Investigating a Phishing Scheme Disguised as a Trading Academy: From Reddit to Abuse Reports
A Junior Security Researcher came across a Reddit post about a suspicious 'trading education' scheme, where victims were lured into making small swaps before attempts were made to drain their funds. The investigation's goal: to audit the site begini.ltd, gather evidence of its infrastructure, and initiate takedown procedures. Tools used included Kali Linux (Nmap, FFUF), OSINT, and Revoke.cash.
The scheme is a classic Pig Butchering scam:
- The Bait: Fake job offers or 'free training'.
- The Warm-up: Transferring small amounts to simulate profits.
- The Trap: Displaying a screen requesting an Infinite Approval (ERC-20 Approve), granting scammers unlimited access to the wallet's tokens.
Frontend Analysis: Phishing for Data
In the website's source code, a registration form was discovered:
<form class="register-form" action="send.php" method="POST">
The form sends full name, phone number, and Telegram handle to send.php via POST in plain text. The server responds with a 302 status and an instant redirect, minimizing the victim's time on the page.
In the Network Tab (F12), headers like cf-cache-status and cf-ray indicate the use of Cloudflare. Data is collected without encryption—a classic Data Harvester.
Active Reconnaissance: Nmap and FFUF on Kali Linux
Moving to Kali Linux tools for port scanning and directory fuzzing.
Nmap: Ports and Services
The nmap command revealed:
- Ports 80 (HTTP) and 443 (HTTPS) are open.
- Certificate issued by Cloudflare Inc ECC CA-3 in February 2026.
- Anomalies on ports 8080 and 8443—possible admin panels or proxies.
Banner grabbing showed 'Crypto Trading Academy 2025'—an outdated template in 2026.
FFUF: Directory Fuzzing
The ffuf fuzzer found:
- success.php (200, ~5KB)—a 'terminal' with JS scripts for redirection.
- PHP endpoints, confirming a PHP backend.
- Blocked /admin/ and /config/ directories (403 from Cloudflare).
The infrastructure is a standard PHP phishing kit behind Cloudflare, with non-standard ports and signs of hasty setup.
Filing an Abuse Report and Takedown
A dossier was compiled: screenshots, Network logs, Nmap/FFUF results. A report was submitted to Cloudflare (Report ID: 6d27e144bc7f8061). Incident confirmation was received, and the infrastructure began to be taken down.
Key Takeaways:
- Infinite Approval in ERC-20 is the primary vector for token theft; check permissions via Revoke.cash.
- Cloudflare does not automatically block phishing—Abuse reports are effective.
- Unusual ports (8080/8443) often reveal admin panels in phishing kits.
- FFUF and Nmap are a basic stack for reversing scam infrastructure.
- Outdated templates (years in banners) are a marker of mass campaigns.
Recommendations for Middle/Senior Specialists
When auditing similar schemes:
- Use FFUF with a wordlist like common.txt for directories.
- Use Nmap with -sC -sV for scripts and versions.
- Check Network for plaintext traffic.
- Record cf-ray for tracking in Abuse reports.
The total evidence exceeded 10 MB of screenshots and logs, speeding up the provider's response.
— Editorial Team
No comments yet.