pos-coin Wallet Drainer Operation

218+ domains across 6 kit variants · Research date: 2026-03-16
Active Threat · Crypto Fraud · OSINT

A $2.56M cryptocurrency wallet drainer disguised as a Proof-of-Stake mining and staking platform. Victims are lured via Telegram and social media with promises of passive yield, then tricked into signing malicious token approvals that silently drain their wallets. 146 confirmed victims across 313 documented drain transactions. Infrastructure traced through Tencent Cloud and bulletproof hosting in the Seychelles, with actor overlaps into the QWDB gambling syndicate and the US Treasury-sanctioned Huione Group.

$2.56M Confirmed Stolen · 146 Victims · 218+ Domains · 313 Drain Txs · 139 Notified

Mining Drainer Kit Ecosystem

Gen 1 USDT-DEFI · Gen 1.5 frontweb · Gen 1.5b defi-ETH · Research date: 2026-03-19
Active Threat · Crypto Fraud · OSINT

Longitudinal analysis of mining-themed crypto drainer toolkits across four major generations, documenting infrastructure reuse, code lineage, and shared actor attribution. Gen 1 USDT-DEFI operated in 2021–2022 and was rebuilt in 2024 as AI-DeFi with WalletConnect integration. Gen 1.5 frontweb is a full fake centralized exchange kit hosted on AWS. The defi-ETH variant is still deploying new domains, with 15+ confirmed active as of March 2026. Sophos has confirmed the operation as a Chinese SaaS crime operation. $496K+ in documented losses.

$496K+ Confirmed Losses · 4 Kit Generations · 15+ Active Domains · 16 Min Operator Deployments

QWDB Gambling Network

54-domain Chinese gambling syndicate · Government phishing · Vigorish Viper · Research date: 2026-03-19
Active Threat · Phishing · Infrastructure

Infrastructure mapping and actor attribution for the QWDB gambling guarantee network — 54 active domains on Vultr Japan. The network operates as the trust/escrow layer for the Vigorish Viper / Yabo Group gambling syndicate. Active government phishing campaigns targeting Canadian CRA users and West Virginia residents confirmed running on the same Tencent Cloud IP as the pos-coin drainer. FUNNULL CDN (OFAC-sanctioned May 2025) documented with ecosystem overlaps via Suncity Group and Huione Group.

54 Active QWDB Domains · 19 Gov Phishing Domains · 170K+ Vigorish Viper Domains · $1.7T Est. Gambling Economy

Bulletproof Hosting Analysis

Cloud Innovation / OWGELS / LUOGELANG / ASLINE / FUNNULL · Research date: 2026-03-19
OFAC Sanctioned · Infrastructure · OSINT

Technical analysis of two parallel bulletproof hosting models serving Chinese organized crime. Cloud Innovation Ltd (Lu Heng) fraudulently obtained 6.2 million AFRINIC IPv4 addresses and operates through shell ASNs OWGELS (AS139880), LUOGELANG (AS135097/142286), and ASLINE (AS137951). FUNNULL CDN (Liu Lizhi, OFAC-sanctioned May 2025) uses infrastructure laundering via AWS/Azure to hide 200,000+ criminal hostnames. Both models converge on the same Huione Group money laundering infrastructure. 25+ lawsuits filed by Lu Heng against AFRINIC to resist enforcement.

6.2M AFRINIC IPs Contested · $200M+ FUNNULL US Losses · 200K+ FUNNULL Hostnames · 25+ AFRINIC Lawsuits

Recovery Scam Bot Networks

Secondary predation layer targeting crypto victims · Research date: 2026-03-19
Active Threat · Crypto Fraud · Bot Network

Coordinated bot networks that surveil public social media for crypto fraud disclosures and immediately swarm victims with fraudulent “fund recovery” offers. Documented live on a confirmed pos-coin victim’s tweet: 13+ accounts, 7 from a single @CyberTrack0 cluster, operating within minutes. Double-victimization mechanism, psychological exploitation vectors, and full account map documented.

13+ Bot Accounts Identified · 7 in the @CyberTrack0 Cluster · 6 Recovery Services Promoted · <5 min Response Time

Parasite SEO Campaign

Kaiyun Sports / Vigorish Viper · 10+ hijacked Chinese domains · 150,000+ compromised globally · Research date: 2026-03-19
Active Threat · SEO Abuse · OSINT

Chinese business domains hijacked for Kaiyun Sports (开云) / Vigorish Viper gambling SEO. The fafafa.js injection cloaks gambling content from human visitors while feeding SEO authority to zunlong.app for search engine crawlers. Hosted on Cloud Innovation bulletproof infrastructure (same IPs as pos-coin drainer). Part of a 150,000+ website compromise campaign documented by Infoblox in March 2025. Full domain table, injection analysis, and Yabo Group succession chain documented.

10+ Hijacked Domains · 150K+ Global Compromises · 3 Cloud Innovation Shell Companies · 8+ Gambling Brands Served

Government Phishing Campaign

Canadian & West Virginia Government Portal Impersonation · 19 phishing domains · Tencent Cloud · Research date: 2026-03-24
Active Threat · Phishing · OSINT

Credential harvesting campaign impersonating Canada Revenue Agency (CRA) and West Virginia state government portals. 19 phishing domains deployed on Tencent Cloud infrastructure (43.135.128.0/18), the same subnet hosting pos-coin drainer domains. Targets government service credentials, including tax filing, benefits, and licensing portals. Attribution links the campaign to the same Chinese cybercrime operator cluster behind the pos-coin wallet drainer network.

19 Phishing Domains · 2 Governments Targeted · Tencent Shared Infrastructure · High Confidence Attribution