYT); if they were fakes, we'd know by now.

6

The website is probably legit, as .gov.* subdomains are usually only obtainable by various government offices, i.e. a private person cannot register one easily without impersonating a government official. Moreover, "bank" is a relatively straightforward name for a bank domain, and you mentioned many websites were directing people there, so if it were a scam, it likely would have already been noticed and taken down.

9
  • 6
    @blueorchid3, in order to register a subdomain, one generally has to either control or receive approval from whoever controls the upper-level domain. The gov.ua domain itself is probably still under Ukrainian government's control. And they won't give out subdomains to random scammers.
    – 5anya
    Commented May 1, 2022 at 5:40
  • 12
    @blueorchid3 it is a hierarchical thing. Whoever controls the .ua domain may create and assign .gov.ua. Whoever controls .gov.ua may create and assign bank.gov.ua. But certainly there is no rule stating that each .gov.* belongs to the government associated with that top level domain (TLD), each TLD of l is organised independently.
    – SJuan76
    Commented May 1, 2022 at 7:19
  • 2
    gov.de is owned by someone definitely NOT affiliated with the German government.
    – Sören
    Commented May 1, 2022 at 16:21
  • 5
    @blueorchid3 No, anyone with a random TLD server can't change that. The verified Twitter of Zelensky (twitter.com/ZelenskyyUa) uses president.gov.ua; see the link in the profile, so there's clear precedent of a) using .gov.ua and b) using english subdomains.
    – ceejayoz
    Commented May 1, 2022 at 16:34
  • 2
    As recently as 2019 getting a US gov domain wasn't too difficult krebsonsecurity.com/2019/11/…
    – Gary Myers
    Commented May 1, 2022 at 22:16
2

There are actually two pieces to this.

First, is the domain name bank.gov.ua owned by the Ukraine central bank? Definitely yes, as detailed by other answers.

Second, when you enter that domain name in a browser, does it (always) connect to the (or a) website of the Ukraine central bank? Probably, but maybe not.

The Internet itself doesn't actually use domain names, they are layered on top. To connect to a website identified by a domain name, or a page identified by a URL that contains (after the scheme) a domain name, your browser does two steps:

  1. 'resolve' (map) the domain name to one or more IP (Internet Protocol) address(es) using DNS (Domain Name System). The goal of DNS is to always give you the correct address(es) -- the one(s) intended by the owner of the domain name. Or at least an(some) correct address(es) -- some domains, especially but not only high-traffic ones, run multiple systems in different locations with different addresses, and they usually set up their DNS to attempt to give each requester the 'best' address for them, based on metrics like estimated distance, latency, or capacity, so different requesters get different addresses but all are correct.

    However, that goal is not always achieved. DNS was originally designed without security (see the wikipedia page above) and it quickly became easy for malefactors to interfere with it in ways that resulted in your system resolving the given, correct name to a wrong address. DNSSEC was designed to fix that, when correctly implemented at both ends i.e. by both the authoritative server(s) for the name owner and by the resolver used by a requester. A decade ago that implementation was quite rare; today it is becoming common, but still far from complete or universal.

    First, although ua and gov.ua are properly DNSSEC-signed, bank.gov.ua is not; see https://dnsviz.net/d/bank.gov.ua/dnssec/ -- it's a bit subtle if you're not familiar with the technical details, but the blobs (resource records/types) outlined in turquoise are secured while the ones outlined in black are not. And if you mouseover the NSEC3 record in gov.ua, the (direct) parent of the desired zone, it says "... proving nonexistence of bank.gov.ua/DS", and an existing and valid DS (Designated Signer) record would be a precondition (not the only one) to securing the child zone.

    Second, most user systems today (including browsers) don't routinely use DNSSEC even when it is available. Often they simply use the OS resolver, which often in turn delegates to a 'recursive' resolver typically supplied by your ISP. The ISP typically doesn't want to provide validation because from the point of view of many many customers it just causes unexplained failures of things that should work and they complain to the ISP, while only maybe once in a million cases it correctly blocks an attack. You can probably find a third-party resolver that does validate (when available, see above) but that leaves the 'last mile' from the resolver to your system vulnerable. Although some browsers now have an option to use DNS-over-HTTPS which not only protects the last mile, but the resolvers that support it are likely to be security-minded and do validation.

  2. connect to the address (or one of them) obtained in step 1. Again the goal of the Internet is that whenever you connect to an address -- more specifically send packets to it -- they should arrive at the correct place, normally the (unique) system assigned that address, but again the goal isn't always achieved. Internet Protocol was designed to work (and still does) even when parts of the network fail, and to accomplish this it automatically routes packets on a highly dynamic basis. As a result of this design, it is not hard for systems in the 'backbone', anywhere in the world, to 'steal' traffic to certain addresses that actually belonged somewhere else -- see BGP hijacking. In the last few years people have begun working on fixing this attack, but it requires fixing or replacing a huge number of systems all across the world, which is a slow process.

    There are frequently also risks on the local part of your network connection, especially if it is shared with anyone, like a business or organization, a school or hotel, or the WiFi at places like an airport or coffee shop. Frequently someone connected to the same local network as you can interfere with your DNS, intercept/reroute your IP traffic, or both. The exact risks depend on a lot of technical details that belong on security.SX and/or networkengineering.SX.

    Thus even if your browser gets the correct address from DNS, when it connects to that address it might get a wrong system, not one actually operated by the domain-name owner.

    One defense against this is to use HTTPS, which (in addition to other benefits not relevant here) authenticates the server that you actually reached by checking it has a certificate (and matching private key) identifying it as having the name of the server you wanted to reach. See e.g. security.SX's canonical on this. Your browser will only trust certificates issued (directly or indirectly) by certain Certificate Authorities (CAs), most of which are semi-familiar names like Digicert (now including former Symantec and Verisign), Sectigo (formerly Comodo), GoDaddy, and LetsEncrypt, although there are many others, and the CAs that browsers trust are (supposedly) required to follow procedures and rules that ensure they only issue a certificate for a given domain name to the actual owner of that name (in this case the Ukraine central bank). Thus if the CA did its job correctly and without mistake, and the webserver which obtained the certificate didn't have its private key compromised, any HTTPS connection that succeeds (authenticates) should be to the correct website.

    But again there are failure modes. The most obvious is that a trusted CA could issue a fraudulent cert for a given name -- either intentionally, for example because it is controlled by a government hostile to the site (is there any government hostile to Ukraine?), or because it makes a mistake or is itself deceived. There have been some cases of this, not many compared to most of the ways people are scammed and money stolen, but some.

    Plus you might fail to use HTTPS at all. Even today some browsers default to HTTP (the original, insecure version) if you just enter a domain name, and more will use it if you type http: as many people have been conditioned for years to do. The bank.gov.ua server -- more exactly the server I currently reach from my network location at address 45.60.74.68 -- does redirect HTTP to HTTPS, but that's only if you reach it; if someone intercepts your HTTP connection attempt, they can just reply as if they were the site you wanted and you can't tell the difference. And bank.gov.ua does NOT use HSTS which would guarantee that any subsequent connection from the same browser does use HTTPS (unless manually cleared or reset).
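Added example, not part of the answer above: a small offline check of the two transport properties that answer discusses, an HTTP-to-HTTPS redirect and the presence of an effective HSTS policy. The function names and the hop lists are assumptions made for the illustration; the hops are constructed from the answer's description of bank.gov.ua, not captured from the live site, and `example.test` is a hypothetical host.

```python
import re
from urllib.parse import urlsplit

def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797); None if it must be ignored."""
    policy, seen = {"max_age": None, "include_subdomains": False}, set()
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()
        if not name:
            continue
        if name in seen:                      # each directive may appear only once
            return None
        seen.add(name)
        if name == "max-age":
            arg = arg.strip().strip('"')      # the value may be a quoted-string
            if not re.fullmatch(r"\d+", arg):
                return None
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
    return policy if policy["max_age"] is not None else None   # max-age is required

def assess(chain):
    """chain: (url, status, headers) hops in the order the browser followed them."""
    findings, hsts = [], None
    if urlsplit(chain[0][0]).scheme == "http":
        findings.append("first request is plaintext and can be answered by an on-path attacker")
    for url, _status, headers in chain:
        sts = {k.lower(): v for k, v in headers.items()}.get("strict-transport-security")
        if sts is not None and urlsplit(url).scheme == "https":   # ignored over http
            hsts = parse_hsts(sts)
    if urlsplit(chain[-1][0]).scheme != "https":
        findings.append("redirect chain does not end on https")
    if not hsts or hsts["max_age"] == 0:      # max-age=0 deletes a stored policy
        findings.append("no effective HSTS, so later visits may start on http again")
    return findings

# Constructed hops modelled on the answer's description, not a live capture.
NO_HSTS = [("http://bank.gov.ua/", 301, {"Location": "https://bank.gov.ua/"}),
           ("https://bank.gov.ua/", 200, {"Content-Type": "text/html"})]
# Constructed hypothetical site that does send HSTS.
WITH_HSTS = [("https://example.test/", 200,
              {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"})]

if __name__ == "__main__":
    for label, chain in (("no HSTS", NO_HSTS), ("with HSTS", WITH_HSTS)):
        print(label, assess(chain))
```

To run it against a real site, build the hop list from the response headers of each redirect step and pass it to `assess`.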

2

This part seems unaddressed in other answers, so I'll throw in my two cents.

Why are the url components in English?! How can someone see this and not think it's a scam?

  1. The domain name system has only recently (last few years) started accepting characters other than basic alphanumeric ASCII ones, dashes and underscores. As pointed out elsewhere, the domain is much, much older.
  2. The Ukrainian word for a bank sounds similar enough to the English "bank" for the English transliteration of "банк" to be exactly that - "bank".
