Eth domain

Comment

Author: Admin | 2025-04-28

Filenames. Based on those fingerprints, I found 11 additional domains hosting the same exact code, some sharing the same contract wallets in their configurations.

In total, I found four addresses acting as control nodes across 14 domains. I also found two domains that had ceased operation but matched all characteristics in historical telemetry and third-party data. Examining the sites, I discovered distinct groupings of domains using similar naming conventions, domain registrars and hosts, suggesting different sub-groups were operating identical scam kits simultaneously. This is similar to what we found when investigating pig butchering fake exchange sites, where dozens of sites were using the same code but with different associated wallet addresses.

| Group | Domain | Contract wallets | Hosting | Registrar | Total crypto volume of transactions (US $) |
| --- | --- | --- | --- | --- | --- |
| Allnodes | allnodes.vip | 0x6B79f38233726282c7F88FE670F871eAbd0c746c | Alibaba Singapore | Alibaba Cloud | 177,596.00 |
| | allnodes.xyx | 0xd2b14d2fff430a720cf44bbd064f548a585e73de | Alibaba Cloud | Alibaba Cloud | 174,934.00 |
| Trust | trust-oke[.]com | 0xcf6b558c218a9148cd77c04be4e3d1c1fc9d61a2 | Amazon | Amazon | 676,869.00 |
| | trust-btrust-oke[.]com | | | | |
| | trust-usdt[.]com | | | | |
| | trust-v2[.]com | | | | |
| | trust-bnb[.]link | | | | |
| | v2-eth[.]com | | | | |
| | net-8897[.]com | | | | |
| Ada | ada-defi[.]pics | 0xeb7b75dd5b4b6ef7bbc6ec079cd329a782fc1efe | Cloudflare protected | Dynadot | 62,660.00 |
| | ada-defi[.]beauty | | | | |
| | ada-defi[.]xyz | | | | |
| | ada-coin[.]info | | | | |
| | eth-defi[.]one | | | | |
| Unknown | trust-eth[.]com | | Google, then Cloudflare | Gname.com | |
| | eth-mining[.]xyz | | Google, then Cloudflare | Dynadot | |

As shown in the table above, two groups of domains had shared contract wallet addresses. And through examining transaction data, I found that both “allnodes” domains, despite having separate contract wallets, routed cryptocurrency to the same destinations.

Activity for the scam sites and their contract wallets, some of which appeared to be testing the scripts associated with contract wallets, dated back to February. Most of the actual scam activity associated with the sites occurred in the summer months, as shown below by the volume of cryptocurrency moved through each of the primary contract wallets:

Figure 3: The volume of cryptocurrency movement through the primary contract wallets skyrocketed in June and remained relatively high through the summer months

Further examining the transaction data for the wallets receiving fraudulent withdrawals, I discovered additional contract wallets sending crypto following the same pattern. They were using the same destination wallets as two of the above groups: 0x73b970978cbf19a5e1c727de20ad73db316f3817 and 0xf12a365e53313e59E915f0e8D432a326556dD22C, connected to “Trust” destination wallet; 0x3698cc343414c69233fe580cef379f02a91bc421, connected to an “Ada” group destination wallet.

Figure 4: A breakdown of the flow of cryptocurrency from all three threat
