
[False Negative]: add 8 phishing domains (blswap[.]org, v2-velodrorne[.]net, ...)

Open ninjacatcher opened this issue 5 months ago • 0 comments

Executive Summary

This report documents 8 domain(s) that have been identified as part of active phishing operations. These domains exhibit characteristics consistent with malicious infrastructure and pose an immediate security risk to internet users.

The following 8 domain(s) have been analyzed and confirmed as participating in phishing campaign(s):


Threat Analysis

Phishing Attack Details

These domains are part of a phishing campaign targeting companies and cryptocurrency holders/investors. The attackers use fake login pages and tampered software to steal seeds/keys.

Technical Details

  • Use Cloudflare (maybe Pro or Business) accounts.
  • Cloaked: if the request does not comply with the rules, it is redirected to a non-existent subdomain "www.www." (in most cases).

Detections

  • blswap.org - 1 detection - https://www.virustotal.com/gui/domain/blswap.org/detection
  • v2-velodrorne.net - 2 detections - https://www.virustotal.com/gui/domain/v2-velodrorne.net/detection
  • ve1odrome.net - 9 detections - https://www.virustotal.com/gui/domain/ve1odrome.net/detection
  • v2-thorswap.xyz - 3 detections - https://www.virustotal.com/gui/domain/v2-thorswap.xyz/detection
  • app.thorrswap.finance - 13 detections - https://www.virustotal.com/gui/domain/app.thorrswap.finance/detection
  • thor-swap-thorswap.com - 2 detections - https://www.virustotal.com/gui/domain/thor-swap-thorswap.com/detection
  • biswap.app-2v.com - 0 detections - https://www.virustotal.com/gui/domain/biswap.app-2v.com/detection
  • velodrome.velo-main.net - 0 detections - https://www.virustotal.com/gui/domain/velodrome.velo-main.net/detection

Targeted Brands

  • blswap.org - Biswap (biswap.org)
  • v2-velodrorne.net - Velodrome Finance (velodrome.finance)
  • ve1odrome.net - Velodrome Finance (velodrome.finance)
  • v2-thorswap.xyz - ThorSwap (thorswap.finance)
  • app.thorrswap.finance - ThorSwap (thorswap.finance)
  • thor-swap-thorswap.com - ThorSwap (thorswap.finance)
  • biswap.app-2v.com - Biswap (biswap.org)
  • velodrome.velo-main.net - Velodrome Finance (velodrome.finance)

Temporal Information

  • Date of Identification and Submission: 2025-07-21 04:55 UTC
  • Estimated Campaign Activity Start: Approximately 7-14 days prior to detection

Screenshots

(If screenshots are not displayed, see the scans pages)


Scans

  • blswap.org - https://urlscan.io/result/01982b4e-09fd-76ab-b8ab-6559731f22b0/
  • v2-velodrorne.net - https://urlscan.io/result/01982b4e-0e93-7160-a899-2dee244a635a/
  • ve1odrome.net - https://urlscan.io/result/01982b4e-13ea-72e9-8006-887b3729af08/
  • v2-thorswap.xyz - https://urlscan.io/result/01982b4e-18a4-7752-915c-f05e0e11d2ca/
  • app.thorrswap.finance - https://urlscan.io/result/01982b4e-1d63-7461-b9cd-28eec7e187ef/
  • thor-swap-thorswap.com - https://urlscan.io/result/01982b4f-0c4b-741d-a896-79b65504d38b/
  • biswap.app-2v.com - https://urlscan.io/result/01982b4e-09fd-76ab-b8ab-6559731f22b0/
  • velodrome.velo-main.net - https://urlscan.io/result/01982b4e-0e93-7160-a899-2dee244a635a/

ninjacatcher, Jul 21 '25 04:07