[OPEN] eXch Anti-Phishing Campaign

[Haunebu]

Does anyone see any of the remaining phishing domains as blocked or is there a warning message when trying to access them?

No difference for me. They seem immune to all of our efforts for some weird reason. Even exch.best got blacklisted which I mentioned in my previous post.

[ovcijisir]

Does anyone see any of the remaining phishing domains as blocked or is there a warning message when trying to access them?

No difference for me. They seem immune to all of our efforts for some weird reason. Even exch.best got blacklisted which I mentioned in my previous post.

Just to confirm this, the domains that remained are showed normally without any warning messages. Could be because of browser, I'm using chrome with no security add-ons.

[Pmalek]

We invite users who have reported the suspended domains (.center, .cc, .live, .cash) to send us an email to support@exch.cx using the object "eXch Bitcointalk Campaign Participant Information - [YOUR_USERNAME]" including your bitcoin address in the email.
We ask you to send us this email from the same email address you used to make the reports.

I tried to email you twice but I am getting " Your message wasn't delivered because the recipient's email provider rejected it" notifications. It's weird because I didn't have these problems when I forwarded the phishing emails to you. Can I PM you to confirm the email address I used to send the phishing reports and my BTC address?

[Haunebu]

Got a reply from Cyprus cybercrime police which I felt was quite bizarre to be honest. The manner in which they keep protecting these obvious scammers is just ludicrous.

I tried to email you twice but I am getting " Your message wasn't delivered because the recipient's email provider rejected it" notifications. It's weird because I didn't have these problems when I forwarded the phishing emails to you.

If you are using proton mail, that could be the issue. Try Gmail.

https://bitcointalk.org/index.php?topic=5535260.msg65214033#msg65214033

[Pmalek]

If you are using proton mail, that could be the issue. Try Gmail.

It's not Proton Mail. It worked fine throughout the campaign. For some reason, that's no longer the case. I can't email them from a different e-mail because their instructions say I need to do it from the same email I used for reporting the phishing domains. Let's see what they reply.

[PleaseDontEmailMe83]

Great idea. Here’s my btc wallet

bc1qdc2qa6pckmml2jrp2320ljnhzzvqp44x8x9c3h

My email is PleaseDontEmailMe83@proton.me

I will CC you on every email I send to registrars

Thanks

[xOrpian]

Great idea. Here’s my btc wallet

bc1qdc2qa6pckmml2jrp2320ljnhzzvqp44x8x9c3h

My email is PleaseDontEmailMe83@proton.me

I will CC you on every email I send to registrars

Thanks

What if registrars tell you not to email them?... (Members who aren't new or are using an appropriate email can ignore).

[eXch Support]

I tried to email you twice but I am getting " Your message wasn't delivered because the recipient's email provider rejected it" notifications. It's weird because I didn't have these problems when I forwarded the phishing emails to you. Can I PM you to confirm the email address I used to send the phishing reports and my BTC address?

Yes, please PM me.

We invite users who have reported the suspended domains (.center, .cc, .live, .cash) to send us an email to support@exch.cx using the object "eXch Bitcointalk Campaign Participant Information - [YOUR_USERNAME]" including your bitcoin address in the email.
We ask you to send us this email from the same email address you used to make the reports.

Hello @eXch support, is it possible for me to provide an alternative address? or do we need to input the address we've mentioned here?

I'll be exchanging afterward if the same address must be mentioned, for privacy reasons. (You can mention my amount here if the community has to be shown the total paid amount by eXch for this Campaign, and I'll gladly confirm)... Or I can mention the same address (I do not use central exchanges right now, and I do not want someone trailing me for the address I've mentioned here).

Edit: I've mentioned two addresses in the email, one here, and a new one. If possible, the new one would be great, but the one mentioned here would be fine, too.

No problem to change the BTC address.

[roosbit]

exch[.]cd looks like Google might have blacklisted or red flagged them. Expecting these guys behind this domain to trash it and jump onto another one. Let's keep an eye on monero and darknet for the updates.

And for these guys to be targeting exch.net , is it possible they are from this forum ? Can't be this random.

[Haunebu]

Netcraft came through big time for me. They successfully blacklisted exch.best, exch.cd and exch.cy(Red warning taking time oddly) while other services like Google safe browsing etc didn't do anything.

exch[.]cd looks like Google might have blacklisted or red flagged them.

Google didn't do shit. Netcraft blacklisted them and marked them as malicious thanks to my reports and probably some others. Also, Netcraft are a cybersecurity company.

[roosbit]

Netcraft came through big time for me. They successfully blacklisted exch.best, exch.cd and exch.cy(Red warning taking time oddly) while other services like Google safe browsing etc didn't do anything.

exch[.]cd looks like Google might have blacklisted or red flagged them.

Google didn't do shit. Netcraft blacklisted them and marked them as malicious thanks to my reports and probably some others.

But this being a Google platform, doesn't this mean Google did something?

Btw who are these Netcraft guys ?


@Haunebu why is this (exch.cy)not showing red on Chrome (Google)

But reported it there too as process is done with a few clicks and less information input from users.

[SamReomo]

I've been the campaign since its start and I've reported all of the domains as required. I've sent an e-mail to support@exch.cx and mentioned that I'm in the campaign. Although, I had reported those not yet suspended domains as well but those are still not down and I'll continue to report those again and hope that those will go down as well as the Bitcointalk community is truly trying to get rid of those phishing domains. I hope they'll also get down very soon! 

