[OPEN] eXch Anti-Phishing Campaign

[xOrpian]

We also have a lousy reply update from Namecheap on X: https://x.com/Namecheap/status/1911823724866658619

Indeed from our point of view it seems like a bad answer, but in reality it is not.
If the domains were a copy of the original site, like the others that have already been shut down, it would be easy for them to take the site down. But as they are generic sites, the issue is not copying the domain, but rather its content. And in the content field, the hosting company is responsible.

I think your website is amazing and has very good evidence. It may be useful for us to continue on this path. But unfortunately, I have some doubts that they will do anything, just with the evidence we are giving.

In my opinion, we have to first force the hosting company to shut down the site. Wait for this crook, put the site back online on another server, and repeat the process. Go on collecting this information, and then maybe you can get to the domain. Problem? It may be difficult to do this, it depends on the server where the site is.

Anyway, this task will not be easy for these two domains.

From the looks of it, he'll defintely uploading the same content of the phishing website elsewhere, I don't think he's going to keep on re-creating website again and again, if we can get some data of the website (I mean website files) - Some form of way to verify the same content has been uploaded to another website, and examplens mention proof of that his website (Then it can be used for future websites, and you won't have to send back and forth emails to registrars, and hosts, a place where everything's perfectly mentioned is great for this cause.

When I saw examlens website and skimmed through the PM 'eXch Support' got from the person, it's clear he's interested in creating a job out of selling his domain names, what comes to my mind is -- What stops him from re-repeating this whole process again, and then selling the domains back-and-forth... pretty easy 15$ domain for 0.025 BTC...

From the looks of it, he also seems to be the kind of person who will likely tell you, 'But you said that, trying to twist words, him lying here early is reason enough for me to believe that'.

[examplens]

Indeed from our point of view it seems like a bad answer, but in reality it is not.

I instructed them to check everything that was presented on the website. They promised to check, but there is still no update.

If the domains were a copy of the original site, like the others that have already been shut down, it would be easy for them to take the site down. But as they are generic sites, the issue is not copying the domain, but rather its content. And in the content field, the hosting company is responsible.

darknetbible is a copy of the DNM Bible onion site. With some crucial changes, linking to phishing sites. But probably the problem is that it is a copy of the Tor site

In my opinion, we have to first force the hosting company to shut down the site. Wait for this crook, put the site back online on another server, and repeat the process. Go on collecting this information, and then maybe you can get to the domain. Problem? It may be difficult to do this, it depends on the server where the site is.

The server can be anywhere and does not have to be hosted by a hosting company that is under the authority of the authorities. As the scammer himself says, it can be free hosting, or self-host, so that direction is just a waste of energy. Even if there is a suspension, it will quickly move to a new destination.

[bitmover]

I created an Issue in github (metamask) requesting them to block those domains mentioned in the OP in their app

https://github.com/MetaMask/eth-phishing-detect/issues/150012

This is a small step, just to prevent fund losses, not a permanent solution

Obviously, Namecheap will not respond to our reports through the email form. Let's change that too.

I created a page where all the information about the two domains darknetbible[.]info and monero[.]forex is presented. Now we can publicly invite them to solve these cases.

https://NamecheapScamExpose.info

Amazing idea. Congrats.


I reposted examplens tweet, and they also answered me.


https://x.com/Namecheap/status/1912108422889165309

[Woodie]

OpenDNS seems to be doing something with regards to these reported phishing websites, same reply for the other reports made which is a "W" but the main goal is putting down the domains to put an end to this.

----

Looking at the namecheap website @examplens did (which was an excellent job) , why don't we report that X(twitter ) account just so to send a message when it gets banned 🚫.

And to double up, knowing darknetbible is a copy of the DNM Bible onion site and xchange.me are being defrauded , can we engage DNM Bible & xchange.me owners to get them into this fight...

_________

Lastly, has eXch.net/eXch.cx written to namecheap in their official capacity to have these phishing domains to be taken down, this could be the missing recipe to this takedown.

I reposted examplens tweet, and they also answered me.


https://x.com/Namecheap/status/1912108422889165309

Should we join in on this twitter battles or the two enquiries are enough to do the job??

They have been brought right in the open and will need to provide an answer asap as there is nowhere to hide, I like the approach.

[bitmover]

I submitted a pull request to the Phantom wallet to block the domains in question, which can be found here:
https://github.com/phantom/blocklist/pull/1656.

Since Phantom and MetaMask are two of the most widely used wallets among cryptocurrency users, adding these domains to their blocklists would be an effective way to prevent many users from losing their funds.

[Obim34]

@Haunebu why is this (exch.cy)not showing red on Chrome (Google)

Netcraft mentioned that they are in the process of blocking it and are trying to ensure Google safe browsing marks it as malicious. They made Google take notice pretty quickly when it came to exch.best and exch.cd, but this one is taking more time.

Still accessible, they may be working on suspending the domain, but are just slow to it. If they happen to get more constant reports from different users within close times, they may work faster on the suspension, i don't know how many more users are still reporting this case, the numbers are low, more hands to it will bring fast response.

