Netcraft Website feed (https://www.netcraft.com/), Mon, 02 Sep 2024 08:04:08 +0000

Scam Sites at Scale: LLMs Fueling a GenAI Criminal Revolution
https://www.netcraft.com/blog/llms-fueling-gen-ai-criminal-revolution/
Thu, 29 Aug 2024 07:00:00 +0000
This article explores Netcraft’s research into the use of generative artificial intelligence (GenAI) to create text for fraudulent websites in 2024. Insights include: 

  • A 3.95x increase in websites with AI-generated text observed between March and August 2024, with a 5.2x increase over a 30-day period starting July 6, and a 2.75x increase in July alone—a trend which we expect to continue over the coming months 
  • A correlation between the July spike in activity and one specific threat actor 
  • Thousands of malicious websites across the 100+ attack types we support 
  • AI text is being used to generate text in phishing emails as well as copy on fake online shopping websites, unlicensed pharmacies, and investment platforms 
  • How AI is improving search engine optimization (SEO) rankings for malicious content 

July 2024 saw a surge in large language models (LLMs) being used to generate content for phishing websites and fake shops. Netcraft was routinely identifying thousands of websites each week using AI-generated content. However, in that month alone we saw a 2.75x increase (165 per day on the week centered January 1 vs 450 domains per day on the week centered July 31) with no influencing changes to detection. This spike can be attributed to one specific threat actor setting up fake shops, whose extensive use of LLMs to rewrite product descriptions contributed to a 30% uplift in the month’s activity.  

These numbers offer insight into the exponential volume and speed with which fraudulent online content could grow in the coming year; if more threat actors adopt the same GenAI-driven tactics, we can expect to see more of these spikes in activity and a greater upward trend overall. 

Fig 1. Screenshot showing indicators of LLM use in product descriptions by the July threat actor 

This and the broader growth in activity between March and August appear to indicate a widespread scaling up of GenAI as a content creation tool for fraudulent websites, with a notable spike in the realm of online stores. This has led to an abundance of malicious websites, attracting victims not only because of the sheer volume of content, but also because of how convincing that content has become. 

Cybercrime groups, like other businesses, can create more content in less time using GenAI tools. Over the last 6 months, we’ve identified threat actors using these technologies across a range of attacks, from refining advance-fee fraud to spamming the crypto space. In total, our observations show LLM-generated text being used across a variety of the 100+ attack types we cover, with tens of thousands of sites showing these indicators. 

Fig 2. Graph showing the increase in observed websites using LLM-generated text between March and August 2024 

In this article, we explore just the tip of the iceberg: clear-cut cases of websites using AI-generated text. There are many more, with conclusive evidence pointing to the large-scale use of LLMs in more subtle attacks. The security implication of these findings is that organizations must stay vigilant; website text written in professional English is no longer a strong indicator of its legitimacy. With GenAI making it easier to trick humans, technical measures like blocking and taking down content are becoming increasingly critical for defending individuals and brands. 

The following examples—extracted from Netcraft first-party research—will help you understand how threat actors are using GenAI tools and shine a light on their motivations.  

“As an AI language model, I can make scam emails more believable” 

Threat actors in the most traditional forms of cybercrime—like phishing and advance fee fraud emails—are enhancing their craft with GenAI. In one particular campaign, we identified spam feeds containing cloud phishing emails falsely claiming to link to a file download for the user’s family photos: 

Fig 3. pCloud phishing email.

Fig 4. The traditional phishing URL on my[.]pcloud[.]ltd that the email in Fig 3 leads to.

In this campaign, running since at least the start of June 2024, the prospect of cherished memories being lost to file deletion is used as a lure to a traditional phishing URL. The potential indicator of LLM usage here is “Certainly! Here are 50 more phrases for a family photo:” We might theorize that threat actors, using ChatGPT to generate the email body text, mistakenly included the introduction line in their randomizer. This case suggests a combination of both GenAI and traditional techniques. 

We’ve seen signs of threat actors’ prompts being leaked in responses, providing insight into how they are now employing LLMs. In our Conversational Scam Intelligence service—which uses proprietary AI personas to interact with criminals in real-time—our team has observed scammers using LLMs to rewrite emails in professional English to make them more convincing. As you can see from the screenshot below in fig 5, what appears to be the LLM’s response to a prompt to rewrite the threat actor’s original text has been accidentally included in the email body. We reported these insights on X (formerly Twitter) and LinkedIn back in April, building on previous uses of GenAI to produce deepfakes in the same space.  

Fig 5. A threat actor attempts to make their email appear more legitimate using an LLM. 

“Certainly! Here are two sites that steal your money (and one another’s content)” 

Credibility is key for fake investment platforms, which promise high returns with low risk. In reality, their guarantees are meaningless, with funds being stolen from the user as soon as they’re deposited. The supposed “investment” only exists as a conceptual number that the threat actor can tweak to convince their victim to invest more money. 

Fake investment platforms are particularly well positioned for LLM enhancement, because the templates we’ve typically seen for these scams are often generic and poorly written, lacking credibility. With the help of GenAI, threat actors can now tailor their text more closely to the brand they are imitating and invent compelling claims at scale. By using an LLM to generate text that has a professional tone, cadence, and grammar, the website instantly becomes more professional, mimicking legitimate marketing content. That is, if they remember to remove any artifacts the LLM leaves behind… 

Fig 6. Evidence of an LLM being used to generate “six key strengths” for the fictional organization “Cleveland Invest”  

There’s no honor among thieves of course. Just as criminals are happy to siphon credentials from other phishing sites, we’ve observed that when they see a convincing LLM-generated template, they may replicate the content almost verbatim. To evade detection and correct errors in the original template, some threat actors appear to be using LLMs to rewrite existing LLM-drafted text. Notice in fig 7 below how words from the example above in fig 6 are replaced with context-sensitive synonyms. 

Fig 7. “Britannic Finance” has used an LLM to rewrite the text which appears on “Cleveland Invest”’s website 

“As of my last knowledge update, counterfeit goods have great SEO” 

As well as removing indicators which point towards fraud, LLMs can be used to generate text tailored for search engine optimization (SEO). This can boost a website or webpage’s search engine rankings, thus directing more potential victims to the content. We’ve seen both fake shops and fake pharmacies using LLM-generated text for SEO. 

This is demonstrated by the fake pharmacy in fig 8 below, which purports to be selling prescription drugs without licensing, regulation, or regard for safety. The product descriptions leak instructions indicating that an LLM was asked to write according to SEO principles (see “This outline should give you a good starting point…”). 

Fig 8. An LLM-generated product description for anesthetic drug “Ketaset”, which has been LLM-optimized for search engines 

Fake shops—store fronts which capture payment details in the promise of cheap goods, while delivering counterfeits or nothing at all—use the same technique to add keywords and bulk out text on the page. We saw thousands of websites like this crop up in July, responsible for 30% of that month’s jump in LLM-generated website text. 

Fig 9 and Fig 10. Despite its convincing product pages, this Anti Social Social Club fake store mistakenly includes text regarding the LLM’s last knowledge update.

“This content may violate our usage policies” 

Threat actors are becoming more effective at using GenAI tools in a highly automated fashion. This enables them to deploy attacks at scale in domains where they don’t speak the target language, and so they overlook LLM-produced errors in the content. For example, we’ve come across numerous websites where the page content itself warns against the very fraud it’s enabling. 

Similar to how some crypto phishing sites have been seen to warn against phishing, the fake pharmacy cited below in fig 11 includes warnings against buying drugs online in its own product descriptions. 

Fig 11. “Shop Medicine’s” LLM-generated product description for Xanax warns against using fake pharmacies. 

How we’re responding 

It’s no surprise that threat actors are beginning to utilize GenAI to both create efficiencies and improve the effectiveness of their malicious activities. Netcraft has been observing this trend for some time and developing suitable countermeasures in response. Netcraft’s platform flags attacks with indicators of LLM-generated content quickly and accurately, ensuring customers get visibility of the tactics being used against them.  

For more than a decade, Netcraft has been leveraging AI and machine learning to build end-to-end automations that detect and disrupt criminal activity at any scale. Clearly, as GenAI unlocks new levels of criminal potential, organizations will require partners who can identify threats and deploy countermeasures without human intervention.  

We’ve also made sure that threat actors aren’t the only ones gaining an advantage with GenAI. Our Conversational Scam Intelligence uses AI-piloted private messaging to help you identify internally and externally compromised bank accounts, flag fraudulent payments, and deploy countermeasures to take down criminal infrastructure. If you want to know more about how we’re targeting threat actors’ increasing use of emerging technologies like AI, request a demo now.

August 2024 Web Server Survey
https://www.netcraft.com/blog/august-2024-web-server-survey/
Fri, 23 Aug 2024 17:03:59 +0000
In the August 2024 survey we received responses from 1,107,785,375 sites across 270,065,795 domains and 13,011,016 web-facing computers. This reflects an increase of 3.6 million sites, a loss of 364,061 domains, and an increase of 119,600 web-facing computers.

Cloudflare experienced the largest gain of 2.7 million sites (+2.14%) this month, and now accounts for 11.5% (+0.20pp) of sites seen by Netcraft. Google made the next largest gain of 1.2 million sites (+2.11%).

OpenResty experienced the largest loss of 12.1 million sites (-10.02%) this month, reducing its market share to 9.84% (-1.13pp). nginx suffered the next largest loss, down by 5.6 million sites (-2.45%).

Vendor news

Total number of websites
Web server market share

| Developer  | July 2024   | Percent | August 2024 | Percent | Change (pp) |
| ---------- | ----------- | ------- | ----------- | ------- | ----------- |
| nginx      | 228,626,175 | 20.71%  | 223,025,645 | 20.13%  | -0.57       |
| Apache     | 208,999,470 | 18.93%  | 203,825,341 | 18.40%  | -0.53       |
| Cloudflare | 124,366,036 | 11.26%  | 127,028,522 | 11.47%  | 0.20        |
| OpenResty  | 121,083,375 | 10.97%  | 108,954,196 | 9.84%   | -1.13       |

Web server market share for active sites

| Developer  | July 2024  | Percent | August 2024 | Percent | Change (pp) |
| ---------- | ---------- | ------- | ----------- | ------- | ----------- |
| nginx      | 34,630,677 | 17.86%  | 37,946,892  | 19.54%  | 1.68        |
| Apache     | 36,313,526 | 18.73%  | 35,401,145  | 18.23%  | -0.50       |
| Cloudflare | 29,463,646 | 15.19%  | 30,353,097  | 15.63%  | 0.44        |
| Google     | 19,361,526 | 9.99%   | 19,914,940  | 10.26%  | 0.27        |

For more information see Active Sites.

Web server market share for top million busiest sites

| Developer  | July 2024 | Percent | August 2024 | Percent | Change (pp) |
| ---------- | --------- | ------- | ----------- | ------- | ----------- |
| Cloudflare | 230,344   | 23.03%  | 232,823     | 23.28%  | 0.25        |
| nginx      | 204,303   | 20.43%  | 202,769     | 20.28%  | -0.15       |
| Apache     | 194,581   | 19.46%  | 192,880     | 19.29%  | -0.17       |
| Microsoft  | 45,186    | 4.52%   | 44,580      | 4.46%   | -0.06       |

Web server market share for computers

| Developer | July 2024 | Percent | August 2024 | Percent | Change (pp) |
| --------- | --------- | ------- | ----------- | ------- | ----------- |
| nginx     | 5,000,672 | 38.79%  | 5,037,328   | 38.72%  | -0.07       |
| Apache    | 3,171,258 | 24.60%  | 3,194,165   | 24.55%  | -0.05       |
| Microsoft | 1,168,997 | 9.07%   | 1,186,646   | 9.12%   | 0.05        |

Web server market share for domains

| Developer  | July 2024  | Percent | August 2024 | Percent | Change (pp) |
| ---------- | ---------- | ------- | ----------- | ------- | ----------- |
| Apache     | 56,523,544 | 20.90%  | 55,087,675  | 20.40%  | -0.50       |
| nginx      | 58,550,147 | 21.65%  | 51,825,561  | 19.19%  | -2.46       |
| OpenResty  | 48,247,896 | 17.84%  | 47,996,022  | 17.77%  | -0.07       |
| Cloudflare | 23,547,247 | 8.71%   | 24,899,127  | 9.22%   | 0.51        |
Mule-as-a-Service Infrastructure Exposed
https://www.netcraft.com/blog/mule-as-a-service-infrastructure-exposed/
Thu, 08 Aug 2024 07:37:10 +0000
New Threat Intelligence confirms connections underpinning pig butchering and investment scams

Much like companies in the legitimate economy, criminals also specialize: focusing on their core strengths and using third-party Software-as-a-Service platforms and tools to outsource the rest of the business or criminal infrastructure needed. These Crime-as-a-Service providers continue to evolve, from bulletproof hosting to Phishing-as-a-Service (PhaaS).

New threat intelligence from Netcraft has uncovered the connections in the underlying financial infrastructure supporting fraud networks around the globe. This includes insights exposing centralized Mule-as-a-Service (MaaS) providers being used by seemingly unconnected threat actors around the globe to launder their scam proceeds through money mule bank accounts.

Examining the connections between the underlying cyber and financial infrastructure reveals a rich and interconnected network of mule accounts held at local and global banks, phone numbers, crypto addresses, payment app accounts, and email addresses being used to commit fraud. These connections not only give a mechanism to aid in identifying threat actors, but also new opportunities to disrupt crime groups involved in pig butchering, romance scams, and widespread, complex cyber-enabled fraud.

Netcraft’s Conversational Scam Intelligence (CSI) platform brings together Netcraft’s unique threat intelligence and generative AI to engage with threat actors in long-form peer-to-peer conversations at scale. These private conversations can last over a year and span hundreds of messages. Interactions with threat actors also serve as foundational data, used by Netcraft researchers to connect seemingly disparate scams to expose criminal actors around the globe.

Building a MaaS army

Netcraft researchers recently explored the Darcula Phishing-as-a-Service network, and insight suggests that similar providers exist for money mule accounts at banks globally, from the smallest credit unions to the largest banking giants. Definitive evidence has been limited about the inner workings of criminal mule account networks, including the existence of underlying “as a service” groups. Among the earliest and most accessible forms of public evidence are mule recruitment campaigns on social media platforms, which Netcraft researchers have monitored for some time. These campaigns offer the promise of making some fast cash, with little to no effort. 

Figure 1 – Social Media ads recruiting potential mules for criminal exploits. 

Mapping connections in fraud networks

Using the data gathered from real-life scams conducted by Netcraft’s generative AI personas, Netcraft’s research team has mapped the connections in the data linking scams with the ultimate money transfer mechanisms used to cash out. In the following examples we’ve mapped different elements of criminal infrastructure (email addresses, mule account numbers, crypto wallet addresses, phone numbers) uncovered by Netcraft

These nodes are aligned to the conversation where they were shared. For example, a text message conversation containing a phone number would connect a 💬 conversation node to 📞 a phone number node.

You’re too kind

As a simple example, Netcraft classified this inbound, unsolicited email as Advance Fee Fraud:

Figure 2 – This email, identified through Netcraft’s threat intelligence, was used to initiate an AI-powered dialogue with the scammer. To protect the integrity of the data, the email has been slightly altered and identifiable information redacted. 

Figure 3 – The email conversation in figure 2 is depicted by “💬” in the bottom right of the infrastructure network shown here. The conversation exposed the simple but connected infrastructure network visualized above.

This simple example consists of 17 messages from the threat actor and 10 replies from Netcraft over the course of approximately one month. In that time we were able to expose the following infrastructure and fraud network connection points: 

  • Initial email address as well as a secondary email address being used to accept payments via PayPal
  • The payment address was previously mentioned in a separate conversation impersonating a delivery company, allowing Netcraft to connect the two conversations
  • This other conversation had already uncovered a Bitcoin wallet which has transacted over 2,000 times on the Bitcoin network, receiving a total of 12 BTC (~$805,000 at the time of writing) 
  • Connected to this address in a separate conversation was another US-based bank account and another email address
  • Both of these had been seen in a conversation connecting the Bitcoin wallet to a Wells Fargo account and a JPMorgan Chase account

This simple example demonstrates how Netcraft can effectively map the infrastructure powering threat actor campaigns, providing a much deeper picture of the underlying criminal operation.

You’ve got mail

Figure 4 – Multiple conversations can be tied to the same threat actor based on their shared reliance on a single piece of infrastructure (in this case a phone number).

In other cases like the one above, seemingly disconnected conversations can be attributed to the same threat actor (an individual or a wider group). See the following analysis that links these conversations:

  • In this cluster, 14 email addresses identified in Netcraft threat intelligence were targeting a Spanish bank. Conversations requested victims call the same phone number, allowing Netcraft to conclude that these emails, despite their varying email addresses, were all the work of one threat actor.
  • In a separate conversation, the scammer used the same phone number as used in this campaign. That conversation unearthed three bank accounts, one of which Netcraft had seen before in a previous conversation.
  • That previous conversation, in turn, referenced another bank account which Netcraft had previously seen in a conversation associated with a Scottish bank.

In this case, the cluster allows us to conclude that nine mule accounts and 19 email addresses are in use by the same threat actor to defraud the customers of at least two separate financial institutions. 

One ring-ring to rule them all 

While some infrastructure is spread out with small clusters, this region shows scammer infrastructure that is quite densely connected. Seen here are dozens of bank accounts, emails and phone numbers, likely all being used by the same group of scammers:

Figure 5 – A subsection of a wide network of highly connected scammer infrastructure.

Figure 6 – An even larger network of interconnected scammer infrastructure.

Mapping relationships between scammer infrastructure can uncover weak points in scam campaigns. In figure 6 we see how dozens of investment scam emails and conversations hinge on a single UK-based phone number.

Figure 7 – An investment scam campaign reliant on a single phone number, exposing a single point of weakness in this threat actor’s infrastructure which, if taken down, could cause significant disruption for the criminal.

In this group, we see a bank account referenced by at least 23 different email addresses being used for fraud. This bank account was first seen four months ago and was last seen as recently as four hours before the time of writing. Clusters of this form could indicate a fraud operation which is heavily dependent on a single payment account.

Figure 8 – 23 emails across 23 conversations engaged in by the Conversational Scam Intelligence system that all point back to the same bank account.

Zooming out, we can observe that the two bank accounts we have just analyzed have been referenced in the same conversation:

Figure 9 – The two highly-connected bank accounts in the above images are connected by a conversation which references both.

Inspecting that conversation further gives more clues as to the origin of this operation. The following cluster suggests that distinct fraud groups share the same mule accounts:

Figure 10 – This network shows seemingly disconnected operations that appear to be sharing mule accounts, indicating that the mules are operated by Mule-as-a-Service providers.

At the top of this section of the network, multiple pieces of information indicate that the fraudsters are operating from Benin, including the use of +229 phone numbers.

However, at the bottom we see a network of related infrastructure that revolves around Spain-based phone numbers, like a +34 Xfera Moviles mobile number, or a different +34 Vozelia Telecom fixed number.

The unifying factor between these seemingly distinct operations is a single Italian mule bank account.

Given that these operations appear independently in two countries separated by thousands of miles, their use of a shared bank account suggests that they are not ultimately in control of the mule. Instead, they are making use of centralized Mule-as-a-Service providers in charge of receiving and sending on defrauded funds.

So, what’s next? 

Losses to investment scams, romance fraud, and pig butchering reached $4.6 billion in the United States – a 38% increase in 2023. These scams are very often conducted in private peer-to-peer conversations and the ability to stop the scam often comes too late. 

Studying the connections between threat actors and centralized Mule-as-a-Service providers provides a unique opportunity to both understand and ultimately deeply disrupt the criminal payment networks powering scams, pig butchering, cyber-enabled fraud, and more.

By identifying and disrupting weaknesses in financial infrastructure, like those shown here, security leaders are now able to proactively find and interrupt mule account activity, block payments to known mule accounts outside their institution, stop payments to criminal crypto wallets, and deploy countermeasures against the greatest points of vulnerability, thus crippling criminal infrastructure and protecting their clients.

For almost three decades, the Netcraft team has been developing and using innovative, proprietary solutions to expose, disrupt, and eradicate criminal activity. Netcraft’s Conversational Scam Intelligence, recently announced at RSA ‘24, now provides the data and insight needed to expose, map, and disrupt these scams at any scale. 

Connect with Netcraft’s expert team to see how we can help you. Request more information on Conversational Scam Intelligence here.

July 2024 Web Server Survey
https://www.netcraft.com/blog/july-2024-web-server-survey/
Mon, 29 Jul 2024 13:12:32 +0000
In the July 2024 survey we received responses from 1,104,170,084 sites across 270,429,856 domains and 12,891,416 web-facing computers. This reflects an increase of 2.7 million sites, 1.3 million domains, and 25,984 web-facing computers.

Cloudflare experienced the largest gain of 2.7 million sites (+2.18%) this month, and now accounts for 11.3% (+0.21pp) of sites seen by Netcraft. OpenResty made the next largest gain of 2.2 million sites (+1.88%).

nginx experienced the largest loss of 6.5 million sites (-2.78%) this month, reducing its market share to 20.7% (-0.65pp). Apache suffered the next largest loss, down by 3.4 million sites (-1.60%).

Vendor news

  • Apache 2.4.62 was released on July 17th, containing fixes for two security vulnerabilities.
  • freenginx 1.27.2 was released on July 9th, adding support for rate limiting error logs.
  • OpenResty versions 1.21.4.4 and 1.25.3.2 were released on July 21st, fixing a security issue in its fork of LuaJIT that could cause severe performance degradation under certain circumstances.
  • Cloudflare added a new one-click button for its customers to block AI scrapers and crawlers.
Total number of websites [chart]

Web server market share

Developer  | June 2024   | Percent | July 2024   | Percent | Change (pp)
nginx      | 235,170,823 | 21.35%  | 228,626,175 | 20.71%  | -0.65
Apache     | 212,402,611 | 19.28%  | 208,999,470 | 18.93%  | -0.36
Cloudflare | 121,715,882 | 11.05%  | 124,366,036 | 11.26%  | +0.21
OpenResty  | 118,852,803 | 10.79%  | 121,083,375 | 10.97%  | +0.18

Web server market share for active sites

Developer  | June 2024  | Percent | July 2024  | Percent | Change (pp)
Apache     | 36,784,011 | 19.13%  | 36,313,526 | 18.73%  | -0.40
nginx      | 34,778,931 | 18.09%  | 34,630,677 | 17.86%  | -0.23
Cloudflare | 28,457,465 | 14.80%  | 29,463,646 | 15.19%  | +0.40
Google     | 19,253,340 | 10.01%  | 19,361,526 |  9.99%  | -0.03

For more information see Active Sites.

Web server market share for top million busiest sites

Developer  | June 2024 | Percent | July 2024 | Percent | Change (pp)
Cloudflare | 230,996   | 23.10%  | 230,344   | 23.03%  | -0.07
nginx      | 205,005   | 20.50%  | 204,303   | 20.43%  | -0.07
Apache     | 196,945   | 19.69%  | 194,581   | 19.46%  | -0.24
Microsoft  |  45,441   |  4.54%  |  45,186   |  4.52%  | -0.03

Web server market share for computers

Developer  | June 2024 | Percent | July 2024 | Percent | Change (pp)
nginx      | 4,983,288 | 38.73%  | 5,000,672 | 38.79%  | +0.06
Apache     | 3,179,967 | 24.72%  | 3,171,258 | 24.60%  | -0.12
Microsoft  | 1,162,544 |  9.04%  | 1,168,997 |  9.07%  | +0.03

Web server market share for domains

Developer  | June 2024  | Percent | July 2024  | Percent | Change (pp)
nginx      | 58,833,354 | 21.86%  | 58,550,147 | 21.65%  | -0.21
Apache     | 56,621,922 | 21.04%  | 56,523,544 | 20.90%  | -0.14
OpenResty  | 48,342,096 | 17.96%  | 48,247,896 | 17.84%  | -0.12
Cloudflare | 23,150,381 |  8.60%  | 23,547,247 |  8.71%  | +0.11
Sophisticated AI-generated Gitbook lures phishing the crypto industry https://www.netcraft.com/blog/ai-generated-gitbook-lures-phishing-the-crypto-industry/ Wed, 17 Jul 2024 14:37:29 +0000 https://www.netcraft.com/?p=23890

For the past year, Netcraft researchers have been tracking a threat actor using generative AI to assist in the creation of 17,000+ phishing and lure sites. These sites operate as infrastructure for phishing attacks that target more than 30 major crypto brands, including Coinbase, Crypto.com, Metamask, Trezor, and others.  

These sites form part of a sophisticated, multi-step attack. The attack utilizes lure sites to hook victims, phishing sites to capture details, and a Traffic Distribution System (TDS) used to mask the relationships between attack infrastructure. With advanced deception techniques, like the ability to capture 2-factor authentication codes, this campaign highlights several of the most innovative capabilities of modern multi-channel phishing threats. 

As phishing attacks become more complex than ever, recent advancements in generative AI further enhance these attacks by enabling threat actors to rapidly automate the creation of unique content that convincingly impersonates a wide variety of targets. The use of gen AI is also evident in other forms of cybercrime, such as donation scams and Advance Fee Fraud.

Interestingly, many of these AI-generated lure sites do not link to a phishing website, which appears deliberate. These are likely not designed for victims but instead suggest an attempt to flood the Web with similar content, making it harder to find the malicious needles in an AI-generated haystack. Without gen-AI, this new deception technique would be impossible for criminals, even criminal groups, to deploy at scale. For those combatting these threats, utilizing AI, ML, and automated techniques to detect and monitor threats is paramount in identifying and disrupting these nefarious techniques at any scale. 

Anatomy of the attack 

The attack starts with the victim visiting an AI-generated lure site. Lure sites hook unsuspecting victims into a scam and encourage them to complete an action, such as visiting another site, downloading a file, or sending an email. Commonly, lures are shared through various channels like email, SMS, social media, and SEO hacking. One widespread method used by this threat actor is distributing these links in the comment section of legitimate websites. 

hxxp[://]forum[.]technikboard[.]net/index[.]php?page=UserBlogEntry&entryID=8 

These lure sites are hosted on Gitbook, a documentation platform that targets software developers and offers a free tier requiring only an email address to sign up. Supported by vast amounts of content to increase credibility, the lure sites entice the victim by claiming to offer advice and tutorials for products from a wide range of brands in the crypto industry. 

Example of an AI-generated lure site on hxxps[://]helpstrezorhardwrewallet[.]gitbook[.]io/us 

Most sites contain a call-to-action link, which directs the user to a redirect URL on one of many [.]com domains. These URLs contain a Universally Unique Identifier (UUID) in the path to track which brand or lure site the victim visited. All these domains appear to be purpose-registered with Key Systems and hosted by Amazon. 

Formatted extract from hxxps[://]helps-trezorhardwrewallet[.]gitbook[.]io/us 

These redirect URLs use advanced Traffic Distribution Systems (TDSes), which can choose the redirect destination based on various factors. For example, if the TDS thinks the visitor is a victim, it will redirect them to a phishing site. When the TDS detects that the visitor is a security researcher, it will instead redirect them to the target brand’s legitimate site, attempting to cloak the existence of the phishing attack. 

Visiting hxxps[://]shotheatsgnovel[.]com/1479dd91-86b0-4518-9970-ca644964c5e7 from an IP address the TDS classified as a security researcher (left) and an IP address classified as a victim (right) 

The end phishing sites in this campaign aim to obtain one of two sets of credentials: the victim’s login details for the cryptocurrency platform or the seed recovery phrase for the victim’s wallet. If required by the platform, these phishing sites can even exfiltrate the victim’s 2-factor authentication codes, undermining the protection from this trusted layer of security. 

Left hxxps[://]trazeorwalllet[.]azurewebsites[.]net/, right hxxps[://]bitmartesnc[.]azurewebsites[.]net/.

With either set of credentials, the threat actor can steal all the victim’s funds or sell the credentials on an underground marketplace for another criminal to do so. The pseudonymous nature of cryptocurrency payments offers the threat actor a high degree of anonymity, making it highly desirable for cybercriminals. Even after accounts are drained, they are still valuable to criminals since they have already passed Know Your Customer (KYC) requirements and could be used to launder money.

This campaign’s lure and phishing sites are hosted on Microsoft Azure’s App Service platform (azurewebsites[.]net). As seen in previous attacks, such as the Phishception attack we uncovered targeting SendGrid, cloud services like Azure are attractive to fraudsters for their free tiers and credits.

Hedging their bets – Creating moving targets with phishing infrastructure 

Since Netcraft researchers first discovered these attacks, we have performed countermeasures against them by first blocking these sites for users of Netcraft’s Apps and Extensions and then initiating takedowns against the sites of Netcraft customers using Netcraft’s Takedown platform. In response to those countermeasures, this criminal group has continued to evolve campaign strategies.  

During this period, the threat actor tweaked and experimented with parts of their attack chain, likely to hedge their bets and keep their infrastructure available. One example is shifting traffic to phishing sites using much less sophisticated lures hosted on Webflow (webflow.io). These lures use a simple screenshot of the target brand’s homepage, redirecting to the TDS when clicking on the image. Many of these screenshots only include the page above the fold of the browser, meaning potential victims cannot scroll down. Some sites also include AI-generated text at the bottom of the webpage, which is likely to assist with SEO hacking.  

hxxps[://]metamaskeaxtenssion[.]webflow[.]io/ 

We also observed the threat actor replacing some of their [.]com TDS URLs with a legitimate link shortener platform, Geo Targetly (gtly.io). Doing this gives them many of the same functions as their traditional TDS, with less work required to create new URLs. Reducing the complexity lets criminals quickly create new URLs whenever the campaign’s [.]com domains are taken down.

Formatted extract from hxxps[://]help-metamask-walletextension[.]gitbook[.]io/us 

hxxps[://]help-metamask-walletextension[.]gitbook[.]io/us linking to hxxps[://]metamaskunb[.]azurewebsites[.]net/ via Geo Targetly 
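The two infrastructure patterns described above (purpose-registered .com redirectors with a UUID in the path, and the later swap to the gtly.io shortener) and the TDS cloaking behaviour both show up in a page's outbound links and redirect chains. The following is an added example, not Netcraft's code or any tool named in the post: it triages the links on a constructed Gitbook-style lure page and checks recorded redirect destinations from two vantage points for cloaking. The shotheatsgnovel.com URL is the one quoted in the post; the gtly.io short code, the brand domain list and the residential/datacentre observations are assumptions.

```javascript
// Added example (not Netcraft's code): triage the outbound links on a lure
// page and check recorded redirect destinations for TDS cloaking.
// Runs offline on the constructed input below (Node.js, no dependencies).

// Pattern the post describes: a purpose-registered .com redirector whose path
// is a UUID that tracks which brand or lure the visitor came from.
const UUID_PATH = /^\/[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\/?$/i;

// Link shorteners usable as a drop-in TDS. gtly.io is from the post; the
// others are assumptions for illustration.
const SHORTENERS = new Set(["gtly.io", "bit.ly", "t.co", "tinyurl.com"]);

// Pull href values out of raw HTML. A regex is enough for triage; a real
// crawler would use a DOM parser.
function extractLinks(html) {
  const out = [];
  const re = /<a\b[^>]*\bhref\s*=\s*["']([^"']+)["']/gi;
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[1]);
  return out;
}

// Classify one link relative to the brand the lure claims to document.
function classifyLink(href, brandDomains) {
  let url;
  try { url = new URL(href); } catch { return "relative-or-invalid"; }
  const host = url.hostname.toLowerCase();
  if (brandDomains.some(d => host === d || host.endsWith("." + d))) return "brand";
  if (SHORTENERS.has(host)) return "shortener";
  if (UUID_PATH.test(url.pathname)) return "uuid-redirector";
  return "other";
}

// Summarise a page: every link with the reason it is (or is not) suspicious.
function triageLurePage(html, brandDomains) {
  return extractLinks(html).map(href => ({ href, kind: classifyLink(href, brandDomains) }));
}

// Cloaking check: the same TDS URL fetched from different vantage points
// (a datacentre IP the TDS tags as a researcher vs a residential IP) should
// land on the same final host. Divergence is the signal.
function detectCloaking(observations) {
  const byHost = new Map();
  for (const o of observations) {
    const host = new URL(o.finalUrl).hostname.toLowerCase();
    if (!byHost.has(host)) byHost.set(host, []);
    byHost.get(host).push(o.vantage);
  }
  return { cloaked: byHost.size > 1, destinations: Object.fromEntries(byHost) };
}

// Constructed sample page, modelled on the Gitbook lure described in the post.
const SAMPLE_HTML = `
<h1>Trezor Hardware Wallet Setup Guide</h1>
<p>Visit <a href="https://trezor.io/learn">the official docs</a>.</p>
<a href="https://shotheatsgnovel.com/1479dd91-86b0-4518-9970-ca644964c5e7">Get started</a>
<a href="https://gtly.io/example-short-code">Download the app</a>
<a href="/us/faq">FAQ</a>`;

// Constructed observations: the datacentre vantage was bounced to the real
// brand site, the residential vantage to the Azure-hosted phishing page.
const SAMPLE_OBSERVATIONS = [
  { vantage: "datacentre", finalUrl: "https://trezor.io/" },
  { vantage: "residential", finalUrl: "https://trazeorwalllet.azurewebsites.net/" },
];

console.table(triageLurePage(SAMPLE_HTML, ["trezor.io"]));
console.log(detectCloaking(SAMPLE_OBSERVATIONS));
```

In practice the observations come from fetching each call-to-action URL through at least one residential egress and one datacentre egress and recording the final hop; a brand landing page from one vantage and an azurewebsites.net host from the other is exactly the split the post describes.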

AI-generated lures raise the bar 

Traditionally, one of the hardest parts of setting up a scam website is creating content that looks believable to potential victims. Due to the required manual effort, this is difficult for criminals to accomplish at scale, and poor-quality content has often been a key indicator of phishing infrastructure. 

However, the recent surge in powerful and free-to-use LLMs through platforms such as ChatGPT has unlocked this final piece of the puzzle for fraudsters. Netcraft continues to monitor this space, and this threat actor appears to be an early adopter using these tools at a large scale. 

Many lures use LLM-generated text to enable the threat actor to create unique content for thousands of pages that span a wide range of target brands. Generating this content is simple and cheap to automate, and faster and more consistent than a human could manage at even a fraction of the volume. 

We also see examples where LLM-generated content has produced erroneous artifacts that pollute the output of the final text. These don’t appear to have been caught by the threat actor, which suggests high levels of automation to generate these lures. One LLM output even included a warning about the risks of phishing attacks! 

hxxps[://]metamaskwalletiis[.]webflow[.]io/ warning users about phishing attacks 

hxxps[://]mettemaskcchromextensionfs[.]gitbook[.]io/us, including the LLM warning about knowledge updates 

As mentioned previously, many of these lure sites do not link to a phishing site – suggesting that the threat actor is attempting to flood the internet with content to make it more difficult to sort through and identify malicious needles in an LLM-generated haystack.  

Crypto attacks on the rise 

This attack follows a recent trend of threats observed by Netcraft; from crypto drainers, IPFS, pig butchering, and fake investment platforms to the Trump 2024 election campaign and YouTube channel hijacking, threats targeting the crypto industry range widely. The crypto industry is very enticing for threat actors due to lower traceability. Most recently, Netcraft researchers observed over $45 million in cryptocurrency payments transferred to scammers hidden in peer-to-peer messaging platform scams. 

How Netcraft can help 

Netcraft provides cybercrime detection, disruption, and takedown services to organizations worldwide, including 16 of the top 50 global banks and many of the largest cryptocurrency exchanges in the world. While disrupting more than 100 unique attack types, Netcraft teams and systems constantly monitor unique and innovative attacks like these crypto phishing campaigns. 

Netcraft’s brand protection platform operates 24/7 to discover phishing, fraud, scams, and other cyber-attacks through best-in-class automation, AI, machine learning, and human insight. Our disruption and takedown service ensures malicious content is blocked and removed quickly and efficiently, typically within hours. If you’d like to learn more about how Netcraft can help, book a demo on the Netcraft website.

Two clicks from empty – IPFS-powered crypto drainer scams leveraging look-alike CDNs https://www.netcraft.com/blog/ipfs-powered-crypto-drainer-scams-leveraging-look-alike-cdns/ Wed, 10 Jul 2024 13:11:48 +0000 https://www.netcraft.com/?p=23865

More than $40k lost to crypto drainer scams leveraging IPFS and malicious code hidden behind look-alike CDN imitations.

At Netcraft, we’ve been disrupting cryptocurrency-based scams for over 10 years, including more than 15,000 IPFS phishing takedowns since 2016. As we closely monitor evolving threats and criminal innovation, modern technologies like Web3 APIs have made crypto scams easier and more accessible than ever before.

Cryptocurrencies remain a particular target for criminals due to their decentralized nature; no central arbiter of transactions means that victims have no way to reverse mistakes, nor any avenue to redress any losses incurred.

In this blog post, we’ll cover crypto drainers, a type of payment diversion fraud that takes advantage of Web3 APIs to trick victims into giving away their cryptocurrency coins and tokens. Just two clicks on a copycat website to ‘claim a free token’ could irreversibly transfer all their crypto assets to criminals.

Crypto drainers and Web3 wallet APIs

Web3 wallet APIs are designed to allow websites to interact with users’ cryptocurrency wallets, and function as a bridge between applications and the blockchain. They can only run in a Web3-enabled browser (such as Brave), or with a browser extension like MetaMask. The wallet APIs allow sites to request the user sign a specific message, or to send some cryptocurrency to a specific address.

In a standard crypto draining scam, a cybercriminal will claim to be offering free cryptocurrency tokens to the user, most commonly in the form of minting new coins. This is used to trick the victim into connecting their wallet to a malicious website, which can then obtain the victim’s cryptocurrency address.

Figure 1 – Cryptocurrency drainer at nonextpepe[.]com.

Once connected, the criminal can request signatures or transactions for this wallet. It’s important to note that connecting a wallet alone does not allow the site to steal its contents. However, once connected, the drainer will typically lure the victim into ‘claiming their token’ by requesting a transaction. If approved, this will transfer the victim’s entire balance into a wallet controlled by the criminal, effectively ‘draining’ the victim’s wallet.

Figure 2 Drainer-generated transaction for the whole wallet’s balance

The criminals behind these drainer scams count on victims being sufficiently excited or distracted by the promise of free cryptocurrency tokens that they do not realize that by approving the transaction, they’re losing everything in their wallet. In the example below, the Ethereum balance is sent to smart contract 0x676CA33022fB1a41c6cFE47Eac2E896F398e5783, which forwards everything received to the wallet 0x9f335dfa31bfb56dfa153efd4092c96ca22fd789 (and provides nothing in return). The destination address alone has received over 25 ETH, totaling over $40,000 based on the exchange rate at the time of transfer.

Figure 3 Draining snippet for nonextpepe[.]com
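The post's point is that connecting a wallet exposes only the address, and the theft happens at the moment the victim approves a single transaction whose value is the whole balance. The following is an added example, not Netcraft's code and not the script from nonextpepe[.]com: it runs the described "claim" flow against a constructed, in-memory stand-in for window.ethereum, then wraps that provider with a wallet-side guard that refuses any transaction moving almost the entire balance. The addresses, balance, gas price and the 90% threshold are assumptions; the mock provider answers synchronously, whereas a real EIP-1193 provider returns Promises.

```javascript
// Added example (not Netcraft's code, nor any real drainer's): the claim flow
// described in the post against a constructed mock of window.ethereum, beside a
// wallet-side guard. Amounts are wei as BigInt. The mock answers synchronously;
// a real EIP-1193 provider returns Promises.

const GAS_PLAIN_TRANSFER = 21000n;

function toHex(n) { return "0x" + n.toString(16); }
function fromHex(h) { return BigInt(h); }

// Constructed provider: one account, a fixed balance and gas price, and a log of
// every transaction the page managed to submit.
function makeMockProvider({ address, balanceWei, gasPriceWei }) {
  const submitted = [];
  return {
    submitted,
    request({ method, params = [] }) {
      switch (method) {
        case "eth_requestAccounts": return [address];         // connecting exposes only the address
        case "eth_getBalance":      return toHex(balanceWei); // public chain data anyway
        case "eth_gasPrice":        return toHex(gasPriceWei);
        case "eth_sendTransaction": submitted.push(params[0]); return "0x" + "ab".repeat(32);
        default: throw new Error("mock: unsupported method " + method);
      }
    },
  };
}

// What the "claim" button does in the scam the post describes: connect, read the
// balance, then ask the wallet to send everything (minus gas) to the criminal's
// address. The victim only sees a transaction prompt to approve.
function claimButtonHandler(provider, drainTo) {
  const [from] = provider.request({ method: "eth_requestAccounts" });
  const balance = fromHex(provider.request({ method: "eth_getBalance", params: [from, "latest"] }));
  const gasPrice = fromHex(provider.request({ method: "eth_gasPrice" }));
  const value = balance - GAS_PLAIN_TRANSFER * gasPrice;
  return provider.request({
    method: "eth_sendTransaction",
    params: [{ from, to: drainTo, value: toHex(value), gas: toHex(GAS_PLAIN_TRANSFER) }],
  });
}

// Wallet-side heuristic: what share of the account does this transaction move?
// The 90% threshold is an assumption for illustration, not any wallet's policy.
function assessTransaction(tx, balanceWei, gasPriceWei, thresholdPct = 90n) {
  const value = fromHex(tx.value || "0x0");
  const gas = fromHex(tx.gas || toHex(GAS_PLAIN_TRANSFER));
  const totalCost = value + gas * gasPriceWei;
  const pct = balanceWei === 0n ? 0n : (totalCost * 100n) / balanceWei;
  return { pct, wholeBalance: pct >= thresholdPct, to: tx.to };
}

// Wrap a provider so eth_sendTransaction is checked before it is forwarded.
// Blocked requests are recorded and an error is thrown back to the page.
function guardProvider(provider, thresholdPct = 90n) {
  const blocked = [];
  return {
    blocked,
    submitted: provider.submitted,
    request(req) {
      if (req.method !== "eth_sendTransaction") return provider.request(req);
      const tx = req.params[0];
      const balance = fromHex(provider.request({ method: "eth_getBalance", params: [tx.from, "latest"] }));
      const gasPrice = fromHex(provider.request({ method: "eth_gasPrice" }));
      const verdict = assessTransaction(tx, balance, gasPrice, thresholdPct);
      if (verdict.wholeBalance) {
        blocked.push({ tx, verdict });
        throw new Error(`blocked: transaction moves ${verdict.pct}% of balance to ${tx.to}`);
      }
      return provider.request(req);
    },
  };
}

// Constructed scenario; both addresses are placeholders, not ones from the post.
const VICTIM = "0x1111111111111111111111111111111111111111";
const ATTACKER = "0x2222222222222222222222222222222222222222";
const ONE_ETH = 10n ** 18n;

function runScenario(withGuard) {
  const raw = makeMockProvider({ address: VICTIM, balanceWei: 2n * ONE_ETH, gasPriceWei: 20n * 10n ** 9n });
  const provider = withGuard ? guardProvider(raw) : raw;
  let outcome;
  try { claimButtonHandler(provider, ATTACKER); outcome = "drained"; }
  catch (e) { outcome = e.message; }
  return { outcome, submitted: raw.submitted.length, blocked: withGuard ? provider.blocked.length : 0 };
}

console.log(runScenario(false)); // submitted: 1, blocked: 0
console.log(runScenario(true));  // submitted: 0, blocked: 1
```

The guard is deliberately crude: it only looks at value plus gas against the native balance, so a drainer that instead asks for an ERC-20 approve or a permit signature would pass it. That is why the connect step itself must stay harmless, as the post notes, and why the transaction prompt is the last line of defence.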

Cryptocurrency copycats

Crypto drainers will often mimic legitimate cryptocurrency projects, using familiar tokens, names, and branding to trick victims into approving malicious transactions. In this example, Lista is a real cryptocurrency project, https://lista.org/, with its decentralized stablecoin lisUSD pegged to the USD. Netcraft analysts have identified a crypto drainer site, claim-lista[.]org, which has copied the entire Lista site.

Figure 4 Lista’s legitimate site (top) with the copycat site (claim-lista[.]org) below.

The malicious site claims that a ‘limited time airdrop’ event is currently available (an airdrop is typically an event in which new coins or tokens can be claimed for free to garner publicity). Clicking the Claim Allocation button displays a transaction request for the victim to confirm. If they do this, their entire balance is sent to a wallet and – unsurprisingly – no coin or token is provided in return.

Examining the malicious site’s source code displays markers left from a website copying tool, which reveals that the site is a direct duplication of the real cryptocurrency project.

Figure 5 Source code of malicious site with markers from a website copying tool

Website copying tools allow the criminals behind these crypto drainer campaigns to quickly spoof legitimate cryptocurrency projects at scale, requiring only small modifications (and minimal technical skills) to insert the malicious draining payload.

IPFS gateways

IPFS (InterPlanetary File System) is a decentralized storage and delivery network. Unlike the conventional web, where most content is hosted on centralized servers, IPFS embodies the Web 3.0 ethos and is based on peer-to-peer (P2P) networking, without requiring third parties or centralized authorities. This means that it’s harder to take down malicious content on the network, making IPFS ideal for cybercriminals when running phishing attack campaigns.

While IPFS URLs aren’t directly accessible in most popular browsers, they are accessible through various IPFS gateways such as ipfs.io. Netcraft analysts have already detected criminals using IPFS gateways for crypto drainers. As IPFS is now widely used across legitimate Web3 platforms, victims may be less suspicious of the seemingly random-looking URLs. For example, we identified a crypto drainer hosted on IPFS imitating the akash.network project, which describes itself as a “decentralized computer marketplace”.

Figure 6 Crypto currency drainer clone of akash.network.

The IPFS-hosted content in this attack does not contain the malicious JavaScript payload used to perform the draining. Instead, this is hosted on “npm-js[.]top”, which is spoofing the popular JavaScript package manager “npmjs.com”. The script is heavily obfuscated, making it harder to identify it as a crypto drainer scam and extract useful information (such as the destination address).

Figure 7 Malicious obfuscated drainer script hidden under npm-js[.]top.

The following crypto drainer, distributed via IPFS gateways masquerading as the Pandora Labs ERC-404 token, also uses a malicious script in cdn-bunny[.]com, a domain registered specifically to appear like the content delivery network (CDN) bunny.net.

Figure 8 Crypto drainer on IPFS with a malicious script in cdn-bunny[.]com.

Malicious cryptocurrency drainer domains

Another crypto drainer imitating ListaDAO is available on IPFS with the hash “bafybeia2pskjjyxn2nyv5djpdqusz4myivoyd42mwji2e6oj7qfybcyz7a”. The malicious JavaScript snippet is under “cdn-npm[.]xyz”, another domain that spoofs npmjs.com. The following domains were all registered in close succession, suggesting that the domains were purpose registered as part of a recent drainer campaign:

  • npm-js[.]top (registered on May 12th 2024)
  • cdn-bunny[.]com (registered on May 26th 2024)
  • cdn-npm[.]xyz (registered on June 2nd 2024)

These domains are likely used to hide the malicious payload from security professionals, while centralizing configuration of the crypto drainer. This allows the criminal to later change the destination wallet address (which would not be possible had this configuration been stored solely in IPFS).

The CDN look-alikes may be indicative of attacks across the software supply chain more generally, potentially allowing criminals to hide malicious code in legitimate sites while evading detection.
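The three look-alike hosts above share a shape: a well-known CDN or package-registry name padded with filler such as "cdn" and moved to a different TLD, loaded by a page that is itself pinned on IPFS. The following is an added example, not Netcraft's code: it audits a page's script sources for look-alikes of a small list of legitimate hosts and flags payloads pulled from outside IPFS by an IPFS-hosted page, which is the mutable-configuration trick the post describes. The malicious hosts and the CID in the sample are the ones quoted in the post; the gateway URL, the legitimate-host list, the filler-token list and the script paths are assumptions, and the registrable-domain logic assumes a simple label.tld layout.

```javascript
// Added example (not Netcraft's code): audit <script src> hosts for look-alikes
// of well-known CDN / package hosts and recover the CID when the page itself is
// served through an IPFS gateway. Offline, Node.js, no dependencies.

// Hosts a drainer operator might imitate (assumed list for illustration).
const LEGIT_HOSTS = ["npmjs.com", "bunny.net", "unpkg.com", "jsdelivr.net"];

// Tokens that make a host look infrastructural but carry no identity.
const FILLER = new Set(["cdn", "static", "assets", "js", "api", "www"]);

// Registrable domain, assuming a simple <label>.<tld> layout (co.uk-style
// public suffixes are not handled here).
function registrable(host) {
  const parts = host.toLowerCase().split(".").filter(Boolean);
  return parts.slice(-2).join(".");
}

// Second-level label with filler tokens and hyphens stripped:
// cdn-bunny -> bunny, npm-js -> npmjs, cdn-npm -> npm.
function coreLabel(host) {
  const label = registrable(host).split(".")[0];
  return label.split("-").filter(t => !FILLER.has(t)).join("");
}

// Single-row Levenshtein distance.
function levenshtein(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, i) => i);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0]; prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j];
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1, diag + (a[i - 1] === b[j - 1] ? 0 : 1));
      diag = tmp;
    }
  }
  return prev[b.length];
}

// Which legitimate host, if any, is this one imitating? An exact registrable
// match is legitimate; the same core label on another TLD, a one-edit core
// label, or a core label that is a prefix of the real one (cdn-npm -> npm vs
// npmjs) is a look-alike.
function lookalikeOf(host) {
  const reg = registrable(host);
  if (LEGIT_HOSTS.includes(reg)) return null;
  const core = coreLabel(host);
  if (core.length < 3) return null;
  for (const legit of LEGIT_HOSTS) {
    const legitCore = legit.split(".")[0];
    if (core === legitCore || levenshtein(core, legitCore) <= 1 || legitCore.startsWith(core)) return legit;
  }
  return null;
}

// Extract an IPFS CID from path-style (/ipfs/<cid>/...) or subdomain-style
// (<cid>.ipfs.<gateway>) gateway URLs; null if the URL is not gateway-shaped.
function ipfsCid(url) {
  const u = new URL(url);
  const pathMatch = u.pathname.match(/^\/ipfs\/([A-Za-z0-9]+)/);
  if (pathMatch) return pathMatch[1];
  const hostMatch = u.hostname.match(/^([a-z0-9]+)\.ipfs\./i);
  return hostMatch ? hostMatch[1] : null;
}

// Findings for one page: where each script comes from and what that implies.
function auditScripts(pageUrl, scriptSrcs) {
  const cid = ipfsCid(pageUrl);
  return scriptSrcs.map(src => {
    const resolved = new URL(src, pageUrl);
    const host = resolved.hostname.toLowerCase();
    const findings = [];
    const imitated = lookalikeOf(host);
    if (imitated) findings.push(`look-alike of ${imitated}`);
    // A page pinned on IPFS that pulls its logic from a mutable, purpose-registered
    // host keeps the operator in control of the payload and the payout address.
    if (cid && ipfsCid(resolved.href) === null && !LEGIT_HOSTS.includes(registrable(host)))
      findings.push("payload loaded from outside IPFS");
    return { src, host, findings };
  });
}

// Constructed sample: a gateway-served IPFS page loading five scripts.
const SAMPLE_PAGE = "https://ipfs.io/ipfs/bafybeia2pskjjyxn2nyv5djpdqusz4myivoyd42mwji2e6oj7qfybcyz7a/index.html";
const SAMPLE_SCRIPTS = [
  "https://cdn.jsdelivr.net/npm/example-lib/dist/example.min.js",
  "https://npm-js.top/web3.min.js",
  "https://cdn-bunny.com/app.js",
  "https://cdn-npm.xyz/config.js",
  "./vendor.js",
];

console.log(JSON.stringify(auditScripts(SAMPLE_PAGE, SAMPLE_SCRIPTS), null, 2));
```

The prefix rule is the loosest of the three and will flag hosts like "npm-anything"; in a production feed you would pair it with registration age, which the post's own dates (three domains in as many weeks) show to be a strong corroborating signal.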

Disrupting new attacks at scale

Netcraft provides cybercrime detection, disruption, and takedown services to organizations worldwide, including 17 of the top 50 global banks and many of the largest cryptocurrency exchanges in the world. While currently disrupting more than 100 unique attack types, Netcraft teams and systems are constantly monitoring unique and innovative attacks, like crypto drainer scams, to protect the world from cybercrime.

Netcraft’s unique visibility across web-based financial fraud allows us to provide comprehensive intelligence feeds with payment details sourced from criminal activity across various cryptocurrencies as well as bank accounts around the world. This includes proprietary intelligence gathered with our new Conversational Scam Intelligence service which proactively extracts crypto wallets, mule accounts, and other forms of actionable intelligence from peer-to-peer messaging scams.

Netcraft first detected and acted on a malicious IPFS hash as far back as 2016 and we continue to detect, block, and mitigate malicious content hashes on the IPFS network every day. At the time of writing, we’ve completed over 15,000 IPFS gateway phishing takedowns.

To find out more about how Netcraft can help, book a demo with our expert team.

June 2024 Web Server Survey https://www.netcraft.com/blog/june-2024-web-server-survey/ Fri, 28 Jun 2024 19:40:00 +0000 https://www.netcraft.com/?p=23416

In the June 2024 survey we received responses from 1,101,431,853 sites across 269,118,919 domains and 12,865,432 web-facing computers. This reflects an increase of 4.0 million sites, an increase of 981,220 domains, and a decrease of 33,027 web-facing computers.

OpenResty experienced the largest gain of 4.6 million sites (+4.01%) this month, and now accounts for 10.8% (+0.38pp) of sites seen by Netcraft. Cloudflare made the next largest gain of 3.2 million sites (+2.66%).

Apache experienced the largest loss of 4.8 million sites (-2.23%) this month, reducing its market share to 19.3% (-0.51pp). LiteSpeed suffered the next largest loss, down by 1.1 million sites (-2.24%).

Vendor news

  • njs 0.8.5 was released on June 25th, primarily containing bug fixes. Earlier this month its source code was moved to GitHub.
  • freenginx 1.27.1 was released on June 4th. New features include support for limiting the number of headers in an HTTP request, and support for additional authentication mechanisms in its mail proxying module.
  • LiteSpeed 6.3 was released on June 26th, containing new features, improvements, and bug fixes. The new features are mainly security-related.
  • Apache Tomcat versions 9.0.90, 10.1.25, and 11.0.0-M21 were released.
  • Amazon announced its plan to launch a new AWS region in Taipei, Taiwan by early 2025.
Total number of websites [chart]

Web server market share

Developer  | May 2024    | Percent | June 2024   | Percent | Change (pp)
nginx      | 236,239,936 | 21.53%  | 235,170,823 | 21.35%  | -0.18
Apache     | 217,239,604 | 19.80%  | 212,402,611 | 19.28%  | -0.51
Cloudflare | 118,561,124 | 10.80%  | 121,715,882 | 11.05%  | +0.25
OpenResty  | 114,268,616 | 10.41%  | 118,852,803 | 10.79%  | +0.38

Web server market share for active sites

Developer  | May 2024   | Percent | June 2024  | Percent | Change (pp)
Apache     | 37,106,437 | 19.17%  | 36,784,011 | 19.13%  | -0.04
nginx      | 34,944,050 | 18.06%  | 34,778,931 | 18.09%  | +0.03
Cloudflare | 28,767,697 | 14.86%  | 28,457,465 | 14.80%  | -0.07
Google     | 19,116,508 |  9.88%  | 19,253,340 | 10.01%  | +0.14

For more information see Active Sites.

Web server market share for top million busiest sites

Developer  | May 2024 | Percent | June 2024 | Percent | Change (pp)
Cloudflare | 228,120  | 22.81%  | 230,996   | 23.10%  | +0.29
nginx      | 204,238  | 20.42%  | 205,005   | 20.50%  | +0.08
Apache     | 197,994  | 19.80%  | 196,945   | 19.69%  | -0.10
Microsoft  |  46,476  |  4.65%  |  45,441   |  4.54%  | -0.10

Web server market share for computers

Developer  | May 2024  | Percent | June 2024 | Percent | Change (pp)
nginx      | 4,991,558 | 38.70%  | 4,983,288 | 38.73%  | +0.04
Apache     | 3,200,253 | 24.81%  | 3,179,967 | 24.72%  | -0.09
Microsoft  | 1,166,629 |  9.04%  | 1,162,544 |  9.04%  | -0.01

Web server market share for domains

Developer  | May 2024   | Percent | June 2024  | Percent | Change (pp)
nginx      | 59,369,976 | 22.14%  | 58,833,354 | 21.86%  | -0.28
Apache     | 56,703,726 | 21.15%  | 56,621,922 | 21.04%  | -0.11
OpenResty  | 47,234,776 | 17.62%  | 48,342,096 | 17.96%  | +0.35
Cloudflare | 22,741,959 |  8.48%  | 23,150,381 |  8.60%  | +0.12
Too good to be true: Beware the temptation of recovery scams https://www.netcraft.com/blog/recovery-scams-too-good-to-be-true/ Thu, 27 Jun 2024 07:46:43 +0000 https://www.netcraft.com/?p=23733

Being a victim of fraud can be devastating enough, but that’s not always the end of the story. Often, fraud victims can be targeted again — only this time by people claiming that they can recover the victim’s initial losses. 

Recovery scams are a type of advance-fee fraud in which fraudsters promise to help scam victims get their money back in return for an upfront fee. The victim loses even more money by paying the fraudster for a so-called ‘fraud recovery service’ that never materializes. In some variants of this scam, fraudsters claim to be able to recover cryptocurrency, often targeting people who have fallen victim to investment scams. Unfortunately, however, these ‘crypto recovery services’ are not genuine. 

In December of 2023, the FTC issued a warning about the growing trend in recovery scams and how they exploit the most vulnerable populations, those who’ve already fallen victim to scams. So, how are they targeted?  

Finding new ‘customers’ — building credibility

Every successful scam starts by luring potential victims and then building credibility. For recovery scams, criminals advertise in several ways, including social media, copied websites from other scammers, and review sites intended to establish trust for consumers. 

Many recovery scammers contact known victims of fraud, either through social media (for example, if the victim has posted publicly about being scammed) or by obtaining their details from a so-called sucker list — a list of people who have previously fallen for a scam that contains details such as their name, email address, or phone number, which is sold to fraudsters on the dark web. In some cases, the recovery scammer may even be the same person from the first scam. 

Looks can be deceiving — @cybstrive deep dive 

Recovery scams can often be found in the comment sections of platforms like YouTube and Reddit, typically using bot accounts. For example, the image below shows some comments made by the user RobinsonkLfb2 on Reddit in response to other users’ posts in subreddits, such as r/phishing. These comments all advertise the services of user @cybstrive on Instagram and Telegram, claiming that they were able to retrieve the funds that they had lost to fraud. 

Figure 1: Comments posted by RobinsonkLfb2 on Reddit advertising @cybstrive on Instagram 

A search for @cybstrive on Instagram brings up the profile in the images below, which has all the hallmarks of a recovery scam: exaggerated claims that they are ‘experts’, a Telegram contact link, and various out-of-context, poor-quality images that vaguely relate to scams, computing, and cryptocurrency in order to seem believable.

Figure 2: @cybstrive’s Instagram profile 

Another notable trait of profiles like this is the username change count, which some social media platforms display to help users judge whether a profile could be misleading. As shown here, @cybstrive’s Instagram account has changed its username six times since its registration in July of 2023.

Figure 3: Information on @cybstrive’s Instagram account, including the number of username changes 

Additionally, the frequent username changes combined with the high follower count (50.3K at the time of writing) suggest either that the account was hacked and renamed, or that its owner has purchased fake followers in the form of bot accounts to appear more legitimate.

Figure 4: @cybstrive’s follower count 

Freelance fraud recovery? 

In addition to advertising on social media or using a list of people, fraudsters can even be found using the freelance services platform Fiverr to lure victims. A search for ‘bitcoin recovery’ on the platform brings up a plethora of ads for recovery scams associated with crypto, PayPal, and other platforms. Interestingly, many of these listings have unique listing images but the same descriptions, a common feature of fraudulent app listings, fraudulent services, and fake investing platforms where criminals just copy content for efficiency and speed.

Figure 5: Results for ‘bitcoin recovery’ on Fiverr 

The actual profile descriptions contain slightly more variation, but if bad grammar and copy-pasted text aren’t enough of a red flag, one seller gives away that the text is most likely autogenerated by introducing himself simply as ‘(Name)’:

Figure 6: Profile description belonging to a seller of ‘bitcoin recovery services’ 
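The copy-pasted text noted above (identical listing descriptions, slightly varied profile text) is a signal a defender can check for mechanically. The following Python is an added example, not Netcraft’s code: it normalizes each description, compares word shingles by Jaccard similarity, and groups near-duplicates with union-find; the listings are constructed and name no real sellers.

```python
"""Group marketplace listings whose descriptions are near-identical.

Added example, not Netcraft's code. The listings below are constructed to
mimic the pattern described in the post: distinct images and seller ids,
but the same copy-pasted description with trivial edits or additions.
"""
import re
from itertools import combinations

WORD_RE = re.compile(r"[a-z0-9]+")


def normalize(text: str) -> list[str]:
    """Lowercase and keep only alphanumeric tokens, so punctuation,
    capitalization and whitespace differences do not hide a copy-paste."""
    return WORD_RE.findall(text.lower())


def shingles(tokens: list[str], k: int = 3) -> set[tuple[str, ...]]:
    """Set of k-word shingles; very short texts yield a single shingle."""
    if len(tokens) < k:
        return {tuple(tokens)}
    return {tuple(tokens[i:i + k]) for i in range(len(tokens) - k + 1)}


def jaccard(a: set, b: set) -> float:
    """Jaccard similarity |a & b| / |a | b| (1.0 for two empty sets)."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def cluster_listings(listings, threshold: float = 0.6):
    """Return sorted groups of listing ids whose descriptions are at or
    above the similarity threshold, transitively. Singletons are omitted."""
    ids = [item["id"] for item in listings]
    sh = {item["id"]: shingles(normalize(item["description"])) for item in listings}
    parent = {i: i for i in ids}

    def find(x):
        # Union-find with path halving.
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for a, b in combinations(ids, 2):
        if jaccard(sh[a], sh[b]) >= threshold:
            parent[find(a)] = find(b)

    groups = {}
    for i in ids:
        groups.setdefault(find(i), []).append(i)
    return [sorted(g) for g in groups.values() if len(g) > 1]


# Constructed sample listings (hypothetical sellers, not real profiles).
LISTINGS = [
    {"id": "seller_a", "image": "img_a.png",
     "description": "I will recover your lost bitcoin and crypto funds from scammers fast. 100% guaranteed recovery of stolen wallet."},
    {"id": "seller_b", "image": "img_b.png",
     "description": "I will recover your lost bitcoin and crypto funds from scammers FAST!! 100% guaranteed recovery of stolen wallet"},
    {"id": "seller_c", "image": "img_c.png",
     "description": "i will recover your lost Bitcoin and crypto funds from scammers fast, 100% guaranteed recovery of stolen wallet. Contact me now."},
    {"id": "seller_d", "image": "img_d.png",
     "description": "Professional logo design for your small business, three concepts and unlimited revisions."},
]

if __name__ == "__main__":
    for group in cluster_listings(LISTINGS):
        print("near-duplicate descriptions:", ", ".join(group))
```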

Considering Fiverr’s chargeback policy, it’s currently unclear how successful these fraudsters are in taking money from victims, assuming they request a refund through the platform for a service they have not received. In any case, the evidence suggests that these profiles are anything but legitimate. 

A hacker for any service 

Many profiles and websites that promote fake recovery services will often claim to be able to do a lot more than just recover funds. The initial lure is similar to what we covered earlier in the article; fraudsters will often use bot accounts to spam YouTube comments, such as in the below example: 

Figure 7: YouTube bot comments endorsing the services of Cryptic Webster 

The comments don’t include direct ways of contacting the fraudsters, such as an email address or a link to a social media account, but instead repeatedly mention the name of the alleged service in bold, prompting anyone reading the comments to use a search engine to find it. Upon searching for the phrase ‘Cryptic Webster’, the top result was a website claiming to offer hacking services for just about anything — including recovering lost social media accounts, fixing credit scores, and even improving grades. 

Figure 8: Hacking services allegedly offered by Cryptic Webster 

Additionally, fraudsters claiming to offer ‘legit’ hacking services for such purposes can even be seen advertising using Google Ads, as shown in the second sponsored listing for hxxps[://]hacklancer[.]com in the image below. No self-proclaimed hacker can legitimately fix credit scores (or provide any of the services they claim to offer). In the case of credit scores, these ‘hackers’ will, at best, disappear with the victim’s money and, at worst, steal the victim’s identity after the victim has given them all kinds of information. 

Figure 9: Google Ad listing which advertises fraudulent hacking service ‘hacklancer’ (second result) 

How can Netcraft help? 

Scams evolve daily, and Netcraft works around the clock to detect and disrupt over 100 different types of cybercrime to keep your organization safe. In addition, we continuously monitor emerging threats to ensure we stay ahead of criminals at all times. Our robust detection capabilities, combined with automated countermeasures, allow Netcraft customers to see more threats and take action in real-time to disrupt criminal behavior and protect their brand and customers from phishing, fraud, and scams.  

Contact our team or book a demo today if you want to learn more about how Netcraft can protect your brand. 

Trumped Up Crypto Scams – Criminals Deploy Trump Donation Scams https://www.netcraft.com/blog/trumped-up-crypto-donation-scams/ Tue, 18 Jun 2024 08:40:20 +0000 https://www.netcraft.com/?p=23702

Criminals are opportunists, ready to exploit any perceived weakness, from humanitarian efforts to presidential campaigns. Recently, Netcraft has been monitoring a series of attacks surrounding the Trump campaign, particularly following two developments: the May 21st announcement of crypto donations and the May 31st trial verdict that led to a huge surge in real donations, overwhelming the Trump campaign’s actual infrastructure.

Following these events, Netcraft has identified donation scams impersonating the Trump campaign, featuring dozens of malicious domains distributed in phishing and smishing campaigns. With millions of emails and texts sent by the real campaign, scammers are exploiting recent interest to trick would-be donors into visiting a lookalike domain.

Netcraft also used our proprietary peer-to-peer messaging reconnaissance to engage in a direct conversation with a “Trump National Committee” scammer, who revealed various points of actionable threat intelligence, including mule bank accounts, payment app details, email addresses, and more. In addition to collecting critical data that can be utilized to disrupt attacks and dismantle infrastructure, this dialogue with the scammers confirms a popular concern that criminals are leveling up and using AI to create better, faster, and more believable scams. 

Let’s examine how quickly criminals deploy these campaigns, adapt to new information, and are getting better while they do. 

Legitimate Crypto Support

As announced in late May, the Trump campaign accepts cryptocurrency donations via Coinbase Payments. This technology is provided through Coinbase and is available to any “federally accredited donor” to make payments via Ethereum-based cryptocurrencies or through balances held at Coinbase including Bitcoin and a large variety of more esoteric coins. 

When the trial verdict was announced on May 31st, the Trump campaign immediately directed all incoming traffic to its site to the donation pages in order to capitalize on support from donors across the country. The campaign collected more than $50 million in the 24 hours following the verdict, but criminals also took note. Those behind these donation scams also identified the opportunity and immediately pivoted their strategy to mirror what was happening on the legitimate campaign site, with many direct impersonations of campaign resources.

Moving Fast and Smart

Shortly following the crypto announcement, criminals had already taken notice, with various domains registered the day after the announcement, including donalbjtrump[.]com and doonaldjtrump[.]com. Among the fastest-acting was the threat actor behind our first example, donalbjtrump[.]com, which on creation mirrored the Trump campaign page almost exactly in content and design.

Original page hosted on donalbjtrump[.]com within days of campaign announcements
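Both day-after registrations named above sit a single edit away from the real campaign domain. As an added example (not Netcraft’s tooling), the Python below refangs the `[.]` notation used in this post and scores each newly registered domain against the brand domain by restricted Damerau-Levenshtein distance on the registrable label; it assumes the legitimate domain is donaldjtrump.com and uses a constructed watchlist.

```python
"""Flag lookalike domains within a few edits of a legitimate brand domain.

Added example, not Netcraft's code. Assumes the legitimate campaign domain
is donaldjtrump.com; the watchlist mixes the two defanged domains named in
the post with constructed entries.
"""


def refang(domain: str) -> str:
    """Turn a defanged indicator such as 'donalbjtrump[.]com' into a hostname."""
    return domain.replace("[.]", ".").replace("(.)", ".").strip().lower()


def registrable_label(domain: str) -> str:
    """Label left of the suffix, e.g. 'donalbjtrump'. A production tool would
    consult the Public Suffix List; a single-label suffix is enough for .com."""
    parts = refang(domain).rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def damerau_levenshtein(a: str, b: str) -> int:
    """Optimal string alignment distance: insertion, deletion, substitution
    or transposition of two adjacent characters, each costing 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,         # deletion
                          d[i][j - 1] + 1,         # insertion
                          d[i - 1][j - 1] + cost)  # substitution
            if (i > 1 and j > 1 and a[i - 1] == b[j - 2]
                    and a[i - 2] == b[j - 1]):
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def lookalike_score(candidate: str, brand: str) -> int:
    """Edit distance between the registrable labels of two domains."""
    return damerau_levenshtein(registrable_label(candidate),
                               registrable_label(brand))


def flag_lookalikes(candidates, brand: str, max_distance: int = 2):
    """Return (refanged domain, distance) for each candidate whose label is
    within max_distance of the brand label, skipping the brand itself."""
    brand_label = registrable_label(brand)
    hits = []
    for cand in candidates:
        label = registrable_label(cand)
        if label == brand_label:
            continue
        dist = damerau_levenshtein(label, brand_label)
        if dist <= max_distance:
            hits.append((refang(cand), dist))
    return sorted(hits, key=lambda hit: hit[1])


LEGITIMATE = "donaldjtrump.com"  # assumed legitimate campaign domain
# Constructed watchlist of new registrations.
NEW_REGISTRATIONS = [
    "donalbjtrump[.]com",   # named in the post
    "doonaldjtrump[.]com",  # named in the post
    "donaldjtrump.com",     # the brand itself, skipped
    "example-shop[.]com",   # constructed, unrelated
]

if __name__ == "__main__":
    for domain, dist in flag_lookalikes(NEW_REGISTRATIONS, LEGITIMATE):
        print(f"{domain}: distance {dist} from {LEGITIMATE}")
```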

However, in addition to moving quickly, these scammers are actively monitoring the situation and making strategic adjustments to improve the scam. Initially, the site carried the content shown in the screenshot above; on May 31st, the day Trump’s guilty verdict was announced, this scammer quickly adjusted it to mirror the “Never Surrender” narrative of the Trump campaign, taking advantage of the urgency felt by Trump supporters and potential victims. With the Trump campaign collecting more than $50M in a 24-hour period, there’s no telling how much might have been lured away by the criminals behind these scams.

On the left, you’ll see the authentic Trump campaign page, on the right is the fraudulent site that was adapted to match the Trump campaign

Dinner for Donations

Want to meet up with Trump for dinner at Mar-a-lago? This is your chance for just $2,000. Too good to be true? That’s because it is. This scam utilizes the exact layout of the campaign page but obviously steals resources, and in this instance, cash. 

The figure on the left showcases the actual donation page, and the image of the fake site to the right adds the introduction to dinner with Trump. 

Cashing Out

The donation scams use a variety of different techniques to replace the legitimate Coinbase Payments-based flow used by the Trump campaign, including phishing pages impersonating Coingate, and crypto payment flows using Plisio and Oxapay. 

donalbjtrump[.]com contains fixed Bitcoin and USDC wallet addresses. At the time of writing, neither had received any transactions. 

Netcraft has also seen donation scams that focus on traditional payment options, including sites that selectively redirect visitors back to the legitimate campaign when they choose a non-cryptocurrency payment option.

This campaign reinforces the observation that criminals operating donation scams are quick to make use of current affairs to steal money from would-be donors and have no qualms about who or what they impersonate. This recently played out in the Gaza conflict with similar efforts to redirect donations to criminal threat actors, with impersonations playing on sympathies for either Israel or Palestine. 

Leveling Up with AI

A common concern within the security landscape is the extent to which AI will level up threats targeting businesses and consumers – improving quality while allowing for increased scale. The peer-to-peer message thread with the Trump campaign scammer appears to confirm what many have feared. 

A hallmark of P2P messaging scams is they are often riddled with spelling and grammar errors, at times making them simple to spot. However, in reviewing the back-and-forth dialogue between the scammer and Netcraft systems, these messages break from convention as they are very well structured, use proper English and grammar, contain nuanced language unique to the Trump campaign, as well as repetitive use of some key phrases. Analysis run on the messages reveals there is a very high likelihood the content was created using AI. 

**This thread is still ongoing, so to protect the integrity of the data we have chosen to not share screenshots or specific language at this time. 

Defending Against Impersonation

As phishing, fraud, and scams continue to increase, along with the added challenges presented by AI, it is critical to stay ahead of criminal innovation by leveraging new technologies to detect, disrupt, and take down threats across the internet. Netcraft’s extensive automation and impactful AI work around the clock to identify threats and deploy automated countermeasures on behalf of our customers – including some of the world’s largest and most trusted brands and governments. 

To learn more about how Netcraft can help defend against attacks actively targeting your business, just like the one targeting the Trump campaign, please reach out.

Flipping the script on pig butchering – $45 million is just the tip of the iceberg https://www.netcraft.com/blog/flipping-the-script-on-pig-butchering/ Thu, 13 Jun 2024 10:18:01 +0000 https://www.netcraft.com/?p=23596

Losses to investment scams, romance fraud, and pig butchering reached $4.6 billion in the United States, a 38% increase in 2023. These scams often play out in private peer-to-peer conversations between victim and criminal, well beyond the reach of typical threat intelligence.

Netcraft has explored these scams by leveraging a first-of-its-kind AI-powered solution that communicates with criminals at scale. Responding to lure email and SMS messages, our AI-based personas continue the dialogue to uncover hidden financial and technical infrastructure. Following the money by disrupting money mule networks identified in confirmed scams in real-time could disable entire threat actor networks in one fell swoop.

The reach of these scams runs deep with criminal bank accounts, mule accounts, crypto wallets, and a connected web of malicious infrastructure used to further these scams. We have extracted thousands of criminal money mule bank accounts across 73 countries and more than 600 financial institutions. In one case, we have received 17 mule accounts from one conversation. The top four crypto wallet addresses Netcraft identified have received more than $45 million (1,000 BTC).

Equally, criminals, like the rest of us, are human too. And a long-lived but ultimately fruitless conversation with a Netcraft-controlled persona can cause frustration – as you’ll see later. 

Crime pays. The hours are good, you travel a lot. 

One in six of our conversations with criminals has resulted in details of at least one bank account being sent. Other conversations end with requests to buy gift cards or to pay via cryptocurrency, online payment providers (like PayPal), or money remittance services (like Western Union), while others fade out over time as the conversation naturally goes cold.

When we see the whole scam play out, on average, criminals send more than 32 messages despite receiving only 15 replies. Standing out in the data is that criminals are eager to engage quickly and frequently and maintain these scams over an average of more than 47 days.

Inside the scam

The following examples have been reproduced from actual conversations with criminals in which the initial message received was fraudulent. Many represent weeks and months of dialogue involving dozens of messages (emails, texts, etc.). Images have had sensitive information removed, and conversations have been truncated for brevity.

All in on crypto 

In this example of Advance Fee Fraud, the criminal uses crypto. The cryptocurrency wallet extracted from this conversation has received over 620 BTC, equaling more than $40M in payments. In this, as in most examples we’ve seen, crypto wallets extracted via this intelligence layer sit empty: as soon as funds are sent to the address, they are immediately laundered out to many other addresses, making payments harder to trace. Transactions range from a few dollars to thousands, which could be evidence of pig butchering scams over extended timeframes.

In addition to this massive crypto wallet, this conversation extracted WhatsApp accounts, Western Union remittance details, emails, and multiple phone numbers used in this attack.  

17 and counting 

Attackers are anxious to interact with potential victims and can be as malleable as they hope their victims will be. Promising to unlock more than $5M in inheritance, the most willing attacker has shared more than 17 accounts across 12 financial institutions to extract a few hundred dollars. This exchange has obtained many accounts and more than 40 total points of actionable intelligence, including money mules and email addresses. 

We wish we could share the entire thread, but it’s over 250 back-and-forth messages with the scammer. It not only extracted the actionable intelligence outlined above but also wasted massive amounts of this scammer’s time – we think Jim Browning would be proud.

Hook, line, and sinker 

This example showcases the breadth of scammer infrastructure. Impersonating the investments team at “Deutsche Bank,” on behalf of the “Central Bank of Nigeria,” this scam is typical advance fee fraud, promising unrealistic sums in return for a small amount upfront. In a conversation lasting just under a month and about 40 messages, this fraudster offered up four bank accounts, two crypto wallets, and one set of money remittance details. 

Sorry not sorry 

Finally, not all scams go how you hope they will – at least it would seem that way for many scammers, who share their obvious frustration. After months of back-and-forth and over a dozen bank accounts, this scammer got personal, cursing Netcraft’s AI in multiple ways. However, they still came back for more, looking to continue the scam using gift cards.

After telling them we couldn’t acquire the gift card, you guessed it, they gave us yet another bank account.

Know your foe 

Conversational scams can be broadly grouped into the following types: 

Pig butchering scams. So-called because the criminals ‘fatten victims up’ and then take everything they can. A relationship is built with the fraudster over a long time. Once trust is established, the fraudster gradually encourages the victim to invest more funds, often using a fake investment platform as a lure, which the criminal controls. Once the criminal is satisfied with the invested funds (or if they think the victim is growing suspicious), they steal them. Later, they sometimes return with promises of recovery. 

Advance fee fraud. Criminals trick victims into making modest upfront payments in return for a larger payment, which never arrives. 

Romance scams. Fraudsters strike up a fake romantic relationship with the victim and then use the trust built in that relationship to “borrow” or extort money. Romance scams usually span months and require a lot of interaction to extract intelligence, sometimes feeding into pig butchering scams.

To avoid detection, most bank accounts and crypto wallets supporting these scams are created using money mules (though cryptocurrency accounts can be anonymous when used carefully). Mules might also control cryptocurrency addresses on exchanges, which help launder the money. The money mules are often coerced, trafficked, or tricked into being a mule, or have their identity stolen to create mule accounts.

So, what’s next

The potent cocktail of AI, end-to-end encryption, and increasing mechanisms for scale make conversational scams more prevalent and nefarious than ever before, with no signs of slowing. 

For decades, the Netcraft team has focused on innovative solutions to stay ahead of criminal developments. Conversational Scam Intelligence, recently announced at RSA, now provides the data and insight needed to disrupt these scams at any scale. For a financial institution, that may look like blocking transactions to known mule accounts; for a crypto exchange, suspending transfers to known criminal wallets. For Netcraft, it means combining those interventions with countermeasures that disrupt criminal infrastructure on behalf of our customers.

And that’s what it takes to stop threats like these: working across multiple disruption channels to intervene and block criminal behavior. This multi-threaded approach is part of why Netcraft detection, disruption, and takedowns set the standard for performance in the industry. We mix our cocktail of comprehensive threat data, advanced automation, impactful AI, and trusted relationships to help the world’s leading companies protect their customers, brands, and bottom line from cyber attacks.

Let’s talk to see how we can help you. Request more information on Conversational Scam Intelligence here.
