Back to Home

Phishing investigation begini.ltd with Nmap FFUF

Security researcher dissected phishing scheme begini.ltd: from Pig Butchering with Infinite Approval to Nmap/FFUF scanning. Discovered PHP endpoints, non-standard ports and Cloudflare. Abuse-report led to infrastructure blocking.

Phishing exposure: from Reddit to Cloudflare blocking
Advertisement 728x90

Investigating a Phishing Scheme Disguised as a Trading Academy: From Reddit to Abuse Reports

A Junior Security Researcher came across a Reddit post about a suspicious 'trading education' scheme, where victims were lured into making small swaps before attempts were made to drain their funds. The investigation's goal: to audit the site begini.ltd, gather evidence of its infrastructure, and initiate takedown procedures. Tools used included Kali Linux (Nmap, FFUF), OSINT, and Revoke.cash.

The scheme is a classic Pig Butchering scam:

  • The Bait: Fake job offers or 'free training'.
  • The Warm-up: Transferring small amounts to simulate profits.
  • The Trap: Displaying a screen requesting an Infinite Approval (ERC-20 Approve), granting scammers unlimited access to the wallet's tokens.

Frontend Analysis: Phishing for Data

In the website's source code, a registration form was discovered:

Google AdInline article slot
<form class="register-form" action="send.php" method="POST">

The form sends full name, phone number, and Telegram handle to send.php via POST in plain text. The server responds with a 302 status and an instant redirect, minimizing the victim's time on the page.

In the Network Tab (F12), headers like cf-cache-status and cf-ray indicate the use of Cloudflare. Data is collected without encryption—a classic Data Harvester.

Active Reconnaissance: Nmap and FFUF on Kali Linux

Moving to Kali Linux tools for port scanning and directory fuzzing.

Google AdInline article slot

Nmap: Ports and Services

The nmap command revealed:

  • Ports 80 (HTTP) and 443 (HTTPS) are open.
  • Certificate issued by Cloudflare Inc ECC CA-3 in February 2026.
  • Anomalies on ports 8080 and 8443—possible admin panels or proxies.

Banner grabbing showed 'Crypto Trading Academy 2025'—an outdated template in 2026.

FFUF: Directory Fuzzing

The ffuf fuzzer found:

Google AdInline article slot
  • success.php (200, ~5KB)—a 'terminal' with JS scripts for redirection.
  • PHP endpoints, confirming a PHP backend.
  • Blocked /admin/ and /config/ directories (403 from Cloudflare).

The infrastructure is a standard PHP phishing kit behind Cloudflare, with non-standard ports and signs of hasty setup.

Filing an Abuse Report and Takedown

A dossier was compiled: screenshots, Network logs, Nmap/FFUF results. A report was submitted to Cloudflare (Report ID: 6d27e144bc7f8061). Incident confirmation was received, and the infrastructure began to be taken down.

Key Takeaways:

  • Infinite Approval in ERC-20 is the primary vector for token theft; check permissions via Revoke.cash.
  • Cloudflare does not automatically block phishing—Abuse reports are effective.
  • Unusual ports (8080/8443) often reveal admin panels in phishing kits.
  • FFUF and Nmap are a basic stack for reversing scam infrastructure.
  • Outdated templates (years in banners) are a marker of mass campaigns.

Recommendations for Middle/Senior Specialists

When auditing similar schemes:

  • Use FFUF with a wordlist like common.txt for directories.
  • Use Nmap with -sC -sV for scripts and versions.
  • Check Network for plaintext traffic.
  • Record cf-ray for tracking in Abuse reports.

The total evidence exceeded 10 MB of screenshots and logs, speeding up the provider's response.

— Editorial Team

Advertisement 728x90

Read Next