Scam clusters.
Forensically mapped.

Large network of cloned forex/CFD broker sites built from one shared 'Trade Global Markets' marketing template.

550

domains

28

signals

Crypto-casino scam network built on one shared 'blockchain casino / take your free reward' platform.

286

domains

20

signals

Large fake-investment and fake-trading affiliate network of about 204 domains unified by one operator through shared Google Analytics and Google Tag Manager IDs. Shares operator tracking IDs with the Veltrix Markets cluster, marking it as the same operator's broader network; member alphastockinvestment.com carries a UK FCA warning.

205

domains

12

signals

TXEX is a Ponzi-style fake crypto exchange promoted through WhatsApp and Telegram 'mentor', 'coach' and 'crypto adviser' groups that drip daily 'trading signals' and promise ~100% returns. Victims fund an account they can never cash out: withdrawals are blocked behind a so-called 'release fee' that recovers nothing. New Zealand's FMA warned in April 2025 and tied 30 corporate entities and 813 duplicate websites to it — TXEX is the flagship brand of the ~$150M TXEX–DSJ scam-compound network (276 arrests).

159

domains

2

signals

Network posing as a Roblox 'scan / free Robux' service — rebuilt from a former fake 'world-class open source' crypto exchange.

103

domains

8

signals

DSJ Exchange (DSJEX) and its sister brand BG Wealth Sharing ran a $150M+ crypto Ponzi that promised 1.3–2.6% daily returns from fake 'AI trading signals', paying small early withdrawals to build trust. It faked a US SEC licence and, just before collapsing in April 2026, demanded a 12% 'tax' on balances — the classic Ponzi exit scam. It was named by 13 regulators across five continents (Philippines SEC, Australia's ASIC, Utah, Washington DFI, Tonga, Samoa…) and is the core of the TXEX–DSJ network.

63

domains

2

signals

Fake exchanges built on the 'buy crypto, sell & invest — pioneered the concept of seamless trading' template.

55

domains

8

signals

UICEX (operated by CR Group LLC / CRGLOBAL) is a fake crypto exchange built on viral recruitment, simulated trading returns to early users and even meal reimbursements for recruiters — a textbook Ponzi where the 'trading' exists only to build trust before withdrawals are frozen. The NZ FMA warned on 7 July 2025; after exposure the operators rebranded it as 'Signal Raiders'. Part of the TXEX fraud-exchange network.

45

domains

0

signals

Forex/CFD scam sites all built on the commercial 'Cirro – Forex and Finance' website template (its shared asset/js signature across all 4 homepage designs). Using the same off-the-shelf kit ties the network together; combine with scam indicators before flagging.

43

domains

2

signals

GROKR Exchange poses as an automated 'AI trading bot' platform promising 2–3% daily returns, recruiting victims through fake Facebook, Instagram and TikTok ads and profiles. Behind the facade it is a Ponzi (linked to the Wealth Win-Win Fund / W3F) that pays early users with new deposits, then blocks withdrawals and disappears in a sudden exit scam. It is unregistered and has drawn warnings across multiple jurisdictions.

39

domains

0

signals

Multilingual network of fake 'AI-powered trading platforms' posing as official sites (EN/IT/FR/ES/NL/JA). Umbrella for the 'official website' copy beyond the four exact dom variants.

37

domains

2

signals

UZEX (uzex.com) is a fake crypto exchange the NZ FMA blacklisted on 25 April 2025 for operating unlicensed, market manipulation (pump-and-dump and wash trades) and fraud. Users report accounts banned for fabricated 'malicious activity' even after full KYC, and withdrawal requests that are never processed. It is named among the TXEX / League of Whalefall associated exchanges.

33

domains

0

signals

TPBit (tpbitax.com) is a crypto Ponzi pushed through WhatsApp referral groups advertising 'guaranteed', stable profits, where a small initial withdrawal is allowed to build confidence before deposits are frozen and 'fees' are demanded. New Zealand's FMA added it to its blacklist on 1 August 2025 as an unregistered, fraudulent entity, and victims report losses of $30,000+. It is one of the TXEX-linked exchanges.

