[OPEN] eXch Anti-Phishing Campaign

[PX-Z]

A few things that can be the final nail to this.

Invite the registrar to have a test transaction and see if coins will be exchanged and transferred to them, if not it proves what kind of site exch[.]cd is (phishing website) .

Something worth looking at for the registrar, we have them compare the two websites, the phishing site has an old snapshot and numbers never change, never gets notifications like whats on the real one, and the knockoff shows 24hr data while real one moved to monthly stats for customers privacy concerns...

Registrar has to act now.

I highly doubt the registrar will take action. All they really need to do is verify that Google Safe Browsing has flagged the site as deceptive or phishing and other proofs given on those reports we've made, then suspend or shut down the domain accordingly. But from the way things have gone so far, it’s pretty clear they’ve been uncooperative from the very beginning.

[bitmover]

This is truly impressive! I've never before seen a domain registrar risk money to test if a site steals from their customers.

Easydns didn't believe they were scammers at first.

They asked for more details, and after sharing the examplens page about scam they decided to try. You can check it in the X thread.
https://x.com/bitmover2/status/1915051014685933568

I was impressed as well, it was very quick from their side.

[zasad@]

It was a good campaign and a very interesting experience.  It is unlikely that scammers will copy sites after the service is shut down.
Moreover, the price of Monero has grown well.

[CryptSafe]

I got a confirmation from sites@mcafee.com of monero.forex phishing complaint being resolved.
Good that the scammer's website is being banned.



Looking forward to seeing the remaining get banned as well.
This is the Power of Unity at play. Since these scammers want to make life miserable for innocent people, they too would never succeed in their evil act. All their websites must be brought down with alacrity.

[SamReomo]

I highly doubt the registrar will take action. All they really need to do is verify that Google Safe Browsing has flagged the site as deceptive or phishing and other proofs given on those reports we've made, then suspend or shut down the domain accordingly. But from the way things have gone so far, it’s pretty clear they’ve been uncooperative from the very beginning.

You're right I also don't think that the registrar will take any action no matter how much we try but still we will try our best and who knows if they somehow feel that they're on the wrong path of allowing such domain names and later on they might disable that domain name. I've e-mailed them multiple times in hope that they might take action but so far no replies and no results.

[examplens]

What happens to nuked phishing domains in the long run? Will they become available again once their registration expires in the future, or will they stay locked forever?

The scammer has transferred the domain to another registrar several times. Each transfer requires a new renewal. So this domain is under the control of the registrar (easyDNS) at least until 2028-05-01. I don't think the scammer will wait 3 years to try his method again with this same domain.

I was impressed as well, it was very quick from their side.

Of the 8 domains on the list, two were with easyDNS, and we can say that both were suspended shortly after the report. All praise for the responsibility of this service.

[joker_josue]

What happens to nuked phishing domains in the long run? Will they become available again once their registration expires in the future, or will they stay locked forever?

Normally the domain will be locked forever, unless the legitimate company decides to acquire it.
Of course, this decision is up to the registrar to decide whether to blacklist the domain or not. But as a general rule, it stays blocked for a long time.

I was impressed as well, it was very quick from their side.

Of the 8 domains on the list, two were with easyDNS, and we can say that both were suspended shortly after the report. All praise for the responsibility of this service.

My question is: Does easyDNS accept BTC payments?
The price of their domains is also a little above average. But if they accept BTC it would be very interesting.

[Pmalek]

My question is: Does easyDNS accept BTC payments?

They do. According to their X profile, they accept bitcoin, ether, solana, litecoin, and dogecoin. Perhaps other cryptocurrencies as well depending on how old that information is. That reminds me, I need to praise them publicly and show them some love on X. They were instrumental in taking down darknetbible and did much more than what I expected. Give credit where credit is due.

[bitmover]

My question is: Does easyDNS accept BTC payments?

They do. According to their X profile, they accept bitcoin, ether, solana, litecoin, and dogecoin. Perhaps other cryptocurrencies as well depending on how old that information is. That reminds me, I need to praise them publicly and show them some love on X. They were instrumental in taking down darknetbible and did much more than what I expected. Give credit where credit is due.

You can also check that information in their official website
https://kb.easydns.com/knowledge/invoice-payments-renewals/

easyDNS currently accepts the following methods of payment.

    Credit Card (Visa, MasterCard, American Express, and Maestro – Discover needs to be done via PayPal)
    PayPal (also can be used as a credit card processor)
    Cheque/check
    Money Order (International money order required if sent from outside Canada)
    Bitcoin
    Ethereum
    Litecoin
    Dogecoin

[examplens]

I got a confirmation from sites@mcafee.com of monero.forex phishing complaint being resolved.
Good that the scammer's website is being banned.



Looking forward to seeing the remaining get banned as well.
This is the Power of Unity at play. Since these scammers want to make life miserable for innocent people, they too would never succeed in their evil act. All their websites must be brought down with alacrity.

It seems you misinterpreted the information. The scammer's phishing complaint has been imported, and the warning label on this domain has now been removed. It is available without any warnings.

[Woodie]

It looks like eXch just closed shop, and upon checking known domains "exch.net" completely offline then both tor and clearnet(exch.pw) showing the "eXch has closed its operation. (announcement)" guess making reports becomes difficult as it's not possible to see the phishing as website layout are now totally different when compared to each other:'(...

We wait for official communication on what's to happen with the campaign.

[SamReomo]

It looks like eXch just closed shop, and upon checking known domains "exch.net" completely offline then both tor and clearnet(exch.pw) showing the "eXch has closed its operation. (announcement)" guess making reports becomes difficult as it's not possible to see the phishing as website layout are now totally different when compared to each other:'(...