@eXch Support, you should include scam@netcraft.com in the reports channels, they gave me a quick response after i reported exch.cy, marked as malicious from their end, maybe a few more verifications before they suspend it, if more users keep reporting, it will move to the top of their priority list of malicious cases to be solved.

[joker_josue]

And to double up, knowing darknetbible is a copy of the DNM Bible onion site and xchange.me are being defrauded , can we engage DNM Bible & xchange.me owners to get them into this fight...

This would already make things different, because these companies can report if they are suffering from a copy of their website. And this makes it easier for the registering company to take action.




In the meantime, I reported the situation on this platform, which also provides services against phishing: https://report.netcraft.com/




Another suggestion is to report the gTLD management companies:

Code:

 abuse@identity.digital , https://www.identity.digital/policies/report-abuse 

[Agbamoni]

I will be reporting

BTC address: bc1qvngp6xhvvm0n6c222ngwgspxtt6t88phkrhtyy

[Cyberczar]

For more actionable reporting, here are some tips: More reports can be sent to Cybersecurity & Anti-Phishing Organizations. For the remaining sites, we can send to
   Google Safe Browsing via [Google’s Report Phishing Page](https://safebrowsing.google.com/safebrowsing/report_phish/).
   PhishTank (OpenDNS/Cisco): [Report Here](https://www.phishtank.com/).
Netcraft (https://report.netcraft.com/report).
 APWG (Anti-Phishing Working Group)**: [Report Here](https://apwg.org/reportphishing/).

Notify Browser & Search Engine Blocklists
   - Microsoft SmartScreen: Report via [Microsoft Defender SmartScreen](https://www.microsoft.com/en-us/wdsi/support/report-unsafe-site).

   - Mozilla Blocklist: Email `blocklist@mozilla.org` (if Firefox isn’t blocking it).

   - Bing Webmaster Tools: Report malicious URLs [here](https://www.bing.com/webmasters/about).

Legal & Law Enforcement Options
   - FTC (U.S.): Report at [ReportFraud.ftc.gov](https://reportfraud.ftc.gov/) (if targeting U.S. users).
   - IC3 (FBI’s Cybercrime Division): File a complaint at [ic3.gov](https://ic3.gov/).
   - Local CERT: If the site is hosted in a specific country, report to their national CERT (e.g., [US-CERT](https://www.cisa.gov/report)).


   - Online suggestion says we can publicly shame unresponsive registrars (e.g., Twitter/X tagging their support).

 Public Warnings (If Safe)
   - Post on forums like Reddit’s r/Scams, Spamhaus, or Malwarebytes to alert others.
   - more reports on virustotal.com can be helpful
 Some vendors may block them.

Uniform Rapid Suspension System (URS): https://www.icann.org/urs-en/

You can also submit your complaint at: https://cybercrime.police.gov.cy/police/CyberCrime.nsf/subscribe_en/subscribe_en?openform,

Email: cybercrime@police.gov.cy

Key Evidence to Include
   - Screenshots of phishing pages (with timestamps).
   - Network logs (e.g., `curl` or `traceroute` outputs).
   - Links to archived phishing pages (via [Wayback Machine](https://archive.org/)).

If the sites are still up after these steps, we would assume the registrar/host may be complicit— we should consider naming them in reports to ICANN or legal authorities.

[Ndabagi01]

Joining the campaign

BTC Address: bc1qmek47ct3pv5kk3lsq6tqps768zkhgcgx54s7gz

[ovcijisir]

Seems like Namecheap repeats their excuses like parrots, this is reply I got for retweeting webpage from Examplens:



Basically they repeat excuses from e-mail.

[Haunebu]

@eXch Support, you should include scam@netcraft.com in the reports channels, they gave me a quick response after i reported exch.cy, marked as malicious from their end, maybe a few more verifications before they suspend it, if more users keep reporting, it will move to the top of their priority list of malicious cases to be solved.

Yeah. Netcraft actually did something about a couple of those phishing domains which I explained in my previous posts while many others didn't. They are putting pressure on Google safe browsing to blacklist exch.cy which can be observed through the virustotal malicious reports.

@eXch Support definitely needs to add their email in their main post.

[apogio]

Sorry if anyone mentioned this already...

I was browsing the darknetbible[.]info and I clicked on the link of the alleged eXch exchange, which leads to the phishing website exch[.]best.

This is what I saw:



If you click on the "See details" button it prompts:

exch.best has been reported as a deceptive site. You can report a detection problem or ignore the risk and go to this unsafe site.

Learn more about deceptive sites and phishing at www.antiphishing.org. Learn more about Firefox’s Phishing and Malware Protection at support.mozilla.org.

That's a good start, but the website is unfortunately still up and running.

[eXch Support]

Reminder for those who have not yet done so (there are still 24 hours left):

We invite users who have reported the suspended domains (.center, .cc, .live, .cash) to send us an email to support@exch.cx using the object "eXch Bitcointalk Campaign Participant Information - [YOUR_USERNAME]" including your bitcoin address in the email.
We ask you to send us this email from the same email address you used to make the reports.

