{
	"id": "55e0d908-42a0-4905-bda4-89a396cc5530",
	"created_at": "2026-04-06T00:19:02.16641Z",
	"updated_at": "2026-04-10T03:36:22.960002Z",
	"deleted_at": null,
	"sha1_hash": "5d95d4772027d47a96eda3a55540bcd87f20455a",
	"title": "CryptoChameleon: New Phishing Tactics Exhibited in FCC-Targeted Attack",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 976888,
	"plain_text": "CryptoChameleon: New Phishing Tactics Exhibited in FCC-Targeted Attack\r\nBy Lookout\r\nPublished: 2024-02-29 · Archived: 2026-04-05 14:05:09 UTC\r\nSummary:\r\nLookout recently discovered an advanced phishing kit exhibiting novel tactics to target cryptocurrency platforms\r\nas well as the Federal Communications Commission (FCC) via mobile devices. Following the tactics of groups\r\nlike Scattered Spider, this kit enables attackers to build carbon copies of single sign-on (SSO) pages, then use a\r\ncombination of email, SMS, and voice phishing to trick the target into sharing usernames, passwords, password\r\nreset URLs and even photo IDs from hundreds of victims, mostly in the United States.\r\nEmployees targeted at\r\nFederal Communications Commission (FCC)\r\nBinance\r\nCoinbase\r\nCryptocurrency users at\r\nBinance\r\nCoinbase\r\nGemini\r\nKraken\r\nShakePay\r\nCaleb \u0026 Brown\r\nTrezor\r\nEmail, Password management, and Single sign-on services\r\nLastPass\r\nAOL\r\nGmail\r\niCloud\r\nOkta\r\nOutlook\r\nTwitter\r\nYahoo\r\nhttps://www.lookout.com/threat-intelligence/article/cryptochameleon-fcc-phishing-kit\r\nPage 1 of 32\n\nTactics and Flow of the FCC Phishing Site\r\nLookout first flagged this phishing kit when our automated analysis discovered a suspicious new domain\r\nregistration that matched a common format used by Scattered Spider, as mentioned in a recent warning by CISA. \r\nThe domain in question was fcc-okta[.]com, which is only a single character different from the legitimate FCC\r\nOkta Single Sign On (SSO) page.\r\nThis phishing kit first asks the victim to complete a captcha using hCaptcha. This is a novel tactic that prevents\r\nautomated analysis tools from crawling and identifying the phishing site. 
It may also give the illusion of\r\ncredibility to the victim, as typically only legitimate sites use captcha.\r\nUpon visiting the site, the user is asked to confirm they are human.\r\nOnce the captcha is completed, the login page mimics the FCC’s legitimate Okta page.\r\nA very good replica of the official Okta page for the targeted organization.\r\nUpon providing their credentials, the victim can be sent to wait, sign in, or be asked for the MFA token.\r\nThe victim is sent to a “loading” page to wait after entering their credentials.\r\nUnlike typical phishing kits, which attempt to harvest credentials as quickly as possible, this one seems to be\r\naware of modern security controls organizations have put in place such as MFA.\r\nLookout researchers saw that there is an administrative console that the operator uses to monitor the phishing\r\npage. While we were unable to directly access this console, we were able to access its JavaScript and CSS and piece\r\ntogether much of its functionality. Each time a victim visited the page and entered information, we observed that\r\na new row was populated on a table. Once the victim enters their username and password, the admin is able to\r\nselect from a long list of options of where to send them next. 
\r\nThe attacker likely attempts to log in using these credentials in real time, then redirects the victim to the\r\nappropriate page depending on what additional information is requested by the MFA service the attacker is trying\r\nto access. For example, they can be redirected to a page that asks for their MFA token from their authenticator app\r\nor a page requesting an SMS-based token.\r\nThe operator can choose various customizable pages to send the victim to next.\r\nIn some cases, when selecting an option, the operator will be prompted to provide more detailed information back\r\nto the victim. For example, when sending an SMS-based MFA token, the operator can provide the last digits of the\r\nvictim’s actual phone number and customize whether the page should ask the victim for a 6-digit or 7-digit code to\r\nmake it feel more legitimate.\r\nThe operator is prompted to customize the phishing page in real time by providing the last 2 digits\r\nof the phone number and selecting whether the victim should be asked for a 6- or 7-digit token.\r\nNext, the operator would attempt to log in using the one-time password (OTP) token provided. At that point, the\r\noperator can direct the victim to any page, such as the real Okta sign-in page, or a specific page with messages\r\ncustomized to different scenarios. 