32

domains

2

signals

OPT Coin (optcoin.com) is a fake crypto-exchange network that fabricates account balances and live 'profits', then blocks every withdrawal behind invented 'fees' and 'taxes'. It recruits through chat groups and influencers using fake testimonials and promises of guaranteed, unusually high returns, with no link to any licensed financial provider. NZ FMA-warned and unregulated; part of the TXEX fraud-exchange network.

32

domains

0

signals

Crypto exchange clones with a 'buy & sell bitcoin, ethereum' headline and a swap / spot / margin / tournament / futures nav.

31

domains

4

signals

Multi-language crypto futures exchange ('Dobibo*' brand family) — futures, perpetuals and 'liquidity mining'; from a regulator fraud-platform list, now mostly defunct or phishing-flagged.

30

domains

0

signals

XUEX (xuex21.com) is a 'pig-butchering' fake crypto exchange that releases small early withdrawals to make victims feel safe, then blocks larger ones behind surprise 'fees' and 'taxes'. It carries an NZ FMA blacklist listing and shares the exact site template as PCEX and LWEX, marking it as part of the same scam network. Victims report missing BTC, ETH and USDT.

28

domains

0

signals

PCEX is a coordinated network of fake crypto exchanges that fabricate trading results and account balances, then block every withdrawal behind 'fees', 'taxes' or demands for further deposits. New Zealand's FMA blacklisted it on 25 April 2025, and it shares the same layout as XUEX and LWEX. The PCEX-branded pages have no affiliation with any licensed provider.

25

domains

0

signals

LWEX (lwex4.com) is a pyramid/Ponzi-style fake crypto exchange promoted across Telegram, WhatsApp, Facebook and Reddit with outsized profit claims, that secures an initial deposit then stalls withdrawals indefinitely. It has been flagged by New Zealand's FMA, France's AMF (June 2025) and Lithuania's central bank (April 2025), which called out its pyramid-scheme traits. It shares the PCEX/XUEX template.

25

domains

1

signals

ZZCOIN was the 'migration' brand of the TXEX / League of Whalefall Ponzi: investors were told to move their balance to ZZCOIN because of a fake 'government investigation', then charged a $400 'verification fee' under threat of losing their account. Its app was distributed outside the official stores (potential malware), and no investor is known to have withdrawn funds after paying. Part of the TXEX network.

24

domains

0

signals

IJEX (ijex.com) is a 'pig-butchering' fake crypto exchange with no regulator, a fake stock-photo 'team', empty company details and a 10/100 trust score. Scammers first build a fake romance or friendship over weeks via social media, dating apps or random texts, then steer the victim onto IJEX — a platform they fully control — where withdrawals are delayed or denied outright.

23

domains

0

signals

HelloBit is a 'click-a-button' crypto Ponzi: victims execute trades on bogus signals fed through the 'TSQ Investment Group' Telegram channel, while the operators domain-hop (hellobit.cc, hellobit8, hellobitese) to dodge takedowns. It was warned by New Zealand's FMA (April 2025) and Spain's CNMV (twice in 2025, as unauthorised to provide investment services). It is one of the TXEX-linked exchanges.

21

domains

0

signals

Network of fake online banks and credit unions (e.g. globalinsurancebank, moderncreditunionplc, secured MCU, liberty-trustunion, biscreditgroup) sharing one banking template. Used in advance-fee / fund-recovery scams: victims are shown a balance 'held' in an account, then pressured to pay fees or 'taxes' to release funds that never arrive.

18

domains

1

signals

CBEX (Crypto Bridge Exchange) was an AI-hyped crypto Ponzi that defrauded 250,000+ mostly Nigerian and Kenyan investors of an estimated $800M. It faked a decade of history and guaranteed 'AI trading' profits while quietly routing deposits out via the TRON network and laundering them cross-chain. It collapsed in April 2025 after Nigeria's SEC warning; the EFCC has since made arrests and issued further warrants.

