[OPEN] eXch Anti-Phishing Campaign

[Woodie]

@Everyone
monero[.]forex isn't down. It's online again.

Wtttttf we back at this...

Seeing how difficult it is to get a response from these guys, perhaps the best approach is using any social media presence they have... Already Twitter (X) has proven itself to be super effective.

Btw has @easyDNS put in a word or two on how to best take these 2 domains down??

Correct. Now they are the ones who need to be approached to alert them to the fact that the site is part of a phishing scheme.

I have already sent two or three emails to them. Now the focus has to be on the two domains that are part of the scheme: xchange[.]cx and stealthex[.]co

Agreed, I think using these two brands (xchange & stealthex) as ground to get the domains shutdown could be our best bet right now... Anything that will put these fraudsters out of business should count for something.

Whats examplens current domain with all piled out info on the phishing sites?


Sent another set of reports monero[.]forex to https://phish.report/contacts/1API


1api are terrible, look at their trust pilot rating and reviews
https://www.trustpilot.com/review/1api.net?languages=all

One of the reviews on their trust pilot 

[Pmalek]

Agreed, I think using these two brands (xchange & stealthex) as ground to get the domains shutdown could be our best bet right now... Anything that will put these fraudsters out of business should count for something.

You can also try to get in touch with the teams and/or owners of xchange and stealthex and ask them to send complaints to registrars about how their exchanges are targeted in this phishing campaign.

Whats examplens current domain with all piled out info on the phishing sites?

I think you are looking for https://cryptofraudexpose.org/

[joker_josue]

The scammer already did transfer their registrar to 1api.net since april 18 . Been emailing their abuse email too but didnt got a response from their CS, only an automated reply with their ticket id.

1API GmbH is a German entity. It's not registered in a country that doesn't care. They can't just provide a safe haven for phishing companies. In our complaints, we need to make them aware that German law enforcement and cybercrime units will take action against them if they don't do their job and protect online users by not removing phishing threats from the internet.

1api are terrible, look at their trust pilot rating and reviews
https://www.trustpilot.com/review/1api.net?languages=all

That's why the bandit moved the domain there.

German hosting companies and the like are already well known for being very liberal, which will make our action more difficult. Considering that this company doesn't like to do anything, it will be even more difficult.

But we will try everything we can.

[Pmalek]

That's why the bandit moved the domain there.

German hosting companies and the like are already well known for being very liberal, which will make our action more difficult. Considering that this company doesn't like to do anything, it will be even more difficult.

But we will try everything we can.

Then we bring the issue to whoever is above them in the hierarchy: Law enforcement and cybercrime units. With the focus being on 1API and how they are not doing anything to battle phishing on the domains they offer services to. 

[Peanutswar]

Just want to inform that ive sent another batch of report for the remaining domains, still I didn't receive any response yet about the report just more likely an acknowledgements.

[examplens]

@Everyone
monero[.]forex isn't down. It's online again. According to WHOIS records, they changed their registrar status on 29 April. That's why they were offline a few days. WHOIS no longer mentions a connection to Identity.Digital, which was there in the past.

Can those who know more about WHOIS confirm that http://www.1api.net is now the sole party that needs to receive complaints for monero.forex?

It seems that it was only a change of hosting or something similar, since there are no recognized changes regarding the domain setup.
You can check here: https://whoisfreaks.com/tools/whois/history/lookup/monero.forex

Also, if anyone here speaks German, maybe it can contact this shady registrar by phone

Code:

Registrar
Name: 1API GmbH
Url: http://www.1api.net
Email: abuse@1api.net
Number: +4968949396850

[Haunebu]

Am getting a 'Domain Suspension Registrant Information Verification Failure' from ICANN when I try to visit monero.forex now implying that it still looks like they got screwed. 1api didn't and won't do shit in this case meaning that ICANN probably intervened successfully.

Still looks like blacklisted exch.cd is the lone survivor.

[joker_josue]

Am getting a 'Domain Suspension Registrant Information Verification Failure' from ICANN when I try to visit monero.forex now implying that it still looks like they got screwed. 1api didn't and won't do shit in this case meaning that ICANN probably intervened successfully.

This suspension has nothing to do with our fraud alerts. This type of suspension occurs when the contact details of the person who owns the domain are not updated or registered with ICANN.

The crook probably ended up suspending himself through his strategy of jumping around domain registrants. 
Probably the contact details he had were associated with a domain that has already been suspended/banned. Since he did not change the details, ICANN, when checking after the domain was transferred to another registrar, detected that the details were not up to date.

Now will he update the data, to have the domain active again? We will see in the next few days what happens.
Either way, this is clear proof that this was a scam domain, as a legitimate company or service would never let things get to this point.

We may not have been able to get the domain registrars to take action, but we were able to give the hacker a hard time by making him make mistakes that led to this outcome.

[Pmalek]

This suspension has nothing to do with our fraud alerts. This type of suspension occurs when the contact details of the person who owns the domain are not updated or registered with ICANN.

