INTERCEPT CELL RESEARCH / HOOKED SCAMS · CASE 001
Case 001: coin-front.io
An X follower, a $700K humblebrag, and a Lithuanian-hosted PHP kit dressed up as a trading platform.
This case has two reads: a plain-language version for people who may have been contacted by the scam, and a technical readout for investigators and analysts.
This is a case file about a fake crypto trading site called coin-front.io. It's still online as I write this. A man calling himself Cory Bates messaged me on X (Twitter) and tried to walk me through depositing $5,000 onto it. I went along with the conversation on purpose, took notes, took screenshots, and then went and looked at the site itself.
Two reads on this page:
- What happened is the plain-language version. Read this if you got messaged by someone like Cory, or if a friend or family member did, or if you just want to know how this kind of scam works.
- Technical breakdown is for analysts and researchers. Same case, deeper dive, with infrastructure indicators, the platform's leaked admin API, and attribution to the kit vendor selling this thing as a turnkey product.
Either tab works as a complete read on its own.
Victim Readout
someone followed me on X. Then they DM'd me. Now they want me to send money to a "trading platform."
If that's the shape of what happened to you, what follows is what was probably going on.
the setup
A stranger named "Cory Bates" followed me on X. His profile looked normal: an aged account from 2011, a clean-cut headshot, a bio that mentioned "Bitcoin," a "Memento mori" header graphic. He had a few hundred followers and was following thousands of people. I followed him back.

The reason he followed me first matters. On X, if a stranger DMs you without you following them back, the message lands in a hidden "message requests" folder almost no one checks. By following first and waiting for a follow-back, he could DM me directly and the message would land in my main inbox. Following first is the entry fee. After that, he had a clear channel to me.
the slow conversation
He didn't pitch me anything for days.
- Saturday: "Hello."
- Sunday: "How is your trading going? Hope you are wining your trades?"
- Monday: "From a scale of 1-10 how would you rate your trading skills?"

That's not a sales pitch. It's a friendly check-in over a long weekend. The slowness is the point. Real con artists know that pitching too fast feels like a pitch. By stretching the conversation across days, they train you to expect a casual relationship instead of a sale. By the time the money question comes up, it doesn't feel like a sale, it feels like a friend giving you a tip.
The Monday question, "rate your skills 1 to 10, do you buy and hold or trade actively," looks like small talk. It isn't. He's bucketing me. People who say "I'm a beginner" get one script. People who say "I've been doing this for years" get a different one. He needed the answer before he could pick which version of the pitch to send.
the pitch
On Tuesday, here it came.
"I've found success with stocks trading and that helped me generate more than $700,000 in trading profits during the months of 2025. Recently, I'm Working on daily trading crypto and making simple earnings as low as $60k after a week of trading."
That's the pitch. Three things to notice:
- Big specific numbers from nowhere. $700,000 in 2025. $60,000 a week. There is no source. There is no audit. There are no screenshots from a real broker. Just the numbers, dropped into a friendly chat. Specific numbers feel real. They are designed to.
- The "you make money in any direction" line. This is a classic lie of investing scams. It's true that you can technically make money on the way down (by short-selling), but it is not easier than making money on the way up. Anyone telling you otherwise is selling you something. In real markets, more than half of active day-traders lose money. You don't hear that on Cory's pitch.
- A grammar that's almost-right. "I advice my followers." "You loss when the market is going down." "Wining your trades." Not bad enough to be a robot, just bad enough to be the actual person on the other end, somewhere, typing on a phone. That's important: there is a real human running this. Probably running thirty of you at the same time.
I told him I might want to start with $5,000. He immediately quoted me back "$5,000 turns into $20,000 in 3 weeks." A 4x return in 21 days.

No real investment does that. Anyone who says so is lying. If a real money manager could quadruple your money in three weeks, they would not be DMing strangers on X. They would be running a hedge fund and turning away clients.
the link
After he had the amount ($5,000), the exchange ($Coinbase), and a confident-sounding investor on the line, he sent the link:
"Firstly register with Coin-Front.io to get an account all setup and then get back to me so I can direct you through."
coin-front.io is the fake platform. It's the whole point of the conversation. Everything before it (the follow, the slow chats, the $700K humblebrag, the bucketing question) was scaffolding to get you to type that URL into your browser.
what the platform looks like
If you go to coin-front.io, you'll see a clean landing page. Nice photo of a guy at a TradingView desk. Live ticker scrolling at the bottom showing real Bitcoin and Ethereum prices. A button that says "Start Investing." It looks legitimate. It is not.
Here is how I know:
- No regulator. Real brokers in the US have to be registered with the SEC, FINRA, or the CFTC. In Canada, the IIROC. In the UK, the FCA. They show that registration in the footer with a real license number you can look up. CoinFront has none of that. There is nothing to look them up as.
- A "Skip" button on identity verification. When the site asks you to upload your driver's license, there is a "Skip" button right there. Real brokers cannot let you skip ID verification, it's against the law. Only fake ones do.

- A signup form that asks for everything. Email, password, full name, mobile number, date of birth, full home address, country. A real broker collecting all of that has a privacy policy and a regulator who will take their license away if they misuse it. CoinFront has neither.
- A "your account is pending verification" wall the moment you sign up. The point of this wall is to send you back to Cory, who will warmly walk you through "funding your account" so trading can begin.
the dashboard is a video game
This is the part most people miss, so I want to spell it out plainly.
When you "deposit money" on a site like CoinFront, the money is gone the second it leaves your wallet. It does not sit on the platform. It does not get traded. It is not invested in anything. It moved straight to a Bitcoin or Ethereum address the operator controls, and the operator immediately moved it again to keep you from clawing it back. There is no pool of customer funds anywhere. There is no broker. There are no "trades." All of that ended at the moment your transfer confirmed.
What you see after that is a website the scammers entirely control. They are the ones who decide what number shows up on your dashboard. They type those numbers in. So the very first thing they do, after pocketing your money, is edit the dashboard to show you that the money is still there, and start adding fake gains on top of it. Day 1: your $5,000 turned into $5,400. Day 4: $6,200. Week 2: $9,800. Week 3: $14,000. None of it is real. The operator is sitting in front of an admin panel typing those numbers in, the same way a kid would edit their score in a video game. The graph going up, the trades you "won," the green percentages, all of it is screen paint. You can refresh the page and watch it move, and it still won't be real.
The reason they do this is not to amuse themselves. It is to make you put more money in. Once you see your "$5,000 turned into $14,000" on the screen, the operator reaches back out: "see, I told you my signals work. Imagine if you had started with $25,000 instead. Why don't you put more in for the next cycle? You're missing out on the bigger gains."
This is when the pressure tactics escalate. They will:
- Push you up to a higher "tier" or "VIP plan" that needs a bigger deposit.
- Tell you a one-time "rare opportunity" is happening this week and you have hours to fund.
- Suggest taking out a personal loan, a HELOC, or even draining a 401(k), framed as "low-risk because you can pay it back from the next round of profits."
- Bring on a "manager" who messages you with a more authoritative tone to seal the bigger deposit.
- If you push back, get hostile, then warm again, then guilt-trip you ("I spent so much time on you and now you are second-guessing me?").
People go bankrupt at this stage. Real, well-documented case studies have victims liquidating retirement accounts, mortgaging homes, and borrowing from friends and family because the dashboard says they are about to be rich. They are not. The dashboard is a screen the scammer paints. The "tier upgrades" are nothing but a bigger deposit address.
The final stage of the scam, when you finally try to take any of it out, the withdrawal will fail. The site will ask you for a "verification fee" or "tax payment" or "anti-money-laundering deposit" in Bitcoin to release your balance. The fee will look small next to the (fake) balance on your screen, so it will feel reasonable. Pay it and the next withdrawal will fail for a different reason. Pay that one and another fee will appear. You will never see any of the money back. Not the deposits you made trying to invest, not the "fees" you paid trying to withdraw, none of it.
If this mechanic is unfamiliar to you, the term to look up is "pig butchering scam" (the criminals call it that themselves; the analogy is fattening up a victim before slaughter). The FBI's IC3 publishes annual reports on it, ProPublica and the New York Times have done long-form investigations, and the pattern is identical across thousands of victims. I am describing it from the operator's side because I have now seen it dozens of times, but the public record on this is enormous and consistent.
what I think actually happens to people
I want to be specific because vagueness is how this kind of advice fails.
A typical full run of this scam, on someone who isn't suspicious enough to bail out, ends in $15,000 to $50,000 in losses. The losses come in two waves. First the deposit (the $5,000 in my case). Then the "fees" they invent to block the fake withdrawal, those usually grow because the operators escalate as the target gets desperate. Once the target stops paying, the operators ghost. A few weeks later, a different person reaches out claiming to be a "recovery specialist" who can get the money back, for an upfront fee. That's the same scammer, the same network, on round two.
If you uploaded a copy of your driver's license to the site before this happened, the situation is worse than the cash. Your ID is now on a server in Lithuania, in the hands of people who lied about everything else. That ID can be sold, used to open accounts at real exchanges in your name, used to bypass identity checks at services where they want to launder. The cash loss is recoverable, in principle, with insurance and time. The identity damage outlives it.
who I was actually talking to
After I went silent on Cory for two weeks, I came back with a story (a "family emergency") to see what would happen. He picked up the conversation like nothing was wrong, asked if my account was verified yet, and asked for my phone number so we could "communicate better."

