Independent · Public · Non-commercial · Since 2019
We are a volunteer threat‑intelligence group. For 5+ years we have disrupted phishing, drainers, and crypto fraud. We detect live threats first, preserve evidence, and coordinate takedowns with hosts, registrars, and AV vendors.
Our approach is simple: when we see an active threat, we move immediately. We don’t wait for victims, lawsuits, or publicity — we act so there are no victims at all. This is our story.
We started with Steam scammers and spammy ads; today our scope is global crypto phishing, drainer networks, and large‑scale fraud operations. We conduct end‑to‑end casework: tracing money on‑chain to real operators, mapping infrastructure, and linking campaigns to specific panels, keys, and code. Our unique insight comes from having seen scams from the inside — not as employees but with full root‑level access to their infrastructure. This gives us an unparalleled edge to preempt new variants quickly.
Our pipeline processes thousands of domains daily through automated scanning, multi-source intelligence, and expert review.
CT logs, DNS registrations, phishing feeds, community reports. Automated classifiers flag threats within minutes.
Search databaseVirusTotal (95 engines), WHOIS/DNS, SSL certs, screenshots, content analysis. Risk scores from 12+ signals.
Scoring methodologySimultaneous reports to registrars, hosts, AV vendors, browser safe-browsing, and community blocklists.
Anatomy of a TakedownTrack each domain until dead. Evidence in web archives. Registrar response varies from hours to weeks.
Impact metricsWe don't just find domains. We trace crypto on-chain, map infrastructure, and connect disparate campaigns to a single source, following the money to the operators.
We've seen scams from the inside. This unparalleled access to drainer panels, phishing kits, and operator infrastructure gives us a unique edge to preempt their next move.
Every site is archived. We preserve crucial artifacts—JS encryption keys, operator IDs—creating an evidence locker for law enforcement and victims to use, no questions asked.
We act so there are no victims. By reporting to over 50 vendors simultaneously, we create a network effect that dismantles scam campaigns before they fully launch. Learn more in our Anatomy of a Takedown guide.
A disproportionate number of crypto-scams originate from a handful of registrars. This is not a coincidence—it's a systemic failure in abuse handling.
When one registrar hosts thousands more malicious domains than competitors, it points to a tolerance for abuse, incompetence, or both. Scammers flock to platforms with the least resistance.
We provide clear evidence to these registrars, giving them the opportunity to meet their ICANN obligations. Our public logs create accountability when they fail to act.
Credibility comes from openness. Every process is documented and verifiable.
Every appeal reviewed within 48 hours. FP rate: <0.01%. No paid delistings.
Submit appealScreenshots, source code, WHOIS snapshots, Wayback archives for every domain.
PolicyWe never accept payment to remove a detection. Integrity is non-negotiable.
AppealsWhy Trust Us — independent, verifiable expertise built over years of frontline threat research.
Research-built, expert-driven defense backed by OSCP, GWAPT, and BTL2 expertise. Supported by 5+ years of active work identifying and tracking scam and phishing threats.
Every profile below is public and independently verifiable.
Open-source threat intelligence tools, blocklists, and investigation logs.
Active phishing URL reporter — thousands of verified submissions.
Community contributor to the PhishTank database.
Threat intelligence pulses shared with the global security community.
ML-ready dataset of 100K+ phishing domains for research and model training.
Real-time threat alerts and investigation updates.
In-depth writeups on phishing infrastructure, drainer panels, and scam economics.
Breaking threat intelligence, takedown announcements, and community engagement.
Do not stay silent. Do not hide what happened. By doing so, you are doing the scammers a favor. Your silence breeds their impunity. More money for them means more attacks, more victims.
For rapid response and professional help in any situation, contact the SEAL 911 team.
Contact SEAL 911The minimum you should do. Share information about the scammer with the world. It's a small step that can help others.
Report to ChainabuseReport the crime to your local police department. This can be done via email or their website. Not reporting is covering for them.
We are not your enemy. We are your free, expert abuse-triage service. Our reports are actionable intelligence, not accusations. We expect you to investigate and act as per your contractual obligations. If your abuse desk is unqualified, that is an internal issue. Requests for video proof or different file formats are intentional delays that help criminals steal more. Act on the comprehensive evidence we provide.
Keep reporting each other. It helps us cluster and neutralize your networks faster. In 5/5 large CIS groups we analyzed, revenue filters skimmed funds from you upstream; you don’t even see 5% of the total take. You are not kings; you are disposable, and victims of your own operators.
Use our data. Collaborate. Stop the next scam before it starts.
Deep-dive investigations into phishing infrastructure, drainer panels, and scam networks.
How a fake Monero wallet stole millions over 10 years through hijacked transactions.
Inside an $8.5M wallet drainer panel — leaked source code and 1,900 chat logs.
Unmasking one of the largest coordinated scam operations with hundreds of domains.
117,000+ domains tracked, 23,000+ reports filed, 72,000+ takedowns coordinated.
Step-by-step walkthrough of how we take down phishing infrastructure.
Tracking down one of the most persistent phishing operators on the internet.
