[False Negative]: add 19 phishing domains (ads[.]goolge[.]site, paytrace-app[.]co[.]com, ...)
[!IMPORTANT]
Executive Summary
This report documents 19 domain(s) that have been identified as part of active phishing operations. These domains exhibit characteristics consistent with malicious infrastructure and pose an immediate security risk to internet users.
The following 19 domain(s) have been analyzed and confirmed as participating in phishing campaign(s):
- ads.goolge.site
- paytrace-app.co.com
- scotia-connect.co.com
- scotanomect.cc
- scotlacomp.cc
- sparrowwallef.com
- u-tronscan.com
- amehuns.cc
- stinglebom.cc
- hyper-liquid.to
- orca-finance.org
- changenow-swap.org
- changenow-exchange.org
- simplswap.org
- official-ledgrlive.com
- jup-dex.org
- shop-bitboxswiss.de
- bifboxswiss.de
- srvclouds.com
Threat Analysis
Phishing Attack Details
These domains are part of a phishing campaign targeting cryptocurrency companies and cryptocurrency holders/investors. Attackers may use fake login pages, fake Web3 wallet connection prompts, fake cryptocurrency exchange/swap interfaces, or modified/malicious software to steal cryptocurrency seed phrases/keys.
Technical Details
- Cloaked. If a request does not satisfy certain internal rules of the attacker, it may be redirected to a non-existent subdomain ("www.www.") or to a legitimate website, or it may be served an HTTP error (403, 404, 502, etc.), an SSL certificate error, infinite loading, a fake Cloudflare (or other service) CAPTCHA, or content that differs from the phishing page. A scan from a client that does not pass these rules therefore may not observe the phishing content itself.
Detections & Targeted Brands
- ads.goolge.site targets Google
  - VirusTotal: 6 detections - https://www.virustotal.com/gui/domain/ads.goolge.site/detection
  - Listed on APVA - https://api.antiphish.org/v1/lookup?host=ads.goolge.site
- paytrace-app.co.com targets Alpaca Finance (alpacafinance.org)
  - VirusTotal: 0 detections - https://www.virustotal.com/gui/domain/paytrace-app.co.com/detection
- scotia-connect.co.com targets Scotiabank (scotiabank.com)
  - VirusTotal: 14 detections - https://www.virustotal.com/gui/domain/scotia-connect.co.com/detection
  - Listed on Spamhaus - https://check.spamhaus.org/results/?query=scotia-connect.co.com
  - Listed on APVA - https://api.antiphish.org/v1/lookup?host=scotia-connect.co.com
- scotanomect.cc targets Scotiabank (scotiabank.com)
  - VirusTotal: 12 detections - https://www.virustotal.com/gui/domain/scotanomect.cc/detection
  - Listed on Spamhaus - https://check.spamhaus.org/results/?query=scotanomect.cc
- scotlacomp.cc targets Scotiabank (scotiabank.com)
  - VirusTotal: 12 detections - https://www.virustotal.com/gui/domain/scotlacomp.cc/detection
  - Listed on Spamhaus - https://check.spamhaus.org/results/?query=scotlacomp.cc
- sparrowwallef.com targets Sparrow Wallet (sparrowwallet.com)
  - VirusTotal: 5 detections - https://www.virustotal.com/gui/domain/sparrowwallef.com/detection
  - Listed on APVA - https://api.antiphish.org/v1/lookup?host=sparrowwallef.com
- u-tronscan.com targets Tronscan (tronscan.org)
  - VirusTotal: 2 detections - https://www.virustotal.com/gui/domain/u-tronscan.com/detection
  - Listed on Spamhaus - https://check.spamhaus.org/results/?query=u-tronscan.com
  - Listed on APVA - https://api.antiphish.org/v1/lookup?host=u-tronscan.com
- amehuns.cc targets Amegy Bank of Texas
  - VirusTotal: 13 detections - https://www.virustotal.com/gui/domain/amehuns.cc/detection
  - Listed on Spamhaus - https://check.spamhaus.org/results/?query=amehuns.cc
- stinglebom.cc targets U.S. Bank (usbank.com)
  - VirusTotal: 13 detections - https://www.virustotal.com/gui/domain/stinglebom.cc/detection
  - Listed on Spamhaus - https://check.spamhaus.org/results/?query=stinglebom.cc
- hyper-liquid.to targets Hyperliquid (hyperliquid.xyz)
