Down the Domain Research Rabbit Hole

Let's face it, being anonymous is hard if you're managing a large volume of scams. You have to be able to hide your tracks really well and assume no one is going to take the time to go far enough down the rabbit hole to find anything useful.

Turns out, I'm on vacation this week, and what better way to spend it then heading down a rabbit hole.

Pivoting from the 12 domains and the email addresses mentioned in the last post, it looks like there are several similar domains using the same name server.  That brings the full list to:

  • bin-core[.]com
  • bit-camp[.]com
  • bit-cron[.]com
  • bit-ext[.]com
  • bit-green[.]com
  • bit-investor[.]com
  • bit-thor[.]com
  • camp-bit[.]com
  • camp-token[.]com
  • chain-bit[.]com
  • coin-bin[.]com
  • cron-bit[.]com
  • crypto-floor[.]com
  • ext-bit[.]com
  • first-token[.]com
  • flow-bit[.]com
  • link-token[.]com
  • market-token[.]com
  • more-bit[.]com
  • set-bit[.]com
  • temp-bit[.]com
  • token-club[.]com
  • token-next[.]com
  • token-smart[.]com
  • vrytex[.]com
  • wall-bit[.]com
If these domains weren't so similar I might dismiss them for having been associated with the previous sites via the name server, but that pattern with the hyphen is just too compelling to be a coincidence.

The one outlier is vrytex[.]com, and that one is also registered with ovidiilapin2872@list.ru.




Vrytex[.]com has been associated with some trading scams and only been registered since January 8th 2022.  Perhaps at one point they were attempting to create a legitimate crypto exchange, but given the association with all the above sites my guess is that it was always meant to be some kind of fly by night scam exchange.

There's a fairly recent reddit post on vrytex[.]com here:
https://www.reddit.com/r/Scams/comments/s1nvo3/vrytex_global_is_a_crypto_scam/

It seems if you sign up your account appears to be credited with BTC, but you have to deposit more money before you can withdraw.  However, you never really own the BTC.  At best this is a centralized cryptocurrency exchange.  Not your keys, not your crypto. With an honest centralized cryptocurrency exchange, you might not have your keys but you trust the exchange is keeping an accurate ledger and is holding crypto on your behalf that you can withdraw at any time.

With a dishonest or scam centralized exchange, you can't actually withdraw anything, and if you deposit the centralized exchange might make it seem like you have funds in your account, but really you'll never be able to withdraw them.  You're just giving them your money.

If anyone knows anything about the wallets associated with this exchange it might be time to pivot over to some block chain analysis to see if we can learn more about how they operate.


Comments

Post a Comment

Popular posts from this blog

NameSilo Abuse Reporting

Image
On Sunday I sent a message to NameSilo (abuse@namesilo.com) regarding the following token scam websites: guildofguardianes[.]com guildofguardians[.]net guildofguardian[.]net guildofguardians[.]cc It's hard to predict the response for any given domain registrar.  Some are really responsive, but in my experience if you want to get something done quickly you need some kind of pre-existing relationship with the registrar in question.  This is where companies like Phishlabs (https://www.phishlabs.com/) shine with their brand protection services as they automate the process of requesting takedowns for their clients and invest in maintaining strong relationships with registrars. As an independent researcher, my success with getting sites taken down varies. In this case I received an automated response directing me to their "Report Phishing Form" hosted at https://new.namesilo.com/phishing_report. I can only imagine the volume of phishing reports this registrar gets, and there
Read more

More Sites Taken Down

 Last week I received responses from NameSilo confirming they took action on the following domains: zerions[.]info zerions[.]com guildofguardians[.]org guildsofguardians[.]me guildofguardians[.]top I'm very impressed with NameSilo's response time, they've been very cooperative.  If anyone from NameSilo happens to read this article, thank you so much! I still have several domains to work my way through hosted on the same servers.  It's easy to drown in the amount of scams around crypto, so I try to focus on Guild of Guardians related scams, but it's difficult to leave the others hanging.  I'm hoping to get through reporting the rest of the domains soon. A bit of a short update, but it's been a bit of a crazy week last week.  Will write up a more comprehensive update this week. Stay safe out there, and if you see anything suspicious you can always reach me @gogscamtracker on Twitter or email report@gogscamtracker.com.
Read more

Down MetaMask Impersonation Rabbit Hole

Image
It's Friday night.  I should be doing something else.  I have a VR headset literally two feet away from me collecting dust, and what I am I doing?  I'm scouring the internet for more sites that have implemented a specific MetaMask impersonation technique. I created a short video demonstrating the technique, and if you're curious you can check it out here: https://youtu.be/OJu9HlJ2wsc At first it was just a few Guild of Guardians sites that I found and managed to get taken down, but shortly after I decided to leverage dnstwist to find some additional look-a-like domains, and after adding the tld swap option I uncovered even more. I noticed a pattern though, two IP addresses kept coming up in connection with this particular MetaMask impersonation: 5.61.58.93 and  45.136.50.34 If you want to know what all is hosted on a particular server you can leverage tools like VirusTotal.  In some cases you'll come across IP addresses used by shared hosting providers, in other words y
Read more