We wait for official communication on what's to happen with the campaign.

I think eXch team still observes this thread from time to time and they're checking out each user who's contributing to this campaign. The campaign's main goal was to take strict action against phishing domain names and it has got so much success because aside from 1 domain name all others are suspended and that's a big success. Most of us already gone over that eXch's announcement of shutting their operations and after visiting the site the action is executed. The ones who contributed will surely get paid for their efforts as eXch already paid for the suspended domains that it promised to pay and I'm very sure that they'll keep their promise and pay for the rest of the suspended domains to the ones who contributed here. I still think that their main motive behind this campaign is to take strict action against phishing domains and we still have 1 left and as long as that one isn't down we should try our best so that domain may also get suspended and the campaign becomes one of the kind with 100% success.

[Haunebu]

We wait for official communication on what's to happen with the campaign.

As @Sam already specified above, this campaign will continue until their team decides to stop it themselves. Reread their recent posts thoroughly.

[Woodie]

We wait for official communication on what's to happen with the campaign.

As @Sam already specified above, this campaign will continue until their team decides to stop it themselves. Reread their recent posts thoroughly.

I read their last update as a vivid follower of the campaign , but unfortunately the website outlook as changed 100% that's my main concern.

@SamReomo and @Haunebu have you guys tried opening exch.pw today

If yes, you tell me if you were registrar's and received  reports today about the cd phishing Website how would you handle this as the 100% clone is no longer there, and websites are now technically totally different... 

[Doan9269]

It looks like eXch just closed shop, and upon checking known domains "exch.net" completely offline then both tor and clearnet(exch.pw) showing the "eXch has closed its operation. (announcement)" guess making reports becomes difficult as it's not possible to see the phishing as website layout are now totally different when compared to each other:'(...

We wait for official communication on what's to happen with the campaign.

I think eXch team still observes this thread from time to time and they're checking out each user who's contributing to this campaign. The campaign's main goal was to take strict action against phishing domain names and it has got so much success because aside from 1 domain name all others are suspended and that's a big success. Most of us already gone over that eXch's announcement of shutting their operations and after visiting the site the action is executed. The ones who contributed will surely get paid for their efforts as eXch already paid for the suspended domains that it promised to pay and I'm very sure that they'll keep their promise and pay for the rest of the suspended domains to the ones who contributed here. I still think that their main motive behind this campaign is to take strict action against phishing domains and we still have 1 left and as long as that one isn't down we should try our best so that domain may also get suspended and the campaign becomes one of the kind with 100% success.

Indeed it has been a tremendous success in bringing down the domains and if we can achieve to this extent, that single one left will not be an issue to conquer and also get down.

Bitcointalk is a strong crypto community that has unity in achieving a goal, I hope other platforms will also recognize us by this in taking down fake domains impersonating their website and bring lots of opportunities to us in launching campaigns related to this.

I wish the eXch.cx team success in their further endeavors and remain by you till the last fake domain is nuked down.

[Pmalek]

@Everyone
monero[.]forex isn't down. It's online again. According to WHOIS records, they changed their registrar status on 29 April. That's why they were offline a few days. WHOIS no longer mentions a connection to Identity.Digital, which was there in the past.

Can those who know more about WHOIS confirm that http://www.1api.net is now the sole party that needs to receive complaints for monero.forex?

[joker_josue]

Can those who know more about WHOIS confirm that http://www.1api.net is now the sole party that needs to receive complaints for monero.forex?

Correct. Now they are the ones who need to be approached to alert them to the fact that the site is part of a phishing scheme.

I have already sent two or three emails to them. Now the focus has to be on the two domains that are part of the scheme: xchange[.]cx and stealthex[.]co


However, based on the WHOIS information, I found another domain that is part of the scheme, and may help to warn about phishing: darknetmarkets[.]org. This site only has links to sites that are part of the scheme: DarknetBible[.]info - already taken down; and of course monero[.]forex

This is clear evidence that it is all part of the same phishing scheme.

[Medusah]

Can those who know more about WHOIS confirm that http://www.1api.net is now the sole party that needs to receive complaints for monero.forex?

They do:  https://godaddy.com/whois/results.aspx?domain=monero.forex.  It's transferred to 1API GmbH, and you can contact by email at:  abuse@1api.net and legal@1api.net.  

When reporting monero[.]forex, you can use archive.org for convincing the domain name provider that the owner of the site has directed visitors to phishing sites before (exch[.]best, exch[.]cash, xchange[.]sbs etc.).  I think it leaves no doubt that they are running a phishing site.  

Has anyone got a response from a person responsible for the .cd domain?

[PX-Z]

Can those who know more about WHOIS confirm that http://www.1api.net is now the sole party that needs to receive complaints for monero.forex?

Correct. Now they are the ones who need to be approached to alert them to the fact that the site is part of a phishing scheme.

They do:  https://godaddy.com/whois/results.aspx?domain=monero.forex.  It's transferred to 1API GmbH, and you can contact by email at:  abuse@1api.net and legal@1api.net.

The scammer already did transfer their registrar to 1api.net since april 18 . Been emailing their abuse email too but didnt got a response from their CS, only an automated reply with their ticket id.

[Pmalek]

1API GmbH is a German entity. It's not registered in a country that doesn't care. They can't just provide a safe haven for phishing companies. In our complaints, we need to make them aware that German law enforcement and cybercrime units will take action against them if they don't do their job and protect online users by not removing phishing threats from the internet.