Asking for a phone number is not friendliness. It is moving the conversation off the platform that can ban him. X can suspend a scam account; X cannot suspend your text messages. The moment he had my number, he texted me and tried to keep the same conversation going, with the same script, on a channel where he was no longer accountable to a moderation team.

Then he asked me to send him a screenshot of my account verification page. That was an opportunity I had been waiting for. I made him a tracking link.
There is a free service called Grabify that lets you wrap any link in a tracker. When the recipient's device fetches the page, the service logs the IP address, location, and device information of whoever opened it. I uploaded a real verification screenshot to a public image host, then wrapped that image's URL in a Grabify link with a domain (screenshare.pics) chosen to look ordinary. To Cory, it looked like I sent him a screenshot. To me, it was a doorbell.

Within seconds, his phone fetched the link to render the message preview. The log told me everything.

He is in Lagos, Nigeria, on Starlink. Not Los Angeles. Not anywhere in the United States. The "+1 (213)" phone number was a US-based VoIP relay he rented to look local. The aged X account was bought or stolen. The "Cory Bates" headshot was somebody else, probably scraped from someone's real profile years ago. Every visible part of his identity, from the name to the area code to the timezone of his messages, was wrong on purpose.
Lagos is where a large share of these scams originate. The shorthand is "Yahoo Boys", a long-running West African online-fraud subculture that started with romance scams and Nigerian-prince emails in the 2000s and now does crypto-investment pig-butchering at industrial scale. They run dozens of personas in parallel, off scripts, with offshore-staffed call centers and ESL-grade English. The poor grammar in Cory's messages ("you loss," "wining your trades," "I advice my followers") is not a bug; it is the dialect, and once you have seen one of these, you start noticing it in every other one.
The reason this matters for you, if it's happening to you or someone you love right now: the person on the other end of the chat has no relationship to anything they claim. They are not a trader. They are not American. They do not live in your country. They are running a script from an apartment in Lagos and they have several other targets going at the same time. Nothing they say about themselves is true, and nothing the platform shows you is real, and there is no version of "if I just play along a little longer the money I deposited will come back." It will not.
what to do if this happened to you
Do these in order, today if you can:
- Stop talking to Cory or whoever your version of Cory is. Don't argue, don't explain. Block. The longer the conversation continues, the more they know about you and the more pressure they apply.
- Don't pay any "fee" or "tax" they ask for to release a withdrawal. It is fake. The money on the dashboard does not exist. There is no withdrawal coming. Every dollar you send to "release" it is gone.
- File a report with IC3.gov. That's the FBI's intake for cyber-enabled fraud in the United States. You do not have to have lost money to file. They aggregate reports and use them to prioritize takedowns. The earlier you file, especially within 72 hours of contact, the higher your chances of help.
- If you're outside the US, file with your equivalent: Action Fraud (UK), CAFC (Canada), Scamwatch (Australia), Europol Reporting Center (EU).
- If you uploaded ID, freeze your credit at the three US bureaus (Equifax, Experian, TransUnion) and put a fraud alert on file. In other countries, freeze with whichever bureaus your banks check. This is free. Do it the same day.
- If you wired money or sent crypto, file with your bank within 24 hours and request a recall. After 72 hours, recall on a wire is much harder. Crypto is harder still, but file the IC3 report regardless because the addresses get flagged across exchanges and sometimes funds are frozen at the cash-out point.
- Tell one person in your life. A friend, an adult child, a sibling. The hardest part of recovering from one of these is the shame, and the shame is what the operators rely on to keep you from telling anyone until it's too late. Tell someone. They will not think less of you. These pipelines are built to work on smart people.
what to look for in someone else
If a friend, parent, or co-worker is in the early stages of this, they have been chatting for two weeks with someone they "met online" who is "good at trading," they recently mentioned a name like CoinFront or any other platform you've never heard of, they are excited about a new opportunity that pays out a percentage every week, those are the warning signs:
- The relationship started with a friendly DM from a stranger they did not seek out.
- The stranger has a full life on social media but zero overlap with anyone they actually know.
- The conversation has been long, slow, and warm.
- A "platform" was mentioned, with a name that sounds like a real broker but isn't one anyone they know uses.
- The platform "promises" returns measured in weeks. Or "signals." Or "copy trading."
- They are about to make a deposit, or have just made one, or are talking about making a bigger one.
Don't accuse the operator and don't shame your person. Just ask three questions, in this order:
- "How did you meet this person?"
- "Do they have any mutual friends with you that you can ask about them?"
- "Have you actually withdrawn any money yet, or have you only seen the number go up on a website?"
That third question is the one. If they cannot withdraw, the money is not real. If they have a story about how the withdrawal "is delayed" or "needs a fee", you are watching the second stage of the scam land in real time.
this is not just one website
If your person mentioned a different site, it might still be the same scam. CoinFront is one of dozens of near-identical sites built from the same template by the same vendor and run by different criminal teams. Same fake dashboard, same Skip button on ID verification, same "withdrawal fee" trick at the end, just a different name on the homepage. Other names I have personally confirmed are running this same template, as of this writing: Parsonex Market, CapitalTechPip, CryptoPalmsMarket, DeluxePlusWealth, SynergyTrades, VeltrixCapitalPro, QuorixTrading, FidexExpert, RocketStake, BizzyEarners, CrestMarkets, FortuneLivex, Solvex Capital Limited, SignalSurge, Tillid FX, TradeSphere. There are at least thirty more pre-registered domains waiting to be turned on.
If your person's site is not in that list, that does not mean it's legitimate. It means it is not in this list. The pattern is what matters: a stranger DM, a slow chat, a "platform" with a fake dashboard, a "withdrawal fee" right when you try to take money out. If that's the pattern, it's the same scam.
For scale: across the sites I confirmed, I tracked at least $526,000 in cryptocurrency deposits going into the wallet addresses these sites were collecting from in the last several months alone. One single wallet on one of these sites took in $426,000 from 29 deposits in a single 30-day window, with the largest single deposit being about $128,000. The "median" deposit was about $7,900. Those are real people losing real money to this template, right now, today. The average victim gave up enough to wreck their year.
why this site exists
The CoinFront site, the Cory account, the slow conversation, and the platform with a Skip button on KYC all exist because this works. It works on retired engineers, on doctors, on lawyers, on day-traders, on people who absolutely know that crypto scams exist. The reason it works is that it never feels like a pitch until it's already too late. The Cory persona feels like a friend. The platform feels professional. The dashboard feels real. By the time the withdrawal fails, the operator has already had the deposit for weeks.
Telling people "watch out for crypto scams" doesn't help, because every person who falls for this thinks they were watching. What helps is showing the inside of one, in order, with screenshots, so the next person who sees the same play in their own DMs can stop on the second message instead of the second deposit.
That's why this site is here.
If something like this is happening to you or someone you love, report it. The next person to see the same script in their DMs deserves a faster warning than you got.
Investigator Readout
TL;DR
coin-front.io is a turnkey scam-platform deployment, sold by prowebsitesamples.com as "broker template BB" (db=DB3) and operated against a marketing pipeline of aged X accounts. The platform leaks its full admin-shaped data envelope via /api/graph, including all deposit-wallet addresses and operator settings. On-chain, the snapshot of currently-advertised wallets across the kit's deployed fronts has received at least $526,881 in confirmed crypto inflows, with one single BTC wallet on crestmarkets.org receiving $426,128 across 29 deposits in a single 30-day window. That number is a lower bound; rotated/retired wallets are not visible in this snapshot. Operator attribution is hard: Grabify canary fired on 2026-04-30 21:37:49 UTC returned IP 98.97.77.181, AS14593 SpaceX, hostname customer.lgosnga1.isp.starlink.com, geolocating to Lagos, Nigeria. The "Cory Bates" persona is a Lagos-operator running a Yahoo-Boy-class crypto-investment funnel through a US-VoIP relay and an aged X handle. The vendor publishes a live catalog of 45 pre-registered scam-front domains at probrokerapis3.com/api/domains categorized as broker (43) and banking (2), with new domains added as recently as the day before this writeup. Pivoting on the kit's verbatim string IOCs and on its operator backends surfaced at least 12 additional kit-confirmed fronts in the wild, clustered across two operator backends (probrokerapis3.com and probrokerapis2.com) and a long tail of self-hosted deployments. Frontend is on bacloud.com (Lithuania), backend REST is on probrokerapis3.com (Render.com), websocket is on Render.com (probrokersockets-com-god8.onrender.com), email host is the same domain. Withdrawal verification is operator-typed in real time; the "withdrawal code" is a UX prop for the verification-fee follow-on cash grab. The vendor (prowebsitesamples.com) is therefore not a single-criminal operation but a scam-front-as-a-service vendor with multiple criminal customers, which sets the takedown leverage at the vendor and backend layer rather than at any individual front.
Vector and persona
The lead infrastructure is @cory_bates1895, an X account aged 2011, 405 followers, 3,221 following, low effort engagement-farming follow ratio. Bio "Freedom · Jiu Jitsu · #Bitcoin" is a calibration: explains why a stranger DMs about crypto without raising flags. Display photo is a stock-style headshot, header is a "Memento mori" graphic.

