[OPEN] eXch Anti-Phishing Campaign

[Haunebu]

The new registrar is http://www.nicenic.net. Abuse can be reported online via the following form: https://nicenic.net/customer/reportabuse.php and/or via email abuse@nicenic.net. Make sure your reports contain detailed information and point out exactly where the phishing domains they link to are located on darknetbible(.)info. It's under the Cryptocurrencies > Converting section.

Clever scammers! I wouldn't bother reporting to nicenic.net because they are pretty infamous for hosting scam sites and you can find a lot more information about that through their trustpilot rating.

At this point, it's better to simply get monero.forex and darknetbible.info blacklisted just like exch.cd since their registrars will protect them.

[joker_josue]

You seem to know enough about situations like this. Perhaps you can answer the following question. Is there any way we can take advantage of this situation and get in touch with ICANN to complain to them directly and ask them to take action, proving they are dealing with a malicious site and site owner?

Usually they do not intervene in these cases. Unless it is really something very big and that involves the competent authorities.

That is why there are registration companies, to manage and control what is done with the domains.

But, there is no problem sending an email.

You are being paid to launch false complaints and harass the hosts, registrars, and owners of news sites and blogs that reported on eXch laundering money for the Lazurus NK hacking group. Conflating news blogs like monero [.] forex with clone/phishing sites like exch [.] cd may confuse low level staffers at web hosts, but not law enforcement.

If this so-called monero(.)Forex has nothing to do with these phishing sites... Why was you using the DNS service of one of these phishing sites? Can you give me a logical explanation for why this happened?


https://whoisfreaks.com/tools/whois/history/lookup/monero.forex

[Woodie]

You seem to know enough about situations like this. Perhaps you can answer the following question. Is there any way we can take advantage of this situation and get in touch with ICANN to complain to them directly and ask them to take action, proving they are dealing with a malicious site and site owner?

Not the expert here but I think considering monero . Forex are now on the watchlist of ICANN, I think it makes logical sense to now report the registrar now for failing to follow up the abuse (phishing) which they haven't done anything about it.

Did my part , others can report the registrar there too.
https://icannportal.force.com/compliance/s/abuse-contact

[joker_josue]

You seem to know enough about situations like this. Perhaps you can answer the following question. Is there any way we can take advantage of this situation and get in touch with ICANN to complain to them directly and ask them to take action, proving they are dealing with a malicious site and site owner?

Not the expert here but I think considering monero . Forex are now on the watchlist of ICANN, I think it makes logical sense to now report the registrar now for failing to follow up the abuse (phishing) which they haven't done anything about it.

Did my part , others can report the registrar there too.
https://icannportal.force.com/compliance/s/abuse-contact

I think this is a bit of an exaggeration. Because part of the crook's scheme was that when he started to be investigated by the registrar company, he would change companies. Soon the company would no longer have autonomy over the domain, and the other company would become responsible.

In this case, the new company ends up having control of the domain for a short time, and therefore ends up not having a minimally viable margin of maneuver to take action.

There are some deadlines that must be met between domain transfers, which can create delays in analysis and little capacity for intervention. Therefore, I say that it makes no sense to keep accusing the Registrar. Perhaps the previous one could suffer this type of accusation, but it can also claim that when it started investigating, the domain transfer process began.

In this case and at this time, I don't think it makes sense to go that route. We must pay attention, so as not to be too "inconvenient" (individually speaking) we may lose weight in future cases. At this point, we don't need to do anything else, it's just a matter of waiting and watching to see what happens next. 

[zasad@]

https://darknetbible(.)info/bible/cryptocurrencies/converting/ working
https://xchange(.)cx/  not working

[Mpamaegbu]

You are being paid to launch false complaints and harass the hosts, registrars, and owners of news sites and blogs that reported on eXch laundering money for the Lazurus NK hacking group...

So, in your mind's eye the complaints generated on this issue are all motivated by greed and hatred right? Now take a look below 👇 where one of the sites you're advocating for also rugged a registrar. Was that also wrong accusation?

Hey @eXch Support, Darknetbible was just nuked down by easydns. They replied to us on X!!!

https://x.com/easyDNS/status/1915560482573873270

[Pmalek]

https://darknetbible(.)info/bible/cryptocurrencies/converting/ working
https://xchange(.)cx/  not working

Both of those work. Additionally, monero(.)forex is back. They got the domains back after some complaints most probably and had people tricked that they aren't doing anything bad and malicious even though they advertise phishing sites.