  - VirusTotal: 2 detections - https://www.virustotal.com/gui/domain/hyper-liquid.to/detection
  - Listed on APVA - https://api.antiphish.org/v1/lookup?host=hyper-liquid.to
- orca-finance.org targets Orca Finance
  - VirusTotal: 5 detections - https://www.virustotal.com/gui/domain/orca-finance.org/detection
  - Listed on APVA - https://api.antiphish.org/v1/lookup?host=orca-finance.org
- changenow-swap.org targets ChangeNOW (changenow.io)
  - VirusTotal: 4 detections - https://www.virustotal.com/gui/domain/changenow-swap.org/detection
- changenow-exchange.org targets ChangeNOW (changenow.io)
  - VirusTotal: 3 detections - https://www.virustotal.com/gui/domain/changenow-exchange.org/detection
- simplswap.org targets SimpleSwap (simpleswap.io)
  - VirusTotal: 3 detections - https://www.virustotal.com/gui/domain/simplswap.org/detection
- official-ledgrlive.com targets Ledger Live (ledger.com)
  - VirusTotal: 18 detections - https://www.virustotal.com/gui/domain/official-ledgrlive.com/detection
- jup-dex.org targets JupiterSwap (jup.ag)
  - VirusTotal: 12 detections - https://www.virustotal.com/gui/domain/jup-dex.org/detection
  - Listed on Spamhaus - https://check.spamhaus.org/results/?query=jup-dex.org
  - Listed on APVA - https://api.antiphish.org/v1/lookup?host=jup-dex.org
- shop-bitboxswiss.de targets Bitbox Swiss (bitbox.swiss)
  - VirusTotal: 0 detections - https://www.virustotal.com/gui/domain/shop-bitboxswiss.de/detection
- bifboxswiss.de targets Bitbox Swiss (bitbox.swiss)
  - VirusTotal: 1 detection - https://www.virustotal.com/gui/domain/bifboxswiss.de/detection
- srvclouds.com targets Sparrow Wallet (sparrowwallet.com)
  - VirusTotal: 6 detections - https://www.virustotal.com/gui/domain/srvclouds.com/detection
  - Listed on APVA - https://api.antiphish.org/v1/lookup?host=srvclouds.com
Diagrams
Phishing Campaign Mindmap Overview
```mermaid
%%{init: {'theme': 'base', 'themeVariables': {'primaryColor': '#f97316', 'primaryTextColor': '#ffffff', 'primaryBorderColor': '#ea580c', 'lineColor': '#fb923c', 'secondaryColor': '#fed7aa', 'tertiaryColor': '#fff7ed'}}}%%
mindmap
  root((Phishing Campaign<br/>19 domains))
    ))TARGETS((
      ["Scotiabank"]
        (scotia-connect.co.com)
        (scotanomect.cc)
        (scotlacomp.cc)
      ["Sparrow Wallet"]
        (sparrowwallef.com)
        (srvclouds.com)
      ["ChangeNOW"]
        (changenow-swap.org)
        (changenow-exchange.org)
      ["Bitbox Swiss"]
        (shop-bitboxswiss.de)
        (bifboxswiss.de)
      ["Google"]
        (ads.goolge.site)
      ["Alpaca Finance"]
        (paytrace-app.co.com)
      ["Tronscan"]
        (u-tronscan.com)
      ["Amegy Bank of Texas"]
        (amehuns.cc)
      ["U.S. Bank"]
        (stinglebom.cc)
      ["Hyperliquid"]
        (hyper-liquid.to)
      ["Orca Finance"]
        (orca-finance.org)
      ["SimpleSwap"]
        (simplswap.org)
      ["Ledger Live"]
        (official-ledgrlive.com)
      ["JupiterSwap"]
        (jup-dex.org)
    ))INFRASTRUCTURE((
      {{"AS13335 Cloudflare"}}
        188.114.96.3
        188.114.97.3
      {{"AS47583 Hostinger International Limited"}}
        92.113.16.253
        92.113.23.174
      {{"AS400992 ZhouyiSat Communications"}}
        193.46.217.224
      {{"AS209274 Kraken Network ISP"}}
        151.243.109.114
      {{"AS214943 Railnet"}}
        91.92.243.31
      {{"AS46606 Unified Layer"}}
        162.215.253.186
      {{"AS16509 Amazon.com"}}
        52.213.114.86
      {{"AS20473 The Constant Company"}}
        149.28.87.102
    ))REGISTRARS((
      ("NICENIC INTERNATIONAL GROUP CO., LIMITED")
      ("CSL Computer Service Langenbach GmbH d/b/a joker.com")
      ("Porkbun LLC")
      ("Hosting Concepts B.V. d/b/a Registrar.eu")
      ("Government of Kingdom of Tonga")
      ("Eranet International Limited")
      ("HOSTINGER operations, UAB")
      ("Gname.com Pte. Ltd.")