For example, we found a page that tells the victim that their account is under\r\nreview and to try to log in later at a time specified by the operator.\r\nThe operator would be asked to select a date when sending the victim to a page telling them their\r\naccount was being reviewed.\r\nWhile we were tinkering with the FCC Okta phishing site, the site was taken down and replaced with a racial slur.\r\nBroader Phishing Kit Analysis\r\nWe were also able to investigate the phishing kit, which gave us additional insight into targets and tactics used.\r\nThe kit contains numerous references to cryptocurrency platforms and SSO services. While the version of the kit\r\ntargeted at the FCC impersonates the FCC’s specific Okta page by default, the kit is able to impersonate many\r\ndifferent companies’ brands.\r\nThe screenshot above displays this phishing kit’s ability to impersonate Coinbase.\r\nBased on the phishing site characteristics, Lookout researchers were able to identify other websites using this\r\nphishing kit. Most of the websites use a subdomain of official-server[.]com as their C2, in addition to others listed\r\nat the bottom of this report. We also found Okta impersonation pages targeting employees of Binance and\r\nCoinbase, but the majority of the sites seemed targeted at users of cryptocurrency and SSO services. Coinbase is\r\nthe most-frequently targeted service. Since February 21, some of the newly registered phishing domains use\r\nsubdomains of a new C2, original-backend[.]com.\r\nLookout researchers have also been able to gain ephemeral access to the backend logs, where we noted\r\nconsistently high quality of the stolen credentials. 
Typically, when accessing a phishing site’s data, it is filled with\r\njunk data that is obviously not someone’s real email address or password. However, a high percentage of the\r\ncredentials collected by these sites look like legitimate email addresses, passwords, OTP tokens, password reset\r\nURLs, photos of driver’s licenses and more. The sites seem to have successfully phished more than 100 victims,\r\nbased on the logs observed. Many of the sites are still active and continue to phish for more credentials each\r\nhour.\r\nSome noteworthy files in the phishing kit include:\r\n/js/consts.js contains the URL for the command and control (C2) server\r\n/js/init.js contains the client-side logic for redirecting the victim and collecting the phished data\r\n/css/ contains the style sheets for impersonating the sites\r\nThe phishing websites have been deployed on various hosting networks. In November and December of 2023,\r\nHostwinds and Hostinger were the cybercriminals’ main choice of networks. However, in January and February of\r\n2024, most of the sites were hosted on RetnNet in Russia on IP 213.178.155[.]194. In general, it looks like sites\r\nhosted on RetnNet remain online longer compared to other hosting networks. This IP was active until February 17,\r\nafter which the cybercriminals moved to new IP 185.12.127[.]233 on QWARTA LLC hosting services. On\r\nFebruary 22, the cybercriminals moved to another IP 81.94.159[.]46 on OOO Westcall Ltd.\r\nDelivery Mechanisms Observed\r\nWe were also able to speak directly with some victims, and in doing so we were able to ascertain that a\r\ncombination of phone calls and text messages was used to encourage the victim to complete the process. In one\r\nscenario, a victim received an unsolicited phone call that spoofed a real company’s customer support line. The\r\nperson on the other end of the line was the threat actor, but sounded like a member of the support team from that\r\ncompany. 
