Face Off: US Election Debate Sparks New Wave of Crypto-Doubling Scams
https://www.netcraft.com/blog/us-election-debate-sparks-new-wave-of-crypto-doubling-scams/
Wed, 02 Oct 2024 07:26:37 +0000
In the wake of the second US presidential election debate between Democrat Kamala Harris and Republican Donald Trump (September 10), Netcraft identified a series of crypto investment scams capitalizing on the publicity around this key event. 

Our research uncovered 24 crypto-doubling scam domains related to the debate, including 14 phishing websites using the word “debate” in their domain, e.g. debatetrump[.]io, tesladebate[.]com, and debate[.]money. 

All the examples exploit the image of Republican presidential nominee Donald Trump, tech entrepreneur and billionaire Elon Musk, or a blend of both. Criminals likely use these personas to add legitimacy to their crypto investment theme—one political leader, one policy influencer, both conveying the perception of wealth and authority. 

Netcraft observed similar tactics being used in attacks in March, during some of the earlier primary elections. In July, following the assassination attempt on Donald Trump, others were also discovered.  

In the lead up to the US presidential election on November 5, we expect to see these kinds of attacks continue. To help brands and internet users act with greater caution during that time, this article analyzes the different variants from this latest, debate-themed scam. It also includes guidance for organizations at risk from similar impersonation of their brand, intellectual property (IP), and executive personas. 

What is crypto-doubling?

Crypto-doubling scams lure victims into transferring cryptocurrency under the false pretence that their investments will be doubled. The perpetrators of these scams commonly use social engineering tactics via email, social media platforms, and messaging apps to coax victims into visiting a phishing website where the fraudulent transaction then takes place.

Crypto-doubling scams use the following tactics:

  • Promises of quick returns, which often emphasize a rapid doubling of the victim’s investment.   
  • A sense of urgency to encourage immediate action.
  • Fake endorsements that falsely claim support from public figures.
  • A lack of transparency that withholds any real detail about the scheme.

Crypto-doubling harms victims financially and emotionally, and it undermines customer and voter trust in the brands and personas being imitated.

Variants

The three crypto-doubling variants identified through our research use similar tactics, but their differences reflect how much time and resource criminals invest in each scam. Individually and together, they help us understand the mindset behind this kind of malicious activity in greater depth. 

Variant 1: “Elon Musk X Donald Trump Crypto Giveaway”

Fig. 1. Above the fold screenshot from the variant 1 website

In this first example, custom copy (see fig. 2) and trusted brand logos are used to legitimize the website. The page content is rich, incorporating graphs and diagrams with step-by-step instructions and QR codes linking victims to a payment page.

Although the content itself doesn’t directly reference the debate, it does use the domain debatetrump[.]io. 

Off-brand language and grammatical errors—common telltale signs of fake content—still occur across the site, such as, “Donald Trump immersing himself in the world of cryptocurrency to offer a nice gift to cryptoinvestors” or simply “Check instruction”.

Fig. 2–4. Below the fold screenshots from the variant 1 website

Variant 2: “Huge giveaway during Trump and Kamala Debate”

Fig. 5. Above the fold screenshot from the variant 2 website

Variant 2 utilizes content assets like those in variant 1. However, it calls out the US presidential election debate between Donald Trump and Kamala Harris directly in the text (see fig. 5 and fig. 7). It also uses an image featuring Harris, the Democrat presidential nominee.

The page features Elon Musk’s Tesla logo instead of Trump’s campaign logo, demonstrating how criminals tailor their content to appeal to different audiences, i.e., politically engaged vs cryptocurrency minded.

Unlike variant 1 (and variant 3), variant 2 includes an extra “What’s Happening” section, providing context on the cryptocurrency “giveaway” (see fig. 6).

Fig. 6–7. Below the fold screenshots from the variant 2 website

Variant 3: “Biggest Crypto Giveaway”

Fig. 8. Above the fold screenshot from the variant 3 website

Variant 3 hot-swaps personas while retaining the same core content: a new persona (headshot) is dropped in while the other webpage assets remain the same. Netcraft has identified many examples using this approach, which is distinguished by its hexagonal image frame and stock copy. The only variances in these examples are the target personas (different headshots) and, in some cases, the page colour and/or appearance (see fig. 10). 

In both variants 1 and 2, we observe extra, custom assets (logos, text, diagrams, etc.) being used to give the web content a theme. No such effort is made with variant 3, which uses the same assets across the board. 

Fig. 9. Above the fold screenshot from the variant 3 website (see also fig. 8)

The characteristics of variant 3 are particularly interesting in the context of the criminals’ resource expenditure. By removing the need for custom text and using short, generic copy, threat actors avoid any need to review their content or adapt it to different scenarios. In short, variant 3 demonstrates the speed and efficiency with which threat actors use ready-made, easily customizable assets to scale their campaigns, potentially increasing their gains.

Fig. 10. Screenshot demonstrating subtle changes to the variant 3 template.

Characteristics of variant 3

Netcraft logged the following common characteristics from variant 3 in this crypto-doubling scam.

Website headers

Every variant 3 page uses the same header, which consists of a logo, navigation links to page sections, and a “Participate” call to action (CTA) that links to a page containing wallet addresses for the transaction.

Fig. 11. Screenshots of the different headers used in the variant 3 template

Page sections

Above the fold

Above the fold, the variant 3 template focuses on grabbing attention with bold H1 text (“BIGGEST GIVEAWAY CRYPTO OF $100,000,000”). It also uses:

  • A seal icon with a tick and the text “official event”
  • Text paragraph explaining the giveaway, including the different acceptable currencies
  • The standard “Participate” CTA

Fig. 12. Screenshots of the different above the fold variations

Instructions and information

Directly below the fold, the variant 3 template includes two sections:

  • “Instruction for participation”: a step-by-step diagram purporting to show the crypto investment process (note the grammatical error in “Instruction”).
  • “Rules & Information”: two text blocks explaining (left) why the giveaway is happening and (right) the accepted cryptocurrencies and minimum payment amount.

Fig. 13. Side-by-side comparison of the lower page sections from two of the phishing websites

In some examples (fig. 14), a calculator is embedded into the page to illustrate the amount the victim will allegedly receive in return for their investment.

Fig. 14. Screenshot showing variant 3 example with investment calculator
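The characteristics above (the H1 text, the “official event” seal, the “Participate” CTA, the “Instruction for participation” and “Rules & Information” headings, and the debate-themed domain keywords) can be turned into a page-scoring check for brand-protection triage. The following is an added example and not Netcraft’s code: the marker regexes, the four-marker threshold and both sample pages are my own constructions; debatetrump[.]io is the domain named above.

```python
"""Score a fetched page against the variant 3 crypto-doubling template (added example)."""
import re
from html import unescape
from urllib.parse import urlparse

# Text markers drawn from the variant 3 description; the regexes are my construction.
TEMPLATE_MARKERS = {
    "h1_giveaway": r"biggest\s+giveaway\s+crypto",
    "official_event_seal": r"official\s+event",
    "participate_cta": r"\bparticipate\b",
    "instruction_heading": r"instruction\s+for\s+participation",
    "rules_heading": r"rules\s*&\s*information",
    "doubling_promise": r"\b(?:double|doubled|2x|x2)\b",
}
# Keywords seen in the debate-themed scam domains reported above.
DOMAIN_KEYWORDS = ("debate", "trump", "tesla", "musk", "giveaway")
# Markers needed before a page is called a template match (assumed threshold).
VERDICT_THRESHOLD = 4

# Constructed sample resembling the variant 3 layout described in the article.
VARIANT3_SAMPLE = """
<html><head><title>Biggest Crypto Giveaway</title></head><body>
<header><img alt="logo"><nav><a href="#rules">Rules</a><a href="#wallet">Participate</a></nav></header>
<h1>BIGGEST GIVEAWAY CRYPTO OF $100,000,000</h1>
<span class="seal">official event</span>
<p>Send BTC, ETH or USDT to take part. You will get back double the amount.</p>
<h2>Instruction for participation</h2>
<h2>Rules &amp; Information</h2>
<p>Minimum amount 0.1 BTC.</p>
</body></html>
"""
# Constructed benign control: a news page that mentions the debate and crypto.
BENIGN_SAMPLE = """<html><body><h1>Debate recap</h1>
<p>Harris and Trump met on stage on September 10. Analysts discussed crypto policy.</p>
</body></html>"""


def refang(url):
    """Turn a defanged URL (example[.]com) back into a parseable one."""
    return url.replace("[.]", ".")


def visible_text(html):
    """Lower-cased text content with scripts, styles and tags removed."""
    text = re.sub(r"<(script|style)\b.*?</\1\s*>", " ", html, flags=re.S | re.I)
    text = re.sub(r"<[^>]+>", " ", text)
    text = unescape(text)  # so "Rules &amp; Information" becomes "Rules & Information"
    return re.sub(r"\s+", " ", text).strip().lower()


def template_hits(html):
    """Names of the template markers found in the page text, in definition order."""
    text = visible_text(html)
    return [name for name, pattern in TEMPLATE_MARKERS.items() if re.search(pattern, text)]


def domain_keywords(url):
    """Scam-theme keywords present in the hostname (path is deliberately ignored)."""
    host = (urlparse(refang(url)).hostname or "").lower()
    return [kw for kw in DOMAIN_KEYWORDS if kw in host]


def triage(url, html):
    """Combine page markers and domain keywords into a verdict for an analyst queue."""
    hits = template_hits(html)
    keywords = domain_keywords(url)
    if len(hits) >= VERDICT_THRESHOLD:
        verdict = "likely crypto-doubling template"
    elif hits and keywords:
        verdict = "suspicious: review manually"
    else:
        verdict = "no template match"
    return {"url": url, "template_hits": hits, "domain_keywords": keywords, "verdict": verdict}


if __name__ == "__main__":
    print(triage("https://debatetrump[.]io/", VARIANT3_SAMPLE))
    print(triage("https://news.example/debate-recap", BENIGN_SAMPLE))
```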

How are these scams being distributed?

Netcraft has observed these scams being distributed via YouTube, in videos in which Elon Musk discusses the US presidential election debate (see fig. 15). The YouTube channels used include purpose-registered examples and others which have been compromised. Other external analyses report distribution via X, Facebook, Instagram, and Telegram.

Fig. 15. Screenshot from a fake YouTube video featuring 

How to protect your brand

The volume of these crypto-doubling scams, the variations identified, and the different tactics used indicate the scale at which threat actors can target would-be cryptocurrency investors.  

For the brands and personas imitated, this type of scam erodes trust and credibility and may lead to a backlash from victims, as well as surplus legal and customer service costs. The time it takes to recoup these losses can have far-reaching consequences.

Identifying and removing the digital content used to target victims through these campaigns requires speed, accuracy, and scale. Netcraft offers all three. Our Brand Protection services make use of the industry’s largest and most powerful dataset to continuously search the internet for any misuse of your brand name and likeness. Our website takedown times are the fastest and most reliable in the brand protection space, reducing the number of scams attempting to exploit your brand, IP, and customers.

To find out what ROI Netcraft can offer your organization, and to see our solutions in action, book a demo now.

]]>
Problems in the Parking Lot: Threat Actors Use IRL Quishing to Target Travelers
https://www.netcraft.com/blog/irl-quishing-scams-target-travelers/
Wed, 18 Sep 2024 08:11:17 +0000
This article explores Netcraft’s research into the recent surge in QR code parking scams in the UK and around the globe. Insights include: 

  • At least two threat groups identified, one of which Netcraft can link to customs tax and postal scams carried out earlier this year. 
  • Up to 10,000 potential victims identified visiting this group’s phishing websites between June 19 and August 23. 
  • At least 2,000 form submissions, indicating how much personal data has been extracted from victims, including payment information. 
  • Evidence suggesting the group is running activity across Europe, including France, Germany, Italy, and Switzerland. 

Introduction 

Earlier this month, RAC issued an alert for UK motorists to beware of threat actors using Quick Response (QR) code stickers to lure them to malicious websites. These sites are designed to exfiltrate personal data, including payment information, by impersonating known parking payment providers. Reports of similar scams across Europe and in Canada and the US have also been increasing and gaining public attention. In the US, the FBI has now issued alert number I-011822-PSA, Cybercriminals Tampering with QR Codes to Steal Victim Funds, to raise awareness. We can expect that these attacks will continue to be deployed on a global scale. 

In the UK, phishing activity is peaking. On July 30, Southampton City Council posted on Facebook warning motorists of a wave of malicious QR codes appearing across the city center. Printed on adhesive stickers and affixed to parking meters, the QR codes directed users to phishing websites impersonating the parking payment app brand PayByPhone. Around the same time, several Netcraft staff shared stories of family members being duped by similar scams. In response, Netcraft deployed its research teams to analyze and understand the activity in depth. 

Fig. 1. Southampton City Council’s post on Facebook warning users to avoid scanning the QR codes and explaining the risk. 

Looking at British media reports, these parking QR code scams appeared to peak during the summer holiday period (June to September). Activity concentrated in and around coastal tourism locations such as Blackpool, Brighton, Portsmouth, Southampton, Conwy, and Aberdeen. There are now at least 30 parking apps in the UK, varying by location—an abundance that benefits criminals. By targeting tourist destinations, threat actors can prey on tourists who need to download the parking payment apps and are searching for ways to do so. 

Netcraft was able to identify two threat groups running such scams. This report focuses on an active group impersonating the PayByPhone brand. The other group has been identified using a phishing kit to simulate multiple brands, including RingGo. 

How do Parking QR Code Scams work? 

Mobile payments are now standard in many public and private parking lots across the world. While transactions once involved calling or texting a number, mobile apps have become more commonplace. 

In the UK, the main providers include PayByPhone, RingGo, JustPark, ParkMobile, and MiPermit. Providers display user instructions in parking lots, typically on parking meters. These include a download link or QR code to access the payment app, as well as a unique location code to geolocate the user. This approach not only offers an opportunity for threat actors to target victims on-site, it may also enable them to further target victims with additional location-specific malicious messages. 

Step-by-step process  

Based on the PayByPhone threat group that forms the basis of this research, we observed the following step-by-step process being used to extract victim data: 

  1. The threat actor acquires and deploys “boots on the ground” resources to set up the attack. 
  2. Malicious QR codes are affixed to parking lot payment machines. 
  3. A victim visiting that parking lot scans the malicious QR code and is directed to a mobile phishing website mimicking a legitimate parking lot payment provider. 
  4. The phishing website prompts the victim to enter the following details, in this order: 
     • Their 6-digit parking lot location code 
     • Vehicle details, including license plate and vehicle type 
     • Parking duration 
     • Payment card details 
  5. The website then displays a fake “Processing” page, simulating a familiar user experience. In some cases, a 3D Secure code will be requested from the victim’s bank/card provider. 
  6. The victim is redirected to a “Payment accepted!” page. 
  7. The phishing website confirms the victim’s entered details. 
  8. The victim is directed to the official PayByPhone website. 

Fig. 2. Screenshots showing the step-by-step process on one of the fake PayByPhone websites. 

Following payment, phishing kit groups send the victim to a failed payment page, prompting them to use an alternative payment card. This extends the volume of credentials and funds the threat actor can exfiltrate. 

Fig. 3. Screenshot of fake failed payment page on one of the malicious websites. 

Tactics 

Netcraft has been able to analyze threat actor activity to understand the strategies underpinning these attacks. 

Timeline of activity 

Fig. 4. Chart showing malicious websites being activated and deactivated between June 17 and September 3. 

In the timeline above: 

  • June 19: the scam begins; the first phishing websites appear, but these are taken offline after approximately one week. 
  • June 28: the scam reappears online behind a new domain name. 
  • July 2: threat actor registers two new domains, which redirect victims back to the initial websites. 
  • July 27: websites continuously come online, as others gradually go offline. 
  • Early August: more domains are registered every few days, but some only stay online for a short time, before any QR codes are used.[1] 
  • Mid-August: all known phishing websites go down; the threat actor registers new domains showing variations to the format (using phrases like parkbyphone instead of pbp, and others that only refer to QR codes and scanning). They are registered in pairs, with a .info domain hosting the actual phishing website and a .click equivalent redirecting to the .info version. Likely due to news coverage, these only remain online for a few days at a time and are quickly taken offline by the domain registrar. 
  • Late August onwards: the same pattern of registering new domains multiple times per week continues. The threat actor experiments with different top-level domains (TLDs) (.live and .online) to evade detection. Each site remains online for a few days, in contrast to the start of the campaign when sites were live for up to a month. 

Website characteristics 

Numerous phishing websites were created to facilitate these attacks. Since June 17, Netcraft has seen the same scam on 32 distinct domain names. All of these demonstrated the following characteristics: 

  • Registered with NameSilo 
  • Using .info, .click, .live, .online, and .site TLDs 
  • Protected with Cloudflare

The QR codes most typically linked directly to .click URLs, which redirected to a live phishing website at a .info or .site URL. This could be a persistence tactic to ensure that if the group’s core sites are taken down, new ones can be set up, and the redirects changed. Such an approach avoids the need to physically replace any QR code stickers, keeping the attack online while controlling costs. 

On-the-ground tactics 

After tracking the threat actor’s activity online throughout August, the Netcraft team then went a step further to gather additional on-the-ground research. 

Fig. 5. Map showing Netcraft-identified parking meters displaying the location of benign (black) and malicious (red) QR codes across Southampton city center. 

Of the 24 parking meters across Southampton city center, seven were displaying malicious QR codes. Some of these were in prime locations, including opposite Southampton Central train station and near a large grocery store. Other areas in the city center and Portswood (another high foot traffic area) appeared to be clear of QR codes.  

The QR code stickers appear to have been distributed in a single batch—all linking to the same website—following the takedown of several of the threat actor’s websites. This highlights the persistent continuation of the campaign, with the threat actor rotating websites and remaining active despite their operations being disrupted.  

The domain name for the website mentioned above was registered on the afternoon of Sunday, August 25. The first visit was at approximately 07:00 the next morning. Netcraft researchers believe that this was the threat actor’s on-the-ground agent testing the QR code after placing the stickers. These timelines highlight the speed of activity between registering a new domain and placing a corresponding QR code sticker. 

In Southampton city center, there are two types of parking meters—red, which represent more dated models, and black, which are newer and display official PayByPhone branding. The threat actor’s QR codes were only found on these new black meters, pasted on top of the official branding to improve impersonation. 

Some meters had been pasted with three QR code stickers (front and both sides), but not all. At the time of visit, one meter on London Road had its front QR code sticker partially ripped off. Together, these observations may suggest either that stickers are being removed haphazardly or missed, or that the individuals responsible for planting them are inconsistent in their approach.  

Fig. 6. Photo of parking meter with QR code partially removed

The main takeaway from the on-the-ground research is that the threat actor has invested strategy and resources to achieve greater impact—making use of high-footfall areas and using tactics that add legitimacy to the scam. It’s clear that the measures being taken on the ground to deter these attacks are not as effective as takedowns online. 

Detection evasion tactics 

We were able to identify the following detection evasion tactics: 

  • Bot detection and Traffic Distribution Systems (TDS) being used to evade detection. 
  • Websites redirecting to badrobot[.]com based on the browser’s reported User Agent HTTP header.  
  • Threat actors appear to have an approved list of User Agents including most recent versions of popular iOS and Android browsers. If the QR codes are scanned from any other device or browser, redirection occurs. 
  • Cloudflare protection enabled on some websites using Captcha to gate user access.  
  • Websites that detect suspected bot activity redirecting the user to an error page prompting them to rescan the QR code. 
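The User-Agent gating above (mobile browsers reach the phishing page, everything else is bounced to badrobot[.]com) and the .click-to-.info redirect pairing described under “Website characteristics” can both be spotted from a probe log in which each candidate URL is fetched with several client families. This is an added example, not Netcraft’s tooling: every domain name except badrobot[.]com is a placeholder I made up, the User-Agent families are assumed, and the probe log is constructed.

```python
"""Triage suspected parking-QR URLs for UA cloaking and redirector/landing pairs (added example)."""
from collections import defaultdict
from urllib.parse import urlparse

# Client families assumed to be on the threat actor's allow list (current iOS/Android browsers).
MOBILE_UAS = {"ios-safari", "android-chrome"}

# Constructed probe log: (url, user_agent_family, http_status, location_header_or_None).
# Hostnames are placeholders except badrobot[.]com, the bounce destination named above.
PROBES = [
    ("https://pbp-example-r1[.]click/", "ios-safari", 302, "https://pbp-example-l1[.]info/"),
    ("https://pbp-example-r1[.]click/", "android-chrome", 302, "https://pbp-example-l1[.]info/"),
    ("https://pbp-example-r1[.]click/", "desktop-firefox", 302, "https://badrobot[.]com/"),
    ("https://pbp-example-r1[.]click/", "curl", 302, "https://badrobot[.]com/"),
    ("https://parkbyphone-example-r2[.]click/", "ios-safari", 302, "https://pbp-example-l1[.]info/"),
    ("https://parkbyphone-example-r2[.]click/", "desktop-firefox", 302, "https://badrobot[.]com/"),
    ("https://pbp-example-l1[.]info/", "ios-safari", 200, None),
    ("https://pbp-example-l1[.]info/", "android-chrome", 200, None),
    ("https://pbp-example-l1[.]info/", "desktop-firefox", 302, "https://badrobot[.]com/"),
    ("https://pbp-example-l1[.]info/", "curl", 302, "https://badrobot[.]com/"),
    # Benign control: a site that serves the same page to every client family.
    ("https://parking.example/", "ios-safari", 200, None),
    ("https://parking.example/", "desktop-firefox", 200, None),
    ("https://parking.example/", "curl", 200, None),
]


def refang(url):
    """Turn a defanged URL (example[.]com) back into a parseable one."""
    return url.replace("[.]", ".")


def host_of(url):
    return (urlparse(refang(url)).hostname or "").lower()


def destination(url, status, location):
    """Where the client ends up: the redirect target for a 3xx, else the URL's own host."""
    if 300 <= status < 400 and location:
        return host_of(location)
    return host_of(url)


def ua_cloaking(probes):
    """Flag URLs whose mobile clients end up somewhere disjoint from everyone else.
    Returns {url: sorted list of hosts the non-mobile clients were sent to}."""
    dests = defaultdict(lambda: {"mobile": set(), "other": set()})
    for url, ua, status, location in probes:
        bucket = "mobile" if ua in MOBILE_UAS else "other"
        dests[url][bucket].add(destination(url, status, location))
    flagged = {}
    for url, d in dests.items():
        if d["mobile"] and d["other"] and d["mobile"].isdisjoint(d["other"]):
            flagged[url] = sorted(d["other"])
    return flagged


def redirect_pairs(probes):
    """Map each landing host to the redirector hosts that forward mobile clients to it
    (the .click -> .info pairing). Returns {landing_host: sorted redirector hosts}."""
    pairs = defaultdict(set)
    for url, ua, status, location in probes:
        if ua in MOBILE_UAS and 300 <= status < 400 and location:
            src, dst = host_of(url), host_of(location)
            if src != dst:
                pairs[dst].add(src)
    return {landing: sorted(srcs) for landing, srcs in pairs.items()}


def tld(host):
    return host.rsplit(".", 1)[-1]


def triage_report(probes):
    """One summary per landing host: its redirectors, their TLDs, and the cloaking bounce hosts."""
    cloaked = ua_cloaking(probes)
    report = {}
    for landing, redirectors in redirect_pairs(probes).items():
        bounce = {h for url, hosts in cloaked.items() if host_of(url) == landing for h in hosts}
        report[landing] = {
            "redirectors": redirectors,
            "redirector_tlds": sorted({tld(r) for r in redirectors}),
            "landing_cloaked": any(host_of(url) == landing for url in cloaked),
            "bounce_hosts": sorted(bounce),
        }
    return report


if __name__ == "__main__":
    for landing, info in triage_report(PROBES).items():
        print(landing, info)
```

Once a landing host is confirmed, its redirectors give the takedown list: taking only the .info page down leaves the .click domains free to be repointed, which is exactly the persistence tactic described above.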

Impact of these attacks 

Some of the most critical intelligence we’ve been able to gather on these attacks concerns their impact on victims. 

What data has been exfiltrated and how? 

As illustrated in the step-by-step flow earlier in this article, the threat actor used webforms on their phishing website to capture and store victim data including: 

  • License plate 
  • Vehicle type 
  • Location code 
  • Complete payment card details, including security code 

This personally identifiable information (PII) could be used in future phishing attacks, for example, utilizing the threat actor’s knowledge of the victim’s vehicle, including location-based campaigns that utilize the victim’s location codes. 

After each form is submitted, the phishing websites send the victim’s data to the server. This maximizes the amount of information gathered, even if the victim exits the site before completing the entire process. 

The research suggests that the stolen data is then stored temporarily on the web server before being sent on to the threat actor via a Telegram bot.[2] An admin control panel on the website is used to configure the API keys for these bots and select which to send data to (the default bot names are “main” and “Hulingans”). 

Fig. 7. Screenshot showing the app admin panel used to configure bot API keys. 

How many victims are there? 

Netcraft’s research identified an approximate number of victims affected by these attacks. 

On one of the threat actor’s websites, an API call increments a visitor counter, and the response displays the number of website visitors to date. By tracking the visitor counter over a few days, it was revealed that: 

  • ~13 visitors per hour 
  • ~320 visitors per day (with an increase at weekends)

From June 19 to August 23, 10,000 users accessed this website and another mirror site. Many of these users could be potential victims who have scanned one of the malicious QR codes. 

Fig. 8. Screenshot showing the website increment counter and number of website visitors. 

How much data was stolen? 

Two of the threat actor’s phishing websites featured an exposed debugging API endpoint showing the number of form submissions (i.e., every time a user submitted data through the malicious website forms). On one of these sites, Netcraft was able to identify 1,932 form submissions from mid-June to August 12. On the other, 267 submissions were collected between July 27 and August 20. This brings the logged total to 2,199. Although the other websites had this endpoint disabled, it can be assumed that across all of the malicious sites more data was exfiltrated, including victims’ payment details.[3] 

Threat actor profile 

Netcraft has found indications that the threat actor studied in the research is related to a series of postal and customs tax-themed scams targeting Ireland and Poland. These indicators include: 

  • Corresponding redirect behavior (for detection evasion) 
  • Web servers running the same software version 
  • Use of the same domain registrar 
  • Use of Cloudflare with a very similar configuration

The step-by-step flow for extracting victim data is also similar. The customs tax scam was observed requesting the following data under the guise of releasing a parcel held at customs or a postal depot: 

  • The victim’s phone number 
  • Their address and other shipping information 
  • Payment details to release the parcel and have it shipped to the victim

The following timeline helps demonstrate how the threat actor switched between their campaigns: 

  • Three customs tax/postal scam websites first seen in February and March 2024 staying online for around two months. 
  • Between May 12 and June 14, nine more domains registered (most inactive), some of which featured customs tax scams for approximately one week maximum. 
  • After this point, the customs tax websites lay dormant while the first parking scam websites came online. 
  • From July 19, four new domains were registered hosting the same website as before; two went down within a week, but the others remained online for over a month. 
  • These websites have been manually disabled by the attacker, although this is likely to be a temporary measure.

We believe this shows that when the threat group’s parking scam became disrupted by takedown activity, they reactivated their previous campaign. 

Fig. 9. Screenshot showing a page from the customs tax website. 

Threat actor geography 

Netcraft was not able to find conclusive evidence pinning down the threat actor’s geographical location. However, a comment was found in the source code of one website containing a Romanian expletive: console.log('sloboz')

Another section of the source code contains comments in Romanian (translation: “Define the validate function to validate the card data validate function / Here you must add the validation code for the card data / You can use the jQuery library or pure Javascript, depending on your needs / Simple validation example”). 

Fig. 10. Screenshot showing Romanian language text in website source code. 

The phishing websites contain internationalization files for English, French, German, Italian, and Romansh (spoken in Switzerland), indicating that this attack is being deployed on a trans-European scale. This backs up news reports from both Switzerland and France, where QR codes have been found linking to the same phishing websites. 

Fig. 11 and 12. Screenshots showing translation files stored in the website. 

Conclusion 

Netcraft’s research into these parking lot QR code attacks reveals the tip of a much bigger iceberg. The findings give valuable insight into the criminals carrying them out, informing how organizations can best defend themselves. 

The behaviors and characteristics of the threat actor identified through the analysis demonstrate the scale and strategic approach being used. Not only is this one criminal group operating across a continent, but they are also investing to evade detection and achieve continuous operation. Additionally, the criminal group is likely responsible for a number of other attacks. This shows how cybercrime groups adapt and evolve their tactics and respond to opportunities that yield greater impact. 

If you want to know more about how we detect, analyze, and take down attacks like these, get in touch with the team or book a demo now.

Footnotes

[1] We may assume that the prevalence of this topic in the news in August influenced takedown activity. 

[2] Data exfiltration via Telegram is a common asset stored in phishing kits. Email used to be the most favoured channel, but as email takedown has advanced, threat actors have adapted. Telegram offers threat actors the ability to easily switch between Telegram bots to receive exfiltrated data. It also enables them to relay data to multiple Telegram bots, enabling them to maintain persistence if one bot is disabled.

[3] In adhering to the Computer Misuse Act, we’re unable to confirm the exact number of exfiltrated payment details, as this would require directly accessing stolen data via the admin control panel. 

]]>
September 2024 Web Server Survey
https://www.netcraft.com/blog/september-2024-web-server-survey/
Tue, 17 Sep 2024 09:18:44 +0000

In the September 2024 survey we received responses from 1,119,023,272 sites across 270,782,860 domains and 12,940,670 web-facing computers. This reflects an increase of 11.2 million sites, 717,065 domains, and 70,346 web-facing computers.

Cloudflare experienced the largest increase of 3.1 million sites (+2.41%) this month, now accounting for 11.6% (+0.16pp) of sites seen by Netcraft. OpenResty made the next largest gain of 2.8 million sites (+2.54%).

Apache suffered the largest loss of 2.4 million sites (-1.19%) this month, with its market share now standing at 18.0% (-0.40pp). Google experienced the next largest loss, down by 1.7 million sites (-2.84%).

Vendor news

Chart: Total number of websites

Web server market share

Developer    August 2024    Percent   September 2024   Percent   Change (pp)
nginx        223,025,645    20.13%    225,640,032      20.16%     0.03
Apache       203,825,341    18.40%    201,390,151      18.00%    -0.40
Cloudflare   127,028,522    11.47%    130,093,325      11.63%     0.16
OpenResty    108,954,196     9.84%    111,723,893       9.98%     0.15

Web server market share for active sites

Developer    August 2024    Percent   September 2024   Percent   Change (pp)
nginx         37,946,892    19.54%     37,814,329      19.50%    -0.04
Apache        35,401,145    18.23%     35,115,057      18.11%    -0.12
Cloudflare    30,353,097    15.63%     30,480,355      15.72%     0.09
Google        19,914,940    10.26%     18,290,859       9.43%    -0.82

For more information see Active Sites.

Web server market share for top million busiest sites

Developer    August 2024    Percent   September 2024   Percent   Change (pp)
Cloudflare       232,823    23.28%        232,767      23.28%    -0.01
nginx            202,769    20.28%        202,880      20.29%     0.01
Apache           192,880    19.29%        192,821      19.28%    -0.01
Microsoft         44,580     4.46%         44,538       4.45%    -0.00

Web server market share for computers

Developer    August 2024    Percent   September 2024   Percent   Change (pp)
nginx          5,037,328    38.72%      5,012,623      38.74%     0.02
Apache         3,194,165    ...
In the September 2024 survey we received responses from 1,119,023,272 sites across 270,782,860 domains and 12,940,670 web-facing computers. This reflects an increase of 11.2 million sites, 717,065 domains, and 70,346 web-facing computers.

Cloudflare experienced the largest increase of 3.1 million sites (+2.41%) this month, now accounting for 11.6% (0.16pp) of sites seen by Netcraft. OpenResty made the next largest gain of 2.8 million sites (+2.54%).

Apache suffered the largest loss of 2.4 million sites (-1.19%) this month, with its market share now standing at 18.0% (-0.40pp). Google experienced the next largest loss, down by 1.7 million sites (-2.84%).

Vendor news

Total number of websites
Web server market share

| Developer | August 2024 | Percent | September 2024 | Percent | Change |
|---|---|---|---|---|---|
| nginx | 223,025,645 | 20.13% | 225,640,032 | 20.16% | 0.03 |
| Apache | 203,825,341 | 18.40% | 201,390,151 | 18.00% | -0.40 |
| Cloudflare | 127,028,522 | 11.47% | 130,093,325 | 11.63% | 0.16 |
| OpenResty | 108,954,196 | 9.84% | 111,723,893 | 9.98% | 0.15 |

Web server market share for active sites

| Developer | August 2024 | Percent | September 2024 | Percent | Change |
|---|---|---|---|---|---|
| nginx | 37,946,892 | 19.54% | 37,814,329 | 19.50% | -0.04 |
| Apache | 35,401,145 | 18.23% | 35,115,057 | 18.11% | -0.12 |
| Cloudflare | 30,353,097 | 15.63% | 30,480,355 | 15.72% | 0.09 |
| Google | 19,914,940 | 10.26% | 18,290,859 | 9.43% | -0.82 |

For more information see Active Sites.

Web server market share for top million busiest sites

| Developer | August 2024 | Percent | September 2024 | Percent | Change |
|---|---|---|---|---|---|
| Cloudflare | 232,823 | 23.28% | 232,767 | 23.28% | -0.01 |
| nginx | 202,769 | 20.28% | 202,880 | 20.29% | 0.01 |
| Apache | 192,880 | 19.29% | 192,821 | 19.28% | -0.01 |
| Microsoft | 44,580 | 4.46% | 44,538 | 4.45% | -0.00 |

Web server market share for computers

| Developer | August 2024 | Percent | September 2024 | Percent | Change |
|---|---|---|---|---|---|
| nginx | 5,037,328 | 38.72% | 5,012,623 | 38.74% | 0.02 |
| Apache | 3,194,165 | 24.55% | 3,136,798 | 24.24% | -0.31 |
| Microsoft | 1,186,646 | 9.12% | 1,176,206 | 9.09% | -0.03 |

Web server market share for domains

| Developer | August 2024 | Percent | September 2024 | Percent | Change |
|---|---|---|---|---|---|
| Apache | 55,087,675 | 20.40% | 55,279,202 | 20.41% | 0.02 |
| nginx | 51,825,561 | 19.19% | 51,328,311 | 18.96% | -0.23 |
| OpenResty | 47,996,022 | 17.77% | 48,295,978 | 17.84% | 0.06 |
| Cloudflare | 24,899,127 | 9.22% | 25,245,309 | 9.32% | 0.10 |
Scam Sites at Scale: LLMs Fueling a GenAI Criminal Revolution https://www.netcraft.com/blog/llms-fueling-gen-ai-criminal-revolution/ Thu, 29 Aug 2024 07:00:00 +0000 https://www.netcraft.com/?p=24016
This article explores Netcraft’s research into the use of generative artificial intelligence (GenAI) to create text for fraudulent websites in 2024. Insights include: 

  • A 3.95x increase in websites with AI-generated text observed between March and August 2024, with a 5.2x increase over a 30-day period starting July 6, and a 2.75x increase in July alone—a trend which we expect to continue over the coming months 
  • A correlation between the July spike in activity and one specific threat actor 
  • Thousands of malicious websites across the 100+ attack types we support 
  • AI text is being used to generate text in phishing emails as well as copy on fake online shopping websites, unlicensed pharmacies, and investment platforms 
  • How AI is improving search engine optimization (SEO) rankings for malicious content 

July 2024 saw a surge in large language models (LLMs) being used to generate content for phishing websites and fake shops. Netcraft was routinely identifying thousands of websites each week using AI-generated content. However, in that month alone we saw a 2.75x increase (165 domains per day in the week centered on January 1 vs. 450 domains per day in the week centered on July 31) with no influencing changes to detection. This spike can be attributed to one specific threat actor setting up fake shops, whose extensive use of LLMs to rewrite product descriptions contributed to a 30% uplift in the month’s activity.  

These numbers offer insight into the exponential volume and speed with which fraudulent online content could grow in the coming year; if more threat actors adopt the same GenAI-driven tactics, we can expect to see more of these spikes in activity and a greater upward trend overall. 

Fig 1. Screenshot showing indicators of LLM use in product descriptions by the July threat actor 

This and the broader growth in activity between March and August appear to indicate a broad scaling-up of GenAI as a content creation tool for fraudulent websites, with a notable spike among online stores. This has led to an abundance of malicious websites, attracting victims not only because of the sheer volume of content, but also because of how convincing that content has become. 

Cybercrime groups, like other businesses, can create more content in less time using GenAI tools. Over the last 6 months, we’ve identified threat actors using these technologies across a range of attacks, from refining advance-fee fraud to flooding the crypto space with spam. In total, our observations show LLM-generated text being used across a variety of the 100+ attack types we cover, with tens of thousands of sites showing these indicators. 

Fig 2. Graph showing the increase in observed websites using LLM-generated text between March and August 2024 

In this article, we explore just the tip of the iceberg: clear-cut cases of websites using AI-generated text. There are many more, with conclusive evidence pointing to the large-scale use of LLMs in more subtle attacks. The security implication of these findings is that organizations must stay vigilant; website text written in professional English is no longer a strong indicator of its legitimacy. With GenAI making it easier to trick humans, technical measures like blocking and taking down content are becoming increasingly critical for defending individuals and brands. 

The following examples—extracted from Netcraft first-party research—will help you understand how threat actors are using GenAI tools and shine a light on their motivations.  

“As an AI language model, I can make scam emails more believable” 

Threat actors in the most traditional forms of cybercrime—like phishing and advance fee fraud emails—are enhancing their craft with GenAI. In one particular campaign, we identified spam feeds containing cloud phishing emails falsely claiming to link to a file download for the user’s family photos: 

Fig 3 and Fig 4. pCloud phishing email (Fig 3) leading to a traditional phishing URL on my[.]pcloud[.]ltd (Fig 4) 

In this campaign, running since at least the start of June 2024, the prospect of cherished memories being lost to file deletion is used as a lure to a traditional phishing URL. The potential indicator of LLM usage here is “Certainly! Here are 50 more phrases for a family photo:” We might theorize that threat actors, using ChatGPT to generate the email body text, mistakenly included the introduction line in their randomizer. This case suggests a combination of both GenAI and traditional techniques. 

We’ve seen signs of threat actors’ prompts being leaked in responses, providing insight into how they are now employing LLMs. In our Conversational Scam Intelligence service—which uses proprietary AI personas to interact with criminals in real-time—our team has observed scammers using LLMs to rewrite emails in professional English to make them more convincing. As you can see from the screenshot below in fig 5, what appears to be the LLM’s response to a prompt to rewrite the threat actor’s original text has been accidentally included in the email body. We reported these insights on X (formerly Twitter) and LinkedIn back in April, building on previous uses of GenAI to produce deepfakes in the same space.  

Fig 5. A threat actor attempts to make their email appear more legitimate using an LLM. 

“Certainly! Here are two sites that steal your money (and one another’s content)” 

Credibility is key for fake investment platforms, which promise high returns with low risk. In reality, their guarantees are meaningless, with funds being stolen from the user as soon as they’re deposited. The supposed “investment” only exists as a conceptual number that the threat actor can tweak to convince their victim to invest more money. 

Fake investment platforms are particularly well positioned for LLM enhancement, because the templates we’ve typically seen for these scams are often generic and poorly written, lacking credibility. With the help of GenAI, threat actors can now tailor their text more closely to the brand they are imitating and invent compelling claims at scale. By using an LLM to generate text that has a professional tone, cadence, and grammar, the website instantly becomes more professional, mimicking legitimate marketing content. That is, if they remember to remove any artifacts the LLM leaves behind… 

Fig 6. Evidence of an LLM being used to generate “six key strengths” for the fictional organization “Cleveland Invest”  

There’s no honor among thieves of course. Just as criminals are happy to siphon credentials from other phishing sites, we’ve observed that when they see a convincing LLM-generated template, they may replicate the content almost verbatim. To evade detection and correct errors in the original template, some threat actors appear to be using LLMs to rewrite existing LLM-drafted text. Notice in fig 7 below how words from the example above in fig 6 are replaced with context-sensitive synonyms. 

Fig 7. “Britannic Finance” has used an LLM to rewrite the text which appears on “Cleveland Invest”’s website 

“As of my last knowledge update, counterfeit goods have great SEO” 

As well as removing indicators which point towards fraud, LLMs can be used to generate text tailored for search engine optimization (SEO). This can boost a website or webpage’s search engine rankings, thus directing more potential victims to the content. We’ve seen both fake shops and fake pharmacies using LLM-generated text for SEO. 

This is demonstrated by the fake pharmacy in fig 8 below, which purports to be selling prescription drugs without licensing, regulation, or regard for safety. The product descriptions leak instructions indicating that an LLM was asked to write according to SEO principles (see “This outline should give you a good starting point…”). 

Fig 8. An LLM-generated product description for anesthetic drug “Ketaset”, which has been LLM-optimized for search engines 

Fake shops—store fronts which capture payment details in the promise of cheap goods, while delivering counterfeits or nothing at all—use the same technique to add keywords and bulk out text on the page. We saw thousands of websites like this crop up in July, responsible for 30% of that month’s jump in LLM-generated website text. 

Fig 9 and Fig 10. Despite its convincing product pages, this Anti Social Social Club fake store mistakenly includes text regarding the LLM’s last knowledge update. 

“This content may violate our usage policies” 

Threat actors are becoming more effective at using GenAI tools in a highly automated fashion. This enables them to deploy attacks at scale in regions where they don’t speak the target language, and so they overlook LLM-produced errors in the content. For example, we’ve come across numerous websites where the page content itself warns against the very fraud it’s enabling. 

Similar to how some crypto phishing sites have been seen to warn against phishing, the fake pharmacy cited below in fig 11 includes warnings against buying drugs online in its own product descriptions. 

Fig 11. “Shop Medicine’s” LLM-generated product description for Xanax warns against using fake pharmacies. 

How we’re responding 

It’s no surprise that threat actors are beginning to utilize GenAI to both create efficiencies and improve the effectiveness of their malicious activities. Netcraft has been observing this trend for some time and developing suitable countermeasures in response. Netcraft’s platform flags attacks with indicators of LLM-generated content quickly and accurately, ensuring customers get visibility of the tactics being used against them.  

For more than a decade, Netcraft has been leveraging AI and machine learning to build end-to-end automations that detect and disrupt criminal activity at any scale. Clearly, as GenAI unlocks new levels of criminal potential, organizations will require partners who can identify threats and deploy countermeasures without human intervention.  

We’ve also made sure that threat actors aren’t the only ones gaining an advantage with GenAI. Our Conversational Scam Intelligence uses AI-piloted private messaging to help you identify internally and externally compromised bank accounts, flag fraudulent payments, and deploy countermeasures to take down criminal infrastructure. If you want to know more about how we’re targeting threat actors’ increasing use of emerging technologies like AI, request a demo now.

August 2024 Web Server Survey https://www.netcraft.com/blog/august-2024-web-server-survey/ Fri, 23 Aug 2024 17:03:59 +0000 https://www.netcraft.com/?p=23926
In the August 2024 survey we received responses from 1,107,785,375 sites across 270,065,795 domains and 13,011,016 web-facing computers. This reflects an increase of 3.6 million sites, a loss of 364,061 domains, and an increase of 119,600 web-facing computers.

Cloudflare experienced the largest gain of 2.7 million sites (+2.14%) this month, and now accounts for 11.5% (+0.20pp) of sites seen by Netcraft. Google made the next largest gain of 1.2 million sites (+2.11%).

OpenResty experienced the largest loss of 12.1 million sites (-10.02%) this month, reducing its market share to 9.84% (-1.13pp). nginx suffered the next largest loss, down by 5.6 million sites (-2.45%).

Vendor news

Total number of websites
Web server market share

| Developer | July 2024 | Percent | August 2024 | Percent | Change |
|---|---|---|---|---|---|
| nginx | 228,626,175 | 20.71% | 223,025,645 | 20.13% | -0.57 |
| Apache | 208,999,470 | 18.93% | 203,825,341 | 18.40% | -0.53 |
| Cloudflare | 124,366,036 | 11.26% | 127,028,522 | 11.47% | 0.20 |
| OpenResty | 121,083,375 | 10.97% | 108,954,196 | 9.84% | -1.13 |

Web server market share for active sites

| Developer | July 2024 | Percent | August 2024 | Percent | Change |
|---|---|---|---|---|---|
| nginx | 34,630,677 | 17.86% | 37,946,892 | 19.54% | 1.68 |
| Apache | 36,313,526 | 18.73% | 35,401,145 | 18.23% | -0.50 |
| Cloudflare | 29,463,646 | 15.19% | 30,353,097 | 15.63% | 0.44 |
| Google | 19,361,526 | 9.99% | 19,914,940 | 10.26% | 0.27 |

For more information see Active Sites.

Web server market share for top million busiest sites

| Developer | July 2024 | Percent | August 2024 | Percent | Change |
|---|---|---|---|---|---|
| Cloudflare | 230,344 | 23.03% | 232,823 | 23.28% | 0.25 |
| nginx | 204,303 | 20.43% | 202,769 | 20.28% | -0.15 |
| Apache | 194,581 | 19.46% | 192,880 | 19.29% | -0.17 |
| Microsoft | 45,186 | 4.52% | 44,580 | 4.46% | -0.06 |

Web server market share for computers

| Developer | July 2024 | Percent | August 2024 | Percent | Change |
|---|---|---|---|---|---|
| nginx | 5,000,672 | 38.79% | 5,037,328 | 38.72% | -0.07 |
| Apache | 3,171,258 | 24.60% | 3,194,165 | 24.55% | -0.05 |
| Microsoft | 1,168,997 | 9.07% | 1,186,646 | 9.12% | 0.05 |

Web server market share for domains

| Developer | July 2024 | Percent | August 2024 | Percent | Change |
|---|---|---|---|---|---|
| Apache | 56,523,544 | 20.90% | 55,087,675 | 20.40% | -0.50 |
| nginx | 58,550,147 | 21.65% | 51,825,561 | 19.19% | -2.46 |
| OpenResty | 48,247,896 | 17.84% | 47,996,022 | 17.77% | -0.07 |
| Cloudflare | 23,547,247 | 8.71% | 24,899,127 | 9.22% | 0.51 |
Mule-as-a-Service Infrastructure Exposed https://www.netcraft.com/blog/mule-as-a-service-infrastructure-exposed/ Thu, 08 Aug 2024 07:37:10 +0000 https://www.netcraft.com/?p=23968
New Threat Intelligence confirms connections underpinning pig butchering and investment scams

Much like companies in the legitimate economy, criminals also specialize: focusing on their core strengths and using third-party Software-as-a-Service platforms and tools to outsource the rest of the business or criminal infrastructure needed. These Crime-as-a-Service providers continue to evolve, from bulletproof hosting to Phishing-as-a-Service (PhaaS).

New threat intelligence from Netcraft has uncovered the connections in the underlying financial infrastructure supporting fraud networks around the globe. This includes insights exposing centralized Mule-as-a-Service (MaaS) providers being used by seemingly unconnected threat actors around the globe to launder their scam proceeds through money mule bank accounts.

Examining the connections between the underlying cyber and financial infrastructure reveals a rich and interconnected network of mule accounts held at local and global banks, phone numbers, crypto addresses, payment app accounts, and email addresses being used to commit fraud. These connections not only give a mechanism to aid in identifying threat actors, but also new opportunities to disrupt crime groups involved in pig butchering, romance scams, and widespread, complex cyber-enabled fraud.

Netcraft’s Conversational Scam Intelligence (CSI) platform brings together Netcraft’s unique threat intelligence and generative AI to engage with threat actors in long-form peer-to-peer conversations at scale. These private conversations can last over a year and span hundreds of messages. Interactions with threat actors also serve as foundational data, used by Netcraft researchers to connect seemingly disparate scams to expose criminal actors around the globe.

Building a MaaS army

Netcraft researchers recently explored the Darcula Phishing-as-a-Service network, and insight suggests that similar providers exist for money mule accounts at banks globally, from the smallest credit unions to the largest banking giants. Definitive evidence has been limited about the inner workings of criminal mule account networks, including the existence of underlying “as a service” groups. Among the earliest and most accessible forms of public evidence are mule recruitment campaigns on social media platforms, which Netcraft researchers have monitored for some time. These campaigns offer the promise of making some fast cash, with little to no effort. 

Figure 1 – Social Media ads recruiting potential mules for criminal exploits. 

Mapping connections in fraud networks

Using the data gathered from real-life scams conducted by Netcraft’s generative AI personas, Netcraft’s research team has mapped the connections in the data linking scams with the ultimate money transfer mechanisms used to cash out. In the following examples we’ve mapped different elements of criminal infrastructure (email addresses, mule account numbers, crypto wallet addresses, phone numbers) uncovered by Netcraft.

These nodes are aligned to the conversation where they were shared. For example, a text message conversation containing a phone number would connect a 💬 conversation node to 📞 a phone number node.

You’re too kind

As a simple example, Netcraft classified this inbound, unsolicited email as Advance Fee Fraud:

Figure 2 – This email, identified through Netcraft’s threat intelligence, was used to initiate an AI-powered dialogue with the scammer. To protect the integrity of the data, the email has been slightly altered and identifiable information redacted. 

Figure 3 – The email conversation in figure 2 is depicted by “💬” in the bottom right of the infrastructure network shown here. The conversation exposed the simple but connected infrastructure network visualized above.

This simple example consists of 17 messages from the threat actor and 10 replies from Netcraft over the course of approximately one month. In that time we were able to expose the following infrastructure and fraud network connection points: 

  • Initial email address as well as a secondary email address being used to accept payments via PayPal
  • The payment address was previously mentioned in a separate conversation impersonating a delivery company, allowing Netcraft to connect the two conversations
  • This other conversation had already uncovered a Bitcoin wallet which has transacted over 2,000 times on the Bitcoin network, receiving a total of 12 BTC (~$805,000 at the time of writing) 
  • Connected to this address in a separate conversation was another US-based bank account and another email address
  • Both of these had been seen in a conversation connecting the Bitcoin wallet, to a Wells Fargo account and a JPMorgan Chase account

This simple example demonstrates how Netcraft can effectively map the infrastructure powering threat actor campaigns, providing a much deeper picture of the underlying criminal operation.

You’ve got mail

Figure 4 – Multiple conversations can be tied to the same threat actor based on their shared reliance on a single piece of infrastructure (in this case a phone number).

In other cases like the one above, seemingly disconnected conversations can be attributed to the same threat actor (an individual or a wider group). See the following analysis that links these conversations:

  • In this cluster, 14 email addresses identified in Netcraft threat intelligence were targeting a Spanish bank. Conversations requested victims call the same phone number, allowing Netcraft to conclude that these emails, despite their varying email addresses, were all the work of one threat actor.
  • In a separate conversation, the scammer used the same phone number as used in this campaign. That conversation unearthed three bank accounts, one of which Netcraft had seen before in a previous conversation.
  • That previous conversation, in turn, referenced another bank account which Netcraft had previously seen in a conversation associated with a Scottish bank.

In this case, the cluster allows us to conclude that nine mule accounts and 19 email addresses are in use by the same threat actor to defraud the customers of at least two separate financial institutions. 

One ring-ring to rule them all 

While some infrastructure is spread out with small clusters, this region shows scammer infrastructure that is quite densely connected. Seen here are dozens of bank accounts, emails and phone numbers, likely all being used by the same group of scammers:

Figure 5 – A subsection of a wide network of highly connected scammer infrastructure.

Figure 6 – An even larger network of interconnected scammer infrastructure.

Mapping relationships between scammer infrastructure can uncover weak points in scam campaigns. In figure 6 we see how dozens of investment scam emails and conversations hinge on a single UK-based phone number.

Figure 7 – An investment scam campaign reliant on a single phone number exposing a single point weakness in this threat actor’s infrastructure, which when taken down could cause significant disruption for the criminal.

In this group, we see a bank account referenced by at least 23 different email addresses being used for fraud. This bank account was first seen four months ago and was last seen as recently as four hours before the time of writing. Clusters of this form could indicate a fraud operation which is heavily dependent on a single payment account.

Figure 8 – 23 emails across 23 conversations engaged in by the Conversational Scam Intelligence system that all point back to the same bank account.

Zooming out, we can observe that the two bank accounts we have just analyzed have been referenced in the same conversation:

Figure 9 – The two highly-connected bank accounts in the above images are connected by a conversation which references both.

Inspecting that conversation further gives more clues as to the origin of this operation. The following cluster suggests that distinct fraud groups share the same mule accounts:

Figure 10 – This network shows seemingly disconnected operations that appear to be sharing mule accounts, indicating that the mules are operated by Mule-as-a-Service providers.

At the top of this section of the network, multiple pieces of information indicate that the fraudsters are operating from Benin, including the use of +229 phone numbers.

However, at the bottom we see a network of related infrastructure that revolves around Spain-based phone numbers, like a +34 Xfera Moviles mobile number, or a different +34 Vozelia Telecom fixed number.

The unifying factor between these seemingly distinct operations is a single Italian mule bank account.

Given that these operations appear independently in two countries separated by thousands of miles, their use of a shared bank account suggests that they are not ultimately in control of the mule. Instead, they are making use of centralized Mule-as-a-Service providers in charge of receiving and sending on defrauded funds.
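The conversation-to-indicator graph described above, as an added Python example that is not Netcraft’s code: each conversation and each indicator it exposes (email, phone number, bank account, crypto wallet) becomes a node, connected components approximate one actor or one mule service, and indicators shared by many conversations, or bridging otherwise separate clusters the way the Italian mule account does, stand out as single points of dependency. All sample conversations and indicator values are constructed placeholders.

```python
"""Cluster scam conversations by the infrastructure they share.

Added illustration, not Netcraft's code. Conversations and the indicators
seen in them are nodes; an edge links a conversation to every indicator it
exposed. Connected components approximate "one actor or mule service", hub
indicators are referenced by many conversations, and bridging indicators are
the shared accounts that tie otherwise independent operations together.
"""
from collections import defaultdict

# Constructed sample data: conversation id -> indicators shared in it.
# Every value is an obviously fake placeholder, not a real indicator.
SAMPLE_CONVERSATIONS = {
    "conv-1": {"email:alice@example.invalid", "phone:+229-000-0001"},
    "conv-2": {"email:alice@example.invalid", "phone:+229-000-0001",
               "bank:IT00-MULE-0001"},
    "conv-3": {"phone:+34-000-0002", "bank:IT00-MULE-0001"},
    "conv-4": {"phone:+34-000-0002", "email:carol@example.invalid"},
    "conv-5": {"email:dave@example.invalid", "btc:bc1-constructed-0001"},
    "conv-6": {"email:erin@example.invalid", "phone:+34-000-0002"},
}


def build_graph(conversations):
    """Undirected bipartite adjacency: conversation <-> indicator."""
    adj = defaultdict(set)
    for conv, indicators in conversations.items():
        for ind in indicators:
            adj[conv].add(ind)
            adj[ind].add(conv)
    return adj


def connected_components(adj):
    """Iterative DFS; each component is a set of node names."""
    seen, components = set(), []
    for start in sorted(adj):
        if start in seen:
            continue
        stack, comp = [start], set()
        while stack:
            node = stack.pop()
            if node in seen:
                continue
            seen.add(node)
            comp.add(node)
            stack.extend(adj[node] - seen)
        components.append(comp)
    return components


def conversation_clusters(conversations):
    """Conversations grouped by shared infrastructure, i.e. likely one actor."""
    adj = build_graph(conversations)
    clusters = []
    for comp in connected_components(adj):
        clusters.append(tuple(sorted(n for n in comp if n in conversations)))
    return sorted(clusters)


def hub_indicators(adj, conversations, min_conversations=2):
    """Indicators referenced by at least `min_conversations` conversations
    (e.g. one phone number behind 14 phishing emails)."""
    hubs = {}
    for node, nbrs in adj.items():
        if node in conversations:
            continue
        count = sum(1 for n in nbrs if n in conversations)
        if count >= min_conversations:
            hubs[node] = count
    return hubs


def bridging_indicators(adj, conversations):
    """Indicators whose removal splits their component: the single shared
    mule account that is the only link between separate operations."""
    bridges = []
    for node in adj:
        if node in conversations:
            continue
        pruned = {k: (v - {node}) for k, v in adj.items() if k != node}
        comp_of = {}
        for idx, comp in enumerate(connected_components(pruned)):
            for n in comp:
                comp_of[n] = idx
        if len({comp_of[n] for n in adj[node]}) > 1:
            bridges.append(node)
    return sorted(bridges)


if __name__ == "__main__":
    graph = build_graph(SAMPLE_CONVERSATIONS)
    print("clusters:", conversation_clusters(SAMPLE_CONVERSATIONS))
    print("hubs:", hub_indicators(graph, SAMPLE_CONVERSATIONS))
    print("bridges:", bridging_indicators(graph, SAMPLE_CONVERSATIONS))
```

On the constructed sample, the shared email and +229 number are hubs but not bridges, because conv-1 and conv-2 remain linked through either one; the Italian account and the +34 number are the only nodes whose removal separates operations.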

So, what’s next? 

Losses to investment scams, romance fraud, and pig butchering reached $4.6 billion in the United States – a 38% increase in 2023. These scams are very often conducted in private peer-to-peer conversations and the ability to stop the scam often comes too late. 

Studying the connections between threat actors and centralized Mule-as-a-Service providers provides a unique opportunity to both understand and ultimately deeply disrupt criminal payment networks powering scams, pig butchering, cyber-enabled fraud, and more.

By identifying and disrupting weaknesses in financial infrastructure, like those shown here, security leaders are now able to proactively find and interrupt mule account activity, block payments to known mule accounts outside their institution, stop payments to criminal crypto wallets, and deploy countermeasures against the greatest points of vulnerability, thus crippling criminal infrastructure and protecting their clients.

For almost three decades, the Netcraft team has been developing and using innovative, proprietary solutions to expose, disrupt, and eradicate criminal activity. Netcraft’s Conversational Scam Intelligence, recently announced at RSA ‘24, now provides the data and insight needed to expose, map, and disrupt these scams at any scale.

Connect with Netcraft’s expert team to see how we can help you. Request more information on Conversational Scam Intelligence here.

]]>
July 2024 Web Server Survey https://www.netcraft.com/blog/july-2024-web-server-survey/ Mon, 29 Jul 2024 13:12:32 +0000 https://www.netcraft.com/?p=23731

In the July 2024 survey we received responses from 1,104,170,084 sites across 270,429,856 domains and 12,891,416 web-facing computers. This reflects an increase of 2.7 million sites, 1.3 million domains, and 25,984 web-facing computers.

Cloudflare experienced the largest gain of 2.7 million sites (+2.18%) this month, and now accounts for 11.3% (0.21pp) of sites seen by Netcraft. OpenResty made the next largest gain of 2.2 million sites (+1.88%).

nginx experienced the largest loss of 6.5 million sites (-2.78%) this month, reducing its market share to 20.7% (-0.65pp). Apache suffered the next largest loss, down by 3.4 million sites (-1.60%).

Vendor news

  • Apache 2.4.62 was released on July 17th, containing fixes for two security vulnerabilities.
  • freenginx 1.27.2 was released on July 9th, adding support for rate limiting error logs.
  • OpenResty versions 1.21.4.4 and 1.25.3.2 were released on July 21st, fixing a security issue in its fork of LuaJIT that could cause severe performance degradation under certain circumstances.
  • Cloudflare added a new one-click button for its customers to block AI scrapers and crawlers.
Total number of websites
Web server market share
Developer | June 2024 | Percent | July 2024 | Percent | Change (pp)
nginx | 235,170,823 | 21.35% | 228,626,175 | 20.71% | -0.65
Apache | 212,402,611 | 19.28% | 208,999,470 | 18.93% | -0.36
Cloudflare | 121,715,882 | 11.05% | 124,366,036 | 11.26% | 0.21
OpenResty | 118,852,803 | 10.79% | 121,083,375 | 10.97% | 0.18

Web server market share for active sites
Developer | June 2024 | Percent | July 2024 | Percent | Change (pp)
Apache | 36,784,011 | 19.13% | 36,313,526 | 18.73% | -0.40
nginx | 34,778,931 | 18.09% | 34,630,677 | 17.86% | -0.23
Cloudflare | 28,457,465 | 14.80% | 29,463,646 | 15.19% | 0.40
Google | 19,253,340 | 10.01% | 19,361,526 | 9.99% | -0.03

For more information see Active Sites.

Web server market share for top million busiest sites
Developer | June 2024 | Percent | July 2024 | Percent | Change (pp)
Cloudflare | 230,996 | 23.10% | 230,344 | 23.03% | -0.07
nginx | 205,005 | 20.50% | 204,303 | 20.43% | -0.07
Apache | 196,945 | 19.69% | 194,581 | 19.46% | -0.24
Microsoft | 45,441 | 4.54% | 45,186 | 4.52% | -0.03

Web server market share for computers
Developer | June 2024 | Percent | July 2024 | Percent | Change (pp)
nginx | 4,983,288 | 38.73% | 5,000,672 | 38.79% | 0.06
Apache | 3,179,967 | 24.72% | 3,171,258 | 24.60% | -0.12
Microsoft | 1,162,544 | 9.04% | 1,168,997 | 9.07% | 0.03

Web server market share for domains
Developer | June 2024 | Percent | July 2024 | Percent | Change (pp)
nginx | 58,833,354 | 21.86% | 58,550,147 | 21.65% | -0.21
Apache | 56,621,922 | 21.04% | 56,523,544 | 20.90% | -0.14
OpenResty | 48,342,096 | 17.96% | 48,247,896 | 17.84% | -0.12
Cloudflare | 23,150,381 | 8.60% | 23,547,247 | 8.71% | 0.11
]]>
Sophisticated AI-generated Gitbook lures phishing the crypto industry https://www.netcraft.com/blog/ai-generated-gitbook-lures-phishing-the-crypto-industry/ Wed, 17 Jul 2024 14:37:29 +0000 https://www.netcraft.com/?p=23890

For the past year, Netcraft researchers have been tracking a threat actor using generative AI to assist in the creation of 17,000+ phishing and lure sites. These sites operate as infrastructure for phishing attacks that target more than 30 major crypto brands, including Coinbase, Crypto.com, Metamask, Trezor, and others.  

These sites form part of a sophisticated, multi-step attack. The attack utilizes lure sites to hook victims, phishing sites to capture details, and a Traffic Distribution System (TDS) used to mask the relationships between attack infrastructure. With advanced deception techniques, like the ability to capture 2-factor authentication codes, this campaign highlights several of the most innovative capabilities of modern multi-channel phishing threats. 

As phishing attacks become more complex than ever, recent advancements in generative AI further enhance these attacks by enabling threat actors to rapidly automate the creation of unique content that convincingly impersonates a wide variety of targets. The use of gen AI is also evident in other forms of cybercrime, such as donation scams and Advance Fee Fraud.

Interestingly, many of these AI-generated lure sites do not link to a phishing website, which appears deliberate. These are likely not designed for victims but instead suggest an attempt to flood the Web with similar content, making it harder to find the malicious needles in an AI-generated haystack. Without gen-AI, this new deception technique would be impossible for criminals, even criminal groups, to deploy at scale. For those combatting these threats, utilizing AI, ML, and automated techniques to detect and monitor threats is paramount in identifying and disrupting these nefarious techniques at any scale. 

Anatomy of the attack 

The attack starts with the victim visiting an AI-generated lure site. Lure sites hook unsuspecting victims into a scam and encourage them to complete an action, such as visiting another site, downloading a file, or sending an email. Commonly, lures are shared through various channels like email, SMS, social media, and SEO hacking. One widespread method used by this threat actor is distributing these links in the comment section of legitimate websites. 

hxxp[://]forum[.]technikboard[.]net/index[.]php?page=UserBlogEntry&entryID=8 

These lure sites are hosted on Gitbook, a documentation platform that targets software developers and offers a free tier requiring only an email address to sign up. Supported by vast amounts of content to increase credibility, the lure sites entice the victim by claiming to offer advice and tutorials for products from a wide range of brands in the crypto industry. 

Example of an AI-generated lure site on hxxps[://]helpstrezorhardwrewallet[.]gitbook[.]io/us 

Most sites contain a call-to-action link, which directs the user to a redirect URL on one of many [.]com domains. These URLs contain a Universally Unique Identifier (UUID) in the path to track which brand or lure site the victim visited. All these domains appear to be purpose-registered with Key Systems and hosted by Amazon. 

Formatted extract from hxxps[://]helps-trezorhardwrewallet[.]gitbook[.]io/us 

These redirect URLs use advanced Traffic Distribution Systems (TDSes), which can choose the redirect destination based on various factors. For example, if the TDS thinks the visitor is a victim, it will redirect them to a phishing site. When the TDS detects that the visitor is a security researcher, it will instead redirect them to the target brand’s legitimate site, attempting to cloak the existence of the phishing attack. 

Visiting hxxps[://]shotheatsgnovel[.]com/1479dd91-86b0-4518-9970-ca644964c5e7 from an IP address the TDS classified as a security researcher (left) and an IP address classified as a victim (right) 

The end phishing sites in this campaign aim to obtain one of two sets of credentials: the victim’s login details for the cryptocurrency platform or the seed recovery phrase for the victim’s wallet. If required by the platform, these phishing sites can even exfiltrate the victim’s 2-factor authentication codes, undermining the protection from this trusted layer of security. 

Left hxxps[://]trazeorwalllet[.]azurewebsites[.]net/, right hxxps[://]bitmartesnc[.]azurewebsites[.]net/.

With either set of credentials, the threat actor can steal all the victim’s funds or sell the credentials on an underground marketplace for another criminal to do so. The pseudo-anonymous nature of cryptocurrency payments offers the threat actor a high degree of anonymity, making it highly desirable for cybercriminals. Even after accounts are drained, they are still valuable to criminals since they have already passed Know Your Customer (KYC) requirements and could be used to launder money.  

This campaign’s lure and phishing sites are hosted on Microsoft Azure’s App Service platform (azurewebsites[.]net). As seen in previous attacks, such as the Phishception attack we uncovered targeting SendGrid, cloud services like Azure are attractive to fraudsters for their free tiers and credits.

Hedging their bets – Creating moving targets with phishing infrastructure 

Since Netcraft researchers first discovered these attacks, we have performed countermeasures against them by first blocking these sites for users of Netcraft’s Apps and Extensions and then initiating takedowns against the sites of Netcraft customers using Netcraft’s Takedown platform. In response to those countermeasures, this criminal group has continued to evolve campaign strategies.  

During this period, the threat actor tweaked and experimented with parts of their attack chain, likely to hedge their bets and keep their infrastructure available. One example is shifting traffic to phishing sites using much less sophisticated lures hosted on Webflow (webflow.io). These lures use a simple screenshot of the target brand’s homepage, redirecting to the TDS when clicking on the image. Many of these screenshots only include the page above the fold of the browser, meaning potential victims cannot scroll down. Some sites also include AI-generated text at the bottom of the webpage, which is likely to assist with SEO hacking.  

hxxps[://]metamaskeaxtenssion[.]webflow[.]io/ 

We also observed the threat actor replacing some of their [.]com TDS URLs with a legitimate link shortener platform, Geo Targetly (gtly.io). Doing this allows them to use many of the same functions as their traditional TDS, but with less work required to create new URLs. Reducing the complexity allowed criminals to quickly create new URLs when many of the campaign’s [.]com domains were taken down.

Formatted extract from hxxps[://]help-metamask-walletextension[.]gitbook[.]io/us 

hxxps[://]help-metamask-walletextension[.]gitbook[.]io/us linking to hxxps[://]metamaskunb[.]azurewebsites[.]net/ via Geo Targetly

AI-generated lures raise the bar 

Traditionally, one of the hardest parts of setting up a scam website is creating content that looks believable to potential victims. Due to the required manual effort, this is difficult for criminals to accomplish at scale, and poor-quality content has often been a key indicator of phishing infrastructure. 

However, the recent surge in powerful and free-to-use LLMs through platforms such as ChatGPT has unlocked this final piece of the puzzle for fraudsters. Netcraft continues to monitor this space, and this threat actor appears to be an early adopter using these tools at a large scale. 

Many lures use LLM-generated text to enable the threat actor to create unique content for thousands of pages that span a wide range of target brands. Creating this content is simple and cheap to automate and is faster and better than a human could achieve for even a fraction of the volume. 

We also see examples where LLM-generated content has produced erroneous artifacts that pollute the output of the final text. These don’t appear to have been caught by the threat actor, which suggests high levels of automation to generate these lures. One LLM output even included a warning about the risks of phishing attacks! 

hxxps[://]metamaskwalletiis[.]webflow[.]io/ warning users about phishing attacks 

hxxps[://]mettemaskcchromextensionfs[.]gitbook[.]io/us, including the LLM warning about knowledge updates 

As mentioned previously, many of these lure sites do not link to a phishing site – suggesting that the threat actor is attempting to flood the internet with content to make it more difficult to sort through and identify malicious needles in an LLM-generated haystack.  

Crypto attacks on the rise 

This attack follows a recent trend of threats observed by Netcraft: from crypto drainers, IPFS, pig butchering, and fake investment platforms to the Trump 2024 election campaign and YouTube channel hijacking, threats targeting the crypto industry range widely. The crypto industry is very enticing for threat actors due to lower traceability. Most recently, Netcraft researchers observed over $45 million in cryptocurrency payments transferred to scammers hidden in peer-to-peer messaging platform scams.

How Netcraft can help 

Netcraft provides cybercrime detection, disruption, and takedown services to organizations worldwide, including 16 of the top 50 global banks and many of the largest cryptocurrency exchanges in the world. While disrupting more than 100 unique attack types, Netcraft teams and systems constantly monitor unique and innovative attacks like these crypto phishing campaigns. 

Netcraft’s brand protection platform operates 24/7 to discover phishing, fraud, scams, and other cyber-attacks through best-in-class automation, AI, machine learning, and human insight. Our disruption and takedown service ensures malicious content is blocked and removed quickly and efficiently – typically within hours. If you’d like to learn more about how Netcraft can help, book a demo on the Netcraft website.

]]>
Two clicks from empty – IPFS-powered crypto drainer scams leveraging look-alike CDNs https://www.netcraft.com/blog/ipfs-powered-crypto-drainer-scams-leveraging-look-alike-cdns/ Wed, 10 Jul 2024 13:11:48 +0000 https://www.netcraft.com/?p=23865

More than $40k lost to crypto drainer scams leveraging IPFS and malicious code hidden behind look-alike CDN imitations.

At Netcraft, we’ve been disrupting cryptocurrency-based scams for over 10 years, including more than 15,000 IPFS phishing takedowns since 2016. As we closely monitor evolving threats and criminal innovation, modern technologies like Web3 APIs have made crypto scams easier and more accessible than ever before.

Cryptocurrencies remain a particular target for criminals due to their decentralized nature; no central arbiter of transactions means that victims have no way to reverse mistakes, nor any avenue to redress any losses incurred.

In this blog post, we’ll cover crypto drainers, a type of payment diversion fraud that takes advantage of Web3 APIs to trick victims into giving away their cryptocurrency coins and tokens. Just two clicks on a copycat website to ‘claim a free token’ could irreversibly transfer all their crypto assets to criminals.

Crypto drainers and Web3 wallet APIs

Web3 wallet APIs are designed to allow websites to interact with users’ cryptocurrency wallets, and function as a bridge between applications and the blockchain. They can only run in a Web3-enabled browser (such as Brave), or with a browser extension like MetaMask. The wallet APIs allow sites to request the user sign a specific message, or to send some cryptocurrency to a specific address.

In a standard crypto draining scam, a cybercriminal will claim to be offering free cryptocurrency tokens to the user, most commonly in the form of minting new coins. This is used to trick the victim into connecting their wallet to a malicious website, which can then obtain the victim’s cryptocurrency address.

Figure 1 – Cryptocurrency drainer at nonextpepe[.]com.

Once connected, the criminal can request signatures or transactions for this wallet. It’s important to note that connecting a wallet alone does not allow the site to steal its contents. However, once connected, the drainer will typically lure the victim into ‘claiming their token’ by requesting a transaction. If approved, this will transfer the victim’s entire balance into a wallet controlled by the criminal, effectively ‘draining’ the victim’s wallet.

Figure 2 – Drainer-generated transaction for the whole wallet’s balance.

The criminals behind these drainer scams count on victims being sufficiently excited or distracted by the promise of free cryptocurrency tokens that they do not realize that by approving the transaction, they’re losing everything in their wallet. In the example below, the Ethereum balance is sent to smart contract 0x676CA33022fB1a41c6cFE47Eac2E896F398e5783, which forwards everything received to the wallet 0x9f335dfa31bfb56dfa153efd4092c96ca22fd789 (and provides nothing in return). The destination address alone has received over 25 ETH, totaling over $40,000 based on the exchange rate at the time of transfer.

Figure 3 – Draining snippet for nonextpepe[.]com.

Cryptocurrency copycats

Crypto drainers will often mimic legitimate cryptocurrency projects, using familiar tokens, names, and branding to trick victims into approving malicious transactions. In this example, Lista is a real cryptocurrency project, https://lista.org/, with its decentralized stablecoin lisUSD pegged to the USD. Netcraft analysts have identified a crypto drainer site, claim-lista[.]org, which has copied the entire Lista site.

Figure 4 – Lista’s legitimate site (top) with the copycat site (claim-lista[.]org) below.

The malicious site claims that a ‘limited time airdrop’ event is currently available (an airdrop is typically an event in which new coins or tokens can be claimed for free to garner publicity). Clicking the Claim Allocation button displays a transaction request for the victim to confirm. If they do this, their entire balance is sent to a wallet and – unsurprisingly – no coin or token is provided in return.

Examining the malicious site’s source code displays markers left from a website copying tool, which reveals that the site is a direct duplication of the real cryptocurrency project.

Figure 5 – Source code of the malicious site with markers from a website copying tool.

Website copying tools allow the criminals behind these crypto drainer campaigns to quickly spoof legitimate cryptocurrency projects at scale, requiring only small modifications (and minimal technical skills) to insert the malicious draining payload.

IPFS gateways

IPFS stands for InterPlanetary File System; it is a decentralized storage and delivery network. Unlike the conventional web, where most content is hosted on centralized servers, IPFS embodies the Web 3.0 ethos and is based on peer-to-peer (P2P) networking, without requiring third parties or centralized authorities. This means that it’s harder to take down malicious content on the network, making IPFS ideal for cybercriminals when running phishing attack campaigns.

While IPFS URLs aren’t directly accessible in most popular browsers, they are accessible through various IPFS gateways such as ipfs.io. Netcraft analysts have already detected criminals using IPFS gateways for crypto drainers. As IPFS is now widely used across legitimate Web3 platforms, victims may be less suspicious of the seemingly random-looking URLs. For example, we identified a crypto drainer hosted on IPFS imitating the akash.network project, which describes itself as a “decentralized computer marketplace”.

Figure 6 – Cryptocurrency drainer clone of akash.network.

The IPFS-hosted content in this attack does not contain the malicious JavaScript payload used to perform the draining. Instead, this is hosted on “npm-js[.]top”, which is spoofing the popular JavaScript package manager “npmjs.com”. The script is heavily obfuscated, making it harder to identify it as a crypto drainer scam and extract useful information (such as the destination address).

Figure 7 – Malicious obfuscated drainer script hidden under npm-js[.]top.

The following crypto drainer, distributed via IPFS gateways masquerading as the Pandora Labs ERC-404 token, also uses a malicious script in cdn-bunny[.]com, a domain registered specifically to appear like the content delivery network (CDN) bunny.net.

Figure 8 – Crypto drainer on IPFS with a malicious script in cdn-bunny[.]com.

Malicious cryptocurrency drainer domains

Another crypto drainer imitating ListaDAO is available on IPFS with the hash “bafybeia2pskjjyxn2nyv5djpdqusz4myivoyd42mwji2e6oj7qfybcyz7a”. The malicious JavaScript snippet is under “cdn-npm[.]xyz”, another domain that spoofs npmjs.com. The following domains were all registered in close succession, suggesting that the domains were purpose registered as part of a recent drainer campaign:

  • npm-js[.]top (registered on May 12th 2024)
  • cdn-bunny[.]com (registered on May 26th 2024)
  • cdn-npm[.]xyz (registered on June 2nd 2024)

These domains are likely used to hide the malicious payload from security professionals, while centralizing configuration of the crypto drainer. This allows the criminal to later change the destination wallet address (which would not be possible had this configuration been stored solely in IPFS).

The CDN look-alikes may be indicative of attacks across the software supply chain more generally, potentially allowing criminals to hide malicious code in legitimate sites while evading detection.
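As an added example (not Netcraft's tooling), the following script applies the look-alike check a defender could run over a page's external script sources: it extracts the host of every script src, skips hosts whose registered domain is on a short allow-list of real CDN and package-registry domains, and flags any remaining host that borrows a brand word such as npm or bunny. The HTML is constructed, the allow-list and brand words are assumptions, and the two-label registered-domain rule is a simplification.

```python
"""Flag look-alike CDN and package-registry hosts among a page's script sources.

Added example, not Netcraft's code. The HTML is constructed, the allow-list and
brand tokens are assumptions, and the registered-domain rule (last two labels)
is a deliberate simplification that gets multi-part suffixes such as co.uk wrong.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Registered domains scripts are legitimately loaded from (assumed allow-list).
KNOWN_GOOD = {"npmjs.com", "unpkg.com", "jsdelivr.net", "cloudflare.com",
              "bunny.net", "b-cdn.net"}

# Brand words a look-alike tends to borrow, mapped to the real domain.
BRAND_TOKENS = {"npm": "npmjs.com", "unpkg": "unpkg.com", "jsdelivr": "jsdelivr.net",
                "cdnjs": "cloudflare.com", "bunny": "bunny.net"}


class ScriptSources(HTMLParser):
    """Collect the src attribute of every <script> tag."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.sources.append(value)


def script_hosts(html):
    """Hostnames of external scripts; same-origin relative paths have none and are skipped."""
    parser = ScriptSources()
    parser.feed(html)
    hosts = [urlsplit(src).hostname for src in parser.sources]
    return [h for h in hosts if h]


def registered_domain(host):
    """Simplified eTLD+1: the last two labels of the host."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def lookalike_brand(host):
    """Return the real domain a non-allow-listed host appears to imitate, or None.

    Matches a brand word either as its own label piece (cdn-bunny) or glued into
    a longer piece (cdnbunny). Deliberately aggressive: this is a triage signal.
    """
    if registered_domain(host) in KNOWN_GOOD:
        return None
    pieces = set(re.split(r"[.\-_]", host.lower()))
    for word, real in BRAND_TOKENS.items():
        if word in pieces or any(word in p for p in pieces if len(p) > len(word)):
            return real
    return None


def audit_page(html):
    """Map each flagged external script host to the domain it imitates."""
    findings = {}
    for host in script_hosts(html):
        real = lookalike_brand(host)
        if real:
            findings[host] = real
    return findings


# Constructed page: a cloned project site pulling its "library" from look-alike hosts.
SAMPLE_HTML = """
<html><head>
<script src="https://cdn.jsdelivr.net/npm/web3/dist/web3.min.js"></script>
<script src="/assets/app.js"></script>
<script src="https://npm-js.top/web3.min.js"></script>
<script src="//cdn-bunny.com/loader.js"></script>
<script src="https://cdn-npm.xyz/config.js" async></script>
<script src="https://static.example-project.org/main.js"></script>
</head><body></body></html>
"""

if __name__ == "__main__":
    for host, real in audit_page(SAMPLE_HTML).items():
        print(f"{host}: looks like {real} but is not an allow-listed host")
```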

Disrupting new attacks at scale

Netcraft provides cybercrime detection, disruption, and takedown services to organizations worldwide, including 17 of the top 50 global banks and many of the largest cryptocurrency exchanges in the world. While currently disrupting more than 100 unique attack types, Netcraft teams and systems are constantly monitoring unique and innovative attacks, like crypto drainer scams, to protect the world from cybercrime.

Netcraft’s unique visibility across web-based financial fraud allows us to provide comprehensive intelligence feeds with payment details sourced from criminal activity across various cryptocurrencies as well as bank accounts around the world. This includes proprietary intelligence gathered with our new Conversational Scam Intelligence service which proactively extracts crypto wallets, mule accounts, and other forms of actionable intelligence from peer-to-peer messaging scams.

Netcraft first detected and acted on a malicious IPFS hash as far back as 2016 and we continue to detect, block, and mitigate malicious content hashes on the IPFS network every day. At the time of writing, we’ve completed over 15,000 IPFS gateway phishing takedowns.

To find out more about how Netcraft can help, book a demo with our expert team.

]]>
June 2024 Web Server Survey https://www.netcraft.com/blog/june-2024-web-server-survey/ Fri, 28 Jun 2024 19:40:00 +0000 https://www.netcraft.com/?p=23416

In the June 2024 survey we received responses from 1,101,431,853 sites across 269,118,919 domains and 12,865,432 web-facing computers. This reflects an increase of 4.0 million sites, an increase of 981,220 domains, and a decrease of 33,027 web-facing computers.

OpenResty experienced the largest gain of 4.6 million sites (+4.01%) this month, and now accounts for 10.8% (+0.38pp) of sites seen by Netcraft. Cloudflare made the next largest gain of 3.2 million sites (+2.66%).

Apache experienced the largest loss of 4.8 million sites (-2.23%) this month, reducing its market share to 19.3% (-0.51pp). LiteSpeed suffered the next largest loss, down by 1.1 million sites (-2.24%).

Vendor news

  • njs 0.8.5 was released on June 25th, primarily containing bug fixes. Earlier this month its source code was moved to GitHub.
  • freenginx 1.27.1 was released on June 4th. New features include support for limiting the number of headers in a HTTP request, and support for additional authentication mechanisms in its mail proxying module.
  • LiteSpeed 6.3 was released on June 26th, containing new features, improvements, and bug fixes. The new features are mainly security-related.
  • Apache Tomcat versions 9.0.90, 10.1.25, and 11.0.0-M21 were released.
  • Amazon announced its plan to launch a new AWS region in Taipei, Taiwan by early 2025.
Total number of websites
Web server market share
Developer | May 2024 | Percent | June 2024 | Percent | Change (pp)
nginx | 236,239,936 | 21.53% | 235,170,823 | 21.35% | -0.18
Apache | 217,239,604 | 19.80% | 212,402,611 | 19.28% | -0.51
Cloudflare | 118,561,124 | 10.80% | 121,715,882 | 11.05% | 0.25
OpenResty | 114,268,616 | 10.41% | 118,852,803 | 10.79% | 0.38

Web server market share for active sites
Developer | May 2024 | Percent | June 2024 | Percent | Change (pp)
Apache | 37,106,437 | 19.17% | 36,784,011 | 19.13% | -0.04
nginx | 34,944,050 | 18.06% | 34,778,931 | 18.09% | 0.03
Cloudflare | 28,767,697 | 14.86% | 28,457,465 | 14.80% | -0.07
Google | 19,116,508 | 9.88% | 19,253,340 | 10.01% | 0.14

For more information see Active Sites.

Web server market share for top million busiest sites
Developer | May 2024 | Percent | June 2024 | Percent | Change (pp)
Cloudflare | 228,120 | 22.81% | 230,996 | 23.10% | 0.29
nginx | 204,238 | 20.42% | 205,005 | 20.50% | 0.08
Apache | 197,994 | 19.80% | 196,945 | 19.69% | -0.10
Microsoft | 46,476 | 4.65% | 45,441 | 4.54% | -0.10

Web server market share for computers
Developer | May 2024 | Percent | June 2024 | Percent | Change (pp)
nginx | 4,991,558 | 38.70% | 4,983,288 | 38.73% | 0.04
Apache | 3,200,253 | 24.81% | 3,179,967 | 24.72% | -0.09
Microsoft | 1,166,629 | 9.04% | 1,162,544 | 9.04% | -0.01

Web server market share for domains
Developer | May 2024 | Percent | June 2024 | Percent | Change (pp)
nginx | 59,369,976 | 22.14% | 58,833,354 | 21.86% | -0.28
Apache | 56,703,726 | 21.15% | 56,621,922 | 21.04% | -0.11
OpenResty | 47,234,776 | 17.62% | 48,342,096 | 17.96% | 0.35
Cloudflare | 22,741,959 | 8.48% | 23,150,381 | 8.60% | 0.12
]]>