Monthly report attached - September 2024


Thanks for your continuous support!

Bad and suspicious domains detected, shared with vendors for removal where applicable: 31

UrlScan IoCs - Balancer

    Pingdom monitoring Uptime and DNS changes - all good




Multiple offenders exposed and banned in Discord

from:dubstard After: 2024-09-01 Before: 2024-09-30 in: 👮︲moderation

158 scammers/offenders were banned in September 2024, on top of the bans enforced by AutoMod, the multi-server bot and the new MEE6 bots, which now do much of the heavy lifting in terms of auto-bans and deleting bogus invitations to external Discord servers.



Warnings issued Discord

Public facing

1 September
2 September
5 September
9 September - double agent
12 September - user report
16 September
20 September
21 September - user report
28 September


Key for DeBank

Still plenty of Computing Units available - 891,120




Fake Blogs

There is a large-scale attack on almost all web3/defi/amm/dex/cex brands, involving a complex redirect chain and search engine poisoning.

The modus operandi is as follows:
1. Scammers register a large number of "blogs" which pretend to be purely informational services, for example on how to use "Trezor".
2. This leads to search engine "poisoning" with the registered links, because the threat actors abuse legitimate service providers such as Vercel, GitHub, GitBook and Webflow, to name a few.
3. By registering nested subdomains which resemble the brand, the scammers stay dormant until the search engines index and pick up their pages.
4. Once indexed, the contents get changed, and the harmless "blog" starts redirecting users to fraudulent sites, seed stealers, wallet drainers, malicious smart contracts and so on.

So a lot of sites pretend to be blogs, but are not.
Removing those is harder, as it is harder to prove the abuse to the service providers.



Unless users come from a search engine, the scam is not activated (the page keeps pretending to be a blog, etc.)

E.g. a fake captcha, which never opens.


Suspending the intermittent "redirect" bait sites takes forever, as the actors use registrars with less than honest practices.

Apart from GitHub, they also abuse GitBook, Webflow, Microsoft Azure and Vercel: all legitimate services, but abused by the actors.

This is the modus operandi:

1. BING search
bing[.]com/search?q=Balancer

2. Leads to a random intermittent domain or a GitHub-hosted scam
balancer-v3[.]online

Linked inside is a seed phrase stealer


Complete lifecycle, all legitimate services abused!

So they are very hard to take down, and the volumes are absolutely huge!
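A small triage helper for the pattern described above (added here as an example; it is not the report's own tooling). It refangs indicators written as balancer-v3[.]online, extracts the hostname, and flags brand lookalikes sitting on the abused hosting platforms named in the report. The platform suffix list, the brand's real domain and the sample hostnames other than the two indicators quoted above are assumptions.

```python
import re
from typing import Optional

# Assumed list of legitimate hosting platforms the report describes as abused.
ABUSED_PLATFORM_SUFFIXES = (
    "pages.dev", "r2.dev", "workers.dev", "vercel.app", "github.io",
    "gitbook.io", "webflow.io", "azurewebsites.net", "azurestaticapps.net",
)
LEGIT_DOMAINS = ("balancer.fi",)  # assumed real brand domain(s)


def refang(indicator: str) -> str:
    """Turn defanged notation such as balancer-v3[.]online back into a plain host/URL."""
    return indicator.strip().lower().replace("[.]", ".").replace("hxxp", "http")


def hostname_of(indicator: str) -> str:
    """Extract the hostname from a URL or bare host, dropping scheme, path and port."""
    host = re.sub(r"^[a-z]+://", "", refang(indicator))
    return host.split("/")[0].split("?")[0].split(":")[0]


def platform_suffix(host: str) -> Optional[str]:
    """Return the abused-platform suffix the host sits on, if any."""
    return next((s for s in ABUSED_PLATFORM_SUFFIXES
                 if host == s or host.endswith("." + s)), None)


def triage(indicator: str, brand: str = "balancer") -> dict:
    """Classify one indicator for a brand-monitoring queue."""
    host = hostname_of(indicator)
    labels = host.split(".")
    # Brand token inside any label, tolerating separators (balancer-v3, balancer_app).
    brand_hit = any(brand in re.sub(r"[-_]", "", lab) for lab in labels)
    platform = platform_suffix(host)
    if any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS):
        verdict = "legit"
    elif brand_hit and platform:
        verdict = "lookalike-on-abused-platform"   # nested subdomain, step 3 above
    elif brand_hit:
        verdict = "lookalike-domain"               # e.g. balancer-v3[.]online
    else:
        verdict = "no-brand-match"
    return {"host": host, "verdict": verdict, "platform": platform}


if __name__ == "__main__":
    # Constructed samples, apart from the two indicators quoted in the report.
    for ind in ("bing[.]com/search?q=Balancer", "balancer-v3[.]online",
                "balancer-v3-airdrop.pages.dev", "app.balancer.fi"):
        print(triage(ind))
```

Feed it the hostnames pulled from the search results or urlscan exports and work the "lookalike-on-abused-platform" hits first, since those are the ones that need an abuse report to the platform rather than the registrar.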

Top phishing platforms: pages.dev and r2.dev

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/its-raining-phish-and-scams-how-cloudflare-pages-dev-and-workers-dev-domains-get-abused/


The same applies to almost all brands I tested with 😑


Revoke cash