      ("NameSilo, LLC")
```
Phishing Campaign Full Overview (v1)
```mermaid
%%{init: {'theme': 'base', 'themeVariables': {'primaryColor': '#6366f1', 'primaryTextColor': '#ffffff', 'primaryBorderColor': '#4f46e5', 'lineColor': '#a5b4fc', 'secondaryColor': '#e0e7ff', 'tertiaryColor': '#eef2ff'}}}%%
flowchart LR
    subgraph BRANDS["TARGET BRANDS"]
        direction TB
        B1["Scotiabank"]
        B2["Sparrow Wallet"]
        B3["ChangeNOW"]
        B4["Bitbox Swiss"]
        B5["Google"]
        B6["Alpaca Finance"]
        B7["Tronscan"]
        B8["Amegy Bank of Texas"]
        B9["U.S. Bank"]
        B10["Hyperliquid"]
        B11["Orca Finance"]
        B12["SimpleSwap"]
        B13["Ledger Live"]
        B14["JupiterSwap"]
    end
    subgraph DOMAINS["PHISHING DOMAINS"]
        direction TB
        D1([ads.goolge.site])
        D2([paytrace-app.co.com])
        D3([scotia-connect.co.com])
        D4([scotanomect.cc])
        D5([scotlacomp.cc])
        D6([sparrowwallef.com])
        D7([u-tronscan.com])
        D8([amehuns.cc])
        D9([stinglebom.cc])
        D10([hyper-liquid.to])
        D11([orca-finance.org])
        D12([changenow-swap.org])
        D13([changenow-exchange.org])
        D14([simplswap.org])
        D15([official-ledgrlive.com])
        D16([jup-dex.org])
        D17([shop-bitboxswiss.de])
        D18([bifboxswiss.de])
        D19([srvclouds.com])
    end
    subgraph SPACER1[" "]
        direction TB
        S1[ ]
        S2[ ]
    end
    subgraph HOSTING["HOSTING INFRASTRUCTURE"]
        direction TB
        subgraph CF["AS13335 Cloudflare"]
            IP1{{188.114.96.3}}
            IP2{{188.114.97.3}}
        end
        subgraph NC["AS47583 Hostinger International Limited"]
            IP3{{92.113.16.253}}
            IP4{{92.113.23.174}}
        end
        subgraph LN["AS400992 ZhouyiSat Communications"]
            IP5{{193.46.217.224}}
        end
        subgraph HO["AS209274 Kraken Network ISP"]
            IP6{{151.243.109.114}}
        end
        subgraph MR["AS214943 Railnet"]
            IP7{{91.92.243.31}}
        end
        subgraph GC["AS46606 Unified Layer"]
            IP8{{162.215.253.186}}
        end
        subgraph AZ["AS16509 Amazon.com"]
            IP9{{52.213.114.86}}
        end
        subgraph DO["AS20473 The Constant Company"]
            IP10{{149.28.87.102}}
        end
    end
    subgraph SPACER2[" "]
        direction TB
        S3[ ]
        S4[ ]
    end
    subgraph REGISTRARS["REGISTRARS"]
        direction TB
        R1[("NICENIC INTERNATIONAL GROUP CO., LIMITED")]
        R2[("CSL Computer Service Langenbach GmbH d/b/a joker.com")]
        R3[("Porkbun LLC")]
        R4[("Hosting Concepts B.V. d/b/a Registrar.eu")]
        R5[("Government of Kingdom of Tonga")]
        R6[("Eranet International Limited")]
        R7[("HOSTINGER operations, UAB")]
        R8[("Gname.com Pte. Ltd.")]