17

domains

0

signals

HHHE (hhhexp.com) is a multi-language crypto-futures exchange — futures, perpetuals, 'convert' and 'liquidity mining' — from the same regulator-warned, TXEX-style fraud-platform network. Like its siblings it fabricates balances and live profits, then blocks withdrawals behind fees. The sites are now defunct or flagged by browsers as phishing/malware.

17

domains

3

signals

Fake crypto exchanges built on the 'simplifies trading for a seamless, rapid and dependable experience' template.

16

domains

2

signals

Trading scam kit built on the 'revolutionizing your digital trading experience' template.

15

domains

3

signals

Multi-asset broker scam kit pitching regulated-looking trust pages — 'who we are · licenses · security · solvency · affiliate program' — across currencies, commodities, metals, stocks and indices. English-language sibling of the Russian 'Bilusevi' broker template; recruits through an affiliate program and blocks withdrawals once funded.

15

domains

1

signals

BG Wealth Sharing LTD — fake investment group calling itself 'the world's largest hedge fund', the front for the DSJ Exchange crypto platform. A 'click-a-button' app Ponzi that pays early members from new deposits; it ran ~12 months and collapsed in May 2026 after defrauding users of $150M+. Warned by 13 regulators across five continents (Canada, New Zealand, Tonga, Samoa, UK, Philippines, Utah, Washington) before the collapse; the operators rebranded the same machinery as Swift Wave and HQI. Operates many bg* / bgwealth* domains plus its own 'is it a scam?' alert sites. Other business names used: BG Wealth Group Inc., BGRE Capital Corporation, BG Wealth Group Growth Fund LP, BG Wealth Holdings Corporation, BG Wealth GP Inc., BG Wealth Properties Inc., BG Property Holdings Inc. (all found at bgwealthgroup.com) and Blackthorn Investment Group Inc.

13

domains

2

signals

Crypto futures-exchange scam family using the yepbit* naming pattern.

11

domains

2

signals

Crypto scam kit built on a 'USDT storage center — anniversary' high-yield deposit theme.

11

domains

3

signals

68EA (68eaidn.com / 68ea-idn.com) is an advance-fee crypto-exchange scam that advertises high, 'risk-free' returns and aggressive referral incentives, then demands 'fees' or 'taxes' that never unlock a withdrawal. It appears on IOSCO's international I-SCAN alert list, having raised flags with securities regulators in several countries. The domains are now largely dead (parking / 'access denied').

11

domains

0

signals

Riscoin (aka 'League of Seagulls' / League of Seagull Ltd) is a copy-trading crypto Ponzi where fake 'crypto managers' promise unusually high, guaranteed daily returns through Telegram and Bonchat, while operators impersonate New Zealand banks and licensed firms to build trust. The Philippines SEC issued an advisory (12 Feb) and the NZ FMA warned; withdrawals are blocked behind extra 'fees' and 'taxes'.

11

domains

1

signals

Crypto exchange clones built on a 'buy crypto · markets · exchange · finance' template.

10

domains

2

signals

Investment scam brand (neqd*) that also operates its OWN fake review / 'is it a scam?' sites (.wiki 'tier S 4.9', -overview, -caution, -scam.com) to launder its reputation in search — the scam and its self-vouching review network share one operator.

9

domains

1

signals

Crypto scam family built on a '[brand]coin codes — transfer assets quickly and for free' template (*coin naming).

9

domains

2

signals

Italian-language fake AI trading platforms ('piattaforma di trading opera in modo più intelligente').

9

domains

2

signals

Typosquatting network impersonating Hong Kong crypto exchanges (hkee / hkeex / hkitb / ganggujiao naming). Currently anti-bot-blocking scanners (403) — template pending a reachable rescan.

8

domains

2

signals

Network of fake Valorant 'free skins / skin giveaway' sites impersonating pro player TenZ (valoskins, tenzworld, tenzvalor, valodex…). Lures players with non-existent free skins to phish Riot credentials and hijack Valorant accounts. Sites are short-lived and rotate domains (.pro/.top/.com).

