Scam clusters.
Forensically mapped.

Each network groups fraudulent domains tied together through shared infrastructure, build artefacts and operational fingerprints.

16 networks

Nexus Syndicate

Mixed / Other · Active

A diversified fraud network operating sportsbooks, crypto exchanges, and trading platforms across regional domains. Uses consistent build hashes and DOM structural fingerprints to mask ownership of high-volume gambling and investment scams.

2,299 domains, 166 signals

Cipher Vault

Mixed / Other · Active

Network operating mixed cryptocurrency exchanges and wealth advisory scams using shared content fingerprints. Operations leverage duplicated backend infrastructure across multiple branded fronts to process fraudulent trading and investment solicitations.

36 domains, 1 signal

Phantom Desk

Mixed / Other · Active

Network operating mixed cryptocurrency, forex, and mining investment scams across multiple top-level domains. Operations leverage common DOM structural patterns and tracking identifiers to distribute phishing pages and fake trading platforms.

27 domains, 2 signals

Meridian Ring

Mixed / Other · Active

Network operating multi-domain financial and investment tracking scams, primarily targeting retail traders and cryptocurrency investors. Distinguishing feature: extensive use of generic finance terminology on .top, .pro and .info TLDs, paired with plausible regional or institutional naming conventions to establish false credibility.

24 domains, 1 signal

Vortex Capital

Mixed / Other · Active

Network of fraudulent AI-powered trading and investment platforms using localized domains across European regions. Operations share identical DOM structure and content hashing, indicating centralized backend infrastructure masked by regional branding variations.

17 domains, 4 signals

Prism Exchange

Mixed / Other · Active

Network operating fraudulent brokerage and cryptocurrency trading platforms using typosquatting and lookalike domains. Shares common DOM structural fingerprints indicating unified backend infrastructure across multiple brand personas.

15 domains, 1 signal

Velocity Desk

CFD / Forex · Active

Network operating CFD and forex scam sites using cloned trading platforms and loyalty-themed landing pages to solicit deposits from retail traders. Sites share identical DOM structure signatures indicating shared backend infrastructure.

13 domains, 1 signal

ROGUE LEDGER

Cryptocurrency · Active

Network operating fake cryptocurrency exchanges and token swap platforms targeting retail investors. Operations utilize rapidly rotating domains and tracking_id-based user profiling to maintain phishing infrastructure.

12 domains, 1 signal

APEX CORRIDOR

CFD / Forex · Active

Network of spoofed financial institutions (banks, credit unions, insurance entities) offering CFD and forex trading services. Domains use generic financial branding with structural similarity indicating shared hosting and code infrastructure.

12 domains, 1 signal

SHADOW BROKER

Mixed / Other · Active

Network operating mixed fraudulent financial and trading platforms using short-domain parking and spoofed exchange interfaces. Distinguishing operational pattern includes deployment across multiple TLDs (.cc, .vip, .com) with consistent DOM structural fingerprints indicating shared hosting infrastructure or templated phishing framework.

11 domains, 3 signals

STELLAR VAULT

Mixed / Other · Active

Network of phishing and investment fraud sites masquerading as legitimate trading platforms and financial services. Unified through consistent DOM structure signatures indicating shared operational infrastructure.

11 domains, 1 signal

RAZOR CIRCUIT

CFD / Forex · Active

Network of fraudulent CFD and forex brokerages impersonating legitimate trading platforms. Clusters use shared tracking_id and build_hash signatures to coordinate phishing campaigns and fund siphoning operations.

11 domains, 2 signals

NEQD NEXUS

CFD / Forex · Active

CFD and forex scam network operating under the NEQD brand across multiple domain variations. Uses deceptive subdomain structures (inspect, overview, wealth, caution, circle, reviews, scam) to target retail traders.

10 domains, 1 signal

ECLIPSE TRADERS

Mixed / Other · Active

Network of fraudulent forex and cryptocurrency investment platforms offering high-yield returns through spoofed trading interfaces. Operates using shared DOM structure fingerprints across multiple brand fronts to obscure common infrastructure.

10 domains, 1 signal

Forge Collective

Mixed / Other · Active

Network operating mixed investment and trading scams under branded financial personas, linked by consistent DOM structural patterns. Operates across multiple TLDs with rotating brand identities to evade detection.

10 domains, 2 signals

PHANTOM EXCHANGE

Cryptocurrency · Active

Network of fraudulent cryptocurrency trading platforms and exchanges using consistent DOM structural patterns. Operates under spoofed brand names (Benacoin, Bitnare, Nocadex, Ranedex) to solicit deposits and execute exit scams.

10 domains, 2 signals