The crook probably ended up suspending himself through his strategy of jumping around domain registrants. 
Probably the contact details he had were associated with a domain that has already been suspended/banned. Since he did not change the details, ICANN, when checking after the domain was transferred to another registrar, detected that the details were not up to date.

Now will he update the data, to have the domain active again? We will see in the next few days what happens.
Either way, this is clear proof that this was a scam domain, as a legitimate company or service would never let things get to this point.

We may not have been able to get the domain registrars to take action, but we were able to give the hacker a hard time by making him make mistakes that led to this outcome.

You seem to know enough about situations like this. Perhaps you can answer the following question. Is there any way we can take advantage of this situation and get in touch with ICANN to complain to them directly and ask them to take action, proving they are dealing with a malicious site and site owner?

[ChrisfromLees]

Am getting a 'Domain Suspension Registrant Information Verification Failure' from ICANN when I try to visit [Suspicious link removed] now implying that it still looks like they got screwed. 1api didn't and won't do shit in this case meaning that ICANN probably intervened successfully.

This suspension has nothing to do with our fraud alerts. This type of suspension occurs when the contact details of the person who owns the domain are not updated or registered with ICANN.

The crook probably ended up suspending himself through his strategy of jumping around domain registrants. 
Probably the contact details he had were associated with a domain that has already been suspended/banned. Since he did not change the details, ICANN, when checking after the domain was transferred to another registrar, detected that the details were not up to date.

Now will he update the data, to have the domain active again? We will see in the next few days what happens.
Either way, this is clear proof that this was a scam domain, as a legitimate company or service would never let things get to this point.

We may not have been able to get the domain registrars to take action, but we were able to give the hacker a hard time by making him make mistakes that led to this outcome.

You and everyone else here are being PUBLICLY paid tens of thousands of Euros, stolen from ByBit, directly by a "company" that has since shut down because of law enforcement.

You are being paid to launch false complaints and harass the hosts, registrars, and owners of news sites and blogs that reported on eXch laundering money for the Lazurus NK hacking group. Conflating news blogs like monero [.] forex with clone/phishing sites like exch [.] cd may confuse low level staffers at web hosts, but not law enforcement.

The sites have been taken down because it is not worth everyone's time and money to deal with this. But all site owners, hosts, and registrars involved are logging the false complaints and working with law enforcement.

Hopefully everyone involved in this illegal harassment campaign will be identified and dealt with swiftly.

You are also stupid if you think you are going to get more money now that eXch has exited with their $75MM from ByBit. You are doing their dirty work while they are laughing all the way to their private island.

[NotATether]

You are being paid to launch false complaints and harass the hosts, registrars, and owners of news sites and blogs that reported on eXch laundering money for the Lazurus NK hacking group. Conflating news blogs like monero [.] forex with clone/phishing sites like exch [.] cd may confuse low level staffers at web hosts, but not law enforcement.

Sorry kid but monero[dot]forex and darknetbible[dot]info (which is not even the real DNM Bible, I later learned) directed people to phishing links = ban.

Maybe you should audit Bybit to identify more security holes first before ranting here.

[Ambatman]

You and everyone else here are being PUBLICLY paid tens of thousands of Euros, stolen from ByBit, directly by a "company" that has since shut down because of law enforcement.

You are being paid to launch false complaints and harass the hosts, registrars, and owners of news sites and blogs that reported on eXch laundering money for the Lazurus NK hacking group. Conflating news blogs like monero [.] forex with clone/phishing sites like exch [.] cd may confuse low level staffers at web hosts, but not law enforcement.

The sites have been taken down because it is not worth everyone's time and money to deal with this. But all site owners, hosts, and registrars involved are logging the false complaints and working with law enforcement.

Hopefully everyone involved in this illegal harassment campaign will be identified and dealt with swiftly.

Lol this made my day. It was really funny and served its purpose of been a joke.
We specifically targeted sites that were or promoted phishing sites and nothing more.
If they were not found wanting, they wouldn't have been banned.

You are also stupid if you think you are going to get more money now that eXch has exited with their $75MM from ByBit. You are doing their dirty work while they are laughing all the way to their private island.

Lol Thisssss
Knowing that a phishing site can be reported like this and get a listening ear is enough for me.
I believe it's a start of something beautiful, so yeah the closing of the sites is already a reward in my book.

[coaltin]

Reporting the one which is left:

btc: 1DDjnKAn1Vq273JScK7KDWcq5wDEjuDVQ5

[ChrisfromLees]

Thank you to exch and exch-support for making these illegal payments publicly. A shocking number of people involved here were stupid about their identities.

[TerryW]

You are being paid to launch false complaints and harass the hosts, registrars, and owners of news sites and blogs that reported on eXch laundering money for the Lazurus NK hacking group. Conflating news blogs like monero [.] forex with clone/phishing sites like exch [.] cd may confuse low level staffers at web hosts, but not law enforcement.

Sorry kid but monero[dot]forex and darknetbible[dot]info (which is not even the real DNM Bible, I later learned) directed people to phishing links = ban. https://yoursmiles.org/tsmile/forum/t1253.gif

Maybe you should audit Bybit to identify more security holes first before ranting here.