At least neither darknetbible nor monero(.)forex drive traffic to phishing websites of eXch anymore. For whatever that's worth.

[Wakate]

I feel like joining this campaign!

BTC: bc1q7j03xpwa334npu3vxf5adg7z4fptntjemjuc3s

[Cricktor]

The strange thing with exch[.]cd is that it is not listed in any WHOIS database:

• https://godaddy.com/whois/results.aspx?domain=exch.cd
• https://lookup.icann.org/whois/en?q=exch.cd&t=a

...

I get these details from https://whois.domaintools.com/exch.cd:

Code:

Whois Record for ExCh.cd

Domain Profile
Registrar 		SCPT
IANA ID: 		—
URL: 			—
Whois Server: 		—
Registrar Status 	ok
Dates 	124 days old
Created on 2024-12-30
Expires on 2025-12-30
Updated on 2025-02-03 	
  
Name Servers 	MILLIE.NS.CLOUDFLARE.COM (has 29,956,777 domains)
		SRI.NS.CLOUDFLARE.COM (has 29,956,777 domains)
	
  
IP Address 	185.196.11.206 - 1 other site is hosted on this server
	
  
IP Location 	Switzerland - Bern - Port - Global-data System It Corporation
ASN 		Switzerland AS42624 swissnetwork02 Global-Data System IT Corporation, SC (registered Mar 24, 2017)
IP History 	2 changes on 2 unique IP addresses over 0 years 	
  
Hosting History 1 change on 2 unique name servers over 0 year 	
  
Whois Record ( last updated on 2025-05-03 )
Domain Name: exch.cd
Registry Domain ID: 20195-niccd
Registry WHOIS Server: whois.nic.cd
Updated Date: 2025-02-03T12:00:16.313Z
Creation Date: 2024-12-30T10:45:03.526Z
Registry Expiry Date: 2025-12-30T10:45:03.588Z
Registrar Registration Expiration Date: 2025-12-30T10:45:03.588Z
Registrar: SCPT
Domain Status: ok https://icann.org/epp#ok
Registry Registrant ID: h6OGA-3X0LX
Registrant Name: Redacted | EU Data Subject
Registrant Street: Redacted | EU Data Subject
Registrant City: Redacted | EU Data Subject
Registrant State/Province: Redacted | EU Data Subject
Registrant Postal Code: Redacted | EU Data Subject
Registrant Country: DE
Registrant Phone: Redacted | EU Data Subject
Registrant Email: Redacted | EU Data Subject
Registry Admin ID: 7dtdU-MNNaA
Admin Name: Redacted | EU Data Subject
Admin Street: Redacted | EU Data Subject
Admin City: Redacted | EU Data Subject
Admin State/Province: Redacted | EU Data Subject
Admin Postal Code: Redacted | EU Data Subject
Admin Country: DE
Admin Phone: Redacted | EU Data Subject
Admin Email: Redacted | EU Data Subject
Registry Tech ID: tu4lt-ZDyS4
Tech Name: Redacted | EU Data Subject
Tech Street: Redacted | EU Data Subject
Tech City: Redacted | EU Data Subject
Tech State/Province: Redacted | EU Data Subject
Tech Postal Code: Redacted | EU Data Subject
Tech Country: DE
Tech Phone: Redacted | EU Data Subject
Tech Email: Redacted | EU Data Subject
Registry Billing ID: pE2EY-DMCVw
Billing Name: Redacted | EU Data Subject
Billing Street: Redacted | EU Data Subject
Billing City: Redacted | EU Data Subject
Billing State/Province: Redacted | EU Data Subject
Billing Postal Code: Redacted | EU Data Subject
Billing Country: DE
Billing Phone: Redacted | EU Data Subject
Billing Email: Redacted | EU Data Subject
Name Server: millie.ns.cloudflare.com
Name Server: sri.ns.cloudflare.com
DNSSEC: unsigned