The funnel is a 14-day slow-roll. Saturday-Sunday-Monday were rapport, no pitch. Tuesday was the qualification pitch ("$700K profit in 2025") with a built-in branch on response. The pitch text uses consistent ESL artifacts ("I advice my followers," "you loss," "wining your trades") that are textbook for offshore-staffed pig-butchering operations. Grammar is poor enough to indicate non-native English but coherent enough to read as a busy human typing on a phone, which is the right calibration for a target who doesn't know to look. Operators running this funnel are running dozens of conversations in parallel and the pacing is chosen to match a rate they can sustain across a queue without breaking character on any single thread.


The qualifier extracts four data points before the link drop: stated investment amount, stated exchange, wallet posture (custodial vs self-custody), and investment narrative. I gave $5,000 / Coinbase / no self-custody / "diamond hands", boilerplate retail-bag-holder profile, which selects the standard crypto-investment script with a $5K minimum.

The drop is coin-front.io. It came at 11:24 AM and was edited shortly after, operators editing the drop message is a tell that they typo'd the domain (likely from running a prior script with a different front), which is itself useful intel that this is templated. The drop is followed within 24h by a chase ("what's the status on your account") and then a next-day off-platform pivot attempt ("what's your number, so we can communicate better"). When I went silent, a re-engagement attempt arrived two weeks later ("Hello?").

Re-engagement and SMS pivot
After ~2 weeks of silence on my end, I returned the conversation with a "family emergency" cover and watched the funnel re-open immediately. The operator has no script branch for "target ghosted, then came back": the response was a verbatim continuation of the deposit-walkthrough flow with no acknowledgment of the gap. That's diagnostic of a queue-driven funnel where the conversation state is just "did they fund yet (y/n)" and conversational continuity is faked from short context windows by the operator scrolling back.

The off-platform pivot was the second ask in the same message. He did not wait for a response on account status before requesting a phone number; the move-off-X step is unconditional in the script. Within an hour of giving him a number, he texted from +1 (213) 397-6550 over RCS:

The number is a US-VoIP relay, not a real American mobile. 213 (Los Angeles) is the area code; libphonenumber returns it as FIXED_LINE_OR_MOBILE with a blank carrier, which is the canonical fingerprint of a Bandwidth/TextNow/TextFree-class US VoIP block. RCS-capable (the screenshot shows the "Text Message · RCS" header), which TextNow and TextFree both support. None of that is unusual; offshore operators rent these in bulk for $1-2/month per number, then burn them after a campaign.
Operator attribution (canary capture)
Once on SMS, he asked for a screenshot of my "verification page." I uploaded a real screenshot to imgur, then wrapped that imgur URL in a Grabify tracking link with a friendly-looking domain (screenshare.pics) so the message preview would parse as an image share rather than a tracker.

The first hit on the Grabify log fired within seconds of the message landing, almost certainly his Google Messages app fetching the link to render the preview thumbnail (which is why the reported user-agent is the chimeric GoogleMessages/20.2 facebookexternalhit/1.1 Facebot Twitterbot/1.0 string, with referer meta.com; that's not a real browser, it's the in-app preview-fetcher chain). Crucially, in-app preview fetches on RCS are made from the user's device, not from a centralized Google datacenter, so the source IP is the operator's actual residential connection.

