Investigation • 5–7 min read

$100K Returned — Malvertising Scam Foiled

Russian scammers impersonated a crypto project via malvertising and stealer malware. We detected the operation, restored wallet access, and returned over $100K. The extra recovered funds were donated to @_SEAL_Org. Below: breakdown, IOCs, and lessons.


Summary

  • Type: Malvertising + Twitter trust-bait + stealer malware
  • Action: Detection ➜ key steps ➜ wallet access restored
  • Impact: $100K+ returned to the victim project
  • Donation: 100% of extra recovered funds sent to @_SEAL_Org (https://twitter.com/_SEAL_Org)
Note: Certain project details and timeline are withheld to avoid tipping off the attacker and to protect potential legal actions.

Attack Breakdown

  1. Impersonation: fake ads and landing pages posed as the project (malvertising).
  2. Traffic: sponsored links + social trust-bait drove victims to the payload.
  3. Payload: stealer exfiltrated sessions, seeds, and wallet data.
  4. Abuse: attempted blackmail with personal data post-theft.
  5. Outcome: wallet access restored; funds returned; further loss prevented.

What We Did

  • Correlated distribution channels and artifacts across ad networks and X/Twitter.
  • Performed stealer malware analysis on loader behavior and network IOCs.
  • Executed wallet recovery steps (operational details redacted).
  • Coordinated notifications with involved parties and partners.

Donation Decision

We've stayed independent for years. From the paid stack, the only thing we wanted was URLScan Pro — but after 6+ months without a reply or a path to purchase, it's clear we don't need external funding to keep operating. Therefore, the entire donation was passed to @_SEAL_Org (https://twitter.com/_SEAL_Org), a team we collaborate with and share threat intel with, who have supported multiple high-risk cases.

Indicators (IOCs)

  • Domains/URLs: Destroylist (auto-updated) — https://github.com/phishdestroy/destroylist
  • Samples/Hashes: section malvertising-2025-08 — https://github.com/phishdestroy/destroylist
  • Related ASN/infra snapshots — https://urlscan.io/
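The Destroylist above is meant to be consumed as a blocklist. The script below is an added example, not PhishDestroy's code, showing how a defender can screen URLs harvested from sponsored ads or social posts against such a list: hosts are normalized (lowercase, trailing dot stripped, Unicode labels converted to punycode) and matched along parent domains, so case tricks, trailing dots or lookalike Unicode labels cannot slip past an exact-string comparison. The list entries and URLs are constructed for illustration, and the assumption that the published list is a flat collection of hostnames is mine, not stated on this page.

```python
"""Screen URLs against a hostname blocklist (added example, not PhishDestroy's code).

Assumption: the blocklist is a flat collection of hostnames (not documented here).
SAMPLE_BLOCKLIST is constructed for illustration; a real run would load the
published Destroylist instead.
"""
from typing import Iterable, Optional, Set
from urllib.parse import urlsplit

# Constructed sample entries. The odd casing, trailing dot and punycode form
# are deliberate, to show that normalization makes them comparable.
SAMPLE_BLOCKLIST = [
    "example-airdrop-claim.invalid",
    "Wallet-Bridge-Login.INVALID.",
    "xn--exmple-bridge-xyz.invalid",
]


def normalize_host(host: str) -> str:
    """Lowercase, drop a trailing dot, and convert Unicode labels to punycode."""
    host = host.strip().rstrip(".").lower()
    try:
        # ASCII labels pass through unchanged; non-ASCII labels become xn-- labels.
        return host.encode("idna").decode("ascii")
    except UnicodeError:
        # Malformed labels (empty, over-long) are kept as-is rather than dropped.
        return host


def load_blocklist(entries: Iterable[str]) -> Set[str]:
    """Build a set of normalized hostnames from raw list entries."""
    return {normalize_host(e) for e in entries if e.strip()}


def sample_blocklist() -> Set[str]:
    return load_blocklist(SAMPLE_BLOCKLIST)


def host_of(url: str) -> Optional[str]:
    """Extract and normalize the host of a URL; tolerate scheme-less input."""
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname
    return normalize_host(host) if host else None


def matching_entry(url: str, blocklist: Set[str]) -> Optional[str]:
    """Return the blocklist entry covering the URL's host, or None.

    The host and each of its parent domains (down to, but excluding, the bare
    TLD) are tested, so a listed apex domain also catches its subdomains.
    """
    host = host_of(url)
    if not host:
        return None
    labels = host.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def triage(urls: Iterable[str], blocklist: Set[str]) -> dict:
    """Map each URL to the entry that flagged it (None when clean)."""
    return {u: matching_entry(u, blocklist) for u in urls}


if __name__ == "__main__":
    # Constructed URLs of the kind pulled from sponsored results and replies.
    seen = [
        "https://cdn.example-airdrop-claim.invalid/claim",
        "WALLET-BRIDGE-LOGIN.INVALID./",
        "https://legit-project.invalid/",
    ]
    for url, hit in triage(seen, sample_blocklist()).items():
        print(f"{'BLOCK' if hit else 'ok   '} {url}  <- {hit}")
```

Feed it the URLs collected from ad landing pages and trust-bait replies; anything flagged is a candidate for takedown reporting and for blocking at the proxy or DNS resolver.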

Lessons Learned

  • Malvertising remains a primary entry to the scam funnel. Our threat detection and response workflow identified the malvertising IOCs within hours of deployment.
  • Trust-bait on social platforms boosts stealer install conversion.
  • Rapid wallet recovery within the first hours is critical to successful threat detection and response.
Important: Never follow sponsored links to wallets/bridges/airdrops. Verify domains and certificates, use browser isolation, and prefer hardware wallets.

Credits

Thanks to @_SEAL_Org for ongoing support and intel sharing. Together, we burn scam infrastructure faster than they build it.

#OSINT #Malvertising #CryptoSecurity #ThreatIntel #PhishDestroy

Transparency notice. PhishDestroy is a non-commercial, volunteer-driven project. Our research may reflect an inherent bias against scam infrastructure and the services that enable it. We encourage readers to evaluate all material critically and independently.