Investigation • 5–7 min read

$100K Returned — Malvertising Scam Foiled

Russian scammers impersonated a crypto project via malvertising and stealer malware. We detected the operation, restored wallet access, and returned over $100K. The extra recovered funds were donated to @_SEAL_Org. Below: breakdown, IOCs, and lessons.


Summary

  • Type: Malvertising + Twitter trust-bait + stealer malware
  • Action: Detection ➜ key steps ➜ wallet access restored
  • Impact: $100K+ returned to the victim project
  • Donation: 100% of extra recovered funds sent to @_SEAL_Org (https://twitter.com/_SEAL_Org)
Note: Certain project details and timeline are withheld to avoid tipping off the attacker and to protect potential legal actions.

Attack Breakdown

  1. Impersonation: fake ads and landing pages posed as the project (malvertising).
  2. Traffic: sponsored links + social trust-bait drove victims to the payload.
  3. Payload: stealer exfiltrated sessions, seeds, and wallet data.
  4. Abuse: attempted blackmail with personal data post-theft.
  5. Outcome: wallet access restored; funds returned; further loss prevented.

What We Did

  • Correlated distribution channels and artifacts across ad networks and X/Twitter.
  • Analyzed loader/stealer behavior and network IOCs.
  • Executed wallet recovery steps (operational details redacted).
  • Coordinated notifications with involved parties and partners.

Donation Decision

We’ve stayed independent for years. From the paid stack, the only thing we wanted was URLScan Pro — but after 6+ months without a reply or a path to purchase, it’s clear we don’t need external funding to keep operating. Therefore, the entire donation was passed to @_SEAL_Org (https://twitter.com/_SEAL_Org), a team we collaborate with and share threat intel with, who have supported multiple high-risk cases.

Indicators (IOCs)

  • Domains/URLs: Destroylist (auto-updated) — https://github.com/phishdestroy/destroylist
  • Samples/Hashes: section malvertising-2025-08 — https://github.com/phishdestroy/destroylist
  • Related ASN/infra snapshots — https://urlscan.io/

Lessons Learned

  • Malvertising remains a primary entry to the scam funnel.
  • Trust-bait on social platforms boosts stealer install conversion.
  • Rapid wallet access recovery is critical within the first hours.
Important: Never follow sponsored links to wallets/bridges/airdrops. Verify domains and certificates, use browser isolation, and prefer hardware wallets.
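As an added example (not PhishDestroy's tooling and not code from this write-up), the script below sketches two things the post describes: the cross-channel correlation from "What We Did" (grouping URLs seen in sponsored placements and X posts by registrable domain, then listing domains pushed through more than one channel) and the "verify domains" advice above (vetting each link against an allowlist, a blocklist and a lookalike heuristic). Every domain, record and the blocklist format here is a constructed assumption; a real deployment would load the Destroylist feed and use a public-suffix list instead of the naive two-label cut.

```python
"""Added example: cross-channel URL correlation plus domain vetting.
All domains, records and the blocklist below are constructed."""
import re
from urllib.parse import urlparse

# Hypothetical legitimate domains of the impersonated project (assumption).
LEGIT_DOMAINS = {"example-project.org", "app.example-project.org"}
# Stand-in for a blocklist feed such as Destroylist; one domain per entry
# (format assumed, entries constructed).
BLOCKLIST = {"example-project-airdrop.com"}
URL_RE = re.compile(r"https?://[^\s\"'<>)]+")
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "|": "l"})

def host_of(url: str) -> str:
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower().rstrip(".")

def registrable(host: str) -> str:
    """Naive registrable domain (last two labels); real code uses a PSL."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host

def skeleton(domain: str) -> str:
    """Collapse common look-alike substitutions so confusables compare equal."""
    d = domain.translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")
    return d.replace("-", "")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used as a typosquat check."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lookalike(host: str) -> bool:
    """True if the registrable domain imitates a legitimate project domain."""
    base = registrable(host)
    for legit in LEGIT_DOMAINS:
        lb = registrable(legit)
        if base == lb:
            return False
        if skeleton(base) == skeleton(lb) or edit_distance(base, lb) <= 1:
            return True
        if lb.split(".")[0] in base.split(".")[0]:  # brand label embedded
            return True
    return False

def verdict(url: str) -> str:
    """Classify a link as blocked, allowed, lookalike or unknown (in that order)."""
    host = host_of(url)
    base = registrable(host)
    if host in BLOCKLIST or base in BLOCKLIST:
        return "blocked"
    if host in LEGIT_DOMAINS or base in {registrable(d) for d in LEGIT_DOMAINS}:
        return "allowed"
    if is_lookalike(host):
        return "lookalike"
    return "unknown"

def urls_in(record: dict) -> list:
    """URLs carried by a record: an explicit 'url' field or any found in 'text'."""
    if "url" in record:
        return [record["url"]]
    return URL_RE.findall(record.get("text", ""))

def correlate(records: list) -> dict:
    """Group observations by registrable domain, keeping channels and sources."""
    report = {}
    for rec in records:
        for url in urls_in(rec):
            base = registrable(host_of(url))
            entry = report.setdefault(
                base, {"channels": set(), "sources": [], "verdict": verdict(url)})
            entry["channels"].add(rec["channel"])
            entry["sources"].append(rec["source"])
    return report

def shared_infrastructure(report: dict) -> list:
    """Domains pushed through more than one distribution channel."""
    return sorted(d for d, e in report.items() if len(e["channels"]) > 1)

# Constructed observations: two sponsored placements and two X posts.
RECORDS = [
    {"channel": "ads", "source": "adnet-A", "url": "https://examp1e-project.org/claim"},
    {"channel": "ads", "source": "adnet-B", "url": "https://example-project-airdrop.com/"},
    {"channel": "x", "source": "@bogus_handle",
     "text": "Airdrop is live! https://examp1e-project.org/claim?ref=tw hurry"},
    {"channel": "x", "source": "@community_mod",
     "text": "Official app: https://app.example-project.org/"},
]

if __name__ == "__main__":
    rep = correlate(RECORDS)
    for domain, entry in sorted(rep.items()):
        print(f"{domain:32} {entry['verdict']:10} channels={sorted(entry['channels'])}")
    print("shared across channels:", shared_infrastructure(rep))
```

The ordering in `verdict` matters: a blocklisted domain is reported as blocked even when it would also trip the lookalike heuristic, and an allowlisted host is never re-examined, so the heuristic only fires on domains the feed has not yet seen. Domains that surface in both the ad and social channels are the first candidates for blocklist submission.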

Credits

Thanks to @_SEAL_Org for ongoing support and intel sharing. Together, we burn scam infrastructure faster than they build it.

#OSINT #Malvertising #CryptoSecurity #ThreatIntel #PhishDestroy