textoperator pivot data IP: 98.97.77.181 rDNS: customer.lgosnga1.isp.starlink.com ASN: AS14593 SpaceX (Starlink) geo: 6.4541, 3.3947 (Lagos, NG) ISP: SPACEX-STARLINK timezone: Africa/Lagos captured: 2026-04-30 21:37:49 UTC via: Grabify image-link, fired by Google Messages preview fetch on operator handset
Independently confirmed via ipinfo.io and reverse DNS. The Starlink-Lagos POP is the residential-grade satellite broadband hub for southern Nigeria, operators use it specifically because it bypasses the major Nigerian terrestrial ISPs (MTN, Airtel, Glo, 9mobile), which historically respond to LE requests faster than SpaceX does. Starlink's Nigerian launch in 2024 created a noticeable shift in this attribution pattern; before that, Yahoo Boy clusters were geolocatable to Lekki / Ikeja / Festac via MTN-Naijawap or Airtel residential.
The composite fingerprint is now hard:
| layer | claim | reality |
|---|---|---|
| name | "Cory Bates" | unknown; headshot is a stock-style portrait, almost certainly stolen |
| account | @cory_bates1895, joined 2011 |
aged X handle, bought or compromised |
| location (claimed) | implied US (213 area code, English fluency) | Lagos, Nigeria |
| phone | +1 (213) 397-6550 |
US-VoIP relay (Bandwidth/TextNow class), not a real LA line |
| ISP | n/a | SpaceX Starlink, Lagos POP lgosnga1 |
| IP | n/a | 98.97.77.181, AS14593 |
| timezone of messages | UTC-8 implied (LA) | actually UTC+1, observable in his hour-of-day reply pattern |
| device | n/a | RCS-capable, Google Messages app (Android with Messages 20.2) |
The funnel is Lagos-operator → US-VoIP relay → US-aged X persona → Lithuanian-hosted PHP kit → Render.com backend. None of those layers stand alone; cutting any one of them just nudges the operator to a substitute. Cutting the Lithuanian hosting kills the platform front. Cutting the Render backend kills 9 platform fronts. Cutting the operator's Lagos Starlink connection (or his VoIP carrier) kills this persona but not the operator headcount, since they have many.
This is the first case file where I have a hard (IP, ISP, geo, hour-of-day, device class) pivot on the operator, not just on the kit. That's significant for follow-on cases: any subsequent pig-butchering case file with customer.lgosnga{1..N}.isp.starlink.com in a canary log can be inferred to share the same operator pool, even if the kit, persona, and platform front rotate.
Site fingerprinting
Surface-level enumeration gave the standard trade-dress signals:

- Generic AI-flavored hero image (man + TradingView holograms), reused across many clones since at least 2024.
- Real TradingView widget pulling live BTC/ETH/MATIC/SOL prices for ambient legitimacy.
- Meta description says "Forex, Stocks, ETFs and Options," scammer pitched it as crypto.
- Browser-push notification request on first visit (used for cross-tab re-engagement / cross-scam funnel handoff).

- Signup form collects email, password, name, phone, DOB, full address. Country dropdown defaults to "Afghanistan", alphabetical first entry, never localized.

- KYC step has a Skip button (not legal for any regulated broker; this is the funnel keeping itself open for skeptical targets). IDs land in
/uploads/images/on the production webroot.

- Dashboard sidebar pattern is the diagnostic fingerprint:
Plans / Trading / Holding / Staking / Account / Deposits / Withdrawals / Copy Trading. This exact string and order is the kit's signature.