        R9[("NameSilo, LLC")]
    end
    B5 -.-> D1
    B6 -.-> D2
    B1 -.-> D3
    B1 -.-> D4
    B1 -.-> D5
    B2 -.-> D6
    B7 -.-> D7
    B8 -.-> D8
    B9 -.-> D9
    B10 -.-> D10
    B11 -.-> D11
    B3 -.-> D12
    B3 -.-> D13
    B12 -.-> D14
    B13 -.-> D15
    B14 -.-> D16
    B4 -.-> D17
    B4 -.-> D18
    B2 -.-> D19
    D1 --> S1
    S1 --> IP1
    D2 --> S2
    S2 --> IP2
    D3 --> IP5
    D4 --> IP5
    D5 --> IP5
    D6 --> IP6
    D7 --> IP2
    D7 --> IP1
    D8 --> IP5
    D9 --> IP5
    D10 --> IP7
    D11 --> IP7
    D12 --> IP7
    D13 --> IP7
    D14 --> IP7
    D15 --> IP8
    D16 --> IP7
    D17 --> IP9
    D18 --> IP3
    D18 --> IP4
    D19 --> IP10
    IP1 --> S3
    S3 --> R1
    IP10 --> S4
    S4 --> R1
    D1 --- R7
    D4 --- R1
    D5 --- R1
    D6 --- R4
    D7 --- R8
    D8 --- R1
    D9 --- R1
    D10 --- R5
    D11 --- R3
    D12 --- R2
    D13 --- R2
    D14 --- R2
    D15 --- R6
    D16 --- R3
    D19 --- R9
    classDef brandStyle fill:#dc2626,stroke:#991b1b,stroke-width:2px,color:#fff
    classDef domainStyle fill:#7c3aed,stroke:#5b21b6,stroke-width:2px,color:#fff
    classDef ipStyle fill:#0891b2,stroke:#0e7490,stroke-width:2px,color:#fff
    classDef registrarStyle fill:#d97706,stroke:#b45309,stroke-width:2px,color:#fff
    classDef invisible fill:none,stroke:none,color:transparent
    classDef invisibleSubgraph fill:none,stroke:none
    class B1,B2,B3,B4,B5,B6,B7,B8,B9,B10,B11,B12,B13,B14 brandStyle
    class D1,D2,D3,D4,D5,D6,D7,D8,D9,D10,D11,D12,D13,D14,D15,D16,D17,D18,D19 domainStyle
    class IP1,IP2,IP3,IP4,IP5,IP6,IP7,IP8,IP9,IP10 ipStyle
    class R1,R2,R3,R4,R5,R6,R7,R8,R9 registrarStyle
    class S1,S2,S3,S4 invisible
    class SPACER1,SPACER2 invisibleSubgraph
    linkStyle 19,20,21,22,42,43,44,45 stroke:none
```
Phishing Campaign Registrars Pie Chart
```mermaid
%%{init: {'theme': 'base', 'themeVariables': {'primaryColor': '#6366f1', 'pieStrokeColor': '#1e1b4b', 'pieStrokeWidth': '2px', 'pieSectionTextColor': '#ffffff', 'pieLegendTextColor': '#1e1b4b', 'pieOuterStrokeColor': '#312e81'}}}%%
pie showData
    title Domain Registrars Distribution
    "NICENIC INTERNATIONAL GROUP CO., LIMITED" : 4
    "CSL Computer Service Langenbach GmbH d/b/a joker.com" : 3
    "Porkbun LLC" : 2
    "Hosting Concepts B.V. d/b/a Registrar.eu" : 1
    "Government of Kingdom of Tonga" : 1
    "Eranet International Limited" : 1
    "HOSTINGER operations, UAB" : 1
    "Gname.com Pte. Ltd." : 1
    "NameSilo, LLC" : 1
```
Phishing Campaign ASN Hosting Pie Chart
