Executive Summary
This report documents 15 domains identified as part of active phishing operations. They exhibit characteristics consistent with malicious infrastructure and pose an immediate risk to internet users.
The following 15 domains have been analyzed and confirmed as participating in phishing campaigns:
yupoo.biz
ff-excharge.cyou
io-kly.com
legderhealth.com
ff-excharge.icu
kraken-exchange.com
phnto.com
nodego.network
yupooshoes.org
yupooclothing.com
insurebitbox.com
trezordevices.io
trezordevicesupport.com
helpwithledgerdevice.com
scanledgerapi.com
Threat Analysis
Phishing Attack Details
These domains are part of a phishing campaign targeting cryptocurrency companies and their customers (holders and investors).
Attackers may use fake login pages, fake Web3 wallet-connection prompts, fake exchange/swap interfaces, or modified/malicious software to steal seed phrases and private keys.
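A domain-to-brand triage pass, added here as an example and not part of the report or of the tooling that generates it: it takes the report's 15 domains as sample input and flags the ones whose registrable label contains a brand keyword, or sits one edit away from it, counting an adjacent-letter swap as one edit (legder against ledger). The brand list comes from the targeted-brand section below; the single-label public-suffix shortcut and the matching rules are this example's own assumptions.

```python
"""Brand-impersonation triage for candidate domains.

Added example, not code from the report or from the tooling that produced it.
BRANDS is taken from the report's targeted-brand list; the public-suffix
shortcut and the matching rules are this example's own assumptions.
"""
import re

# Brand keyword -> legitimate domain, from "Detections & Targeted Brands".
# FixedFloat (ff.io) is left out: a two-letter keyword cannot be matched safely.
BRANDS = {
    "ledger": "ledger.com",
    "trezor": "trezor.io",
    "kraken": "kraken.com",
    "phantom": "phantom.com",
    "yupoo": "yupoo.com",
    "bitbox": "bitbox.swiss",
    "nodego": "nodegoai.com",
}

# The 15 domains listed in the report, used here as sample input.
REPORT_DOMAINS = [
    "yupoo.biz", "ff-excharge.cyou", "io-kly.com", "legderhealth.com",
    "ff-excharge.icu", "kraken-exchange.com", "phnto.com", "nodego.network",
    "yupooshoes.org", "yupooclothing.com", "insurebitbox.com", "trezordevices.io",
    "trezordevicesupport.com", "helpwithledgerdevice.com", "scanledgerapi.com",
]


def registrable_label(domain):
    """'legderhealth.com' -> 'legderhealth'. Assumes a single-label public
    suffix; a production tool would consult the Public Suffix List."""
    labels = domain.lower().strip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def osa_distance(a, b):
    """Damerau-Levenshtein (optimal string alignment): an adjacent swap costs 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]


def match_brand(domain):
    """Return (brand, reason) when the domain looks like an impersonation, else None."""
    domain = domain.lower().strip(".")
    for legit in BRANDS.values():
        if domain == legit or domain.endswith("." + legit):
            return None  # the brand's own domain, or a subdomain of it
    label = registrable_label(domain)
    tokens = [t for t in re.split(r"[-_]", label) if t]
    for brand in BRANDS:
        if brand in label:
            return brand, f"label contains '{brand}'"
        w = len(brand)
        # One substitution or adjacent swap inside a brand-length window: legder ~ ledger
        for k in range(len(label) - w + 1):
            chunk = label[k:k + w]
            if osa_distance(chunk, brand) == 1:
                return brand, f"'{chunk}' is one edit from '{brand}'"
        # One insertion or deletion in a hyphen-separated token: krakenn ~ kraken
        for tok in tokens:
            if abs(len(tok) - w) == 1 and osa_distance(tok, brand) == 1:
                return brand, f"'{tok}' is one edit from '{brand}'"
    return None


def triage(domains):
    """Map each domain to its suspected brand, or None when no rule fires."""
    result = {}
    for d in domains:
        m = match_brand(d)
        result[d] = m[0] if m else None
    return result


if __name__ == "__main__":
    for dom, brand in triage(REPORT_DOMAINS).items():
        print(f"{dom:28} -> {brand or 'no rule fired'}")
```

Eleven of the fifteen domains trip a rule. The other four (ff-excharge.cyou, ff-excharge.icu, io-kly.com, phnto.com) carry no usable string signal: the brand keyword is two letters or the label is an abbreviation. Lexical rules are a triage signal, not a verdict, in both directions: a one-edit window also flags unrelated words such as "lodger", and the misses are exactly the domains for which the reputation lookups in the next section do the work.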
Technical Details
- No sophisticated cloaking detected.
Detections & Targeted Brands
yupoo.biz targets Yupoo (yupoo.com)
- VirusTotal: 0 detections - https://www.virustotal.com/gui/domain/yupoo.biz/detection
- Listed on APVA - https://api.antiphish.org/v1/lookup?host=yupoo.biz
ff-excharge.cyou targets FixedFloat (ff.io)
- VirusTotal: 4 detections - https://www.virustotal.com/gui/domain/ff-excharge.cyou/detection
- Listed on Spamhaus - https://check.spamhaus.org/results/?query=ff-excharge.cyou
- Listed on APVA - https://api.antiphish.org/v1/lookup?host=ff-excharge.cyou
io-kly.com targets Unknown
- VirusTotal: 1 detection - https://www.virustotal.com/gui/domain/io-kly.com/detection
- Listed on APVA - https://api.antiphish.org/v1/lookup?host=io-kly.com
legderhealth.com targets Ledger (ledger.com)
- VirusTotal: 3 detections - https://www.virustotal.com/gui/domain/legderhealth.com/detection
- Listed on APVA - https://api.antiphish.org/v1/lookup?host=legderhealth.com
ff-excharge.icu targets FixedFloat (ff.io)
- VirusTotal: 4 detections - https://www.virustotal.com/gui/domain/ff-excharge.icu/detection
- Listed on Spamhaus - https://check.spamhaus.org/results/?query=ff-excharge.icu
- Listed on APVA - https://api.antiphish.org/v1/lookup?host=ff-excharge.icu
kraken-exchange.com targets Kraken (kraken.com)
- VirusTotal: 14 detections - https://www.virustotal.com/gui/domain/kraken-exchange.com/detection
- Listed on Spamhaus - https://check.spamhaus.org/results/?query=kraken-exchange.com
- Listed on APVA - https://api.antiphish.org/v1/lookup?host=kraken-exchange.com
phnto.com targets Phantom Wallet (phantom.com)
- VirusTotal: 1 detection - https://www.virustotal.com/gui/domain/phnto.com/detection
- Listed on Spamhaus - https://check.spamhaus.org/results/?query=phnto.com
- Listed on APVA - https://api.antiphish.org/v1/lookup?host=phnto.com
nodego.network targets NodeGoAI (nodegoai.com)
- VirusTotal: 0 detections - https://www.virustotal.com/gui/domain/nodego.network/detection
- Listed on APVA - https://api.antiphish.org/v1/lookup?host=nodego.network
yupooshoes.org targets Yupoo (yupoo.com)
- VirusTotal: 6 detections - https://www.virustotal.com/gui/domain/yupooshoes.org/detection
- Listed on APVA - https://api.antiphish.org/v1/lookup?host=yupooshoes.org
yupooclothing.com targets Yupoo (yupoo.com)
- VirusTotal: 0 detections - https://www.virustotal.com/gui/domain/yupooclothing.com/detection
- Listed on Spamhaus - https://check.spamhaus.org/results/?query=yupooclothing.com
- Listed on APVA - https://api.antiphish.org/v1/lookup?host=yupooclothing.com
insurebitbox.com targets BitBox (bitbox.swiss)
- VirusTotal: 1 detection - https://www.virustotal.com/gui/domain/insurebitbox.com/detection
- Listed on Spamhaus - https://check.spamhaus.org/results/?query=insurebitbox.com
- Listed on APVA - https://api.antiphish.org/v1/lookup?host=insurebitbox.com
trezordevices.io targets Trezor Wallet (trezor.io)
- VirusTotal: 15 detections - https://www.virustotal.com/gui/domain/trezordevices.io/detection
- Listed on Spamhaus - https://check.spamhaus.org/results/?query=trezordevices.io
- Listed on APVA - https://api.antiphish.org/v1/lookup?host=trezordevices.io
trezordevicesupport.com targets Trezor Wallet (trezor.io)
- VirusTotal: 18 detections - https://www.virustotal.com/gui/domain/trezordevicesupport.com/detection
- Listed on Spamhaus - https://check.spamhaus.org/results/?query=trezordevicesupport.com
helpwithledgerdevice.com targets Ledger (ledger.com)
- VirusTotal: 16 detections - https://www.virustotal.com/gui/domain/helpwithledgerdevice.com/detection
- Listed on Spamhaus - https://check.spamhaus.org/results/?query=helpwithledgerdevice.com
- Listed on APVA - https://api.antiphish.org/v1/lookup?host=helpwithledgerdevice.com
scanledgerapi.com targets Ledger (ledger.com)
- VirusTotal: 10 detections - https://www.virustotal.com/gui/domain/scanledgerapi.com/detection
- Listed on Spamhaus - https://check.spamhaus.org/results/?query=scanledgerapi.com
- Listed on APVA - https://api.antiphish.org/v1/lookup?host=scanledgerapi.com
Diagrams
Phishing Campaign Mindmap Overview
```mermaid
%%{init: {'theme': 'base', 'themeVariables': {'primaryColor': '#f97316', 'primaryTextColor': '#ffffff', 'primaryBorderColor': '#ea580c', 'lineColor': '#fb923c', 'secondaryColor': '#fed7aa', 'tertiaryColor': '#fff7ed'}}}%%
mindmap
  root((Phishing Campaign<br/>15 domains))
    ))TARGETS((
      ["Yupoo"]
        (yupoo.biz)
        (yupooshoes.org)
        (yupooclothing.com)
      ["Ledger"]
        (legderhealth.com)
        (helpwithledgerdevice.com)
        (scanledgerapi.com)
      ["FixedFloat"]
        (ff-excharge.cyou)
        (ff-excharge.icu)
      ["Trezor Wallet"]
        (trezordevices.io)
        (trezordevicesupport.com)
      ["Kraken"]
        (kraken-exchange.com)
      ["Phantom Wallet"]
        (phnto.com)
      ["NodeGoAI"]
        (nodego.network)
      ["BitBox (bitbox.swiss)"]
        (insurebitbox.com)
    ))INFRASTRUCTURE((
      {{AS24429 Zhejiang Taobao Network Co.}}
        47.246.48.183
        47.246.48.184
        47.246.48.179
        47.246.48.181
        47.246.48.180
        47.246.48.178
        47.246.48.185
        47.246.48.182
      {{AS13335 Cloudflare}}
        172.67.148.186
        104.21.29.95
        188.114.96.3
        188.114.97.3
      {{AS45102 Alibaba (US) Technology Co.}}
        8.210.183.25
        116.203.12.30
      {{AS214351 FEMO IT SOLUTIONS LIMITED}}
        62.60.226.213
      {{AS214943 Railnet}}
        158.94.210.251
      {{AS396982 Google}}
        34.111.179.208
    ))REGISTRARS((
      ("NICENIC INTERNATIONAL GROUP CO., LIMITED")
      ("Web Commerce Communications Ltd")
      ("OwnRegistrar, Inc.")
      ("Dynadot Inc")
      ("PDR Ltd. d/b/a PublicDomainRegistry.com")
      ("MAT BAO CORPORATION")
      ("GoDaddy.com, LLC")
      ("Name.com, Inc.")
```
Phishing Campaign Full Overview (v1)
```mermaid
%%{init: {'theme': 'base', 'themeVariables': {'primaryColor': '#6366f1', 'primaryTextColor': '#ffffff', 'primaryBorderColor': '#4f46e5', 'lineColor': '#a5b4fc', 'secondaryColor': '#e0e7ff', 'tertiaryColor': '#eef2ff'}}}%%
flowchart LR
    subgraph BRANDS["TARGET BRANDS"]
        direction TB
        B1["Yupoo"]
        B2["Ledger"]
        B3["FixedFloat"]
        B4["Trezor Wallet"]
        B5["Kraken"]
        B6["Phantom Wallet"]
        B7["NodeGoAI"]
        B8["BitBox (bitbox.swiss)"]
    end
    subgraph DOMAINS["PHISHING DOMAINS"]
        direction TB
        D1([yupoo.biz])
        D2([ff-excharge.cyou])
        D3([io-kly.com])
        D4([legderhealth.com])
        D5([ff-excharge.icu])
        D6([kraken-exchange.com])
        D7([phnto.com])
        D8([nodego.network])
        D9([yupooshoes.org])
        D10([yupooclothing.com])
        D11([insurebitbox.com])
        D12([trezordevices.io])
        D13([trezordevicesupport.com])
        D14([helpwithledgerdevice.com])
        D15([scanledgerapi.com])
    end
    subgraph SPACER1[" "]
        direction TB
        S1[ ]
        S2[ ]
    end
    subgraph HOSTING["HOSTING INFRASTRUCTURE"]
        direction TB
        subgraph CF["AS24429 Zhejiang Taobao Network Co."]
            IP1{{47.246.48.183}}
            IP2{{47.246.48.184}}
            IP3{{47.246.48.179}}
            IP4{{47.246.48.181}}
            IP5{{47.246.48.180}}
            IP6{{47.246.48.178}}
            IP7{{47.246.48.185}}
            IP8{{47.246.48.182}}
        end
        subgraph NC["AS13335 Cloudflare"]
            IP9{{172.67.148.186}}
            IP10{{104.21.29.95}}
            IP11{{188.114.96.3}}
            IP12{{188.114.97.3}}
        end
        subgraph LN["AS45102 Alibaba (US) Technology Co."]
            IP13{{8.210.183.25}}
            IP14{{116.203.12.30}}
        end
        subgraph HO["AS214351 FEMO IT SOLUTIONS LIMITED"]
            IP15{{62.60.226.213}}
        end
        subgraph MR["AS214943 Railnet"]
            IP16{{158.94.210.251}}
        end
        subgraph GC["AS396982 Google"]
            IP17{{34.111.179.208}}
        end
    end
    subgraph SPACER2[" "]
        direction TB
        S3[ ]
        S4[ ]
    end
    subgraph REGISTRARS["REGISTRARS"]
        direction TB
        R1[("NICENIC INTERNATIONAL GROUP CO., LIMITED")]
        R2[("Web Commerce Communications Ltd")]
        R3[("OwnRegistrar, Inc.")]
        R4[("Dynadot Inc")]
        R5[("PDR Ltd. d/b/a PublicDomainRegistry.com")]
        R6[("MAT BAO CORPORATION")]
        R7[("GoDaddy.com, LLC")]
        R8[("Name.com, Inc.")]
    end
    B1 -.-> D1
    B3 -.-> D2
    B2 -.-> D4
    B3 -.-> D5
    B5 -.-> D6
    B6 -.-> D7
    B7 -.-> D8
    B1 -.-> D9
    B1 -.-> D10
    B8 -.-> D11
    B4 -.-> D12
    B4 -.-> D13
    B2 -.-> D14
    B2 -.-> D15
    D1 --> S1
    S1 --> IP1
    D2 --> S2
    S2 --> IP2
    D1 --> IP13
    D2 --> IP15
    D3 --> IP16
    D4 --> IP16
    D5 --> IP15
    D6 --> IP17
    D7 --> IP9
    D7 --> IP10
    D8 --> IP11
    D8 --> IP12
    D9 --> IP1
    D9 --> IP2
    D9 --> IP3
    D9 --> IP4
    D9 --> IP5
    D9 --> IP6
    D9 --> IP7
    D9 --> IP8
    D10 --> IP13
    D10 --> IP14
    D11 --> IP16
    D12 --> IP16
    D13 --> IP16
    D14 --> IP16
    D15 --> IP16
    IP1 --> S3
    S3 --> R1
    IP17 --> S4
    S4 --> R1
    D1 --- R4
    D2 --- R2
    D3 --- R3
    D4 --- R3
    D5 --- R2
    D6 --- R8
    D7 --- R6
    D8 --- R5
    D9 --- R4
    D10 --- R7
    D11 --- R1
    D12 --- R1
    D13 --- R1
    D14 --- R1
    D15 --- R1
    classDef brandStyle fill:#dc2626,stroke:#991b1b,stroke-width:2px,color:#fff
    classDef domainStyle fill:#7c3aed,stroke:#5b21b6,stroke-width:2px,color:#fff
    classDef ipStyle fill:#0891b2,stroke:#0e7490,stroke-width:2px,color:#fff
    classDef registrarStyle fill:#d97706,stroke:#b45309,stroke-width:2px,color:#fff
    classDef invisible fill:none,stroke:none,color:transparent
    classDef invisibleSubgraph fill:none,stroke:none
    class B1,B2,B3,B4,B5,B6,B7,B8 brandStyle
    class D1,D2,D3,D4,D5,D6,D7,D8,D9,D10,D11,D12,D13,D14,D15 domainStyle
    class IP1,IP2,IP3,IP4,IP5,IP6,IP7,IP8,IP9,IP10,IP11,IP12,IP13,IP14,IP15,IP16,IP17 ipStyle
    class R1,R2,R3,R4,R5,R6,R7,R8 registrarStyle
    class S1,S2,S3,S4 invisible
    class SPACER1,SPACER2 invisibleSubgraph
    linkStyle 14,15,16,17,43,44,45,46 stroke:none
```
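The flowchart above encodes every domain-to-IP and domain-to-registrar relationship in this report, so it doubles as machine-readable IOC data. The script below is an added example, not code from the report or from the tooling that generates these issues: it parses that Mermaid syntax into a table, inverts it to find hosts shared by several domains (in the full diagram, 158.94.210.251 carries seven of the fifteen), and emits a DNS Response Policy Zone that blocks each domain and its subdomains. MERMAID is a hand-copied excerpt of the diagram used as constructed sample input; the zone origin and SOA values are placeholders.

```python
"""Pivot tables from the report's Mermaid "Full Overview" flowchart.

Added example; not code from the report or from the tooling that generates
these issues. MERMAID is a hand-copied excerpt of the diagram (constructed
sample input). The regexes cover exactly the node shapes that diagram uses,
so the parser runs unchanged over the full diagram text.
"""
import re
from collections import defaultdict

MERMAID = """
    D3([io-kly.com])
    D4([legderhealth.com])
    D6([kraken-exchange.com])
    D11([insurebitbox.com])
    D12([trezordevices.io])
    IP16{{158.94.210.251}}
    IP17{{34.111.179.208}}
    R1[("NICENIC INTERNATIONAL GROUP CO., LIMITED")]
    R3[("OwnRegistrar, Inc.")]
    R8[("Name.com, Inc.")]
    B2 -.-> D4
    D3 --> IP16
    D4 --> IP16
    D6 --> IP17
    D11 --> IP16
    D12 --> IP16
    D3 --- R3
    D4 --- R3
    D6 --- R8
    D11 --- R1
    D12 --- R1
"""

# Node shapes the report uses: D1([domain]), IP1{{address}}, R1[("registrar")].
NODE_RE = re.compile(
    r'^(?P<id>D\d+|IP\d+|R\d+)'
    r'(?:\(\[(?P<dom>[^\]]+)\]\)|\{\{(?P<ip>[^}]+)\}\}|\[\("(?P<reg>[^"]+)"\)\])$'
)
# Solid edges only: --> is domain-to-hosting-IP, --- is domain-to-registrar.
# Dashed brand edges (-.->) never match; spacer edges match but point at nodes
# (S1..S4) that were never parsed, so they are dropped during resolution.
EDGE_RE = re.compile(r'^(\w+)\s*(-->|---)\s*(\w+)$')


def parse(mermaid):
    """Return {domain: {"ips": set of str, "registrar": str or None}}."""
    nodes, edges = {}, []
    for raw in mermaid.splitlines():
        line = raw.strip()
        m = NODE_RE.match(line)
        if m:
            kind = "domain" if m.group("dom") else "ip" if m.group("ip") else "registrar"
            nodes[m.group("id")] = (kind, m.group("dom") or m.group("ip") or m.group("reg"))
            continue
        e = EDGE_RE.match(line)
        if e:
            edges.append(e.groups())
    table = {}
    for src, arrow, dst in edges:
        if nodes.get(src, ("",))[0] != "domain" or dst not in nodes:
            continue
        rec = table.setdefault(nodes[src][1], {"ips": set(), "registrar": None})
        kind, value = nodes[dst]
        if arrow == "-->" and kind == "ip":
            rec["ips"].add(value)
        elif arrow == "---" and kind == "registrar":
            rec["registrar"] = value
    return table


def by_ip(table):
    """Invert to {ip: [domains]}; an address serving several domains is a hunting pivot."""
    inv = defaultdict(set)
    for dom, rec in table.items():
        for ip in rec["ips"]:
            inv[ip].add(dom)
    return {ip: sorted(doms) for ip, doms in inv.items()}


def by_registrar(table):
    """Invert to {registrar: [domains]} for abuse reporting in one batch per registrar."""
    inv = defaultdict(set)
    for dom, rec in table.items():
        if rec["registrar"]:
            inv[rec["registrar"]].add(dom)
    return {reg: sorted(doms) for reg, doms in inv.items()}


def rpz_zone(table, origin="phish.rpz.local."):
    """RPZ zone text: 'CNAME .' makes each domain and its subdomains NXDOMAIN."""
    out = [f"$ORIGIN {origin}",
           "@ 3600 IN SOA localhost. root.localhost. 1 3600 900 604800 300",
           "@ 3600 IN NS localhost."]
    for dom in sorted(table):
        out.append(f"{dom} CNAME .")
        out.append(f"*.{dom} CNAME .")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    t = parse(MERMAID)
    for ip, doms in by_ip(t).items():
        print(f"{ip}: {', '.join(doms)}")
    print(rpz_zone(t))
```

Feeding the whole flowchart in instead of the excerpt gives the same Railnet cluster the pie chart below counts as 7, plus the eight Taobao addresses that all belong to yupooshoes.org alone; the shared-host view is what separates a rotating-IP single site from genuinely co-hosted infrastructure.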
Phishing Campaign Registrars Pie Chart
```mermaid
%%{init: {'theme': 'base', 'themeVariables': {'primaryColor': '#6366f1', 'pieStrokeColor': '#1e1b4b', 'pieStrokeWidth': '2px', 'pieSectionTextColor': '#ffffff', 'pieLegendTextColor': '#1e1b4b', 'pieOuterStrokeColor': '#312e81'}}}%%
pie showData
    title Domain Registrars Distribution
    "NICENIC INTERNATIONAL GROUP CO., LIMITED" : 5
    "Web Commerce Communications Ltd" : 2
    "OwnRegistrar, Inc." : 2
    "Dynadot Inc" : 2
    "PDR Ltd. d/b/a PublicDomainRegistry.com" : 1
    "MAT BAO CORPORATION" : 1
    "GoDaddy.com, LLC" : 1
    "Name.com, Inc." : 1
```
Phishing Campaign ASN Hosting Pie Chart
```mermaid
%%{init: {'theme': 'base', 'themeVariables': {'primaryColor': '#6366f1', 'pieStrokeColor': '#1e1b4b', 'pieStrokeWidth': '2px', 'pieSectionTextColor': '#ffffff', 'pieLegendTextColor': '#1e1b4b', 'pieOuterStrokeColor': '#312e81'}}}%%
pie showData
    title ASN Hosting Distribution
    "AS214943 Railnet" : 7
    "AS45102 Alibaba (US) Technology Co." : 2
    "AS214351 FEMO IT SOLUTIONS LIMITED" : 2
    "AS13335 Cloudflare" : 2
    "AS396982 Google" : 1
    "AS24429 Zhejiang Taobao Network Co." : 1
```
Screenshots
(Screenshots for some scans may not display, or may be incomplete or incorrect, for various reasons; the specific scan page shows why.)
Scans
- yupoo.biz - https://urlscan.io/result/019b0034-bad1-7153-8b2d-360c63d52ebd/
- ff-excharge.cyou - https://urlscan.io/result/019b0034-c54f-702b-8286-8250b1a25449/
- io-kly.com - https://urlscan.io/result/019b0035-ba97-75ed-a79b-b9ae6779b3b8/
- legderhealth.com - https://urlscan.io/result/019b0035-c963-713e-8833-61a68717bb91/
- ff-excharge.icu - https://urlscan.io/result/019b0036-c4b7-72e5-83e9-f566413271e8/
- kraken-exchange.com - https://urlscan.io/result/019b0036-ca03-7574-a01e-03f1f7d5a419/
- phnto.com - https://urlscan.io/result/019b0037-ba19-706b-b772-e6099d39bad9/
- nodego.network - https://urlscan.io/result/019b0037-bd73-7028-8de7-44a25cc94000/
- yupooshoes.org - https://urlscan.io/result/019b0034-b4c6-72ce-b221-fc751fa0ffc2/
- yupooclothing.com - https://urlscan.io/result/019b0034-c00b-755f-aa60-f0c8592c3c40/
- insurebitbox.com - https://urlscan.io/result/019b0034-cae6-75ed-bbb3-873bcb8ae8c5/
- trezordevices.io - https://urlscan.io/result/019b0035-bfd3-7299-82b7-5ac34c339b87/
- trezordevicesupport.com - https://urlscan.io/result/019b0035-c52b-729c-b59c-7e4d215a3090/
- helpwithledgerdevice.com - https://urlscan.io/result/019b0036-ba15-700f-baf0-24c51d9a3a30/
- scanledgerapi.com - https://urlscan.io/result/019b0036-bf6a-763c-93bf-faeef948411a/
Report Metadata
ID: f40b4884e425f23f0c5 | Timestamp: 08.12.2025 23:34:30 UTC | Domains: 15 | (Total) Detections: VT: 93 | Spamhaus: 10 | APVA: 14 | Attack Vector: Phishing