Infrastructure (initial pass)
| Property | Value |
|---|---|
| Domain | coin-front.io, registered 2025-05-15 at PDR Ltd. (PublicDomainRegistry.com) |
| WHOIS update | 2026-04-29 21:49:49Z, status renewPeriod (renewed mid-engagement) |
| Wayback | 3 captures: 2025-07-16 placeholder, 2025-08-06 placeholder, 2026-04-30 live |
| Cert | Let's Encrypt R12, *.coin-front.io, valid 2026-03-16 to 2026-06-14 |
| A | 85.206.242.4 (BACloud, AS61272, Šiauliai LT) |
| AAAA | 2a04:2180:dc05:c108::4 |
| rDNS | cl08.bacloud.online (BACloud shared cluster #8) |
| Stack | LiteSpeed PHP behind an OpenResty WAF |
| Web3 | web3.js and @walletconnect/web3-provider loaded, direct browser-wallet drain path supported |
| Live chat | Smartsupp embed (key visible in settings.chat_code) |
The OpenResty WAF blanket-415s non-browser user-agents and serves a five-second JS challenge to anything that looks vaguely automated. Roughly an hour of polite probing got my egress IP firewalled at the BACloud edge. The site stayed up from probes in BR/TR/UK/US the whole time. The block lifted ~6 hours later. The block itself is the data point: this is not a forgotten box, it's a kit with active monitoring.
/api/graph leak (post-authentication)
The user-side dashboard fetches /api/graph after login. The endpoint requires only a session cookie, returns a Laravel paginator envelope, and ignores its own admin: false field, the response includes the entire admin-panel data shape regardless of role. Captured 2026-04-30 from a real (non-paying) user account:
texttop-level keys returned to a non-admin session: user (114 fields) wallets (8 entries) settings (1 entry, 80+ keys) staffs (2 entries) payouts (21 entries) plans (14 entries) reviews (10 entries) pages (16 entries) faqs (10 entries) news (4 entries) links / images / directions / posts (empty for this deployment)
Highlights extracted:
Deposit wallets (8 in the public list):
textBTC bc1q9nyvdjr2jyxxhx0ea9tf69y6j20ea4l83fd269 ETH 0x0a5659BAf2cF27DC19ea87ddAAbEb651ad3E117e USDT 0x0a5659BAf2cF27DC19ea87ddAAbEb651ad3E117e (ERC20, same hot wallet as ETH) USDC 0x0a5659BAf2cF27DC19ea87ddAAbEb651ad3E117e (ERC20, same hot wallet as ETH) SOL Azy4rkMjEtipK2mDFiBCdYq8cXM4dvw8bLPZ1qm6vYAS TRX TYcGojypFj6BwtqYGV7PWmZX8KiH4xakvA XRP r4uHqWeEFHKKqiqQaGNYKr37UiijUWA4ez DOGE DMdqGNV4qKFsgshRdX75tPCFsWp9Y5hhXJ
Three additional wallets appear only in /api/deposits (not in the public wallet list), suggesting a rotation pool:
text0xF172c996598fdd558BB21D5312B2da99c6844120 (ETH) bc1ql8hlfymt889wnxgxvf75rexehktc4fakv34kfg (BTC) TCJAJ6wVhABtxZfJmFFaCGSzxHA8CpfAJh (Tron)
Staff page lists "Sabrina Deckow (CFO)" and "Angelo Rogahn (CEO)" with stock photos named Reviewer2.jpeg and Reviewer3.jpeg. Both surnames are part of the stock Faker library. Reviews and payouts tables are likewise faker-generated (Klocko, Hickle, Boehm).
Settings revealed:
smtp_server: mail.coin-front.io(port 465, SMTPS), operator's outbound email is on the same domain.withdrawal_code: 'manual',website_withdrawal_code: '', see "Withdrawal-fee mechanism" below.api_https: 'probrokerapis3.com', the JS bundle proxies live data through this hostname.api_wss: 'probrokersockets-com-god8.onrender.com', websocket layer is on Render.com.chat_codefield embeds a Smartsupp script with a key (9d1d3...).
The admin: false field in the response is decorative. Adjacent endpoints /api/users, /api/trades, /api/withdrawals correctly return 401 to a non-admin session, so the auth gate exists; it just wasn't applied to /api/graph. The bug is single-route, not class-wide.
Kit attribution
coinfront.js (the page bundle) references https://probrokerapis2.com as a sibling backend host. The probrokerapis3.com hostname (used in production by coin-front) returns a SPA whose title is "ProBrokerApis3", same SPA framework, served as the operator's API origin.
probrokerapis3.com/api/domains requires no auth and returns a Laravel-paginated catalog of pre-registered domains:
texttotal: 45 categories: { broker: 43, banking: 2 } [broker] sample of 43: federalsecurenet.com, cryptometaedge.com, toptracepointco.com, smartearncapital.com, vtmarketpro.com, fxcapitalnexus.com, fleetpathlogistics.com, topchoicedelivery.com, corepathdelivery.com, logistavaexpress.com, urbandeliverygroup.com, citylinedelivery.com, crestgateinvestment.com, hashtradehub.com, pipsparadise.com, prop-pulsecapitals.com, prop-pulsecapital.com, humilisinvest.com, hannahlewismarkets.com, profitpulsepeak.com, parsonexbase.com, parsonexclimax.com, parsonexmarket.com, parsonexmarkets.com, arbitragebrokerage.com, corebulltrade.com, finestmarkets.com, eversteadoptions.com, pipsgainhub.com, crestdynamo.com, bullishpeak.com, aitradeteam.com, pipstradelab.com, pipsoptionstrade.com, livingtrades.com, fortunelivemarkets.com, oakvestpro.com, aceofbulls.com, bullishace.com, bullvestpro.com, metawealthwatch.com, betamarketwatch.com, bullishclimax.com [banking]: strativuscapital.com, zyoracapital.com
These are pre-registered domains the vendor offers as turnkey scam fronts paired with the broker template. The coin-front.io domain isn't in the catalog because it's already in operator use.
The vendor's storefront is prowebsitesamples.com. Properties:
- Registered 2025-08-07 at Hostinger UAB, NS at
dns-parking.com. 8-month-old domain. - No terms, license, pricing, contact, about, or privacy pages, every URL except live iframe demos returns the same SPA fallback (md5
fd5bb47ff610eedaa6c60b06acf21826). - Only contact channel is
info@prowebsitesamples.com, which is also the demo admin login on every demo. - Sells a
/custom-emailsadd-on: $50/yr Titan Mail + $20/yr domain = $70/yr per scam-front identity. - Recommended registrars: bacloud (Lithuania, same as the coin-front frontend host) and Namecheap.
- Catalog of 30 broker UI templates:
AD AP BB BI CRY CS DS EX FP GL HE HT IQ LI LQB LQO M2 OL OM OP PMS PMV RW RW2 TR1 TR2 TR3 TX UT XT. - 4 courier templates:
BR GR MA RD(delivery-redelivery-fee scam style). - 2 banking templates:
BK BV.
coin-front.io is the BB template. The demo login bb.prowebsitesamples.com/signin?db=DB3&email=sample@gmail.com&password=samplepassword returns the same /api/graph data envelope, confirming kit identity.
The vendor's published demo creds for the operator panel are info@prowebsitesamples.com / samplepassword against <template>.prowebsitesamples.com/cp/. The same path exists on coin-front.io (<title>Admin - CoinFront</title> confirms the SPA resolves), but the operator changed the production password, so the kit's default admin cred didn't work against the live deployment.
Withdrawal-fee mechanism
The kit supports three modes for withdrawal_code:
jsoptions: [
{value: "email"}, // server emails OTP to user
{value: "manual"}, // operator types a code at withdraw time
{value: "disabled"} // no code required
]
coin-front.io runs in manual mode with website_withdrawal_code: '' empty. The manual flow is the entire premise of the verification-fee follow-on scam: the operator can synthesize whatever "verification code" they want, demand the target pay them a Bitcoin "verification tax" to "release" it, and then either move the goalposts to a second fee or tell the target their code was wrong. There is no third-party verification anywhere in the flow. The entire withdrawal-blocking mechanic is operator UI theater backed by an unconstrained server-side string compare.
The kit also supports email mode (a real server-generated OTP), but the operator chose manual. That's the scam-tell: legitimate-looking operators wouldn't bypass the OTP option, because it's strictly more secure and the kit ships it for free. Operators choose manual because they need the pretext for the verification fee.
Kit fingerprinting (file-level IOCs)