We've sent an e-mail to those who haven't given us their username earlier today, this information is required to be eligible for the reward.

[Pmalek]

OpenDNS seems to be doing something with regards to these reported phishing websites, same reply for the other reports made which is a "W" but the main goal is putting down the domains to put an end to this.

I have been in contact with the same person who has told me that all four domains have been blocked. Here is a quote of the email I received from him:

Hello,

I have checked again and the four domains you submitted are being being blocked by Talos and Cisco.

This means that anyone using OpenDNS or Umbrella will receive a warning message and will not be able to access specific these domains. This too has been tested and was found to work as it should.

[Cricktor]

~~~

It's blocked for those who use Cisco Umbrella as sort of "moderated" DNS which blocks malicious sites already on the DNS layer. This is likely a paid service where threat intelligence, like Cisco Talos and other contributors filter or mask out flagged malicious domains from DNS requests of their clients.

Anyway, any part that blocks the scammers even only for corporate users is fine and maybe seep into non-paid services or phishing flagging sites. Eventually the big browsers may catch up and red flag those scammer domains, too.

[Woodie]

Seems like Namecheap repeats their excuses like parrots, this is reply I got for retweeting webpage from Examplens:



Basically they repeat excuses from e-mail.

From the stance that namecheap has taken makes me think they aren't the people company calling the shots.... perhaps there is a big player (silent partner perhaps) controlling this show and namecheap is the puppet or middleman in this whole front. Are the saying they have no T&C's to protect their business from bad actor's? And why should something within their reach go to local authorities to be resolved 😔🤯

It would be interesting to dig out what the internet has on such issues and how they were resolved, because eXch certainly can't be the first to be denied justice.

[TerryW]

Seems like Namecheap repeats their excuses like parrots, this is reply I got for retweeting webpage from Examplens:

https://www.talkimg.com/images/2025/04/15/xjKog.jpeg

Basically they repeat excuses from e-mail.

From the stance that namecheap has taken makes me think they aren't the people company calling the shots.... perhaps there is a big player (silent partner perhaps) controlling this show and namecheap is the puppet or middleman in this whole front. Are the saying they have no T&C's to protect their business from bad actor's? And why should something within their reach go to local authorities to be resolved 😔🤯

It would be interesting to dig out what the internet has on such issues and how they were resolved, because eXch certainly can't be the first to be denied justice.

You people are clowns. darknetbible [.] info is not a malicious site, it's registered and hosted legally, and has direct authorization from the Bible's author to reprint it. It says to only get links from Daunt, and provides more harm reduction than any of you idiots ever will.

Your campaign is a joke and posting here is just promoting this exchange, not genuinely trying to help anything.

[joker_josue]

From the stance that namecheap has taken makes me think they aren't the people company calling the shots.... perhaps there is a big player (silent partner perhaps) controlling this show and namecheap is the puppet or middleman in this whole front. Are the saying they have no T&C's to protect their business from bad actor's? And why should something within their reach go to local authorities to be resolved 😔🤯

It would be interesting to dig out what the internet has on such issues and how they were resolved, because eXch certainly can't be the first to be denied justice.

The problem, as I mentioned, is the way the scheme is set up.

In these cases, the domain and the website itself have no problems directly related to eXch. This was the same as someone creating a website imitating TalkImg.whatever and phishing with it. And then advertise here on the forum. I can't go to the domain provider and say I want to shut down bitcointalk.com because it shares phishing links.

I am using an extreme example to explain why the approach has to be different in these cases. What needs to be done is to take down the phishing domains that these sites are pointing to. But, we can say that they will continue to point to other fake domains. Yes it is true. But it is also true that it is these copy domains of the real eXch that are phishing, and not the sites that provide the links.

In these two cases the problem is not in the domain (mainly from the domain registrar's point of view), but in the content of the website. Since the content of the website is a fraud, it must be the hosting company or the authorities directly who take down the website. Just like search engines blocking these sites.

We have to look at what the domain registrar does when it blocks a domain. Typically, once a domain is flagged as being used for phishing, it can never be purchased/used again. Or when you are classified as imitating a brand, you are blocked until that brand wants to buy you. And that's what's creating the difficulty in blocking. These two domains are not doing these two things directly. So, the domain registrar company, blocking the domain is unitizing a domain that theoretically is not involved in any scheme.

I want to make it clear, I am not defending these domains, nor Namecheap's position. Only, after a more careful analysis of the situation of these two domains, I think that this approach will not be efficient, unfortunately.   

[PX-Z]

Seems like Namecheap repeats their excuses like parrots, this is reply I got for retweeting webpage from Examplens:



Basically they repeat excuses from e-mail.

Yeah, i did make a post about this and they did same reply. And with those repeated replies probably they never read the content on namecheapscamexpose.info. So far their latest reply is this one (image below) after providing them the problem and the actual link from those two sites.


https://x.com/Namecheap/status/1912261795424747614?s=19