```mermaid
%%{init: {'theme': 'base', 'themeVariables': {'primaryColor': '#6366f1', 'pieStrokeColor': '#1e1b4b', 'pieStrokeWidth': '2px', 'pieSectionTextColor': '#ffffff', 'pieLegendTextColor': '#1e1b4b', 'pieOuterStrokeColor': '#312e81'}}}%%
pie showData
    title ASN Hosting Distribution
    "AS214943 Railnet" : 6
    "AS400992 ZhouyiSat Communications" : 5
    "AS13335 Cloudflare" : 3
    "AS209274 Kraken Network ISP" : 1
    "AS46606 Unified Layer" : 1
    "AS16509 Amazon.com" : 1
    "AS47583 Hostinger International Limited" : 1
    "AS20473 The Constant Company" : 1
```
Screenshots
(Screenshots for some scans may not display or may not contain complete or correct content for various reasons, which can be seen on the specific scan page)
Scans
- ads.goolge.site - https://urlscan.io/result/019b3772-c601-75c9-be68-0fe7e1b1e7be/
- paytrace-app.co.com - https://urlscan.io/result/019b3772-ecac-771a-8924-2a7e4ec62c0b/
- scotia-connect.co.com - https://urlscan.io/result/019b3773-f17c-715f-8177-e851b7e82987/
- scotanomect.cc - https://urlscan.io/result/019b3774-2fa8-75f3-af36-33cb66e8b306/
- scotlacomp.cc - https://urlscan.io/result/019b3774-74a9-73c0-b86c-f3c60c5227a5/
- sparrowwallef.com - https://urlscan.io/result/019b3774-a890-7736-8e4e-2ad8cae0f15b/
- u-tronscan.com - https://urlscan.io/result/019b3775-9adf-7564-b8f0-1f9cf793fdb2/
- amehuns.cc - https://urlscan.io/result/019b3775-c4df-74e7-84cf-53ddaf40340b/
- stinglebom.cc - https://urlscan.io/result/019b3775-e859-74df-91fe-9d297aa07514/
- hyper-liquid.to - https://urlscan.io/result/019b3776-0d04-773e-9543-2de232a8e636/
- orca-finance.org - https://urlscan.io/result/019b3777-65f4-74ed-8056-6b85d18b7415/
- changenow-swap.org - https://urlscan.io/result/019b3777-bef9-7631-85fb-07817a537478/
- changenow-exchange.org - https://urlscan.io/result/019b3777-d524-77c8-b028-f659d0e19a25/
- simplswap.org - https://urlscan.io/result/019b3778-c43e-753e-b25e-ab7f55eeb19f/
- official-ledgrlive.com - https://urlscan.io/result/019b3778-f413-758f-b6ac-f4b6d3745729/
- jup-dex.org - https://urlscan.io/result/019b3776-fb59-7255-a1bc-3abbc2877bc0/
- shop-bitboxswiss.de - https://urlscan.io/result/019b3772-7742-720f-9531-79761ba98fe1/
- bifboxswiss.de - https://urlscan.io/result/019b3772-9997-7579-a10f-abf73799b3de/
- srvclouds.com - https://urlscan.io/result/019b3772-ffcd-710a-8135-0e4fa3cee035/
Report Metadata ID: 5d236b9fd35ae6b8add | Timestamp: 19.12.2025 17:17:33 UTC | Domains: 19 | (Total) Detections: VT: 131 | Spamhaus: 7 | APVA: 8 | Attack Vector: Phishing