The vendor template (bb.prowebsitesamples.com, sold as "broker template BB", db=DB3) ships static assets that are byte-identical across deployments unless the operator manually re-skins them. Three high-quality file fingerprints captured from the vendor's live demo:
textzpwa-favicon.ico (33310 bytes) sha256: 6beb02b513f811da0ad2a837f203feffbc6900a552ad23f024e019da3c2526b3 md5: 8abbbfe54ff466d05dff7d5ec2ae215c mmh3 (Shodan/Censys b64): -1032583768 broker-bb-2026-04-06.js (1100631 bytes, dated bundle filename rotates each rebuild) sha256: 3f76ad861342405b5f0a5059de35bfb2fc880e9748975929083f5cfe2d5a385a md5: 427b0c476fa99fa037d026c4549fb124 broker-bb-2026-04-06.css (90636 bytes) sha256: d952ca796a5c973e632bc7cdf841343a3d845c54061b14639097f0eb836e475d
Verbatim, grep-able strings:
text"Forex, Stocks, ETFs and Options - Online Trading Platform" (default <meta description>) "/assets/images/zpwa/" (PWA icon directory, kit-unique prefix) "Plans / Trading / Holding / Staking / Account / Deposits / Withdrawals / Copy Trading" (post-login sidebar string) "/api/graph" (settings-leak endpoint, often unauthenticated) "withdrawal_code: 'manual'" (operator-typed verification gate) "<title>Sample BB</title>" / "Sample PMS" / "Sample WWW" (kit demo titles, occasionally left in production)
The favicon hash is the cleanest single-query pivot: one Shodan or Censys search on http.favicon.hash:-1032583768 should enumerate every public host serving a default-skinned instance of this kit.
Confirmed kit deployments in the wild
Pivoting from the vendor catalog (probrokerapis3.com/api/domains, 45 pre-registered domains, 4 added in the last 18 days, newest 2026-04-29) and from urlscan.io scans on the operator backends, I directly probed every responsive candidate. 12 fronts beyond coin-front.io returned the kit's <meta description> and exposed an open /api/graph that leaked deposit wallets and operator settings. Captured 2026-04-30:
| front | backend (api_https) |
min deposit | wallets leaked |
|---|---|---|---|
parsonexmarket.com |
probrokerapis3.com |
$100 | 4 (BTC, ETH ERC20, USDT TRC20, XRP) |
capitaltechpip.net |
probrokerapis3.com |
$10 | 6 (BTC, ETH, USDT ETH, BCH, LTC, PIX) |
cryptopalmsmarket.com |
probrokerapis3.com |
$100 | 6 (BTC, ETH, USDT ERC20, USDT TRC20, XRP, SOL) |
deluxepluswealth.com |
probrokerapis3.com |
$10 | 2 (XRP, BTC) |
synergytrades.live |
probrokerapis3.com |
$10 | 6 (BTC, SOL, ETH, USDC, BNB, USDT) |
veltrixcapitalpro.com |
probrokerapis3.com |
$100 | 1 (BTC) |
quorixtrading.com |
probrokerapis3.com |
$10 | 4 (BTC, ETH, BNB, XRP) |
fidexexpert.com |
probrokerapis3.com |
$1000 | 3 (BTC, TRON, ETH) |
rocketstake.net |
probrokerapis3.com |
(kit) | (kit) |
bizzyearners.net |
probrokerapis2.com |
(kit) | (kit) |
crestmarkets.org |
probrokerapis2.com |
$100 | 3 (BTC, XRP, ETH) |
fortunelivex.com |
probrokerapis2.com |
(kit) | (kit) |
solvexcapitallimited.io |
probrokerapis2.com |
$100 | 4 (BTC, ETH, SOL, USDT) |
signalsurge.net |
probrokerapis2.com |
$1 | 8 (BTC, ETH, USDT TRC, USDT BEP, USDT ERC, SOL ×2 entries) |
tillidfx.net |
(own backend, same kit) | $50 | 8 (BCH, USDT TRC, ADA, BTC, USDT ETH, DOGE, BNB, ETH) |
tradesphere.pro |
(own backend, same kit) | $100 | 6 (USDT, XRP, USDT SOL, USDC BSC, LTC, BTC) |
Three operator clusters jump out:
probrokerapis3.comcluster: at least 9 fronts share this single backend (andcoin-front.iobelongs to it). One operator, many brand fronts. Backend is on Render.com216.24.57.1.probrokerapis2.comcluster: at least 5 fronts share this backend. Older deployment (catalog history goes back to Sep 2025). Backend is on Namecheap shared192.64.117.192.- Independent kit deployments:
tillidfx.net,tradesphere.prouse the same kit but their own backend hosts, likely a customer who bought the kit standalone and self-hosted, rather than paying for the operator-as-a-service tier.
The vendor (prowebsitesamples.com) is therefore not a single-criminal operation; it's a scam-front-as-a-service vendor with multiple criminal customers, each running their own brand-front portfolios pointed at vendor- or self-hosted backends. That changes the takedown calculus: cutting any one front does nothing; cutting any one backend kills 5–9 fronts; cutting the vendor itself kills the pipeline.
Cross-deployment artifacts (not just URLs)
The same /api/graph settings dumps surfaced operator-side artifacts that pivot further:
- Smartsupp chat key (parsonexmarket.com):
4aeb1fdb9a261fa98524e37134fd905a4ef8e7ce. Smartsupp accounts can be mapped across sites running the same key. - VAPID public key (parsonexmarket.com):
BKt9tSMCKnDEjraPoYp-MpP_th8ivocl9AwuM8-xB550Zl9DPi9au9uFwLQvOSGU8yBkRADsCSboGwBEj-iZkfU. The browser-push subscriber list is reusable across deployments running the same VAPID pair. - Fake-staff schema: every front publishes 2 fake C-suite entries with stock photos at
/uploads/images/staff-male.jpgand/uploads/images/staff-female.jpg. Names look auto-generated (e.g. "Osvaldo Weimann CEO / Esta Schiller CFO" on parsonex). Those exact filenames are kit-default, operators almost never replace them. - Fake-payouts schema: 21 entries with
name + from + amount + currency + colorcolumns, names like "Ernie Will from Greenland", "Tressa Farrell from Turkey". The exact field set (colorfor stripe rendering, integer-EUR amounts) is the kit's signature. - Reviewer images:
/uploads/images/Reviewer1.jpegthroughReviewer9.jpegare the kit defaults. - News post titles: kit ships with 4 default Bitcoin / Satoshi news posts (slugs
bitcoin-inventor,bicoin-research,uk-legislators). Many operators leave them as-is.
These are filesystem-shaped IOCs: any Wayback / urlscan / Common Crawl pull that surfaces Reviewer{1-9}.jpeg, staff-male.jpg + staff-female.jpg, or the news-post slugs above is almost certainly another deployment.
On-chain inflows (snapshot)
Every kit-confirmed front exposed its current deposit-wallet roster via /api/graph. I pulled total-received from public block explorers across BTC, EVM (ETH-native + ERC20), TRON (TRX + TRC20), XRP, Solana, LTC, BCH, DOGE, BCH, and Cardano on 2026-05-01. 61 unique addresses across 11 chains, USD-converted at spot.
text=== aggregate (kit-confirmed fronts only, addresses currently advertised in /api/graph) === total on-chain USD-equivalent received: $526,881.81
Per-front (split evenly when an address is shared across fronts):
| front | total received | most active wallet |
|---|---|---|
crestmarkets.org |
$429,762 | bc1q6tay...yrpc (BTC, 29 deposits) |
fidexexpert.com |
$39,623 | bc1qzgs...rfju (BTC) + TUNqd...ndoB (TRON) |
capitaltechpip.net |
$26,022 | spread across BTC, BCH, ETH, USDT-ERC20 |
parsonexmarket.com |
$8,147 | TYJPh...SqBHNV (USDT-TRC20, 6 deposits) |
coin-front.io |
$8,099 | TCJAJ...pfAJh (TRX rotation) |
synergytrades.live |
$5,001 | TRC20-USDT |
signalsurge.net |
$3,901 | BTC + USDT-TRC20 |
tillidfx.net |
$2,448 | BTC + USDT-TRC20 |
cryptopalmsmarket.com |
$2,400 | BTC |
solvexcapitallimited.io |
$975 | BTC |
deluxepluswealth.com |
$504 | BTC |
tradesphere.pro |
$0 (snapshot) | , |
veltrixcapitalpro.com |
$0 (snapshot) | , |
quorixtrading.com |
$0 (snapshot) | , |
This is a strict lower bound on lifetime victim losses, for several reasons that should temper the headline number:
- We only see currently-advertised wallets. The kit makes it trivial to rotate deposit addresses, operators commonly swap to a fresh wallet after each victim funds, so most lifetime inflows are sitting on retired addresses we never captured. The $526K is what's reachable from the snapshot taken 2026-04-30.
- Some wallets we recovered are functionally cold. 14 of the 16 EVM addresses returned $0, almost all the SOL/XRP addresses returned $0, all DOGE and LTC addresses returned $0. Several of those are placeholders the operator never pointed traffic at; the kit always populates a full token roster on the dashboard regardless of whether a given chain is in active rotation.
