Solana, Ethereum, and NFT drainers from wl-now[.]com. Uses fake unpkg to serve drainer js and Discord webhooks for real-time alerts. Shows relation to presaless[.]com and drainer kit from cryptokens[.]sellix[.]io (previously tokens404[.]com).

Likely to be a Chinese threat actor/s due to multiple indications:
- Configuration of the receiver wallet was left untouched and showed 钱包 which translates to "wallet"
- Discord webhook was given a username of "houmen" which translates to "backdoor". The avatar displays a Chinese school girl (cdn.discordapp.com/avatars/979351082012659755/b791e87ac09e0fcd70bef0721b074513.png -> facebook.com/JK照片-100190912056316/photos/pcb.100195085389232/100195032055904/)
- Drainers were hosted in a server from HK/China (Cloudie Limited [AS55933] 103.105.23[.]18
- The fake unpkg domain displays a default page in Chinese

https://twitter.com/Iamdeadlyz/status/1540767704281272322

https://twitter.com/Iamdeadlyz/status/1540767665824108544

https://twitter.com/Iamdeadlyz/status/1540767724603068416

https://twitter.com/Iamdeadlyz/status/1540767681007480832

https://twitter.com/Iamdeadlyz/status/1540767691803242496

https://twitter.com/Iamdeadlyz/status/1540767732463194112

https://www.facebook.com/JK%E7%85%A7%E7%89%87-100190912056316/photos/pcb.100195085389232/100195032055904/

https://twitter.com/Iamdeadlyz/status/1540767712020156416

https://twitter.com/Iamdeadlyz/status/1540767738259734530

https://urlscan.io/result/f5edb196-9a01-4bb7-b129-049d012683ff/

https://twitter.com/Iamdeadlyz/status/1540767698099249152

6.png

13.png

7.png

22.png

18.jpg

16.png

8.jpg

2 escroquerie Rapports

Adresse déclarée

Adresse déclarée

Adresses et domaines signalés

Domaine signalé

Domaine signalé

Adresse déclarée

Rapports par catégorie

Inscrivez-vous et restez informé de nos dernières mises à jour de produits.

Soutenu par

Inscrivez-vous et restez informé de nos dernières mises à jour de produits.

Soutenu par