[examplens]

Obviously, Namecheap will not respond to our reports through the email form. Let's change that too.

I created a page where all the information about the two domains darknetbible[.]info and monero[.]forex is presented. Now we can publicly invite them to solve these cases.

https://NamecheapScamExpose.info

It is OK for anyone to share this through a future email report or social media

few things:
If anyone has additional information that would be useful to add, please contact me or leave it here. For example, I can add multiple ticked IDs that were sent but ignored.
I added xchange.me to the whole thing because they are also directly involved in the phishing scam. And I think it gives more evidence of scam intent.
If there is something I have overlooked or some obvious mistakes, I am willing to correct them.

[Haunebu]

@Haunebu why is this (exch.cy)not showing red on Chrome (Google)

Netcraft mentioned that they are in the process of blocking it and are trying to ensure Google safe browsing marks it as malicious. They made Google take notice pretty quickly when it came to exch.best and exch.cd, but this one is taking more time.

Obviously, Namecheap will not respond to our reports through the email form. Let's change that too.

I created a page where all the information about the two domains darknetbible[.]info and monero[.]forex is presented. Now we can publicly invite them to solve these cases.

https://NamecheapScamExpose.info

It is OK for anyone to share this through a future email report or social media

Excellent initiative, but I don't think Namecheap morons will change their stance. I will forward this link to Netcraft though who could blacklist both sites through Google safe browsing.

[xOrpian]

Obviously, Namecheap will not respond to our reports through the email form. Let's change that too.

I created a page where all the information about the two domains darknetbible[.]info and monero[.]forex is presented. Now we can publicly invite them to solve these cases.

https://NamecheapScamExpose.info

It is OK for anyone to share this through a future email report or social media

For 'darknetbible' it's great, but for '.forex' domin they can easily dodge the question (like I mentioned it's a grey zone, but great initiative nonetheless, and the page looks clear and easy to understand too) - surely you've put a lot of work into this!

[ovcijisir]

Obviously, Namecheap will not respond to our reports through the email form. Let's change that too.

I created a page where all the information about the two domains darknetbible[.]info and monero[.]forex is presented. Now we can publicly invite them to solve these cases.

https://NamecheapScamExpose.info

It is OK for anyone to share this through a future email report or social media

few things:
If anyone has additional information that would be useful to add, please contact me or leave it here. For example, I can add multiple ticked IDs that were sent but ignored.
I added xchange.me to the whole thing because they are also directly involved in the phishing scam. And I think it gives more evidence of scam intent.
If there is something I have overlooked or some obvious mistakes, I am willing to correct them.

Good job Examplens! Those guys from namecheap obviously blocked e-mails that exposed darknetbible and monero forex sites. On my second batch of reports both reports received returning e-mail that receiver didn't got my e-mails.

Hope that your web page will generate enough pressure to close those scammers down.

Edit. We can tag Namecheap on Twitter when we retweet status from your webpage.
Their Twitter account is https://x.com/NameCheap

Edit2. Their Facebook account is https://www.facebook.com/Namecheap/

[joker_josue]

Obviously, Namecheap will not respond to our reports through the email form. Let's change that too.

I created a page where all the information about the two domains darknetbible[.]info and monero[.]forex is presented. Now we can publicly invite them to solve these cases.

https://NamecheapScamExpose.info

It is OK for anyone to share this through a future email report or social media

Thank you for compiling this information, it may help in sending alerts to other instances.

But, as I said, the approach has to be different.
Someone by chance I already find references spread on the net to these two referenced domains?

[examplens]

I made an update on this site.

Added screenshots as evidence that darknetbible[.]info is a copy of the legitimate DNM Bible onion site.
Furthermore, eXch received a private message that included a blackmail threat. (published with their permission)

https://NamecheapScamExpose.info

We also have a lousy reply update from Namecheap on X: https://x.com/Namecheap/status/1911823724866658619

I would also recommend Reddit as a potential contact: https://www.reddit.com/r/NameCheap/

[Haunebu]

I would also recommend Reddit as a potential contact: https://www.reddit.com/r/NameCheap/

Nah. Tried that myself already and it's another dead end.

https://www.reddit.com/r/NameCheap/comments/1jh5yrf/namecheap_protecting_phishing_domains/

Namecheap is adamant about protecting these 2 sites which is why it will take something big(Authorities intervening) for them to suspend them. Best case scenario right now seems to be getting them blacklisted which itself is proving to be a tough job.

[joker_josue]

We also have a lousy reply update from Namecheap on X: https://x.com/Namecheap/status/1911823724866658619

Indeed from our point of view it seems like a bad answer, but in reality it is not.
If the domains were a copy of the original site, like the others that have already been shut down, it would be easy for them to take the site down. But as they are generic sites, the issue is not copying the domain, but rather its content. And in the content field, the hosting company is responsible.

I think your website is amazing and has very good evidence. It may be useful for us to continue on this path. But unfortunately, I have some doubts that they will do anything, just with the evidence we are giving.

In my opinion, we have to first force the hosting company to shut down the site. Wait for this crook, put the site back online on another server, and repeat the process. Go on collecting this information, and then maybe you can get to the domain. Problem? It may be difficult to do this, it depends on the server where the site is.

Anyway, this task will not be easy for these two domains.