- The $426K on
crestmarkets.org's BTC wallet is one wallet, 30 days of activity. It started receiving on 2026-03-14, peaked with a single 1.633 BTC (~$128K) deposit, and the median deposit was $7,933. The wallet was zeroed (swept fully out) by 2026-04-14, with the last hop landing on1HV2BNfCeaeQ9c1RsUnnZLLVE6uyQSZWXb(the operator's first consolidation address). That single 30-day window for that single wallet is most of the headline. It does not include any earlier wallets the same operator rotated through. - Anything that came in via
withdrawal_code: 'manual'"verification fees" hit the same wallets. The number is "victims that funded a deposit address" plus "victims that paid a fake withdrawal fee," with no way to disentangle on-chain.
Notable individual receivers
textbc1q6tayfjwdt44tmsruryc2ferry62fu5l8yayrpc crestmarkets.org BTC 29 deposits, 5.4316 BTC = $426,129 active 2026-03-14 to 2026-04-14 (30 days), then swept to zero biggest single deposit: 1.633 BTC ($128K) median deposit: 0.101 BTC ($7,933) next-hop consolidation addr: 1HV2BNfCeaeQ9c1RsUnnZLLVE6uyQSZWXb bc1qzgsxlhq65l3m8lc5yzkrmevtp0qh90vqvkrfju fidexexpert.com BTC 1 deposit, 0.297 BTC = $23,282 one-shot 2025-07-04, dormant since Either a single high-value victim or an operator self-fund TUNqd7gyhx6noMetAZLu4ZtrhqBke7ndoB fidexexpert.com USDT-TRC20 $16,340 received in USDT, multiple deposits TCJAJ6wVhABtxZfJmFFaCGSzxHA8CpfAJh coin-front.io TRX (advertised as the rotation wallet) $5,779 in TRX-native, swept 1P9wocCxnF1QGX71Xa5eWohuba4dr58jYD capitaltechpip.net BTC 20 deposits, 0.062 BTC = $4,870 active 2025-07-07 to 2026-04-05 (271 days) median $86, biggest $1,037, small-ticket pattern, possibly the kit's "demo deposit" walkthrough rather than the main scam wallet bc1qn228waxytzugvm322unp0dyz97t9kzkkx5eg9l signalsurge.net BTC 37 deposits, 0.047 BTC = $3,656 active 2024-12-26 to 2026-04-12 (471 days), median $73 Long-running tiny-ticket, almost certainly walkthrough/demo flows, not victim deposits
The crestmarkets.org wallet is the loudest fact in this dataset: one front, one wallet, $426K in 30 days. That single-wallet 30-day burst is what scaled-up "scam-front-as-a-service" looks like at a moment of operator success. Multiply it by the 9 fronts in the probrokerapis3.com cluster, the 5 in the probrokerapis2.com cluster, the 30+ catalog domains awaiting deployment, and the unknown count of retired wallets, and the kit's lifetime take is unambiguously into seven figures.
Indicators
Compiled IOC list, organized by selector type. Inclusion bar: every value here is uniquely or near-uniquely tied to scam infrastructure I personally observed or extracted from operator-controlled systems. Shared-cloud edge IPs, kit-default strings (page titles, sidebar enumeration, settings field names, default meta descriptions), URL paths, and shared nameservers are intentionally NOT listed, any of them would generate false positives against legitimate third parties on a public IOC pivot. They live in case-file prose where the surrounding context makes their meaning unambiguous. The full structured corpus is also on the aggregate indicators page and as JSON at /indicators.json.
textdomains (kit-confirmed fronts, probrokerapis3 cluster): coin-front.io parsonexmarket.com capitaltechpip.net cryptopalmsmarket.com deluxepluswealth.com synergytrades.live veltrixcapitalpro.com quorixtrading.com fidexexpert.com rocketstake.net domains (kit-confirmed fronts, probrokerapis2 cluster): bizzyearners.net crestmarkets.org fortunelivex.com solvexcapitallimited.io signalsurge.net domains (kit-confirmed fronts, self-hosted): tillidfx.net (own backend, BB kit fingerprint match) tradesphere.pro (own backend, BB kit fingerprint match) domains (operator-controlled API and mail infrastructure): probrokerapis3.com (REST origin, on Render.com) probrokerapis2.com (REST origin, on Namecheap shared) probrokerapis6.com (REST origin, on Cloudflare; configured but gated) probrokersockets-com-god8.onrender.com (websocket, kit-shared) mail.coin-front.io (SMTP, operator outbound mail) mail.parsonexmarket.com (SMTP) mail.veltrixcapitalpro.com (SMTP) domains (kit vendor): prowebsitesamples.com (scam-front-as-a-service shop) bb.prowebsitesamples.com (BB demo, default creds info@prowebsitesamples.com / samplepassword) pms.prowebsitesamples.com (PMS demo) domains (vendor catalog, registered but not yet deployed; full list pulled 2026-04-30): federalsecurenet.com, cryptometaedge.com, toptracepointco.com, smartearncapital.com, vtmarketpro.com, fxcapitalnexus.com, fleetpathlogistics.com, topchoicedelivery.com, corepathdelivery.com, logistavaexpress.com, urbandeliverygroup.com, citylinedelivery.com, crestgateinvestment.com, hashtradehub.com, pipsparadise.com, prop-pulsecapitals.com, prop-pulsecapital.com, humilisinvest.com, hannahlewismarkets.com, profitpulsepeak.com, parsonexbase.com, parsonexclimax.com, parsonexmarkets.com, arbitragebrokerage.com, corebulltrade.com, finestmarkets.com, eversteadoptions.com, pipsgainhub.com, crestdynamo.com, bullishpeak.com, aitradeteam.com, pipstradelab.com, pipsoptionstrade.com, livingtrades.com, fortunelivemarkets.com, oakvestpro.com, aceofbulls.com, bullishace.com, bullvestpro.com, strativuscapital.com (banking-categorized), zyoracapital.com (banking-categorized), metawealthwatch.com, betamarketwatch.com, bullishclimax.com Caveat: these are domains the vendor pre-registered and published in their own catalog API as candidates for the next round of deployments. They are NOT verified scam fronts at the time of writing, most are still parked. They become fronts when the operator skins them with the BB/PMS/WWW kit. hannahlewismarkets.com appears in this catalog and is currently resolving, but I have not personally confirmed kit-fingerprint match on it. ips: 98.97.77.181 operator real residential IP (AS14593 SpaceX Starlink, Lagos NG, captured via Grabify canary 2026-04-30 21:37:49 UTC, hostname customer.lgosnga1.isp.starlink.com) Note: shared-cloud edge IPs (Render.com 216.24.57.1, Namecheap 192.64.117.192, Cloudflare 172.239.57.117, BACloud 88.119.170.4) are intentionally NOT listed here, because they're shared with thousands of legitimate sites. They appear in case-file prose with their host-provider context. phones: +1 (213) 397-6550 operator SMS relay; US VoIP (TextNow/Bandwidth class), real source geolocates to Lagos NG emails: noreply@coin-front.io (SMTP user, operator outbound) noreply@parsonexmarket.com (SMTP user, operator outbound) usernames: @cory_bates1895 X handle, "Cory Bates", aged 2011, dropped coin-front.io, attributed via canary capture to Lagos NG operator Note: the fabricated "C-suite" names published on parsonexmarket.com (Osvaldo Weimann, Esta Schiller) are randomized output from the JS Faker library, not stable identifiers. They're discussed in prose above but not listed here as IOCs. wallets (coin-front.io itself, advertised on /api/graph): BTC bc1q9nyvdjr2jyxxhx0ea9tf69y6j20ea4l83fd269 (primary, swept) bc1ql8hlfymt889wnxgxvf75rexehktc4fakv34kfg (rotation) ETH 0x0a5659BAf2cF27DC19ea87ddAAbEb651ad3E117e (hot, ETH/USDT/USDC ERC20) 0xF172c996598fdd558BB21D5312B2da99c6844120 (rotation) TRX TYcGojypFj6BwtqYGV7PWmZX8KiH4xakvA (primary, swept) TCJAJ6wVhABtxZfJmFFaCGSzxHA8CpfAJh (rotation, $5,779 received) SOL Azy4rkMjEtipK2mDFiBCdYq8cXM4dvw8bLPZ1qm6vYAS XRP r4uHqWeEFHKKqiqQaGNYKr37UiijUWA4ez DOGE DMdqGNV4qKFsgshRdX75tPCFsWp9Y5hhXJ wallets (other kit-confirmed fronts; selected, full set in /api/graph dumps): crestmarkets.org bc1q6tayfjwdt44tmsruryc2ferry62fu5l8yayrpc (BTC, $426,129 received) 1HV2BNfCeaeQ9c1RsUnnZLLVE6uyQSZWXb (consolidation, next-hop