They informed the victim that their account had been hacked, but that they would help them recover the\r\naccount.  While the victim was on the phone with the threat actor, they were sent a text message that linked them\r\nto the phishing page.\r\nA text message provided by a victim, where they were alerted their account had been hacked (it had\r\nnot) and to click on a phishing link to recover it.\r\nWhile still on the phone with the victim, the threat actor encouraged them and helped them complete the steps. As\r\na way to build credibility and trust, the actor consistently noted that the allegedly unauthorized device accessing\r\nthe account was in Salt Lake City, Utah. This was mentioned in the text message, the phone call and on the\r\nphishing page itself (which is customizable to display different device types or locations). 
\r\nThe phishing kit contains specific references to the story being told to the victim on the phone and\r\nvia text messages.\r\nWhen directing the victim to the page above, the operator can select the device type and location to\r\nbe displayed on the page.\r\nWhen we asked victims to describe the person on the other end of the line, they characterized them as sounding\r\n“American”, “well spoken”, and “had professional call-center communication skills”.\r\nWe believe that the combination of high quality phishing URLs, login pages that perfectly match the look and feel\r\nof the legitimate sites, a sense of urgency, and consistent connection through SMS and voice calls is what has\r\ngiven the threat actors so much success stealing high quality data.\r\nSifting through the logs, the majority of victim data that looks legitimate comes from iOS and Android devices,\r\nwhich indicates the attack is primarily targeted at mobile devices. The vast majority of the victims are in the US.\r\nAttribution\r\nThis attack follows similar techniques as Scattered Spider – in particular impersonation of Okta, registration of\r\ndomains using companyname-okta.com, and homoglyph swapping. An example of homoglyph swapping would be\r\nswitching capital Is and lowercase Ls to make AcmeInc.com (with a capital I) look identical to Acmelnc.com\r\n(with a lowercase L substituted for the capital I). One domain that is used (binance-okta[.]com) has been known\r\nin the past to be affiliated with Scattered Spider.\r\nDespite the similarities to Scattered Spider, there are enough differences to indicate that this is likely not being\r\noperated by that group. 
For example, despite the URLs and spoofed pages looking similar to what Scattered\r\nSpider might create, there are significantly different capabilities and C2 infrastructure within the phishing kit. This\r\ntype of copycatting is common amongst threat actor groups, especially when a series of tactics and procedures\r\nhave had so much public success.\r\nIt is unknown whether this is a single threat actor or a common tool being used by many different groups. \r\nHowever, there are many similarities in the backend C2 servers and test data our team found across the various\r\nphishing sites. \r\nProtection\r\nBased on similarities and similar infrastructure of previous attacks, Lookout customers have been protected\r\nagainst these phishing sites since before we identified this threat actor in January 2024. We have continued to\r\ntrack the general behaviors and techniques used to ensure protection against additional sites that use this kit and\r\nwill continue to update protections through automated means as necessary. 
\r\nIndicators of Compromise\r\nCommand and Control servers\r\nPhishing websites\r\nSource: https://www.lookout.com/threat-intelligence/article/cryptochameleon-fcc-phishing-kit",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.lookout.com/threat-intelligence/article/cryptochameleon-fcc-phishing-kit"
	],
	"report_names": [
		"cryptochameleon-fcc-phishing-kit"
	],
	"threat_actors": [
		{
			"id": "9ddc7baf-2ea7-4294-af2c-5fce1021e8e8",
			"created_at": "2023-06-23T02:04:34.386651Z",
			"updated_at": "2026-04-10T02:00:04.772256Z",
			"deleted_at": null,
