Investment scam websites are increasingly common, often promising impossibly high returns and involving cryptocurrency transfers to obscure their traces. Many of these sites are created by individuals or groups based in China. This document aims to expose these websites, analyze their key details, and present the necessary information to take them down.
Website URL | Hoster | DNS middleman | Domain Registrar | Alleged Violations | Impersonations / brand infringements |
---|---|---|---|---|---|
tunework.world | ? | Cloudflare | Alibaba | redirects to tunework.live | - |
tunework.live | ? | Cloudflare | Alibaba | cryptocurrency investment scam advertised as a work opportunity | alleges to be partners with Google, Apple, Microsoft, Meta, TikTok, and |
ilpudse.pics | ? | Cloudflare | Public Domain Registry | investment scam | pretends to be Spiegel |
www.adjust6.com | ? | Gname | Gname | forwards to a WhatsApp number which tells you to visit adjust-work.net | adjust.com |
adjust-work.net | ? | Gname | Gname | Cryptocurrency investment scam involving the Telegram number +33745348532 | using the name and logo of adjust.com |
m.aocfx.com | ? | Cloudflare | Gname | cryptocurrency investment scam involving the Telegram username BainCapitalDelia | impersonates BainCapital in WhatsApp & uses their logo |
inwinoo.com | ? | Namecheap | Namecheap | collecting contact data for an investment scam | Tagesschau |
sportsmentorshipprogram.org | Sav.com, LLC (suspected) | Cloudflare | Sav.com, LLC | collecting contact data for an investment scam | Tagesschau |
cabinsecure.com | Dreamhost | N/A | GoDaddy.com, LLC | collecting contact data for an investment scam | Tagesschau |
littlefeatherin.rest | ? | Cloudflare | NameSilo, LLC | forwards to a page to collect contact data for an investment scam | Tagesschau, Berliner Sparkasse, Transfermarkt |
sefaneconsulting.rest | ? | Cloudflare | NameSilo, LLC | forwards to a page to collect contact data for an investment scam | - |
grutnikgroup.skin | ? | Cloudflare | NameSilo, LLC | collecting contact data for an investment scam | Tagesschau, Forbes |
app-sparkasse.info | ? | Cloudflare | OwnRegistrar, Inc. | redirects to reaktivierungs-sprks.xyz for phishing | Sparkasse |
reaktivierungs-sprks.xyz | ? | OwnRegistrar, Inc. | OwnRegistrar, Inc. | phishing | Sparkasse |
sid-check.com | ? | OwnRegistrar, Inc. | OwnRegistrar, Inc. | phishing | Sparkasse |
dacmcrypto.com | ? | Cloudflare | NameSilo, LLC | cryptocurrency investment scam (presented as mining) | - |
dacm-crypto.com | ? | Cloudflare | GoDaddy.com, LLC | cryptocurrency investment scam (presented as mining) | - |
alf-crypto.top | ? | Cloudflare | NameSilo, LLC | cryptocurrency investment scam (presented as mining) | - |
msssetd.com | ? | Cloudflare | CNO Bin / Ordertld | cryptocurrency investment scam | - |
https://wealthjourney.world | suspected: GoDaddy | GoDaddy.com, LLC | Wild West Domains, LLC | gateway for a WhatsApp-based investment scam | impersonates Martin Currie Limited in WhatsApp |
enterpagepoliicy.com | UltaHost | N/A | Web Commerce Communications Ltd | phishing website pretending to be Meta/Facebook | |
dex-crypto.com | heng.ai | N/A | Web Commerce Communications Ltd | fake cryptocurrency trading platform | |
axvc-exchange.net | ? | Cloudflare | Public Domain Registry | fake cryptocurrency trading platform | - |
noitn.top, fduft.top | ? | Cloudflare | NameSilo, LLC | gateway for a WhatsApp-based investment scam (presented as trading signals) | - |
fnewky.com | ? | Cloudflare | GoDaddy.com, LLC | gateway for a WhatsApp-based investment scam | - |
worldminer.io | ? | Dynadot LLC | Dynadot Inc. | cryptocurrency investment scam (presented as mining) | - |
computingpower.live | ? | DigitalOcean | Namecheap | redirects to ai-quantum-worldtrde.com | - |
ai-quantum-worldtrde.com | ? | Cloudflare | Namecheap | investment scam data collection / suspected fake broker | Bild |
- DNS middleman - the company that offers anonymization services for the web server regardless of content, essentially enabling cybercrime
- N/A - not applicable, i.e. when no DNS middleman was used (easier prosecution)
- ? - the hoster cannot be determined because of the DNS middleman
- Domain Registrar - the company registering the domains for the scammers and managing the registration
- Alleged Violations - details on the wrongdoings, without redefining them, e.g. phishing
- Impersonations / brand infringements - crucial information for taking the scam website down
The following domains are shielded by OwnRegistrar, Inc. but their names give away that they're most likely phishing:
- bundesfinanz-ministerium.info
- finanzamt2024.online
- finanzamt2024.info
- bawag-autorisieren.com
- activer-bnpparibas.com
- connexion-bnpparibas.com
- etape-bnpparibas.com
- 20-bnpparibas.com
- 21-bnpparibas.com
- 29-bnpparibas.com
- mabanque-bnpparibas.com
- aktivierung-o2de.online
- derspk-aktualisierung369.xyz
- kvk2024.info
- not cross-checking newly registered domains with brand databases to flag them for manual review
  - can be done as a post-purchase process to avoid impacts on sales
- TBD
- e.g. https://whoisprotection.cc/complaint
- https://privacyprotect.org/#report_abuse
- privacyguardian.org
- "Super Privacy Service LTD c/o Dynadot"
- TODO: add a column although often it appears to be the registrar itself or their shell company
TBD
- https://phish.report: easy-to-use tool to report infringements
- report to the domain registrar
  - ineffective when no contact form / contact data is provided, especially when located in China
- report to the web hoster
  - often anonymized by a DNS middleman
- report to the internet service provider (ISP) if hosters/registrars ignore requests
- https://safebrowsing.google.com/safebrowsing/report_phish
DNS middleman services hide the IP addresses of servers. Whilst originally designed as a cybersecurity measure, these providers see no problem with being an enabler of crime and refuse to take action even when the scam report is very easy to validate. The nameservers indirectly reveal who the DNS middleman is, as the DNS servers listed in the whois record can be mapped to the middleman:
DNS server | Real middleman |
---|---|
*.registrar-servers.com | Namecheap |
*.ns.cloudflare.com | Cloudflare |
*.managedns.org | OwnRegistrar, Inc. |
*.dyna-ns.net | Dynadot LLC |
*.digitalocean.com | DigitalOcean |
As you can see, some DNS middlemen choose domain names very different from the company name and do not always provide a landing page under these domains. This indicates how well-aware these companies are of the abuse potential associated with their services. Their idea of a solution consists not of taking action, but instead of trying to mask their affiliation while consciously doing business with cybercriminals.
If you find any new domains, just open an issue with the domain or (even better) create a pull request with the amendments.
These websites represent a significant threat to unsuspecting web users / investors, primarily through the promise of high returns and the use of cryptocurrency to obscure their operations. By exposing these websites and detailing their operations, we aim to help authorities and internet service providers take action to shut them down and protect potential victims.