sweep target) fidexexpert.com bc1qzgsxlhq65l3m8lc5yzkrmevtp0qh90vqvkrfju (BTC, $23,282) TUNqd7gyhx6noMetAZLu4ZtrhqBke7ndoB (USDT-TRC20, $16,340) capitaltechpip.net 1P9wocCxnF1QGX71Xa5eWohuba4dr58jYD (BTC, $4,870) 0xE9e02797772381527Fe35776a3871ec4FEE29d43 (ETH-native, $8,183) bitcoincash:qzqdykddz7kyd7eql4s2t3df0f2hsllhsyuqlwm7sw (BCH, $8,452) parsonexmarket.com TYJPhHqtnFv94gWqdWqwoFC9NxH9SqBHNV (USDT-TRC20, $8,147) signalsurge.net bc1qn228waxytzugvm322unp0dyz97t9kzkkx5eg9l (BTC, $3,656) (full corpus: 60+ addresses across 11 chains and 13 fronts, captured 2026-04-30) hashes (kit static-asset fingerprints, match means a host is running the BB kit): zpwa-favicon.ico (33,310 bytes) sha256 6beb02b513f811da0ad2a837f203feffbc6900a552ad23f024e019da3c2526b3 md5 8abbbfe54ff466d05dff7d5ec2ae215c mmh3 -1032583768 (use with `http.favicon.hash:` on Shodan/Censys) broker-bb-2026-04-06.js (1,100,631 bytes; filename rotates each rebuild) sha256 3f76ad861342405b5f0a5059de35bfb2fc880e9748975929083f5cfe2d5a385a md5 427b0c476fa99fa037d026c4549fb124 broker-bb-2026-04-06.css (90,636 bytes) sha256 d952ca796a5c973e632bc7cdf841343a3d845c54061b14639097f0eb836e475d keys (operator-bound 3rd-party service identifiers): 4aeb1fdb9a261fa98524e37134fd905a4ef8e7ce Smartsupp live-chat account ID (parsonexmarket.com, kit-shared) BKt9tSMCKnDEjraPoYp-MpP_th8ivocl9AwuM8-xB550Zl9DPi9au9uFwLQvOSGU8yBkRADsCSboGwBEj-iZkfU VAPID public key for browser-push subscribers (parsonexmarket.com, kit-shared) # kit-default strings (post-login sidebar enumeration, "Sample BB / PMS / WWW" # page titles, the broker-bb-* bundle filename pattern, the "withdrawal_code" # settings field, the kit-default <meta description> "Forex, Stocks, ETFs and # Options - Online Trading Platform", and the kit content-config JSON) are # intentionally NOT listed as stand-alone IOCs. Any of them could plausibly # appear on a legitimate platform and would generate false positives on a # public IOC pivot. They are discussed inline above (Why I am sure...) and # paired with the kit's distinctive hashes, where the combination is what # carries the signal.
I am holding back the BACloud reverse-IP neighbor list. The shared-host neighbors have nothing to do with this scam and burning their reputations would be unfair.
Disclosure trail
In flight as of 2026-04-30:
- X: report
@cory_bates1895for platform manipulation and financial fraud, DM transcript attached. Include the off-platform-pivot pattern (he asks for phone numbers within minutes of the deposit walkthrough) since that's the part X can act on most cleanly. With the Lagos / Starlink attribution captured, the X report becomes hard to dismiss as a borderline case. - VoIP carrier (number
+1 213-397-6550): a CNAM/HLR lookup will identify the upstream US-VoIP carrier (likely Bandwidth, TextNow, or TextFree). Once identified, an abuse complaint with the SMS transcript and the proven Lagos source IP forces the carrier to choose between killing the number and accepting a complicity record. These providers do respond to abuse, slowly. - Starlink: abuse report to
abuse@spacex.comwith the Grabify canary log. Starlink's published abuse policy covers fraud use; response time for residential subscribers is slow, but the report builds the LE-referral package and forces SpaceX to log the customer record for any subsequent subpoena. - IC3 supplemental: the operator-IP pivot is the kind of evidence that materially upgrades an IC3 complaint from a generic crypto-fraud filing to one with an actionable LE handoff. Re-file with the canary log attached.
- PDR Ltd. (registrar of coin-front.io): abuse complaint to
abuse@publicdomainregistry.com, with the cross-deployment IOC list as supporting evidence. - BACloud (frontend host of coin-front.io and several catalog fronts): abuse complaint to
noc@bacloud.com, with the kit-confirmed front list filtered to the BACloud IPs. - Hostinger UAB (registrar of prowebsitesamples.com): abuse complaint to
abuse-tracker@hostinger.com. The catalog itself is exhibit A, the vendor publishes 45 pre-registered scam-themed.comdomains with public categorization, and the API endpoint exposing the catalog (probrokerapis3.com/api/domains) is itself unauthenticated. Hostinger has clearer ToS leverage on the vendor than any registrar has on individual deployed fronts. - Render.com (host of
probrokerapis3.comREST andprobrokersockets-com-god8.onrender.comwebsocket): abuse report toabuse@render.com. Render is the highest-leverage single takedown, losing the REST and websocket layer disables 9+ deployed scam fronts simultaneously, including coin-front.io, parsonexmarket.com, capitaltechpip.net, cryptopalmsmarket.com, deluxepluswealth.com, synergytrades.live, veltrixcapitalpro.com, quorixtrading.com, fidexexpert.com, and rocketstake.net. - Namecheap (host of
probrokerapis2.com, the parallel operator backend): abuse report covering the parallel cluster (bizzyearners.net, crestmarkets.org, fortunelivex.com, solvexcapitallimited.io, signalsurge.net). - Smartsupp: abuse report against account key
4aeb1fdb9a261fa98524e37134fd905a4ef8e7ce(used by parsonexmarket.com and likely shared across the cluster) for chat-bot fraud facilitation. - Wayback Machine: snapshots of
coin-front.io,prowebsitesamples.com/,probrokerapis3.com/api/domains, and the/api/graphresponses from each kit-confirmed front saved. - IC3: a US complaint goes in with the case file attached, including the cross-deployment IOC list.
- Chainabuse / blockchain.com abuse: every leaked deposit address (48+ across 12 fronts) gets a tagging submission so that downstream wallets and exchanges have provenance when funds touch their on-ramps.
I'll update this section with response dates and outcomes; the status badge in the sidebar flips from "still live" to "taken down" when frontend or backend goes dark.
Score, with reasoning
| score | reasoning | |
|---|---|---|
| convincing | 4 / 10 | Aged X persona and patient pacing are good craft. ESL grammar and the 4x-in-3-weeks number wreck it for anyone with a casual prior. For a true beginner, push to a 6. After the canary capture, every claim layered on the Cory persona is now demonstrably fabricated (US area code → Lagos IP, "Cory Bates" headshot → unknown, 2011-aged X handle → bought/compromised), so a target with this case file in hand has zero remaining ambiguity. |
| sophistication | 3 / 10 | Off-the-shelf kit, shared host, no original infra. Interesting tradecraft is the social pacing on X, not the platform. The /api/graph leak is the vendor's mistake. The operator additionally compromised himself by clicking a link from a target's phone on his real residential IP rather than over a VPN, a basic OPSEC fail that is consistent with the Yahoo-Boy operator profile. |
| scalability | 9 / 10 | Adjusted up after the kit-pivot enumeration found at least 12 additional active deployments on at least three operator backends, plus 30+ pre-registered fronts in the vendor catalog awaiting deployment. The vendor sells the kit as a service; the bottleneck is operator headcount for DM funnels, not platform capacity. |
| danger | 8 / 10 | Adjusted up after the on-chain census. The crestmarkets.org BTC wallet alone took $426K in 30 days, single-deposit max $128K, median deposit $7,933, those are scaled household-savings-wipe-out numbers. KYC-IDs also land in /uploads/images/ on a Lithuanian shared host across most deployments. The cash loss recovers slowly and partially; the identity damage does not. The browser-push permission ask is a reinfection vector long after the target leaves the site, and the VAPID key is shared across kit instances. |
If the IC3 / Render / Hostinger reports land in the next 60 days, I'll publish a follow-up case file with the takedown timeline.