
[False Negative]: add 17 phishing domains (tronlink[.]com[.]co, electrum[.]com[.]vc, ...)

Open ninjacatcher opened this issue 4 months ago • 0 comments

Executive Summary

This report documents 17 domain(s) that have been identified as part of active phishing operations. These domains exhibit characteristics consistent with malicious infrastructure and pose an immediate security risk to internet users.

The following 17 domain(s) have been analyzed and confirmed as participating in phishing campaign(s):

Threat Analysis

Phishing Attack Details

These domains are part of a phishing campaign targeting companies and cryptocurrency holders/investors. The attackers use fake login pages and tampered software to steal seeds/keys.

Technical Details

  • Use Cloudflare (maybe Pro or Business) accounts.
  • Cloaked: if the request does not comply with the rules, it is redirected to a non-existent subdomain "www.www." (in most cases).

Detections

  • tronlink.com.co - 5 detections - https://www.virustotal.com/gui/domain/tronlink.com.co/detection
  • electrum.com.vc - 2 detections - https://www.virustotal.com/gui/domain/electrum.com.vc/detection
  • trustsafpal.com - 2 detections - https://www.virustotal.com/gui/domain/trustsafpal.com/detection
  • pancakswap.org - 6 detections - https://www.virustotal.com/gui/domain/pancakswap.org/detection
  • coinbase002.xyz - 5 detections - https://www.virustotal.com/gui/domain/coinbase002.xyz/detection
  • coinbase003.xyz - 7 detections - https://www.virustotal.com/gui/domain/coinbase003.xyz/detection
  • coinbase001.xyz - 4 detections - https://www.virustotal.com/gui/domain/coinbase001.xyz/detection
  • coinbase004.xyz - 4 detections - https://www.virustotal.com/gui/domain/coinbase004.xyz/detection
  • coinbase005.xyz - 4 detections - https://www.virustotal.com/gui/domain/coinbase005.xyz/detection
  • coinbase006.xyz - 6 detections - https://www.virustotal.com/gui/domain/coinbase006.xyz/detection
  • coinbase007.xyz - 11 detections - https://www.virustotal.com/gui/domain/coinbase007.xyz/detection
  • coinbase008.xyz - 4 detections - https://www.virustotal.com/gui/domain/coinbase008.xyz/detection
  • coinbase009.xyz - 12 detections - https://www.virustotal.com/gui/domain/coinbase009.xyz/detection
  • coinbase010.xyz - 4 detections - https://www.virustotal.com/gui/domain/coinbase010.xyz/detection
  • electrubtc.org - 0 detections - https://www.virustotal.com/gui/domain/electrubtc.org/detection
  • rfbuc.com - 10 detections - https://www.virustotal.com/gui/domain/rfbuc.com/detection
  • pancacefinance.com - 0 detections - https://www.virustotal.com/gui/domain/pancacefinance.com/detection

Targeted Brands

  • tronlink.com.co - TronLink (tronlink.org)
  • electrum.com.vc - Electrum (electrum.org)
  • trustsafpal.com - Safepal
  • pancakswap.org - PancakeSwap (pancakeswap.finance)
  • coinbase002.xyz - Coinbase (coinbase.com)
  • coinbase003.xyz - Coinbase (coinbase.com)
  • coinbase001.xyz - Coinbase (coinbase.com)
  • coinbase004.xyz - Coinbase (coinbase.com)
  • coinbase005.xyz - Coinbase (coinbase.com)
  • coinbase006.xyz - Coinbase (coinbase.com)
  • coinbase007.xyz - Coinbase (coinbase.com)
  • coinbase008.xyz - Coinbase (coinbase.com)
  • coinbase009.xyz - Coinbase (coinbase.com)
  • coinbase010.xyz - Coinbase (coinbase.com)
  • electrubtc.org - Electrum (electrum.org)
  • rfbuc.com - Randolph-Brooks Federal Credit Union (rbfcu.org)
  • pancacefinance.com - PancakeSwap (pancakeswap.finance)

Temporal Information

  • Date of Identification and Submission: 2025-07-31 18:05 UTC
  • Estimated Campaign Activity Start: Approximately 7-14 days prior to detection

Screenshots

(If screenshots are not displayed, see the scans pages)

Scans

  • tronlink.com.co - https://urlscan.io/result/0198619a-b475-74de-8a0a-73e556a8c0f5/
  • electrum.com.vc - https://urlscan.io/result/0198619a-b9f8-734a-bb65-ed24dfa1cb4a/
  • trustsafpal.com - https://urlscan.io/result/0198619a-c851-758b-a0da-200486d3669b/
  • pancakswap.org - https://urlscan.io/result/0198619b-bbe0-73a6-9edf-c8a2e4e6865d/
  • coinbase002.xyz - https://urlscan.io/result/0198619b-c08d-758a-866b-939555952100/
  • coinbase003.xyz - https://urlscan.io/result/0198619b-c52d-77aa-ab88-02cc466543f1/
  • coinbase001.xyz - https://urlscan.io/result/0198619c-b3f6-74e8-b9f7-2c8504068a1d/
  • coinbase004.xyz - https://urlscan.io/result/0198619c-b8cb-7287-b2ed-b26569e0baf0/
  • coinbase005.xyz - https://urlscan.io/result/0198619c-bd5f-7402-bf59-4880ec87a3c0/
  • coinbase006.xyz - https://urlscan.io/result/0198619c-c208-7638-a9a4-b1d30d7ce921/
  • coinbase007.xyz - https://urlscan.io/result/0198619d-b042-75af-943b-702f980fbb8e/
  • coinbase008.xyz - https://urlscan.io/result/0198619d-b4c7-7488-945e-85c6cb6df51d/
  • coinbase009.xyz - https://urlscan.io/result/0198619d-b842-73d9-a22d-096dfecc5228/
  • coinbase010.xyz - https://urlscan.io/result/0198619d-bd77-70ae-9155-6b5973d2d14f/
  • electrubtc.org - https://urlscan.io/result/0198619a-beb5-72cf-9931-f5e31c992775/
  • rfbuc.com - https://urlscan.io/result/0198619a-c344-75eb-940c-556f3beb1ac4/
  • pancacefinance.com - https://urlscan.io/result/0198619b-b800-755a-838e-e17e8f18b6c7/

ninjacatcher • Jul 31 '25 18:07