The anatomy of a cryptocurrency scam

The story starts with a Reddit bot post that linked to an interesting image. I couldn’t help myself; I needed to see what this was all about.

https://imgtsj5.pics/tweet-saved-728347-16-06-22.png

The tweet is a decent-looking fake. Now that I had the domain where the shenanigans were happening, it was time to flex and bust out nslookup for the IP address and search for more data with Shodan.

borntobekyle@InTheShell:~/Documents/crypto_scam_research$ nslookup imgtsj5.pics
Server: 127.0.0.53
Address: 127.0.0.53#53

Non-authoritative answer:
Name: imgtsj5.pics
Address: 198.54.114.189

Running nslookup for the server's IP address and using Shodan revealed some interesting information for the domain imgtsj5.pics.

The image server was running on Namecheap and seemed to only be used to serve fake tweets.


Researching the scam site elonsdrop.org

Using almost the same pattern (nslookup → Shodan → researching Ethereum public addresses with etherscan.io), I was able to get all the information needed to take down these servers.

borntobekyle@InTheShell:~/Documents/crypto_scam_research$ nslookup elonsdrop.org
Server: 127.0.0.53
Address: 127.0.0.53#53

Non-authoritative answer:
Name: elonsdrop.org
Address: 198.54.116.86

This website's index looked almost exactly like Medium.

Literally borrowing Medium's CDN

Techniques used to make the site look authentic

One of the reasons the scam site looks just like Medium is because the scammers used assets from Medium's CDN.

Using static assets of the official Medium site

"https://cdn-images-1.medium.com","moduleUrls":{"base":"https://cdn-static-1.medium.com/_/fp/gen-js/main-base.bundle.a_0SBgxPULz_GVgC-U5MmQ.js","common-async":"https://cdn-static-1.medium.com/_/fp/gen-js/main-common-async.bundle.vWDRWXvUlyU9MUnZJ5unQg.js","hightower":"https://cdn-static-1.medium.com/_/fp/gen-js/main-hightower.bundle.3AufMPfabFGJltxyMLH98A.js","home-screens":"https://cdn-static-1.medium.com/_/fp/gen-js/main-home-screens.bundle.DaiofFU9x4J3msxiq64FBw.js","misc-screens":"https://cdn-static-1.medium.com/_/fp/gen-js/main-misc-screens.bundle.zOBwDBnpVNg6uSYPyVXUOQ.js","notes":"https://cdn-static-1.medium.com/_/fp/gen-js/main-notes.bundle.rf5EtkVnQGqwWYHm8U-fDw.js","payments":"https://cdn-static-1.medium.com/_/fp/gen-js/main-payments.bundle.srCv9laZ2xasQFbsmLW5bA.js","posters":"https://cdn-static-1.medium.com/_/fp/gen-js/main-posters.bundle.TOzm_nxVqf5LFg0jMss1qw.js","power-readers":"https://cdn-static-1.medium.com/_/fp/gen-js/main-power-readers.bundle.z6UphZLEmrRb11QXOCHb_g.js","pubs":"https://cdn-static-1.medium.com/_/fp/gen-js/main-pubs.bundle.sqooqPdM4SGprRNdmlC6bw.js","stats":"https://cdn-static-1.medium.com/_/fp/gen-js/main-stats.bundle.FqmH4_IHv5cSI7iPHoT2DQ.js"}

Hard coded comments

<p name="2611" id="2611" class="graf graf--p graf--leading graf--trailing">WOW, I have no words! Thanks for this generosity.</p></div>
<div class="section-content"><div class="section-inner sectionLayout--insetColumn"><p name="2611" id="2611" class="graf graf--p graf--leading graf--trailing">Thanks man! Markets are crazy and this is a welcome in these hard times! I can brag now - I got 30 ETH from Elon himself!</p></div>
<p name="2611" id="2611" class="graf graf--p graf--leading graf--trailing">Yeahhh!! 22.0 ETH came!!<br/>
<br/>
I started being interested and studying crypto about a month ago.<br/>
<br/>
Thanks<br/><br/>

Keep up the good work!</p></div>

Hard coded sources

musk-airdrop.org/files/1_U3yrRtqWkn2cCwLnYCxN-w1.html

Used smartsupp as fake customer support

Medium's official domain doesn't even have a support option on articles.

<script type="text/javascript">
var _smartsupp = _smartsupp || {};
_smartsupp.key = '1f462ed9bc43b26f82d920030e3eb564858df8d3';
window.smartsupp||(function(d) {
  var s,c,o=smartsupp=function(){ o._.push(arguments)};o._=[];
  s=d.getElementsByTagName('script')[0];c=d.createElement('script');
  c.type='text/javascript';c.charset='utf-8';c.async=true;
  c.src='https://www.smartsuppchat.com/loader.js?';s.parentNode.insertBefore(c,s);
})(document);
</script>

After clicking on either the Ethereum drop or the Bitcoin drop, the Medium clone redirected me to a separate HTML page.


Investigating the Ethereum html file

The URL for this page was https://elonsdrop.com/eth/index.html

Imagine spending time making a website like this for scamming

A few attributes of this page jump out. First, the banner on top actually displays accurate cryptocurrency prices. Second, there is the Ethereum public address that the scammer wants people to send payments to. Lastly, there is the QR code, which may have an interesting endpoint.

First I looked up the Ethereum address 0x87E17E82705C4A1a92d5512BAf6881cb1dDFaa29 on Etherscan: etherscan.io/address/0x87E17E82705C4A1a92d5512BAf6881cb1dDFaa29. At the time there were no comments labeling this address as a scammer. There were some interesting outgoing transactions, though, that gave it away.

After looking up the recipient address 0x52de8d3febd3a06d3c627f59d56e6892b80dcf12, the comments section said it all (etherscan.io/address/0x52de8d3febd3a06d3c627f59d56e6892b80dcf12#comments): we were officially dealing with the classic double-your-money scam.

Games like Runescape and Eve Online prepare you for these kinds of scams.

Now to check the QR code for interesting info. Unfortunately, there wasn’t anything super interesting. You can read most QR codes on Linux with zbar-tools.

zbarimg qrce.png 
QR-Code:0x87E17E82705C4A1a92d5512BAf6881cb1dDFaa29
scanned 1 barcode symbols from 1 images in 0.01 seconds

The price banner at the top ended up having the correct prices because the site was leveraging a coinlib.io widget to make everything more believable.

Panic tactics

A common tactic with scams is trying to create panic for the user so they are more likely to fall for the scam.

localStorage.setItem("progress", alt_count);

if (alt_sec_count <= 300)
    clearInterval(ctd);
if (alt_count <= 9999 && alt_sec_count >= 2001)
    document.getElementById("leftETH").innerHTML = "Left ETH";
if (alt_count <= 700 && alt_sec_count >= 301)
    document.getElementById("leftETH").innerHTML = "Hurry up, not much more ETH left!";
if (alt_count <= 300)
    document.getElementById("leftETH").innerHTML = "Last chance to get your ETH!";
if (alt_count <= 1000)
    document.title = alt_count + " ETH left";
if (alt_count <= 500)
    document.title = "Get your " + alt_count + " ETH now!";

Decoding byte data

Some of the elements of the website were byte-encoded. One of the easiest ways to decode byte-encoded values is with the Python 3 bytes() function combined with decode().

>>> bytes("\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4A\x4B\x4C\x4D\x4E\x4F\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5A\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6A\x6B\x6C\x6D\x6E\x6F\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7A\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39", encoding="utf8").decode('utf-8')
'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'
>>> bytes("\x72\x61\x6E\x64\x6F\x6D", encoding="utf8").decode('utf-8')
'random'
>>> bytes("\x66\x6C\x6F\x6F\x72", encoding="utf8").decode('utf-8')
'floor'
>>> bytes("\x63\x68\x61\x72\x41\x74", encoding="utf8").decode('utf-8')
'charAt'
>>> bytes("\x20\x3C\x64\x69\x76\x20\x63\x6C\x61\x73\x73\x3D\x22\x69\x6E\x6E\x65\x72\x22\x3E\x0D\x0A\x20\x20\x20\x20\x3C\x64\x69\x76\x20\x63\x6C\x61\x73\x73\x3D\x22\x74\x6F\x70\x22\x3E\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x3C\x64\x69\x76\x20\x63\x6C\x61\x73\x73\x3D\x22\x72\x6F\x77\x20\x72\x6F\x77\x2D\x74\x72\x61\x6E\x73\x2D\x6F\x75\x74\x22\x3E\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x3C\x64\x69\x76\x20\x63\x6C\x61\x73\x73\x3D\x22\x68\x61\x73\x68\x20\x63\x6F\x6C\x2D\x6C\x67\x2D\x33\x20\x63\x6F\x6C\x2D\x6D\x64\x2D\x33\x20\x63\x6F\x6C\x2D\x73\x6D\x2D\x33\x20\x63\x6F\x6C\x2D\x78\x73\x2D\x33\x22\x3E\x7B\x74\x31\x7D\x3C\x2F\x64\x69\x76\x3E\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x3C\x64\x69\x76\x20\x63\x6C\x61\x73\x73\x3D\x22\x62\x6C\x6F\x63\x6B\x2D\x6E\x75\x6D\x20\x63\x6F\x6C\x2D\x6C\x67\x2D\x31\x20\x63\x6F\x6C\x2D\x6D\x64\x2D\x31\x20\x63\x6F\x6C\x2D\x73\x6D\x2D\x31\x20\x63\x6F\x6C\x2D\x78\x73\x2D\x31\x22\x3E\x7B\x74\x32\x7D\x3C\x2F\x64\x69\x76\x3E\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x3C\x64\x69\x76\x20\x63\x6C\x61\x73\x73\x3D\x22\x61\x67\x65\x20\x63\x6F\x6C\x2D\x6C\x67\x2D\x31\x20\x63\x6F\x6C\x2D\x6D\x64\x2D\x31\x20\x63\x6F\x6C\x2D\x73\x6D\x2D\x31\x20\x63\x6F\x6C\x2D\x78\x73\x2D\x31\x22\x3E\x7B\x74\x33\x7D\x3C\x2F\x64\x69\x76\x3E\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x3C\x64\x69\x76\x20\x63\x6C\x61\x73\x73\x3D\x22\x61\x64\x64\x72\x65\x73\x73\x2D\x62\x74\x63\x2D\x73\x65\x63\x20\x63\x6F\x6C\x2D\x6C\x67\x2D\x32\x20\x63\x6F\x6C\x2D\x6D\x64\x2D\x32\x20\x63\x6F\x6C\x2D\x73\x6D\x2D\x32\x20\x63\x6F\x6C\x2D\x78\x73\x2D\x32\x22\x3E\x7B\x74\x34\x7D\x3C\x2F\x64\x69\x76\x3E\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x3C\x64\x69\x76\x20\x63\x6C\x61\x73\x73\x3D\x22\x6F\x75\x74\x2D\x74\x72\x61\x6E\x73\x20\x63\x6F\x6C\x2D\x6C\x67\x2D\x31\x20\x63\x6F\x6C\x2D\x6D\x64\x2D\x31\x20\x63\x6F\x6C\x2D\x73\x6D\x2D\x32\x20\x63\x6F\x6C\x2D\x78\x73\x2D\x32\x22\x3E\x7B\x74\x35\x7D\x3C\x2F\x64\x69\x76\x3E\x0D\x0A\x20\
x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x3C\x64\x69\x76\x20\x63\x6C\x61\x73\x73\x3D\x22\x61\x64\x64\x72\x65\x73\x73\x2D\x62\x74\x63\x20\x63\x6F\x6C\x2D\x6C\x67\x2D\x32\x20\x63\x6F\x6C\x2D\x6D\x64\x2D\x32\x20\x63\x6F\x6C\x2D\x73\x6D\x2D\x32\x20\x63\x6F\x6C\x2D\x78\x73\x2D\x32\x22\x3E\x7B\x74\x36\x7D\x3C\x2F\x64\x69\x76\x3E\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x3C\x64\x69\x76\x20\x63\x6C\x61\x73\x73\x3D\x22\x76\x61\x6C\x75\x65\x2D\x73\x75\x6D\x20\x63\x6F\x6C\x2D\x6C\x67\x2D\x31\x20\x63\x6F\x6C\x2D\x6D\x64\x2D\x31\x20\x63\x6F\x6C\x2D\x73\x6D\x2D\x31\x20\x63\x6F\x6C\x2D\x78\x73\x2D\x31\x22\x3E\x7B\x74\x37\x7D\x3C\x2F\x64\x69\x76\x3E\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x3C\x64\x69\x76\x20\x63\x6C\x61\x73\x73\x3D\x22\x74\x78\x2D\x66\x65\x65\x20\x63\x6F\x6C\x2D\x6C\x67\x2D\x31\x20\x63\x6F\x6C\x2D\x6D\x64\x2D\x31\x20\x63\x6F\x6C\x2D\x73\x6D\x2D\x31\x20\x63\x6F\x6C\x2D\x78\x73\x2D\x31\x22\x3E\x7B\x74\x38\x7D\x3C\x2F\x64\x69\x76\x3E\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x3C\x2F\x64\x69\x76\x3E\x0D\x0A\x20\x20\x20\x20\x3C\x2F\x64\x69\x76\x3E\x0D\x0A\x20\x20\x20\x20\x3C\x64\x69\x76\x20\x63\x6C\x61\x73\x73\x3D\x22\x62\x6F\x74\x74\x6F\x6D\x22\x3E\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x3C\x64\x69\x76\x20\x63\x6C\x61\x73\x73\x3D\x22\x72\x6F\x77\x20\x72\x6F\x77\x2D\x74\x72\x61\x6E\x73\x2D\x69\x6E\x22\x3E\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x3C\x64\x69\x76\x20\x63\x6C\x61\x73\x73\x3D\x22\x68\x61\x73\x68\x20\x63\x6F\x6C\x2D\x6C\x67\x2D\x33\x20\x63\x6F\x6C\x2D\x6D\x64\x2D\x33\x20\x63\x6F\x6C\x2D\x73\x6D\x2D\x33\x20\x63\x6F\x6C\x2D\x78\x73\x2D\x33\x22\x3E\x7B\x62\x31\x7D\x3C\x2F\x64\x69\x76\x3E\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x3C\x64\x69\x76\x20\x63\x6C\x61\x73\x73\x3D\x22\x62\x6C\x6F\x63\x6B\x2D\x6E\x75\x6D\x20\x63\x6F\x6C\x2D\x6C\x67\x2D\x31\x20\x63\x6F\x6C\x2D\x6D\x64\x2D\x31\x20\x63\x6F\x6C\x2D\x73\x6D\x2D\x31\x20\x63\x6F\x6C\x2D\x78\x73\x2D\x31\x22\x3E\x7B\x62\x32\x7D\x3C\x2F\x64\x69\x76\x3E\
x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x3C\x64\x69\x76\x20\x63\x6C\x61\x73\x73\x3D\x22\x61\x67\x65\x20\x63\x6F\x6C\x2D\x6C\x67\x2D\x31\x20\x63\x6F\x6C\x2D\x6D\x64\x2D\x31\x20\x63\x6F\x6C\x2D\x73\x6D\x2D\x31\x20\x63\x6F\x6C\x2D\x78\x73\x2D\x31\x22\x3E\x7B\x62\x33\x7D\x3C\x2F\x64\x69\x76\x3E\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x3C\x64\x69\x76\x20\x63\x6C\x61\x73\x73\x3D\x22\x61\x64\x64\x72\x65\x73\x73\x2D\x62\x74\x63\x20\x63\x6F\x6C\x2D\x6C\x67\x2D\x32\x20\x63\x6F\x6C\x2D\x6D\x64\x2D\x32\x20\x63\x6F\x6C\x2D\x73\x6D\x2D\x32\x20\x63\x6F\x6C\x2D\x78\x73\x2D\x32\x22\x3E\x7B\x62\x34\x7D\x3C\x2F\x64\x69\x76\x3E\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x3C\x64\x69\x76\x20\x63\x6C\x61\x73\x73\x3D\x22\x69\x6E\x2D\x74\x72\x61\x6E\x73\x20\x63\x6F\x6C\x2D\x6C\x67\x2D\x31\x20\x63\x6F\x6C\x2D\x6D\x64\x2D\x31\x20\x63\x6F\x6C\x2D\x73\x6D\x2D\x31\x20\x63\x6F\x6C\x2D\x78\x73\x2D\x31\x22\x3E\x7B\x62\x35\x7D\x3C\x2F\x64\x69\x76\x3E\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x3C\x64\x69\x76\x20\x63\x6C\x61\x73\x73\x3D\x22\x61\x64\x64\x72\x65\x73\x73\x2D\x62\x74\x63\x2D\x73\x65\x63\x20\x63\x6F\x6C\x2D\x6C\x67\x2D\x32\x20\x63\x6F\x6C\x2D\x6D\x64\x2D\x32\x20\x63\x6F\x6C\x2D\x73\x6D\x2D\x32\x20\x63\x6F\x6C\x2D\x78\x73\x2D\x32\x22\x3E\x7B\x62\x36\x7D\x3C\x2F\x64\x69\x76\x3E\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x3C\x64\x69\x76\x20\x63\x6C\x61\x73\x73\x3D\x22\x76\x61\x6C\x75\x65\x2D\x73\x75\x6D\x20\x63\x6F\x6C\x2D\x6C\x67\x2D\x31\x20\x63\x6F\x6C\x2D\x6D\x64\x2D\x31\x20\x63\x6F\x6C\x2D\x73\x6D\x2D\x31\x20\x63\x6F\x6C\x2D\x78\x73\x2D\x31\x22\x3E\x7B\x62\x37\x7D\x3C\x2F\x64\x69\x76\x3E\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x3C\x64\x69\x76\x20\x63\x6C\x61\x73\x73\x3D\x22\x74\x78\x2D\x66\x65\x65\x20\x63\x6F\x6C\x2D\x6C\x67\x2D\x31\x20\x63\x6F\x6C\x2D\x6D\x64\x2D\x31\x20\x63\x6F\x6C\x2D\x73\x6D\x2D\x32\x20\x63\x6F\x6C\x2D\x78\x73\x2D\x32\x22\x3E\x7B\x62\x38\x7D\x3C\x2F\x64\x69\x76\x3E\x0D\x0A\x20\x20\
x20\x20\x20\x20\x20\x20\x3C\x2F\x64\x69\x76\x3E\x0D\x0A\x20\x20\x20\x20\x3C\x2F\x64\x69\x76\x3E\x0D\x0A\x20\x20\x20\x20\x3C\x2F\x64\x69\x76\x3E\x0D\x0A\x20\x20\x20\x20", encoding="utf8").decode('utf-8')
' <div class="inner">\r\n    <div class="top">\r\n        <div class="row row-trans-out">\r\n            <div class="hash col-lg-3 col-md-3 col-sm-3 col-xs-3">{t1}</div>\r\n            <div class="block-num col-lg-1 col-md-1 col-sm-1 col-xs-1">{t2}</div>\r\n            <div class="age col-lg-1 col-md-1 col-sm-1 col-xs-1">{t3}</div>\r\n            <div class="address-btc-sec col-lg-2 col-md-2 col-sm-2 col-xs-2">{t4}</div>\r\n            <div class="out-trans col-lg-1 col-md-1 col-sm-2 col-xs-2">{t5}</div>\r\n            <div class="address-btc col-lg-2 col-md-2 col-sm-2 col-xs-2">{t6}</div>\r\n            <div class="value-sum col-lg-1 col-md-1 col-sm-1 col-xs-1">{t7}</div>\r\n            <div class="tx-fee col-lg-1 col-md-1 col-sm-1 col-xs-1">{t8}</div>\r\n        </div>\r\n    </div>\r\n    <div class="bottom">\r\n        <div class="row row-trans-in">\r\n            <div class="hash col-lg-3 col-md-3 col-sm-3 col-xs-3">{b1}</div>\r\n            <div class="block-num col-lg-1 col-md-1 col-sm-1 col-xs-1">{b2}</div>\r\n            <div class="age col-lg-1 col-md-1 col-sm-1 col-xs-1">{b3}</div>\r\n            <div class="address-btc col-lg-2 col-md-2 col-sm-2 col-xs-2">{b4}</div>\r\n            <div class="in-trans col-lg-1 col-md-1 col-sm-1 col-xs-1">{b5}</div>\r\n            <div class="address-btc-sec col-lg-2 col-md-2 col-sm-2 col-xs-2">{b6}</div>\r\n            <div class="value-sum col-lg-1 col-md-1 col-sm-1 col-xs-1">{b7}</div>\r\n            <div class="tx-fee col-lg-1 col-md-1 col-sm-2 col-xs-2">{b8}</div>\r\n        </div>\r\n    </div>\r\n    </div>\r\n    '
>>> bytes("\x30\x78", encoding="utf8").decode('utf-8')
'0x'
>>> bytes("\x2E\x2E\x2E", encoding="utf8").decode('utf-8')
'...'
>>> bytes("\x72\x69\x67\x68\x74\x20\x6E\x6F\x77", encoding="utf8").decode('utf-8')
'right now'
>>> bytes("\x49\x4E", encoding="utf8").decode('utf-8')
'IN'
>>> bytes("\x74\x6F\x46\x69\x78\x65\x64", encoding="utf8").decode('utf-8')
'toFixed'
>>> bytes("\x20\x45\x54\x48", encoding="utf8").decode('utf-8')
' ETH'
>>> bytes("\x4F\x55\x54", encoding="utf8").decode('utf-8')
'OUT'
>>> bytes("\x72\x65\x70\x6C\x61\x63\x65", encoding="utf8").decode('utf-8')
'replace'
>>> bytes("\x63\x65\x69\x6C", encoding="utf8").decode('utf-8')
'ceil'
>>> bytes("\x7B\x74\x31\x7D", encoding="utf8").decode('utf-8')
'{t1}'
>>> bytes("\x7B\x74\x32\x7D", encoding="utf8").decode('utf-8')
'{t2}'
>>> bytes("\x7B\x74\x33\x7D", encoding="utf8").decode('utf-8')
'{t3}'
>>> bytes("\x7B\x74\x34\x7D", encoding="utf8").decode('utf-8')
'{t4}'
>>> bytes("\x7B\x74\x35\x7D", encoding="utf8").decode('utf-8')
'{t5}'
>>> bytes("\x7B\x74\x36\x7D", encoding="utf8").decode('utf-8')
'{t6}'
>>> bytes("\x7B\x74\x37\x7D", encoding="utf8").decode('utf-8')
'{t7}'
>>> bytes("\x7B\x74\x38\x7D", encoding="utf8").decode('utf-8')
'{t8}'
>>> bytes("\x7B\x62\x31\x7D", encoding="utf8").decode('utf-8')
'{b1}'
>>> bytes("\x7B\x62\x32\x7D", encoding="utf8").decode('utf-8')
'{b2}'
>>> bytes("\x7B\x62\x33\x7D", encoding="utf8").decode('utf-8')
'{b3}'
>>> bytes("\x7B\x62\x34\x7D", encoding="utf8").decode('utf-8')
'{b4}'
>>> bytes("\x7B\x62\x35\x7D", encoding="utf8").decode('utf-8')
'{b5}'
>>> bytes("\x7B\x62\x36\x7D", encoding="utf8").decode('utf-8')
'{b6}'
>>> bytes("\x7B\x62\x37\x7D", encoding="utf8").decode('utf-8')
'{b7}'
>>> bytes("\x7B\x62\x38\x7D", encoding="utf8").decode('utf-8')
'{b8}'
>>> bytes("\x2E\x74\x72\x61\x6E\x73\x2D\x74\x61\x62\x6C\x65", encoding="utf8").decode('utf-8')
'.trans-table'
>>> bytes("\x70\x72\x65\x70\x65\x6E\x64\x54\x6F", encoding="utf8").decode('utf-8')
'prependTo'
>>> bytes("\x69\x6E\x64\x65\x78", encoding="utf8").decode('utf-8')
'index'
>>> bytes("\x20\x6D\x69\x6E\x75\x74\x65\x73\x20\x61\x67\x6F", encoding="utf8").decode('utf-8')
' minutes ago'
>>> bytes("\x68\x74\x6D\x6C", encoding="utf8").decode('utf-8')
'html'
>>> bytes("\x65\x71", encoding="utf8").decode('utf-8')
'eq'
>>> bytes("\x2E\x74\x6F\x70\x20\x2E\x72\x6F\x77\x20\x64\x69\x76", encoding="utf8").decode('utf-8')
'.top .row div'
>>> bytes("\x66\x69\x6E\x64", encoding="utf8").decode('utf-8')
'find'
>>> bytes("\x2E\x62\x6F\x74\x74\x6F\x6D\x20\x2E\x72\x6F\x77\x20\x64\x69\x76", encoding="utf8").decode('utf-8')
'.bottom .row div'
>>> bytes("\x65\x61\x63\x68", encoding="utf8").decode('utf-8')
'each'
>>> bytes("\x2E\x69\x6E\x6E\x65\x72", encoding="utf8").decode('utf-8')
'.inner'
>>> bytes("\x66\x61\x64\x65\x49\x6E", encoding="utf8").decode('utf-8')
'fadeIn'
>>> bytes("\x2E\x74\x6F\x70", encoding="utf8").decode('utf-8')
'.top'
>>> bytes("\x66\x65\x77\x20\x73\x65\x63\x6F\x6E\x64\x73\x20\x61\x67\x6F", encoding="utf8").decode('utf-8')
'few seconds ago'
>>> bytes("\x72\x65\x61\x64\x79", encoding="utf8").decode('utf-8')
'ready'

Not exactly sure why all of this was converted into bytes; it was fun decoding it all to plaintext, though.
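The same decoding applied to a whole script at once, as an added example that is not part of the original post: inside a Python string literal the interpreter has already resolved each \xNN, so this sketch works on the raw JavaScript text instead, where the escapes are literal characters. SAMPLE and the variable names in it are constructed from strings decoded above.

```python
import re

# A quoted JavaScript string literal: group 1 is the quote, group 2 the body.
# A regex is not a JS parser (comments, regex literals and template strings are
# not understood), which is acceptable for triaging one obfuscated page script.
JS_STRING = re.compile(r'''(["'])((?:\\[\s\S]|(?!\1)[^\\\n])*)\1''')
# One escape sequence. \xNN is tried first, and "\\x41" (an escaped backslash
# followed by plain text) is consumed as the pair "\\" so it is never decoded.
ESCAPE = re.compile(r'\\(x[0-9A-Fa-f]{2}|[\s\S])')

# Constructed sample, built from strings the post decoded by hand.
SAMPLE = r'''var _0xa = ["\x72\x61\x6E\x64\x6F\x6D", "\x66\x6C\x6F\x6F\x72", "\x20\x45\x54\x48", '\x2E\x74\x72\x61\x6E\x73\x2D\x74\x61\x62\x6C\x65'];
var tpl = "\x3C\x64\x69\x76\x20\x63\x6C\x61\x73\x73\x3D\x22\x74\x6F\x70\x22\x3E\x0D\x0A";
var keep = "\\x41";'''


def _char(esc):
    """Character for an 'xNN' escape body, or None for any other escape."""
    return chr(int(esc[1:], 16)) if len(esc) == 3 else None


def deobfuscate(js_source):
    """Rewrite the source with printable \\xNN escapes shown as plain text."""
    def fix_escape(m, quote):
        ch = _char(m.group(1))
        # Control characters, the closing quote and backslash stay escaped so
        # each rewritten literal still evaluates to the same value.
        if ch and 0x20 <= ord(ch) < 0x7F and ch not in (quote, '\\'):
            return ch
        return m.group(0)

    def fix_literal(m):
        quote, body = m.group(1), m.group(2)
        return quote + ESCAPE.sub(lambda e: fix_escape(e, quote), body) + quote

    return JS_STRING.sub(fix_literal, js_source)


def decoded_strings(js_source):
    """Values of the literals that contained at least one \\xNN escape."""
    values = []
    for m in JS_STRING.finditer(js_source):
        body = m.group(2)
        value = ESCAPE.sub(lambda e: _char(e.group(1)) or e.group(0), body)
        if value != body:
            values.append(value)
    return values


if __name__ == "__main__":
    print(deobfuscate(SAMPLE))
    print(decoded_strings(SAMPLE))
```

Reading the saved script from disk and passing its text to deobfuscate() keeps the analysis static; nothing from the page is executed.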


Reporting the servers to Namecheap

At first I called the spam website out on Twitter and Namecheap wanted me to provide additional info via direct message. I was very impressed with their response time after providing enough information proving these servers belonged to a scammer or scam group. In total it probably took less than 30 minutes to take down two scam servers.

Key takeaways

Scammers are using valid services to create authentic-looking experiences: for example, borrowing Medium CDN assets, fake customer support with smartsuppchat, coinlib.io for a price banner, etc. If something looks too good to be true, it probably is. Stay diligent and research public addresses.
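One way to turn these takeaways into a check, as an added example that is not the author's tool: it scores a fetched page on the indicators described in this post. The weights, the function names and the giveaway.example host are assumptions, and the sample HTML is constructed.

```python
import re

# Indicators come from this write-up; the weights are illustrative assumptions.
IMPERSONATED = {"medium.com": "Medium"}  # brand asset domain -> brand name
# Legitimate sites embed these widgets too, so each one only adds a little.
WIDGETS = {"smartsuppchat.com": "live-chat widget", "coinlib.io": "price ticker widget"}
KNOWN_ADDRESSES = {  # the two addresses named in the write-up, lowercased
    "0x87e17e82705c4a1a92d5512baf6881cb1ddfaa29",
    "0x52de8d3febd3a06d3c627f59d56e6892b80dcf12",
}
HOST = re.compile(r"https?://([A-Za-z0-9.-]+)")
ETH_ADDRESS = re.compile(r"\b0x[0-9a-fA-F]{40}\b")
URGENCY = re.compile(r"hurry up|last chance|\bETH left\b", re.IGNORECASE)

# Constructed sample page modelled on the snippets quoted in this post.
SAMPLE_HTML = """
<script src="https://cdn-static-1.medium.com/_/fp/gen-js/main-base.bundle.js"></script>
<script>c.src='https://www.smartsuppchat.com/loader.js?';</script>
<p>Send to 0x87E17E82705C4A1a92d5512BAf6881cb1dDFaa29</p>
<span id="leftETH">Hurry up, not much more ETH left!</span>
"""


def _under(host, domain):
    """True when host is the domain itself or one of its subdomains."""
    return host == domain or host.endswith("." + domain)


def scan_page(page_host, html):
    """Return (score, findings) for one already-fetched page."""
    findings = []
    hosts = {h.lower().rstrip(".") for h in HOST.findall(html)}
    for domain, brand in IMPERSONATED.items():
        # Brand assets are only suspicious when the page is not the brand's own.
        if any(_under(h, domain) for h in hosts) and not _under(page_host, domain):
            findings.append((3, f"{brand} assets loaded by unrelated host {page_host}"))
    for domain, kind in WIDGETS.items():
        if any(_under(h, domain) for h in hosts):
            findings.append((1, f"{kind} from {domain}"))
    for addr in sorted({a.lower() for a in ETH_ADDRESS.findall(html)}):
        known = addr in KNOWN_ADDRESSES
        label = "known scam" if known else "embedded"
        findings.append((5 if known else 1, f"{label} address {addr}"))
    if URGENCY.search(html):
        findings.append((2, "urgency wording around remaining funds"))
    return sum(w for w, _ in findings), [text for _, text in findings]


if __name__ == "__main__":
    score, findings = scan_page("giveaway.example", SAMPLE_HTML)
    print(score)
    for line in findings:
        print(" -", line)
```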

What next?

I’m currently creating a tool that can find scam websites based on common patterns and known addresses. Stay tuned for the next episode of scammer no scamming!! :D