			"main_name": "Muddled Libra",
			"aliases": [
				"0ktapus",
				"Scatter Swine",
				"Scattered Spider"
			],
			"source_name": "ETDA:Muddled Libra",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "7da6012f-680b-48fb-80c4-1b8cf82efb9c",
			"created_at": "2023-11-01T02:01:06.643737Z",
			"updated_at": "2026-04-10T02:00:05.340198Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"Scattered Spider",
				"Roasted 0ktapus",
				"Octo Tempest",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "MITRE:Scattered Spider",
			"tools": [
				"WarzoneRAT",
				"Rclone",
				"LaZagne",
				"Mimikatz",
				"Raccoon Stealer",
				"ngrok",
				"BlackCat",
				"ConnectWise"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c3b908de-3dd1-4e5d-ba24-5af8217371f0",
			"created_at": "2023-10-03T02:00:08.510742Z",
			"updated_at": "2026-04-10T02:00:03.374705Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"UNC3944",
				"Scattered Swine",
				"Octo Tempest",
				"DEV-0971",
				"Starfraud",
				"Muddled Libra",
				"Oktapus",
				"Scatter Swine",
				"0ktapus",
				"Storm-0971"
			],
			"source_name": "MISPGALAXY:Scattered Spider",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "1a76ed30-4daf-4817-98ae-87c667364464",
			"created_at": "2022-10-25T16:47:55.891029Z",
			"updated_at": "2026-04-10T02:00:03.646466Z",
			"deleted_at": null,
			"main_name": "IRON LIBERTY",
			"aliases": [
				"ALLANITE ",
				"ATK6 ",
				"BROMINE ",
				"CASTLE ",
				"Crouching Yeti ",
				"DYMALLOY ",
				"Dragonfly ",
				"Energetic Bear / Berserk Bear ",
				"Ghost Blizzard ",
				"TEMP.Isotope ",
				"TG-4192 "
			],
			"source_name": "Secureworks:IRON LIBERTY",
			"tools": [
				"ClientX",
				"Ddex Loader",
				"Havex",
				"Karagany",
				"Loek",
				"MCMD",
				"Sysmain",
				"xfrost"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d093e8d9-b093-47b8-a988-2a5cbf3ccec9",
			"created_at": "2023-10-14T02:03:13.99057Z",
			"updated_at": "2026-04-10T02:00:04.531987Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"0ktapus",
				"LUCR-3",
				"Muddled Libra",
				"Octo Tempest",
				"Scatter Swine",
				"Scattered Spider",
				"Star Fraud",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "ETDA:Scattered Spider",
			"tools": [
				"ADRecon",
				"AnyDesk",
				"ConnectWise",
				"DCSync",
				"FiveTran",
				"FleetDeck",
				"Govmomi",
				"Hekatomb",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"Lumma Stealer",
				"LummaC2",
				"Mimikatz",
				"Ngrok",
				"PingCastle",
				"ProcDump",
				"PsExec",
				"Pulseway",
				"Pure Storage FlashArray",
				"Pure Storage FlashArray PowerShell SDK",
				"RedLine Stealer",
				"Rsocx",
				"RustDesk",
				"ScreenConnect",
				"SharpHound",
				"Socat",
				"Spidey Bot",
				"Splashtop",
				"Stealc",
				"TacticalRMM",
				"Tailscale",
				"TightVNC",
				"VIDAR",
				"Vidar Stealer",
				"WinRAR",
				"WsTunnel",
				"gosecretsdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e424a2db-0f5a-4ee5-96d2-5ab16f1f3824",
			"created_at": "2024-06-19T02:03:08.062614Z",
			"updated_at": "2026-04-10T02:00:03.655475Z",
			"deleted_at": null,
			"main_name": "GOLD HARVEST",
			"aliases": [
				"Octo Tempest ",
				"Roasted 0ktapus ",
				"Scatter Swine ",
				"Scattered Spider ",
				"UNC3944 "
			],
			"source_name": "Secureworks:GOLD HARVEST",
			"tools": [
				"AnyDesk",
				"ConnectWise Control",
				"Logmein"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6355663f-1a27-4a08-879a-89bc3cf2cd63",
			"created_at": "2026-02-04T02:00:03.712015Z",
			"updated_at": "2026-04-10T02:00:03.953324Z",
			"deleted_at": null,
			"main_name": "CryptoChameleon",
			"aliases": [
				"UNC5356"
			],
			"source_name": "MISPGALAXY:CryptoChameleon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434742,
	"ts_updated_at": 1775792182,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5d95d4772027d47a96eda3a55540bcd87f20455a.pdf",
		"text": "https://archive.orkl.eu/5d95d4772027d47a96eda3a55540bcd87f20455a.txt",
		"img": "https://archive.orkl.eu/5d95d4772027d47a96eda3a55540bcd87f20455a.jpg"
	}
}