For more information on Whois status codes, please visit https://icann.org/epp

~~~

To complain to ICANN about a registrar's negligence to prevent phishing abuse by domains under registrar's control, we would need solid evidence that the registrar didn't act after being notified.

Whatever it takes to gather such evidence, I would assume it needs to be solid and best a lot of it, too. We may need to pool such evidence somehow.

E.g. 1api.net responded with a ticket no. but hasn't came back to me since too many days. I speak German, but I don't have a burner phone to call them and maintain my anonymity properly. Need to figure out how to do it with proper opsec. I don't really want to link my account here easily with my real identity or get doxxed.


@eXch and @eXch Support should in my opinion show clearly on their remaining online domains that any other imposter domains offering coin swap services are a scam, like exch(.)cd still does. exch.cx-->exch.pw clearly tell, they closed their operation. In my opinion they should list the only valid domain names they use(d) and any other domains are imposters with scam intent.

At least neither darknetbible nor monero(.)forex drive traffic to phishing websites of eXch anymore. For whatever that's worth.

If they still funnel traffic to phishing or scam sites, we still have arguments and evidence to have them shut down by whoever can flip the switch.

[DYING_S0UL]

Just want to inform that ive sent another batch of report for the remaining domains, still I didn't receive any response yet about the report just more likely an acknowledgements.

One of my email got blocked by google/gmail because it contained a phishing link while reporting a phishing domain! I mean WTF!

sent another set of reports!

[examplens]

E.g. 1api.net responded with a ticket no. but hasn't came back to me since too many days. I speak German, but I don't have a burner phone to call them and maintain my anonymity properly. Need to figure out how to do it with proper opsec. I don't really want to link my account here easily with my real identity or get doxxed.

Isn't there a possibility to make a call from a public phone or similar? How much does a temporary "burner phone" cost, I am willing to donate the cost.
I am very interested in what 1api.net has to say about all the reports so far and why they do not respond to them.

One of my email got blocked by google/gmail because it contained a phishing link while reporting a phishing domain! I mean WTF!

sent another set of reports!

Do not use direct links, but always with [.]
Emails with links will be ignored even by some of the strictest spam protections

[Peanutswar]

Just want to inform that ive sent another batch of report for the remaining domains, still I didn't receive any response yet about the report just more likely an acknowledgements.

One of my email got blocked by google/gmail because it contained a phishing link while reporting a phishing domain! I mean WTF!

sent another set of reports!

Upon sending an email, I keep doing the (.) or the [.] because most of them detect the links, and we know how email providers have recently become sensitive to inbound and outbound links attached to the body of the message.

[Haunebu]

E.g. 1api.net responded with a ticket no. but hasn't came back to me since too many days. I speak German, but I don't have a burner phone to call them and maintain my anonymity properly. Need to figure out how to do it with proper opsec. I don't really want to link my account here easily with my real identity or get doxxed.

I don't advise going to such lengths just to contact 1api gmbh since they are a proven trash registrar who protect scammers. Bad reviews about them can be found everywhere.

[Pmalek]

I agree with one of the previous users who said that if the registrars won't suspend the domains, the next best thing is to have the sites be tagged for driving traffic to and advertising phishing. Reporting to Google, Microsoft, and even MetaMask is another way to go.

Make sure your reports point out exactly where the malicious phishing links are:
https://safebrowsing.google.com/safebrowsing/report_phish/
https://www.microsoft.com/en-us/wdsi/support/report-unsafe-site-guest
https://support.metamask.io/

[joker_josue]

https://darknetbible(.)info/bible/cryptocurrencies/converting/ working
https://xchange(.)cx/  not working

Both of those work. Additionally, monero(.)forex is back. They got the domains back after some complaints most probably and had people tricked that they aren't doing anything bad and malicious even though they advertise phishing sites.

At least neither darknetbible nor monero(.)forex drive traffic to phishing websites of eXch anymore. For whatever that's worth.

As I said earlier, these two domains will be difficult to take down (despite all our communications alerting the registrars), as their content is not phishing in itself. They may claim that they were also deceived and caught in this scheme.

To try to be more efficient, we have to go after these two domains:
xchange[.]cx
stealthex[.]co

They are the new element of the scheme, and for that they have to be overthrown.

[Pmalek]

To try to be more efficient, we have to go after these two domains:
xchange[.]cx
stealthex[.]co

They are the new element of the scheme, and for that they have to be overthrown.

