DomainTools Threat Intelligence has exposed a sprawling cybercrime operation that uses a single infrastructure to power multiple cryptocurrency theft schemes, blending fake AI-powered investment platforms, phishing browser extensions, and fraudulent mobile apps to drain victims’ wallets.
The investigation connects websites such as medaigenesis[.]cc, novacrypt[.]net, and zzztd[.]com, all hosted on the same IP address: 8.221.100[.]222 — an Alibaba Cloud server in Asia that served as a “one-stop hosting hub” for cryptocurrency scams.
The campaign, which DomainTools calls a “Cryptocurrency Drain Conspiracy,” operates through a cluster of scam websites sharing infrastructure, registrar, and design patterns.
Each site poses as a legitimate tech startup or trading platform but hides code that tricks users into connecting their crypto wallets, installing malicious profiles, or submitting exchange credentials — all leading to instant asset theft.
“These scams range from browser extension popups and iPhone configuration profile traps to fraudulent web trading apps, all of which are backed by clever social engineering.”
One of the campaign’s most deceptive fronts is medaigenesis[.]cc, a fake healthcare DAO project calling itself “MedAI Genesis.” The site claims to combine blockchain, NFTs, and AI 5.0 for “personalized health management” and “on-chain biometric governance.”
But beneath its futuristic design, MedAI Genesis is a wallet drainer in disguise.

“Styled as ‘MedAI Genesis,’ the site promotes itself as the future of personalized health management… But under the hood, this is a scam in a lab coat.”
The page mimics Trust Wallet’s Chrome extension (ID: egjidjbpglichdcondbcbdnbeeppgdph) by copying its CSS, fonts, and UI to present a fake “Connect Wallet” popup. Clicking “Connect” triggers malicious JavaScript that authorizes the attacker to drain tokens directly from the user’s wallet.
“Clicking ‘Connect’ does not trigger a secure wallet handshake… the site can hide code that makes your wallet approve a dangerous transaction. It may look like you are just connecting, but if you click approve, the scammer could get permission to take your money.”
Even more insidiously, the phishing site references chrome-extension:// URLs (which only resolve when the matching extension is installed and exposes those files to web pages) to load Binance-style fonts and Trust Wallet branding, further fooling users into believing the connection request is legitimate.
“Once a victim signs the malicious transaction, the attacker has the permissions needed to siphon cryptocurrency assets at will. This is a classic wallet drain; a convincing façade powered by copied CSS and branding, but with the theft executed entirely by malicious JavaScript.”
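The "Connect" click described above ends in an ordinary ERC-20 approve() or ERC-721 setApprovalForAll() call rather than a wallet handshake. The following is an added example, not code from the DomainTools report or from Trust Wallet, showing how a wallet-side pre-signing check can decode such calldata and flag unlimited allowances to an unknown spender; the selectors are the standard ones, and the sample transactions and spender address are constructed.

```python
# Standard ERC-20 / ERC-721 function selectors: the first four bytes of
# keccak256 of the canonical signature.
APPROVE = bytes.fromhex("095ea7b3")               # approve(address,uint256)
SET_APPROVAL_FOR_ALL = bytes.fromhex("a22cb465")  # setApprovalForAll(address,bool)
UINT256_MAX = 2**256 - 1

def _address(word: bytes) -> str:
    # ABI-encoded addresses are left-padded to 32 bytes; the address is the low 20.
    return "0x" + word[12:32].hex()

def inspect_calldata(data_hex: str, trusted_spenders: frozenset = frozenset()) -> dict:
    """Classify a transaction's calldata before the user is asked to sign it."""
    data = bytes.fromhex(data_hex[2:] if data_hex.startswith("0x") else data_hex)
    sel, args = data[:4], data[4:]
    if sel == APPROVE and len(args) >= 64:
        amount = int.from_bytes(args[32:64], "big")
        if amount == 0:                      # allowance revocation, harmless
            return {"kind": "approve", "risk": "none"}
        result = {"kind": "approve", "spender": _address(args[:32]),
                  "unlimited": amount == UINT256_MAX}
    elif sel == SET_APPROVAL_FOR_ALL and len(args) >= 64:
        granted = int.from_bytes(args[32:64], "big") == 1
        if not granted:                      # operator revocation, harmless
            return {"kind": "setApprovalForAll", "risk": "none"}
        # Operator approval covers every token of the collection: always "unlimited".
        result = {"kind": "setApprovalForAll", "spender": _address(args[:32]),
                  "unlimited": True}
    else:
        return {"kind": "other", "risk": "none"}
    if result["spender"].lower() in trusted_spenders:
        result["risk"] = "low"
    else:
        result["risk"] = "high" if result["unlimited"] else "medium"
    return result

# Constructed samples (not captured from the campaign): an unlimited approve to an
# arbitrary spender, an NFT operator grant, and a plain transfer(address,uint256).
SPENDER = "11" * 20
UNLIMITED_APPROVE = "0x095ea7b3" + "00" * 12 + SPENDER + "ff" * 32
OPERATOR_GRANT = "0xa22cb465" + "00" * 12 + SPENDER + "00" * 31 + "01"
PLAIN_TRANSFER = "0xa9059cbb" + "00" * 12 + SPENDER + "00" * 31 + "64"

if __name__ == "__main__":
    for name, calldata in [("approve", UNLIMITED_APPROVE),
                           ("operator", OPERATOR_GRANT), ("transfer", PLAIN_TRANSFER)]:
        print(name, inspect_calldata(calldata))
```

A wallet that surfaces "unlimited allowance to 0x1111… requested by a page that said it was only connecting" gives the user the one fact the copied CSS is designed to hide.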
Another arm of the operation targets iPhone users with a malicious Apple configuration profile (.mobileconfig) distributed from novacrypt[.]net — a site posing as a new “Novacrypt Crypto Trading App.”

“Another facet of this scam nexus targets mobile users, especially iPhone owners, by distributing a malicious Apple configuration profile (.mobileconfig) that masquerades as a new cryptocurrency trading app called Novacrypt.”
Instead of installing a real app, victims add a WebClip shortcut labeled “Novacrypt” that opens h5.novacryptmax[.]com, a phishing site mimicking a crypto exchange login page.
The .mobileconfig payload is carefully designed to appear legitimate — complete with a base64-encoded app icon and Let’s Encrypt-style digital signature, which makes the installation look “verified.”
“The profile includes a base64-encoded icon image to make the WebClip resemble a legitimate app logo… It was digitally signed, likely with a self-issued certificate, showing the lengths to which the scammers go to make the profile appear verified.”
Once users enter their credentials, the information is immediately sent to the attacker, who can then drain funds from connected wallets or exchange accounts.
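A .mobileconfig is just a property list (optionally wrapped in a CMS signature), so the WebClip trick above can be triaged without installing the profile. The following is an added example, not code from the DomainTools report, that parses a constructed sample profile (not the real Novacrypt payload) with the standard library, lists every managed WebClip's label and target URL, and flags the traits the article describes: an embedded icon, full-screen launch, and a non-removable clip.

```python
import plistlib

# Constructed sample profile: one managed WebClip that labels itself like an
# app but only opens a login page. The icon is a PNG header, base64-encoded.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadDisplayName</key><string>Novacrypt</string>
  <key>PayloadRemovalDisallowed</key><true/>
  <key>PayloadContent</key><array><dict>
    <key>PayloadType</key><string>com.apple.webClip.managed</string>
    <key>Label</key><string>Novacrypt</string>
    <key>URL</key><string>https://login.example.invalid/</string>
    <key>IsRemovable</key><false/>
    <key>FullScreen</key><true/>
    <key>Icon</key><data>iVBORw0KGgo=</data>
  </dict></array>
</dict></plist>"""

def triage_profile(raw: bytes) -> dict:
    """Summarise a .mobileconfig: is it signed, and what do its WebClips do?"""
    # A signed profile is a CMS/PKCS#7 DER blob (first byte 0x30), not XML.
    # Unwrap it first, e.g.: openssl smime -inform DER -verify -noverify -in p.mobileconfig
    if raw[:1] == b"\x30":
        return {"signed": True, "webclips": [], "findings": ["signed: unwrap CMS first"]}
    profile = plistlib.loads(raw)
    report = {"signed": False, "display_name": profile.get("PayloadDisplayName"),
              "webclips": [], "findings": []}
    if profile.get("PayloadRemovalDisallowed"):
        report["findings"].append("profile removal disallowed")
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.webClip.managed":
            continue
        icon = payload.get("Icon", b"")
        clip = {"label": payload.get("Label"), "url": payload.get("URL"),
                "full_screen": bool(payload.get("FullScreen")),
                "removable": payload.get("IsRemovable", True),
                "icon_is_png": icon[:8] == b"\x89PNG\r\n\x1a\n"}
        report["webclips"].append(clip)
        if clip["full_screen"]:
            report["findings"].append(f"{clip['label']}: full-screen WebClip hides the address bar")
        if icon:
            report["findings"].append(f"{clip['label']}: embedded icon imitates a native app")
        if not clip["removable"]:
            report["findings"].append(f"{clip['label']}: WebClip marked non-removable")
    return report

if __name__ == "__main__":
    print(triage_profile(SAMPLE_PROFILE))
```

The URL field is the only thing that matters for blocking: a "trading app" whose WebClip points at a freshly registered domain is a phishing shortcut, regardless of how legitimate the icon or signature looks.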
The third component of the operation is zzztd[.]com, which presents itself as a web-based cryptocurrency trading platform but secretly contains malicious JavaScript linked to known Android Trojans.

“At first glance, zzztd[.]com appears to be a cryptocurrency trading web application. However, buried in its code are suspicious scripts that suggest it may be stealing data or loading malware in the background.”
Researchers found that the page loads two scripts — chunk-vendors.f0dabee900057778.js and app.46e5246269e54881.js — with deferred execution. While the code appeared clean to antivirus scanners, behavioral analysis revealed connections to an external C2 domain: anedhaude[.]xyz, which was also linked to a malicious APK sample (“ioeai.apk”).
“A VirusTotal scan… revealed that this script tried to contact a suspicious domain, anedhaude[.]xyz. Further investigation uncovered an Android Trojan sample that also communicated with anedhaude[.]xyz.”
This indicates that zzztd[.]com and the Trojan share infrastructure, making it likely that users interacting with the fake trading dashboard were either phished or served malware masquerading as mobile apps.
All three scam domains — medaigenesis[.]cc, novacrypt[.]net, and zzztd[.]com — are tied to the same IP address (8.221.100[.]222) hosted on Alibaba Cloud.
This infrastructure also hosted additional domains like ewnai[.]com (a fake AI startup) and n58[.]bet (a fraudulent gaming site), all registered via Gname.com Pte. Ltd.
“The investigation found that all these seemingly disparate scams were hosted on a single IP address… Most of these domains were registered through the same registrar, reinforcing that they are controlled by the same actor or group.”
DomainTools’ passive DNS data shows the cluster has been active since at least April 2025, with activity continuing into August 2025, demonstrating an ongoing multi-themed, multi-vector fraud network.