Inside a Crypto Scam Nexus

MITRE Techniques

• [T1588] Obtain Capabilities – Actors registered multiple domains and used a shared hosting IP (8.221.100[.]222) to deploy phishing sites and deliver malicious artifacts (“…all these seemingly disparate scams were hosted on a single IP address: 8.221.100[.]222”).
• [T1222] Phishing – Webclip and fake app installation via iOS configuration profile to capture credentials (“…the user installs the profile on their iPhone… a new “Novacrypt” icon now appears on the home screen… it quietly opens Safari to h5.novacryptmax[.]com/#/pages/auth/sign-in”).
• [T1606] Data from Local System – Web-based wallet connect prompts and malicious JavaScript request signing/approvals to obtain permissions and siphon funds (“…clicking “Connect” does not trigger a secure wallet handshake… the site can hide code that makes your wallet approve a dangerous transaction”).
• [T1204] User Execution – Social engineering and UI mimicry (copied Trust Wallet CSS/fonts) to trick users into approving transactions or installing profiles (“…the CSS from Trust Wallet’s Chrome extension… is a key mechanism to provide styling and fonts… mimics the look of the genuine extension UI”).
• [T1566] Phishing via Web Services – Phishing pages and fake trading apps hosted on attacker-controlled domains used to harvest credentials (“…h5.novacryptmax[.]com/#/pages/auth/sign-in – The crux of the scam: this is the URL that the WebClip opens… a phishing webpage”).
• [T1203] Exploitation for Client Execution – Malicious JavaScript and links to an Android APK that may deliver malware to users (“…zzztd[.]com shares infrastructure or code with known malware… anedhaude[.]xyz… ioeai.apk”).
• [T1583] Acquire Infrastructure – Use of Cloudflare, free certificates, and registrar accounts (Gname) to host and obscure scam domains (“…registered through the same registrar (Gname.com Pte. Ltd.)… hosted behind Cloudflare… signature references “Let’s Encrypt””).