8

domains

1

signals

Italian mobile-themed scam kit ('5G 100%').

8

domains

1

signals

Greluna Exchange is an unregulated crypto-exchange scam (trust 1/100, no FCA licence) run as an advance-fee / pig-butchering scheme — fabricated balances and profits, then a 'withdrawal tax' to release funds that never arrive. Like the Neqd and Alithia networks, the SAME operator also runs Greluna's OWN fake review / 'is it a scam?' sites (greluna-scam.review, -caution, -reviews, -overview, -inspect, .wiki) to flood search results and vouch for itself. Reported as part of the NEOD Wealth scam network.

8

domains

2

signals

AI-investment scam brand (alithia*) using the same reputation-laundering kit as Neqd: the scam site plus self-run fake-review sites (.wiki 'tier S', -overview, -scam.com 'together against scams') that vouch for it.

8

domains

0

signals

GoldBS Exchange (GoldBS Group Limited) is a fake crypto-investment platform run as a Ponzi: it lures victims with 5–10% 'guaranteed' returns, pays the first ones from new deposits to build trust, then blocks withdrawals once funded. Unregistered and unauthorised — the British Columbia Securities Commission added GoldBS Group Limited to its Investment Caution List (March 2026) and it appears on IOSCO's international investor-warning network; investors (notably in Pakistan) report failed withdrawals. The operator keeps spinning up new goldbs* domains as old ones get flagged or go offline.

8

domains

0

signals

Crypto exchange clones with *dex / *bit naming (benadex, celibit, lopebit, niledex…).

8

domains

1

signals

Cluster of cryptocurrency and auto-trading scam sites unified by a shared Google Tag Manager ID (GTM-5795BG4G), indicating one operator. Includes typosquats of legitimate brands and copycat auto-trading platforms that harvest deposits with promises of automated high returns.

8

domains

3

signals

Fake crypto-exchange scam using the u6ex* naming family (u6ex.com/.net/.pro/.one/.today/.vip). An unregulated 'exchange' that fabricates account balances and profits, then blocks withdrawals behind advance-fee / 'tax' demands — flagged 1/100 trust by scanners and documented as a withdrawal-blocking crypto scam. Rotates TLDs as domains get flagged.

8

domains

1

signals

PU Prime (Pacific Union, Seychelles) — offshore forex/CFD broker network carrying multiple regulator warnings (UK FCA, Philippines SEC cease-and-desist, Danish FSA, IOSCO I-SCAN) despite an Australian ASIC entity. Operates puprime* domains plus the sister brand gxgfx (shared GTM container); blocked-withdrawal complaints.

7

domains

0

signals

Trading scam kit with a 20-language switcher and a 'home · quiz · faqs' nav.

7

domains

3

signals

Fake exchanges impersonating the real TradeOgre ('the original trusted crypto exchange' tagline).

7

domains

0

signals

Network of fake forex/CFD broker sites built on one shared 'Login to Webtrader — Welcome to the webtrader · your simple way to trade and learn' login template, fronted by invented brand names (ORBISOLYX, Pendoxa, Genesis Arbit, Grumblinion-Radiex, Possares-Renoyx, Quantiumax). Several are flagged as phishing; a classic fake-webtrader scam where a fabricated balance is shown but deposits can never be withdrawn.

7

domains

3

signals

Clones built on the 'global cryptocurrency exchange making crypto trading easier' template.

7

domains

2

signals

Russian-language broker scam kit ('о компании · лицензии · рынки').

7

domains

1

signals

Crypto exchanges (coin* naming) fronted by a live BTC/USDT price ticker.

7

domains

2

signals

Crypto-exchange scam kit fronted by a live multi-pair price ticker (BTC/ETH/LTC alongside football fan tokens like PSG, Juventus, Atletico Madrid and Chiliz). Uses short random-code .it/.top domains and hides behind Cloudflare, which flags them as phishing.

7

domains

3

signals

Cluster of forex and CFD trading scam sites linked by a shared Google Analytics 4 ID (G-P6QBGXDK3N), pointing to one operator. The sites pose as regulated brokers and hedge-style investment platforms to solicit deposits with promises of guaranteed returns.

