ALERT! PHISHING!
We have found that the well-known .onion directory "dark.fail" currently lists a URL impersonating our service.
The domain "SWP[dot]CX" was registered less than 30 days ago and has somehow managed to get listed by DARK.FAIL, a popular .onion URL monitor that only lists well-known and reputable resources (perhaps not anymore).
This is an unusual phishing attempt: the scammer has ripped off our original design and the HTML template assets we used in the past, along with our current template, performing a slight "rebranding". It is nevertheless a confirmed phishing site, since it came to our knowledge from a scammed user who thought it was our original website and explained to us how they found it.
As a preventive measure we have decided to use the same background image that was in our assets some years ago, which the current scammer also uses, and to restore our previous "light" text-only logo version, which the scammer is also trying to impersonate.
Our current website design changes will remain in place while we deal with that scammer and until the situation is resolved.
However, during the investigation of this issue we have also made very interesting findings: we were able to trace this domain back to someone who made the first ever eXch phishing vanity-generated .onion domain and managed to scam a few of our users in the past, which caused the phishing alert at our original .onion domain: hszyoqnysrl7lpyfms2o5xonhelz2qrz36zrogi2jhnzvpxdzbvzimqd[dot]onion (WARNING: THE LINK ON THE LEFT IS A PHISHING LINK FOR DEMONSTRATION PURPOSES ONLY - DO NOT USE)
We were able to find hszyoqnysrl7...onion on some Tor listing directories earlier, and we managed to get it wiped by contacting the admins of those resources directly; this apparently worked, because we stopped receiving complaints from scammed users who had accidentally used the phishing links.
However, it seems this actor has returned under a new "brand": after performing some brief OSINT, we found that the only other place on the Internet where both SWP[dot]CX and hszyoqnysrl7...onion are listed is github[dot]com/tarpetra/welcome-to-darknet (WARNING: THE LINK ON THE LEFT IS A MALICIOUS GITHUB REPO FOR DEMONSTRATION PURPOSES ONLY - DO NOT USE)
What's even more interesting is that the user tarpetra behind that GitHub repo has managed to get ~1500 GitHub stars, supposedly by using bots/fake accounts to create visibility, and the fact that he/she lists both scam resources (SWP[dot]CX and hszyoqnysrl7...onion) confirms that he/she is the operator of both resources (the main indicator here is how recent SWP[dot]CX is and how fast it was added to a repo with "1500" [fake] stars).
We have tried to contact the DARK.FAIL admin regarding this incident but got no reply; we hope other concerned users will have better luck, in case they want to try.
We also suspect that the DARK.FAIL admin might be involved in this scam scheme, because we don't believe that such an experienced Tor user could have overlooked our service and .onion, since our actual onion link hszyoqwrcp7cxlxnqmovp6vjvmnwj33g4wviuxqzq47emieaxjaperyd.onion is listed at least on the following popular resources: kycnot.me, monerica.com, tor.taxi, darknet-bible[.]net, darknetdaily[.]net, darkweblink[.]com
A few other important points:
- the scammer is reverse-proxying their domain via Cloudflare, something that eXch would never do, since we genuinely care about customers' privacy.
- the scammer is using a third-party email provider (Protonmail) as their email server, something that eXch would never do, since we genuinely care about customers' privacy.
This was an important announcement to make today, but work is still ongoing and we will post updates during the next days, depending on how long this issue persists.
P.S. We will communicate on other subjects later, since this announcement had to be prioritized.
UPDATE:
We have obtained ultimate confirmation that the SWP[dot]CX website belongs to and is operated by the person behind the malicious GitHub repo containing phishing links to popular services.
We compared the server headers of the HSv3 addresses linked from the clearnet version of SWP[dot]CX (uicrmrl3...onion) and from the GitHub repo (uicrmrtwpfy4y5...onion), and both domains appear to be served by the same web server.
There are at least 8 identical headers, including a "Link" one containing the persistent data "</assets/application-a378fdd15ea888387175a4e8c29abafb78057f4adeb418ea46d9dc6b7438e2c0.css>;" and another containing the same ETag across the 2 different hosts, indicating that it is the same server responding on both domains. Anyone can replicate this and confirm it themselves. We have also managed to find the real IP address behind Cloudflare. Further work is still in progress.
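The header comparison described above, as an added example that is not eXch's own tooling: it takes two captured HTTP response header sets, keeps the headers that are byte-identical on both hosts, and weights state-carrying headers (ETag, a content-hashed asset path in Link) above generic ones. The sample hosts are constructed; only the Link value is the one quoted in this post, every other value (ETag, request id, dates) is made up.

```python
import re

# Headers carrying deployment- or response-specific state; a match is strong evidence.
# Generic headers (Content-Type, Connection, Cache-Control) still count as "shared"
# but never by themselves turn the verdict. A bare Server banner match is weak alone.
HIGH_SIGNAL = {"etag", "link", "server", "x-powered-by", "x-request-id",
               "x-runtime", "set-cookie", "last-modified"}
# Content-hashed asset path inside a Link header, e.g. /assets/application-<sha256>.css
ASSET_HASH_RE = re.compile(r"</assets/[\w.-]+-([0-9a-f]{64})\.(?:css|js)>")


def normalize(headers):
    """Lower-case names and collapse whitespace so wire-format noise cannot hide matches."""
    return {k.lower(): " ".join(v.split()) for k, v in headers.items()}


def shared_headers(a, b):
    """Headers present with an identical value on both hosts, ordered by name."""
    a, b = normalize(a), normalize(b)
    return {k: a[k] for k in sorted(a.keys() & b.keys()) if a[k] == b[k]}


def asset_hashes(link_value):
    """Content hashes embedded in the preload targets of a Link header."""
    return set(ASSET_HASH_RE.findall(link_value))


def same_server_verdict(a, b):
    """Summarise the evidence that one web server answers both hosts."""
    shared = shared_headers(a, b)
    strong = [k for k in shared if k in HIGH_SIGNAL]
    hashes = asset_hashes(shared.get("link", ""))
    # A shared ETag plus a shared content-hashed asset name ties both hosts to one
    # deployment of one application, not merely to the same server software.
    conclusive = "etag" in shared and bool(hashes)
    verdict = "same server" if conclusive else ("weak" if strong else "no evidence")
    return {"shared": len(shared), "strong": strong,
            "asset_hashes": sorted(hashes), "verdict": verdict}


# Constructed samples: A stands in for the swap site's onion, B for the GitHub repo's
# onion, C for an unrelated nginx host. Only the Link value is taken from the post.
LINK = ("</assets/application-a378fdd15ea888387175a4e8c29abafb78057f4adeb418ea46d9dc6b7438e2c0.css>; "
        "rel=preload; as=style")
COMMON = {"Server": "nginx", "Content-Type": "text/html; charset=utf-8",
          "ETag": 'W/"0123456789abcdef"', "Link": LINK, "X-Runtime": "0.012",
          "Cache-Control": "max-age=0, private, must-revalidate",
          "X-Request-Id": "11111111-2222-3333-4444-555555555555", "Connection": "keep-alive"}
HOST_A = dict(COMMON, Date="Mon, 01 Jan 2024 00:00:00 GMT")
HOST_B = dict(COMMON, Date="Mon, 01 Jan 2024 00:00:07 GMT")
HOST_C = {"Server": "nginx", "Content-Type": "text/html; charset=utf-8",
          "Connection": "keep-alive", "ETag": '"deadbeef"'}

if __name__ == "__main__":
    print(same_server_verdict(HOST_A, HOST_B))  # verdict: same server, 8 shared
    print(same_server_verdict(HOST_A, HOST_C))  # verdict: weak, 3 shared
```

Live header sets for real .onion hosts can be captured with `curl -sI --socks5-hostname 127.0.0.1:9050 http://<host>.onion/` against a local Tor client and parsed into the same dict shape before calling `same_server_verdict`.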
UPDATE #2:
It turned out this scammer has created a considerable "ecosystem" of cross-referencing phishing sites that apparently works very well in terms of SEO.
Just by googling the vanity-generated .onion they made for us, you will be able to find at least 7 other sites that look like "legitimate" directories of .onion URLs but are dedicated phishing sites carefully built for each separate project.
We don't want their server shut down yet, because we are curious about their domain registrar's stance on this matter (sarek.fi / abuse@sarek.fi) as well as the DARK.FAIL admin's stance, to understand the level of their involvement in this scheme. Given that today is a holiday adjacent to a weekend, we'll give them 48 hours to answer before proceeding with action.
UPDATE #3:
Following up on the investigation, we have found a high probability that https://anir0y.in is the real scammer's personal website, exposing him as Animesh Roy from India, based on one of his blog posts named "Blog Tor Darknet Links" where he claims that "all the sites listed have been verified by DarkNetEye as being legitimate operations" and links to a fake DarkNetEye copy with a domain registered only a few months ago, which deliberately provides phishing links for at least 3 known services mixed with valid onions of other services.
- That list, from both his blog and the fake DarkNetEye copy, targets 3 specific legitimate resources related to crypto swaps and mixing with phishing: eXch, Majestic Bank and Coinomize mixer.
- The list provides a valid onion link to Infinity Exchanger, which raises another question: is Infinity behind this, or did he list it just to set Infinity up to look like it is behind it in case the whole scheme is exposed (which is happening right now)? We already know that the person behind this scam scheme is quite smart.
- All other links on the list are valid links.
The reason we believe Animesh Roy might be behind all this is that in his blog post he lists at least 3 malicious resources in the same way they are advertised on other websites that form part of his quite sophisticated phishing infrastructure targeting eXch, Majestic Bank and Coinomize mixer:
- httpx://github[dot]com/tarpetra/welcome-to-darknet - a repo with constant commit poisoning to simulate activity and a bot-starred reputation, containing phishing links
- httpx://github[dot]com/vtempest/dark-web - fake darkneteye repo
- httpx://darkneteye[dot]com - fake darkneteye site
- httpx://dark[dot]taxi - a project pretending to be like tor.taxi and dark.fail, but almost every single link there is phishing
- httpx://darknetmarketlinks.net - same as above
- httpx://tor2doormarket[dot]io - a "tutorial" on how to use the darknet with a "friendly" recommendation of eXch linking to the phishing site (also on its FAQ page). In the footer there is also a mix of legit links and his own projects like dark[dot]taxi, to confuse people and search engines
- httpx://royalmarket[dot]org - a "tutorial" on how to use the darknet with a "friendly" recommendation of eXch linking to the phishing site
All 5 domains above (or 6 including SWP[dot]CX) are registered with Sarek.fi (aka Njalla). Sarek resells Tucows for domain zones unreachable for him directly (I say "him" because Njalla is a one-man operation by Peter Sunde), so the WHOIS of those on Tucows may show KN as the registrant's country and the company name "1337 services", which is Njalla aka Sarek.
Abuse mailboxes to report all domains: abuse@sarek.fi, domainabuse@tucows.com (except for SWP[dot]CX)
We invite everyone to contribute by emailing abuse reports to the above mailboxes. Additionally, if you have a GitHub account, you can also contribute by reporting the 2 repos mentioned above.