It was an exact copy of the one and only real "DNM Bible", written by u/SamWhiskey on Dread, you stupid fucking child.

Quite easily verifiable (https://web.archive.org/web/20250422212203/https://darknetbible[.]info/) to everyone who is literate beyond a third grade level.

I also am amazed that many of you wannabe vigilantes were so desperate for a few hundred dollars that you would do this publicly and in your own name. The thread about this on XSS is getting fucking hilarious.

[Cricktor]

You and everyone else here are being PUBLICLY paid tens of thousands of Euros, stolen from ByBit, directly by a "company" that has since shut down because of law enforcement.

Show proof that eXch pays us with exactly the stolen coins from ByBit OR STFU! You sockpuppet only blabber the shit you're told to spread here. Hilarious...

You are being paid to launch false complaints and harass the hosts, registrars, and owners of news sites and blogs that reported on eXch laundering money for the Lazurus NK hacking group. Conflating news blogs like monero [.] forex with clone/phishing sites like exch [.] cd may confuse low level staffers at web hosts, but not law enforcement.

Now show proof that monero[.]forex and darknetbible[.]info didn't funnel traffic to phishing carbon-copies of real eXch OR STFU!

If you make accusations, you've to provide proof otherwise who cares about your sockpuppet blabber. Get some medical help, you need a reboot of your brain v0.1alpha.

Thank you to exch and exch-support for making these illegal payments publicly. A shocking number of people involved here were stupid about their identities.

How much did you get for your brain-farts to post here and maybe somewhere else on asocial media? Genuinely curious.

–––

Ah, the other sockpuppet again. How much did you get for your lame insults blabber to post here? Genuinely curious.

[Doan9269]

Thank you to exch and exch-support for making these illegal payments publicly. A shocking number of people involved here were stupid about their identities.

I also am amazed that many of you wannabe vigilantes were so desperate for a few hundred dollars that you would do this publicly and in your own name. The thread about this on XSS is getting fucking hilarious.

I want to believe you're the same person talking in respect of the two accounts, that is why all you could have for now is bunch of red tags, maybe you're the one missing out something important to know concerning this, or do you have any evidence to show, you're making me feel that it seems you're being jealous, because what you can't acheive you must envied, but not to attack, wise up and learn.

[NotATether]

It was an exact copy of the one and only real "DNM Bible", written by u/SamWhiskey on Dread, you stupid fucking child.

Quite easily verifiable (https://web.archive.org/web/20250422212203/https://darknetbible[.]info/) to everyone who is literate beyond a third grade level.

I also am amazed that many of you wannabe vigilantes were so desperate for a few hundred dollars that you would do this publicly and in your own name. The thread about this on XSS is getting fucking hilarious.

No shit.

Here is SamWhiskey's original page:



And here is your laughable attempt to recommend a bunch of exchangers when the origional author quite clearly said "I'm not gonna recommend any exchanges":



Yeah, sure, try to convince me that big-ass section called "Non-KYC Crypto Exchanges" added itself to the HTML.

I guess it would have been better for you to stay silent, as 1) now everybody knows you're lying, 2) you were probably the webmaster and 3) the other sockpuppets in this thread are also being ran by you.

There is no crime gang - Dread users are too high to form one anyway.

[Medusah]

The strange thing with exch[.]cd is that it is not listed in any WHOIS database:

• https://godaddy.com/whois/results.aspx?domain=exch.cd
• https://lookup.icann.org/whois/en?q=exch.cd&t=a

Then, I read this on Wikipedia:  https://en.wikipedia.org/wiki/.cd

Until 2011, the registry was managed by nic.cd. It was then delegated to the Société Congolaise des Postes et Télécommunications (SCPT).

As far as I understand, this means that .CD domain names are not managed by the same government department of Congo, since 2011.  The management has been transferred to "Office Congolais des Postes et Telecommunications".

Therefore, I think we should contact the people in here:  https://www.iana.org/domains/root/db/cd.html.  Specifically, David KINSAKA NDUENGA and Maurice MUFUSI NTETE UBAKA.

To further illustrate it, if you visit "nic.cd", this is what it says at the bottom:

Please contact us by eMail (support  AT  nic.cd) to receive instructions on how to regain your Registrar access account.

Nothing to do with reports for phishing or any other support.  It is basically abandoned since 2011.

[Pmalek]

Therefore, I think we should contact the people in here:  https://www.iana.org/domains/root/db/cd.html.  Specifically, David KINSAKA NDUENGA and Maurice MUFUSI NTETE UBAKA.

I have shared the same contact details and a few others in this thread as well. I have sent complaints to them but nothing has happened.
darknetbible(.)info is back guys. Seems like easyDNS wasn't successful in taking down the domain. The new registrar is http://www.nicenic.net. Abuse can be reported online via the following form: https://nicenic.net/customer/reportabuse.php and/or via email abuse@nicenic.net. Make sure your reports contain detailed information and point out exactly where the phishing domains they link to are located on darknetbible(.)info. It's under the Cryptocurrencies > Converting section.