7

domains

1

signals

Sisvida Exchange is a fake crypto-exchange scam posing as a 'leading global platform established 2019' (cold/hot-wallet separation, multi-signature, AI monitoring marketing). It shows fabricated balances and profits, then blocks withdrawals behind escalating fees and 'compliance' demands. Like the Greluna, Neqd and Alithia networks, the SAME operator also runs Sisvida's own fake review / 'is it a scam?' sites (sisvida-scam.com, -caution, -overview, -reviews, .wiki) to dominate search results and vouch for itself. Not yet on the FCA/DFPI/CFTC lists but carries the universal exchange-scam withdrawal-obstruction signature.

7

domains

1

signals

Crypto-exchange clone family using *bit / *crypt naming (bretebit, gardanbit, grantabit, malenbit, metbitex, portecrypt) built on one shared 'The most secure trading platform in the world' template with a fake mobile-app portfolio mockup and a staking / swap / P2P / buy-crypto nav. Markets competitive fees, then shows fabricated balances and blocks withdrawals.

6

domains

2

signals

Crypto exchanges built on a 'markets · swap quick conversion · zero trading fees' template.

6

domains

1

signals

Crypto scam kit using a 'scan the QR code to open' wallet gateway.

6

domains

2

signals

Gamified trading scam ('invite · spot · swap · option game').

6

domains

1

signals

Tofro Exchange is an unlicensed crypto-exchange/broker scam: victims report deposits they can never withdraw (ignored withdrawal requests, failed recovery) and a 1/100 trust score. It is blacklisted by the Bank of Lithuania (not authorised) and warned by the Netherlands' AFM (March 2025) as a likely boiler-room operation; it holds no top-tier licence (FCA, etc.). The operator keeps spinning up tofro* domains (.com/.me/.pro/.global/-usa) as older ones get flagged.

6

domains

0

signals

Multi-country (Spain / France / Italy) AI-trading scam network using 'AI' and 'invest' branding plus Elon-Musk celebrity-bait sites (e.g. elonmuskaitrading.com). It hypes automated AI profits, then blocks withdrawals; the sites hide behind Cloudflare's WAF.

6

domains

2

signals

Russian forex scam kit built on a '1 month, no commission' offer (.pro domains).

5

domains

2

signals

Crypto exchange clones built on a '[brand] exchange — secure crypto trading platform' template (*dex/*bit naming).

5

domains

1

signals

Fake 'AI-powered trading platform – official website' sites (EN/IT/FR/NL/JA dom variant #3 of the Cognivault family).

5

domains

1

signals

EU-focused scam kit built on a 'manage, analyze and optimize your crypto assets' template.

5

domains

0

signals

VSTSA is a 'click-a-button' app Ponzi: promoters feed bogus 'trading signals' into an app where clicking a button does nothing — it simply recycles new USDT deposits to pay earlier investors. No real product or service, only promoter membership. Same click-a-button family as Grokr, Orbis Exchange and MTS Foundation; the site's source code is in Chinese and a sister domain (99w.one) defaults to Vietnamese (China/Vietnam ties). Uses vstsa* domains.

5

domains

1

signals

Cluster of crypto earn and trading-signals scam sites tied together by a shared Google Analytics 4 ID (G-CNXTZD7B5S) and Google Tag Manager ID (GTM-M6CM29), indicating one operator. The sites lure victims with fake passive-income, signals, and high-yield crypto products.

5

domains

3

signals

Fake mining dapps prompting 'connect wallet' — wallet-drainer pattern.

5

domains

1

signals

Dutch/Belgian broker scam kit (shared 'contactgegevens · copyrights © alle rechten' footer).

5

domains

2

signals

Fake 'AI trading platform | official website' sites (EN/IT/NL/DE dom variant #2 of the Cognivault family).

5

domains

1

signals

Fake 'AI-powered trading platform | official website' sites (IT/EN/FR dom variant #1 of the Cognivault family).

5

domains

1

signals