@phishdestroy
Created February 8, 2026 22:58
China USDT trc20 drainer
# 🔴 BUYTRX Approval Drainer Kit — Full Infrastructure Teardown
> **Threat Type:** TRC-20 USDT Unlimited Approval Scam (Wallet Drainer)
> **Date:** 2026-02-09
> **Investigated by:** [PhishDestroy](https://github.com/phishdestroy)
> **Entry point:** `https://shrill-haze-5ff7.buytrx.workers.dev`
> **Total domains discovered:** 55+ (across 2 kit versions)
> **Drainer contracts:** 2 (current: `TRnru..`, legacy: `TXwXf..` with 323 TXs)
> **Confirmed on-chain victims:** 4 (current) + 323 TXs (legacy contract)
> **Google Ads account:** `AW-17287232508` (paid advertising to lure victims)
> **Operation active since:** July 2025 (`buytron.net`)
---
## Executive Summary
A network of **55+ phishing domains** masquerading as a "USDT → TRX swap service" tricks victims into signing an `approve(MAX_UINT256)` transaction on the TRC-20 USDT contract, granting the attacker's smart contract **unlimited access to the victim's entire USDT balance**. The attacker can then call `transferFrom()` at any time to drain funds.
The operation has been **active since at least July 2025** (`buytron.net`), evolving from a PHP-based kit to the current Next.js architecture. Two drainer smart contracts have been identified — the legacy contract (`TXwXfz8Bp9AoCX79wcHiyB5vWSCtbNuHnS`) has **323 recorded transactions**. The scammer **pays for Google Ads** (account `AW-17287232508`) to drive victims, tracking successful approvals as ad conversions.
The infrastructure spans **7 active frontends**, **20 dormant/reserve domains**, **6 API backends sharing a single database**, **2 non-Cloudflare origin servers** (one bare-metal, one VPS), and a **hidden admin panel**, all operating without authentication. The victim database, including wallet addresses, IPs, and transaction hashes, is fully exposed via unauthenticated API endpoints.
---
## 1. Infrastructure Map
### 1.1 Frontends
**27 frontend domains** (7 active, 20 dormant or down) were confirmed serving identical or near-identical copies of the scam kit; the 55+ figure in the header also counts the historical domains listed in section 1.4. Hosting spans Cloudflare Workers, Cloudflare Pages, and bare-metal HIVELOCITY servers.
#### Active Frontends (confirmed serving scam page)
| Domain | Hosting | IP | Status |
|---|---|---|---|
| `shrill-haze-5ff7.buytrx.workers.dev` | Cloudflare Workers | — | ✅ Live |
| `exchange.swap-trx.workers.dev` | Cloudflare Workers | — | ✅ Live |
| `trxev.com` | Cloudflare Pages | CF proxy | ✅ Live |
| `trxmo.com` | Cloudflare Pages | CF proxy | ✅ Live |
| `buytrx.mov` | Cloudflare | `104.21.28.149` / `172.67.170.225` | ✅ Live |
| `buytrx.cx` | Cloudflare | `104.21.45.243` / `172.67.221.36` | ✅ Live |
| `trxdc.org` | Cloudflare | `104.21.16.11` / `172.67.209.192` | ✅ Live |
#### Dormant / Degraded Frontends (503 or connection refused)
| Domain | IP | Hosting | Status |
|---|---|---|---|
| `trxwb.org` | `107.155.88.198` | HIVELOCITY, Inc. | ⚠️ 503 |
| `trxli.org` | `107.155.88.198` | HIVELOCITY, Inc. | ⚠️ 503 |
| `trxog.org` | `107.155.88.198` | HIVELOCITY, Inc. | ⚠️ 503 |
| `trxuk.org` | `107.155.88.198` | HIVELOCITY, Inc. | ⚠️ 503 |
| `trxfz.org` | `107.155.88.198` | HIVELOCITY, Inc. | ⚠️ 503 |
| `trxit.org` | CF proxy | Cloudflare | ⚠️ 503 |
| `trxng.org` | CF proxy | Cloudflare | ⚠️ 503 |
| `trxcx.org` | CF proxy | Cloudflare | ⚠️ 503 |
| `trxrk.org` | CF proxy | Cloudflare | ⚠️ 503 |
| `trxhi.org` | CF proxy | Cloudflare | ⚠️ 503 |
| `trxov.org` | CF proxy | Cloudflare | ⚠️ 503 |
| `buy-trx.one` | CF proxy | Cloudflare | ❌ Down |
| `trxgb.org` | CF proxy | Cloudflare | ❌ Down |
| `trxne.org` | CF proxy | Cloudflare | ❌ Down |
| `trxes.org` | CF proxy | Cloudflare | ❌ Down |
| `trxpt.org` | CF proxy | Cloudflare | ❌ Down (frontend) |
| `trxrs.org` | CF proxy | Cloudflare | ❌ Down |
| `trxgt.org` | CF proxy | Cloudflare | ❌ Down |
| `trxln.org` | CF proxy | Cloudflare | ❌ Down |
| `trxok.org` | CF proxy | Cloudflare | ❌ Down |
#### Origin Servers (non-Cloudflare)
| IP | Organization (ASN) | Type | Location | Domains / exposure |
|---|---|---|---|---|
| `107.155.88.198` | HIVELOCITY, Inc. | Bare metal | Los Angeles, US | trxwb, trxli, trxog, trxuk, trxfz |
| `46.21.151.194` | HVC-AS | VPS | Los Angeles, US | Direct IP access on ports 443 and 8020 |
All frontends serve identical Next.js static exports from the same codebase, localized into **21 languages** (en, zh, ru, ja, ko, es, tr, fr, de, pt, ar, hi, th, vi, id, uk, pl, it, nl, cs, ms).
### 1.2 Backend APIs
Five API backends were discovered initially (a sixth, `api.trxdc.org`, is noted below). **All share the same database**: every endpoint returns the identical 30 victim records.
| Service | URL | Purpose | Status |
|---|---|---|---|
| Primary scam API | `https://api.trxmo.com` | TX generation, broadcast, victim logging | ✅ Live |
| Admin/Stats API | `https://api.trxpt.org` | Victim log mirror, visit statistics | ✅ Live |
| Fallback API | `https://api.trxev.com` | Redundant victim log endpoint | ✅ Live |
| API for buytrx.mov | `https://api.buytrx.mov` | Full scam API mirror | ✅ Live |
| API for buytrx.cx | `https://api.buytrx.cx` | Full scam API mirror | ✅ Live |
All backends run **Express.js** behind Cloudflare (`x-powered-by: Express` header leaked). The shared database confirms a single operator managing the entire network.
**Key finding:** The `api.trxdc.org` subdomain also responds to checkWallet requests, confirming at least 6 API endpoints serving the same infrastructure.
### 1.3 Supporting Infrastructure
| Component | Value |
|---|---|
| WalletConnect Project ID (current) | `31eee2e7b3ff1dc4ebdfa6f839467664` |
| WalletConnect Project ID (legacy) | `28c93ed442ee58a550ad41334f4e3c81` |
| Hidden admin panel | `/8fb198a6e9b7af32` (identical path on all domains, no authentication) |
| Telegram contact | [@buytrx9](https://t.me/buytrx9) (display name: "Buytron") |
| CSS build marker | `34190323-6281-4d85-b5cd-2d1b71be55bf` (hidden in `body::after`) |
| Tech stack (current) | Next.js SSG + WalletConnect v2 + TronWeb + Express.js backend |
| Tech stack (legacy) | Static HTML/CSS/JS + PHP backend + TronGrid direct API |
| Google Ads account | `AW-17287232508` |
| Analytics | Plausible.io (`plausible.io/api/event`) |
### 1.4 Historical Evolution (URLScan / Web Archive OSINT)
**Phase 1: PHP Kit (Jul–Nov 2025)**
- Original domain: `buytron.net` (first URLScan: 2025-07-23)
- Backend: PHP (`/api/confirm_payment_approve.php`, `/api/get_price.php`)
- Drainer contract: `TXwXfz8Bp9AoCX79wcHiyB5vWSCtbNuHnS` (**323 transactions**)
- Approve TX built **client-side** via TronGrid API, then signed TX sent to PHP backend for broadcast
- Associated domains: `buytrx.vip`, `buytrx.link`, `buytrx.zip`
**Phase 2: Next.js Kit (Nov 2025–present)**
- First Next.js domain: `trxone.net` (2025-11-08)
- Backend migrated to Express.js with centralized API (`/api/checkWallet`, `/api/submitTx`)
- Drainer contract changed to: `TRnruCYe2k3kSMYCGwM51rzDD591w7UPJ8`
- Massive domain expansion: 49+ unique domains observed on URLScan
**Complete Domain Timeline (55+ domains from URLScan + Shodan):**
```
2025-07-23 buytron.net ← ORIGINAL DOMAIN (PHP kit)
2025-11-08 trxone.net ← First Next.js deployment
2025-11-12 trxone.org
2025-11-13 trxline.org
2025-11-14 a.campins.info (compromised domain)
2025-11-19 trx-swaps.org, trx-transfer.com
2025-11-20 trx-bridges.com, trx-new.com, trxus.org
2025-11-22 trx-bridges.org
2025-12 trx-power, trx-storm, trxln, trxcc, trxsw, trxex, trxme, buytrx.vip,
trxby, trxbm, zerotrx.money, trx-lock, trx-flow, trxos, buytrx.zip,
trx-bnd, trx-one.org, trxne
2026-01 swap.trxgb, swap.trxyz, trxop, swap.trxnav, swap.trxcs,
trx-speedy, tronmarket.pro, trxa, buytrx.tools,
how-to-buy-trx.hovode3078.workers.dev
2026-02 trxdc, trxli, trxle, trxog, trxhub.it.com, trxpay.biz,
trxchange.online, trxsk, trxlk, trxtg,
exchange.swap-trx.workers.dev, shrill-haze-5ff7.buytrx.workers.dev
buytrx.mov, buytrx.cx, trxwb, trxfz, trxuk, trxit, trxng, trxcx,
trxrk, trxhi, trxov, trxgb, trxrs, trxgt, trxok, buy-trx.one, trxes
```
### 1.5 Google Ads & Paid Advertising
The scammer **pays for Google Ads** to drive traffic and **tracks successful approve() signatures as ad conversions**.
| Service | Identifier | Purpose |
|---|---|---|
| Google Ads Account | `AW-17287232508` | Paid advertising campaign |
| Conversion Tag | `AW-17287232508/GjSVCMa-xewaEPz3mLNA` | Tracks approve() as ad conversion |
| Plausible Analytics | `plausible.io` | Visit tracking |
**Evidence from the PHP kit's deobfuscated JavaScript:**
```javascript
gtag('event', 'conversion', {
  send_to: 'AW-17287232508/GjSVCMa-xewaEPz3mLNA',
  transaction_id: ''
});
```
This fires immediately after the victim signs the approve() transaction, so each signed approval is counted as a Google Ads conversion before any funds are moved. The Google Ads account can be reported to Google for suspension.
### 1.6 Leaked API Keys
| Key | Service | Source |
|---|---|---|
| `7b5ae8c4-20b2-4244-bde1-1c4c8a6d8dd0` | TronGrid Pro API | PHP kit (USDT balance check) |
| `af548b3a-2ce3-429f-bb6f-1cc099f1b6fe` | TronGrid Pro API | PHP kit (TRX balance check) |
| `33ab00bc-3f8a-4bdb-942d-17a4406d4fed` | TronGrid Pro API | Next.js bundle |
---
## 2. Attack Flow
### Phase 1 — Wallet Connection
The victim selects TronLink or Trust Wallet. Connection is established via:
- **TronLink:** Direct injection — `window.tronLink.request({method: "tron_requestAccounts"})`
- **Trust Wallet:** WalletConnect v2 with `tron_signTransaction` capability
### Phase 2 — Malicious Transaction Generation
The frontend sends the victim's address to the backend:
```http
POST https://api.trxmo.com/api/checkWallet
Content-Type: application/json

{"type": "tronlink", "address": "<victim_address>"}
```
The backend queries the TRON network for the victim's USDT balance. If non-zero, it returns an **unsigned transaction** — an `approve()` call on the USDT contract (`TR7NHqjeKQxGTCi8q8ZY4pL8otSzgjLj6t`) granting **unlimited allowance** (`115792089237316195423570985008687907853269984665640564039457584007913129639935`) to the scam contract.
**Response codes:**
| Code | Meaning |
|---|---|
| `ok: true` | Unsigned TX returned — victim has USDT balance |
| `1001` | Address already in database (duplicate attempt) |
| `1002` | Multisig wallet detected (unsupported) |
| `1003` | Insufficient USDT balance |
| `1004` | Network error / invalid address |
### Phase 3 — Social Engineering the Signature
The site displays a dedicated "TronLink Help" modal instructing victims to ignore wallet warnings:
> *"The address TR7NHqjeKQxGTCi8q8ZY4pL8otSzgjLj6t is the official USDT contract on TRON. The platform interacts with it to complete the swap. The 'May fail / Insufficient balance' message is just a generic notice — simply tap Confirm to continue."*
> *"The wallet warning about 'TRX or energy usage' is normal. The platform covers all fees — no TRX will be deducted from your account. Tap Confirm to complete."*
### Phase 4 — Broadcast & Logging
```http
POST https://api.trxmo.com/api/submitTx
Content-Type: application/json

{"address": "<victim>", "signedTx": <signed_tx_object>}
```
Upon successful broadcast, the backend records: wallet address, txid, IP address, wallet type, referral source, and timestamp.
### Phase 5 — Drain
The attacker calls `transferFrom()` through the scam contract `TRnruCYe2k3kSMYCGwM51rzDD591w7UPJ8` to transfer all USDT from the victim's wallet.
---
## 3. On-Chain Evidence
### 3.1 Scam Contract
| Field | Value |
|---|---|
| **Address** | `TRnruCYe2k3kSMYCGwM51rzDD591w7UPJ8` |
| **Name** | SwapTRX |
| **Created** | 2025-12-13 08:29:03 UTC |
| **Creator** | `TBoZFHuKda8SkDux7nQH2DDMEJ2w2xkvor` |
| **Function** | TRC-20 approval spender — receives unlimited USDT allowance from victims |
### 3.2 Creator Wallet
| Field | Value |
|---|---|
| **Address** | `TBoZFHuKda8SkDux7nQH2DDMEJ2w2xkvor` |
| **Created** | 2025-12-13 |
| **Total transactions** | 157 |
| **Current TRX balance** | 352.53 TRX |
### 3.3 Fund Flow — Connected Wallets
| Address | Role | Observed Volume |
|---|---|---|
| `TFGDbUyP8xez44C76fin3bn3Ss6jugoUwJ` | Primary transit wallet | 888 USDT, 5 USDT, 3 USDT |
| `TC6B75fi2G3KKRcBJDiUZrbZkwHFis4uGX` | Inbound funding source | 888 USDT |
| `TKaccVBy6d7gVBYhMe3e9URDMYyzm2rme8` | Outbound cashout | 5 USDT |
| `TQ9yjnYtWkD98jNWkX6GKbGnMoZ51SCWPV` | Outbound cashout | 2.999 USDT |
### 3.4 Confirmed Victim Transactions
All confirmed on-chain transactions are `approve(MAX_UINT256)` calls on the USDT contract with spender `TRnruCYe2k3kSMYCGwM51rzDD591w7UPJ8`:
| Time (UTC) | Victim Address | Wallet | TX Hash | Block |
|---|---|---|---|---|
| 2026-02-09 04:39 | `TWwNFHkj1Lj81hEe5DBcMK2X6MhQ9h7a8P` | TronLink | [`249f86b8...`](https://tronscan.org/#/transaction/249f86b80b6450e9578da6423fa671f1e8a591d4663173fc9e5bbd256bb95f7a) | 79972858 |
| 2026-02-09 02:37 | `TNqpoUZ78fpeLZRRamvdmiK7cehx5tWhm6` | Trust | [`8e3bae63...`](https://tronscan.org/#/transaction/8e3bae631ecd80feaf34200f9aaa6610fe687b7badbc89595759ddc5f62b31c1) | 79970416 |
| 2026-02-08 23:23 | `TKwHQPuikEqz2g1PKjQphSZZKNdCoEfSvK` | Trust | [`40b2ccc5...`](https://tronscan.org/#/transaction/40b2ccc57d616d4bb0c475762100516ab1b5394e008be169a6b6df80f63d3676) | 79966540 |
| 2026-02-08 06:47 | `TBkdg7w2SXcNVBZtX3ECaZfrcyijpmVT1d` | Trust | [`90d7b19b...`](https://tronscan.org/#/transaction/90d7b19bf74dbb0f4913d23436ee4318a83ff3f20e371cc884d363f8d0251d25) | 79946621 |
30 total records in the victim database; 4 confirmed on-chain, 26 not on-chain (unsigned or failed broadcasts). The 20 records (#11–#30) originating from `exchange.swap-trx.workers.dev` at 03:38–03:41 UTC with sequential US IPs in the `96.16x–96.18x` range are likely the operator's test data, not real victims.
### Full Victim Database Dump (30 records)
| # | Address | TX Hash | Status | On-Chain | Wallet | Source | IP | Time (UTC) |
|---|---|---|---|---|---|---|---|---|
| 1 | `TWwNFHkj1Lj..` | `249f86b8..` | success | ✅ APPROVE | tronlink | shrill-haze..workers.dev | `173.79.169.22` | 2026-02-09 04:39 |
| 2 | `TNqpoUZ78fp..` | `8e3bae63..` | success | ✅ APPROVE | trust | shrill-haze..workers.dev | `182.183.162.100` | 2026-02-09 02:37 |
| 3 | `TKwHQPuikEq..` | `40b2ccc5..` | success | ✅ APPROVE | trust | shrill-haze..workers.dev | `2401:4900:..` | 2026-02-08 23:23 |
| 4 | `TUL9BHMyrU5..` | `ad6307d1..` | pending | ❌ | tronlink | shrill-haze..workers.dev | `203.144.74.232` | 2026-02-08 22:02 |
| 5 | `TWKM19X4CT7..` | `df6342f9..` | pending | ❌ | tronlink | exchange..workers.dev | `2409:40d2:..` | 2026-02-08 10:29 |
| 6 | `TBkdg7w2SXc..` | `90d7b19b..` | success | ✅ APPROVE | trust | exchange..workers.dev | `2402:e000:..` | 2026-02-08 06:47 |
| 7 | `TVuNgnJZJRr..` | `337bdcf3..` | pending | ❌ | trust | exchange..workers.dev | `96.170.26.22` | 2026-02-08 04:14 |
| 8 | `TQEb61b4Urz..` | `93cf9ae8..` | pending | ❌ | trust | exchange..workers.dev | `96.166.204.183` | 2026-02-08 03:57 |
| 9 | `TYgteY78UCk..` | `7a396c60..` | pending | ❌ | tronlink | trxev.com | `185.194.53.224` | 2026-02-08 03:47 |
| 10 | `TVnTbqhpwx7..` | `1ad81ab4..` | pending | ❌ | tronlink | exchange..workers.dev | `62.95.255.100` | 2026-02-08 03:43 |
| 11–30 | *(20 records)* | — | pending | ❌ | mixed | exchange..workers.dev | `96.16x–96.18x` | 03:38–03:41 |
**Records 11–30 analysis:** 20 entries submitted from `exchange.swap-trx.workers.dev` within a 3-minute window (03:38–03:41 UTC), with sequential US IPs in the `96.164.x.x`–`96.189.x.x` range. All pending, none confirmed on-chain. Pattern consistent with **operator testing** rather than real victims.
---
## 4. Exposed APIs — No Authentication
The entire backend data layer is accessible without any form of authentication.
### 4.1 Victim Transaction Log
**All 6 API backends return identical data** (shared database):
```
GET https://api.trxmo.com/api/2fb198a6e9b7af38
GET https://api.trxpt.org/api/2fb198a6e9b7af38
GET https://api.trxev.com/api/2fb198a6e9b7af38
GET https://api.buytrx.mov/api/2fb198a6e9b7af38
GET https://api.buytrx.cx/api/2fb198a6e9b7af38
GET https://api.trxdc.org/api/2fb198a6e9b7af38
```
Returns the last 30 victim records including wallet addresses, transaction hashes, IP addresses, wallet types, referral sources, and timestamps.
**Sample response:**
```json
{
  "ok": true,
  "count": 30,
  "data": [
    {
      "source": "shrill-haze-5ff7.buytrx.workers.dev",
      "wallet_type": "tronlink",
      "wallet_address": "TWwNFHkj1Lj81hEe5DBcMK2X6MhQ9h7a8P",
      "txid": "249f86b80b6450e9578da6423fa671f1e8a591d4663173fc9e5bbd256bb95f7a",
      "status": "success",
      "ip": "173.79.169.22",
      "created_at": "2026-02-09 04:39:57"
    }
  ]
}
```
### 4.2 Site Visit Statistics
```
GET https://api.trxpt.org/api/a9c3f7e2d4b8ff21?site=trxev.com
```
```json
{"site": "trxev.com", "today_views": 9, "total_views": 91}
```
**Observed traffic at time of investigation** (the admin panel labels `total_views` as 周访问, "weekly visits"):
| Site | `today_views` | `total_views` |
|---|---|---|
| trxev.com | 9 | 91 |
| trxmo.com | 5 | 29 |
| shrill-haze-5ff7.buytrx.workers.dev | 0 | 0 |
| exchange.swap-trx.workers.dev | 0 | 0 |
### 4.3 Address Enumeration via checkWallet
The `/api/checkWallet` endpoint leaks whether an address exists in the victim database through its differentiated response codes (see the table in section 2):
- **Response `1001`** → Address is already in the database (previously submitted)
- **Any other response** (`ok: true`, `1003`, `1004`) → Address is not in the database
This allows enumeration of compromised addresses. Caveat: if, as section 7.3 describes, every `checkWallet` call also writes to the database, a probe registers the probed address and later probes for it return `1001`, so treat enumeration as one-shot per address and expect probes to show up in the victim log.
---
## 5. Hidden Admin Panel
All frontend domains expose an unauthenticated admin dashboard at path `/8fb198a6e9b7af32`.
**Features:**
- Real-time victim feed with auto-refresh (10s / 60s intervals)
- Wallet address, txid, status, IP, timestamp for each victim
- Click-to-geolocate victim IPs via `ipwho.is` API (with `lang=zh-CN`)
- Per-site visit statistics
- Dark/light mode toggle
**UI language is entirely Chinese:**
- 日间 / 夜间 (Day / Night mode)
- 今日访问 (Today's visits)
- 周访问 (Weekly visits)
- 钱包地址 (Wallet address)
- 状态 (Status)
- 点击查询地理位置 (Click to query geolocation)
---
## 6. Attribution Indicators
| Signal | Value |
|---|---|
| Admin panel language | Chinese (Simplified) |
| IP geolocation API | `ipwho.is` with `lang=zh-CN` |
| Source code comments | `"⚠️ 清理 WalletConnect 存储失败"` (Failed to clean WalletConnect storage) |
| | `"⚠️ 移动端 request 异常"` (Mobile request exception) |
| | `"未获取到 TronLink 地址"` (Failed to get TronLink address) |
| Telegram handle | @buytrx9 / "Buytron" |
| Profile | Chinese-speaking developer, proficient in Next.js, Express.js, TRON ecosystem |
---
## 7. Vulnerabilities & Weaknesses
### 7.1 Unauthenticated Data Access
All data endpoints (victim logs, statistics, admin panel) require no tokens, cookies, or credentials of any kind.
### 7.2 Weak Rate Limiting
- `x-ratelimit-limit: 6` per window, per IP
- Trivially bypassed with IP rotation
- ~50% of rapid requests succeed even without proxy rotation
- `api.trxmo.com` has softer limits than `api.trxpt.org`
### 7.3 Backend Resource Consumption
Each `/api/checkWallet` call forces the backend to:
1. Query the TRON network for the victim's USDT balance
2. Generate an unsigned transaction
3. Write to the database
High-volume requests with randomized addresses exhaust the backend's TronGrid/fullnode API quotas.
### 7.4 Cloudflare Workers Compute Limits
Workers on the free plan have a **100,000 requests/day** cap with **10ms CPU per invocation**. If the operator is on the free plan (not verified), the frontend Workers are vulnerable to quota exhaustion.
### 7.5 Hardcoded WalletConnect Project ID
The WalletConnect Project ID `31eee2e7b3ff1dc4ebdfa6f839467664` is hardcoded in the frontend bundle. Reporting this ID to WalletConnect as malicious would disable Trust Wallet connectivity, the path used by three of the four confirmed on-chain victims (section 3.4).
### 7.6 Express.js Information Disclosure
The `x-powered-by: Express` header is not disabled, confirming the backend framework.
### 7.7 Potential Stored XSS in Admin Panel
The admin panel renders `wallet_address`, `source`, and `ip` fields directly from the database. If `submitTx` writes these fields without sanitization, injected payloads could execute in the attacker's admin session. This was not tested and remains unverified.
---
## 8. Recommended Actions
### Immediate Takedown
| Target | Action | Scope |
|---|---|---|
| Cloudflare | Abuse report for all domains behind CF proxy | 7 active + 15 dormant domains + 6 API subdomains |
| HIVELOCITY | Abuse report for origin server | `107.155.88.198` — hosts 5 scam domains |
| HVC-AS | Abuse report for origin server | `46.21.151.194` — direct IP scam hosting |
| Domain registrars | Abuse report per domain | 25+ domains across `.org`, `.com`, `.mov`, `.cx`, `.one` TLDs |
| WalletConnect | Report Project ID `31eee2e7b3ff1dc4ebdfa6f839467664` as malicious | Kills Trust Wallet connectivity |
| Telegram | Report @buytrx9 for fraud | Primary scammer contact channel |
| Tronscan | Flag contract `TRnruCYe2k3kSMYCGwM51rzDD591w7UPJ8` and wallet `TBoZFHuKda8SkDux7nQH2DDMEJ2w2xkvor` as scam | On-chain flagging |
### Victim Protection
- Monitor the open victim API in real-time
- Notify confirmed victims to **revoke USDT approval** for `TRnruCYe2k3kSMYCGwM51rzDD591w7UPJ8`
- Submit compromised addresses to public blocklists
---
## 9. IOC Summary
### Domains
**Active:**
```
shrill-haze-5ff7.buytrx.workers.dev
exchange.swap-trx.workers.dev
trxev.com
trxmo.com
buytrx.mov
buytrx.cx
trxdc.org
```
**API backends:**
```
api.trxmo.com
api.trxpt.org
api.trxev.com
api.buytrx.mov
api.buytrx.cx
api.trxdc.org
```
**Dormant / Down (same kit, same operator):**
```
buy-trx.one
trxwb.org
trxli.org
trxog.org
trxuk.org
trxfz.org
trxit.org
trxng.org
trxcx.org
trxrk.org
trxhi.org
trxov.org
trxgb.org
trxne.org
trxes.org
trxpt.org
trxrs.org
trxgt.org
trxln.org
trxok.org
```
**Origin IPs (non-Cloudflare):**
```
107.155.88.198 # HIVELOCITY, Los Angeles (trxwb, trxli, trxog, trxuk, trxfz)
46.21.151.194 # HVC-AS, Los Angeles (direct IP, ports 443/8020)
```
### TRON Addresses
```
TRnruCYe2k3kSMYCGwM51rzDD591w7UPJ8 # Scam contract ("SwapTRX")
TBoZFHuKda8SkDux7nQH2DDMEJ2w2xkvor # Contract creator
TFGDbUyP8xez44C76fin3bn3Ss6jugoUwJ # Fund transit
TC6B75fi2G3KKRcBJDiUZrbZkwHFis4uGX # Fund source
TKaccVBy6d7gVBYhMe3e9URDMYyzm2rme8 # Fund exit
TQ9yjnYtWkD98jNWkX6GKbGnMoZ51SCWPV # Fund exit
```
### API Endpoints
```
POST /api/checkWallet # Malicious TX generation
POST /api/submitTx # Signed TX broadcast + victim logging
GET /api/2fb198a6e9b7af38 # Victim transaction log (no auth)
GET /api/a9c3f7e2d4b8ff21 # Site visit statistics (no auth)
```
### Other Indicators
```
WalletConnect Project ID: 31eee2e7b3ff1dc4ebdfa6f839467664
CSS Build UUID: 34190323-6281-4d85-b5cd-2d1b71be55bf
Admin Panel Path: /8fb198a6e9b7af32
Telegram: @buytrx9
```
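As an added example, not part of the report or the kit, the following Node.js snippet turns the indicators above into a scorer for fetched page bodies or JS bundles, plus a domain-name heuristic for hunting reserve domains. The weights, the 5-point threshold and the domain regex are assumptions for illustration; the two sample pages are constructed.

```javascript
// Added example (not from the PhishDestroy report or the BUYTRX kit): score a fetched
// page or bundle against the kit's indicators. Weights and threshold are assumptions.
const KIT_INDICATORS = [
  { name: "admin-panel-path",      weight: 3, re: /\/8fb198a6e9b7af32(?![0-9a-f])/ },
  { name: "victim-log-endpoint",   weight: 3, re: /\/api\/2fb198a6e9b7af38(?![0-9a-f])/ },
  { name: "stats-endpoint",        weight: 2, re: /\/api\/a9c3f7e2d4b8ff21(?![0-9a-f])/ },
  { name: "walletconnect-project", weight: 3, re: /31eee2e7b3ff1dc4ebdfa6f839467664|28c93ed442ee58a550ad41334f4e3c81/ },
  { name: "css-build-uuid",        weight: 3, re: /34190323-6281-4d85-b5cd-2d1b71be55bf/ },
  { name: "drainer-contract",      weight: 3, re: /TRnruCYe2k3kSMYCGwM51rzDD591w7UPJ8|TXwXfz8Bp9AoCX79wcHiyB5vWSCtbNuHnS/ },
  { name: "google-ads-account",    weight: 2, re: /AW-17287232508/ },
  { name: "zh-cn-source-comment",  weight: 2, re: /清理 WalletConnect 存储失败|移动端 request 异常|未获取到 TronLink 地址/ },
  { name: "kit-api-routes",        weight: 1, re: /\/api\/(checkWallet|submitTx)\b/ },
  { name: "telegram-contact",      weight: 1, re: /t\.me\/buytrx9\b/ },
];

// Hunting heuristic (an assumption, not data from the report): the operator's domains
// follow "trx" + two or three letters, "buytrx"/"buy-trx", or "trx-<word>", optionally
// under a swap./exchange. label. It is a seed for pivoting, not proof on its own.
const KIT_DOMAIN_RE = /^(?:swap\.|exchange\.)?(?:trx[a-z]{2,3}|buy-?trx|trx-[a-z]+)\.[a-z]{2,6}$/i;

// Returns the matched indicator names, the weighted score and a verdict.
function fingerprintKit(body, threshold = 5) {
  const hits = KIT_INDICATORS.filter((i) => i.re.test(body));
  const score = hits.reduce((sum, i) => sum + i.weight, 0);
  return { matched: hits.map((i) => i.name), score, verdict: score >= threshold ? "buytrx-kit" : "no-match" };
}

function isKitStyleDomain(host) {
  return KIT_DOMAIN_RE.test(host);
}

// Constructed sample: fragments of a kit page carrying five of the indicators.
const SAMPLE_PAGE = [
  '<link rel="stylesheet" href="/_next/static/css/app.css">',
  '<script>gtag("event","conversion",{send_to:"AW-17287232508/GjSVCMa-xewaEPz3mLNA"});</script>',
  '<script>const PROJECT_ID="31eee2e7b3ff1dc4ebdfa6f839467664";',
  'fetch("https://api.example.invalid/api/checkWallet",{method:"POST"});',
  'console.warn("⚠️ 清理 WalletConnect 存储失败");</script>',
  '<a href="/8fb198a6e9b7af32">.</a>',
].join("\n");

// Constructed sample: an unrelated Next.js page with none of the indicators.
const BENIGN_PAGE = '<html><body><script src="/_next/static/chunks/main.js"></script></body></html>';

console.log(fingerprintKit(SAMPLE_PAGE));
console.log(fingerprintKit(BENIGN_PAGE));
console.log(["trxwb.org", "tronscan.org"].map((h) => [h, isKitStyleDomain(h)]));
```

Feed it the raw response body of a candidate host plus the JS chunks it references; the hex admin and API paths and the WalletConnect ID are the strongest signals because they are operator-chosen constants, while the `/api/checkWallet` route name alone is too generic to weigh heavily.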