They can easily be replaced with other phishing websites just like they removed the eXch phishing site from there. It's the same group that operates the phishing sites and these 'news sites' driving traffic to them. Plus, they are not the focus of this campaign. The xchange and stealthex teams can deal with that if they see fit. xchange seems more willing to do something.

[Cricktor]

Isn't there a possibility to make a call from a public phone or similar? How much does a temporary "burner phone" cost, I am willing to donate the cost.

The town I live in doesn't have any operational public phone boxes anymore as far as my search revealed. Mobile phones killed them all unfortunately.

Prepaid burner phones or prepaid SIM cards aren't available without KYC officially in Germany to my knowledge unless I go for the black market or other shady offers. That's not quite my cup of tea, sorry.

Thanks for the offer to donate, but I doubt it's worth it, see below.

I am very interested in what 1api.net has to say about all the reports so far and why they do not respond to them.

To some extend, me too. But as Haunebu says, it may not yield anything. They could simply refuse to comment or say anything. It's already not promising that they seem not to respond to any report sent to them. They sit it out and get away with it if no German authorities (cybercrime units?) have a reason to pressure them or ICANN kicking their butt (if ICANN actually does this, waiting to see proof).

I can't really contact German cybercrime without revealing my identity and without personally being scammed I doubt they would persue any hints from me even with good details on examplens' fraud expose website (kudos!).

Call me a chicken, I won't be offended. I value my privacy in crypto space.


Last edit:
... aren't available without KYC officially in Germany to my knowledge unless ...

[LoyceV]

Prepaid burner phones or prepaid SIM cards aren't avalaible officially without KYC

Here, they're still available. Years ago, prepaid phones were being sold starting at €10 including the phone, but the market for those seems to have disappeared. Now €30 gets you a phone, and prepaid cards are available in many shops. No KYC needed, some offer bundles for calling to other countries.

[FatFork]

Prepaid burner phones or prepaid SIM cards aren't avalaible officially without KYC <cut>

Seriously? You can no longer buy a prepaid SIM card or a burner phone without KYC in Germany? That's a shame. I didn't know that. Here in Croatia, you can still walk into a Tisak (newsstand) or a Tele2 shop and grab a prepaid SIM with no questions asked.

[joker_josue]

To try to be more efficient, we have to go after these two domains:
xchange[.]cx
stealthex[.]co

They are the new element of the scheme, and for that they have to be overthrown.

They can easily be replaced with other phishing websites just like they removed the eXch phishing site from there. It's the same group that operates the phishing sites and these 'news sites' driving traffic to them. Plus, they are not the focus of this campaign. The xchange and stealthex teams can deal with that if they see fit. xchange seems more willing to do something.

But it's always like this in phishing schemes, the domain is closed and they open others. It's part of it. Unless you can get clearer proof that the owner of a domain that is just releasing information, with a domain that is phishing, it will be difficult to take it down.

I'll give you a very simple example - perhaps many haven't lived through that time - Torrent sites.
There is nothing wrong with the torrent site itself, most of them just list links to a file (movie, music, book, etc.). The content is not hosted by the site, the site owner, nor does he create any torrent file. Usually it is users who share this torrent of the content you have.

For this simple reason, large companies in the music and film industries have always had great difficulty in shutting down these sites. They have had to resort to various authorities, courts and other means to get them shut down. Even so, they have only managed to shut down a few of the big ones.

And why did they take so long and only manage to go after the big ones? Well, because in reality the torrent site didn't have anything illegal. It just has links, which allow you to obtain data/files that other people have on their computer. In the midst of all this content, there are legal things and "allegedly" illegal things.

Thinking about this example, it's the same in this case. These two domains in particular do something more or less similar. Their content is not illegal, one shares "news" and the other has a set of "tutorials". You will say that they point to links from fake websites. Yes, it is true. But unless it is proven - very clearly and irrefutable - that both projects are from the same person. It will be difficult to take them down.

Unfortunately, although it may seem obvious to us, these companies have to work with more than the obvious. They have to have irrefutable foundations, and in this area, unfortunately we are unable to provide them. This would only be possible with a clear leak of information, or a more in-depth investigation by the authorities.

I think we already have very little room to maneuver to do what we want. All that's left is to report that these sites are phishing, and VPNs, browsers and the like, do their job of blocking them (which is more or less working). But, there is no clear evidence, the owner of these sites can refute the accusations and everything goes back to normal.  
Thinking about this example, it is the same in this case.