{
	"id": "a4a7af52-6f76-4baa-8221-2def8fb24565",
	"created_at": "2026-04-06T00:14:04.131834Z",
	"updated_at": "2026-04-10T13:12:21.560235Z",
	"deleted_at": null,
	"sha1_hash": "ea1eba30f6a36c6a42792cbf334a0b2caa5a43c0",
	"title": "Silent Push Unwraps the AIZ—Aggressive Inventory Zombies—Retail \u0026 Crypto Phishing Network Campaign",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 9418388,
	"plain_text": "Silent Push Unwraps the AIZ—Aggressive Inventory Zombies—Retail \u0026\r\nCrypto Phishing Network Campaign\r\nBy Peggy Kelly\r\nPublished: 2024-12-11 · Archived: 2026-04-05 14:25:20 UTC\r\nKey Findings\r\nExecutive Summary\r\nSign up for a free Silent Push Community account\r\nBackground on AIZ Retail Targeting\r\nInitial Intelligence Gathering\r\nExpanding Beyond “Etsy” Sites into Other Brands\r\nTargeting Multiple Retailers\r\nSearching 1,300 Brand Names\r\nAmateur Monetization Efforts Across the “Aggressive Inventory Zombies” Network – Phishing Chats with Out-of-Office Sellers\r\n“AML Check” Cryptocurrency Phishing from AIZ Threat Actor\r\n“Input Pass Code” Phishing Sites\r\n“MBN” Crypto Phishing Sites\r\nPantera Exchange Crypto Phishing Campaign\r\n“Exness” Crypto Phishing\r\n“Moomoo Financial” Phishing Campaign\r\nAliexpress Targeting Pivots into Larger Retail Phishing\r\nBitcoin Targeting Pivots into Larger Crypto Phishing Campaign\r\nContinuing to Track the AIZ Retail and Crypto Phishing Campaigns\r\nAdditional information\r\nMitigation\r\nRegister for Community Edition\r\nIndicators of Future Attacks (IOFAs)\r\nKey Findings\r\nSilent Push Threat Analysts have been tracking the activity of a threat actor we’ve dubbed “Aggressive Inventory Zombies”\r\n(AIZ) throughout 2024, which has been noticeably ramping up over the past few months.\r\nOur observations of a few suspicious domains impersonating Etsy led to the discovery of a large-scale phishing and pig-butchering network targeting retail brands and a crypto phishing campaign.\r\nThe retail phishing campaign extends beyond Etsy – taking aim at major retailers and marketplaces, including but not\r\nlimited to Amazon, BestBuy, eBay, Wayfair, and more.\r\nThe threat actor has been building phishing websites using a popular website template and integrating chat services\r\nfor its phishing activities.\r\nThe threat actor behind this retail campaign is also targeting crypto audiences, and the 
scale of the sites in this\r\nnetwork proves it is a substantial effort.\r\nSilent Push Threat Analysts received a substantial source of pivots for this network by collaborating on takedown\r\nefforts of some related campaign infrastructure with Stark Industries. They shared several dozen other IPs with us\r\nthat the threat actor had been using, which helped us flesh out the full extent of these malicious campaigns.\r\nOur research can confirm the threat actor has some financial ties to India.\r\nExecutive Summary\r\nSilent Push Threat Analysts recently observed a few suspicious domains appearing to impersonate the e-commerce company\r\nEtsy—something we initially thought was timely for the 2024 holiday season. Further investigation, however, led us to\r\nuncover a large-scale phishing campaign and a crypto phishing network.\r\nWe found that the retail phishing campaign extends beyond Etsy and targets major retailers, including, but not limited to,\r\nAmazon, BestBuy, eBay, Rakuten, Wayfair, and more.\r\nThe threat actor has been using a popular website template to build phishing websites and appears to primarily conduct\r\nphishing activities over chat services integrated into the sites. Based on some sensitive details acquired when testing the\r\nphishing process on retail sites, our team can confirm that the threat actor has some financial ties to India.\r\nIt’s clear that the threat actor behind this AIZ retail campaign is also targeting crypto audiences, and the scale of the sites in\r\nthis network proves this is a substantial effort.\r\nhttps://www.silentpush.com/blog/aiz-retail-crypto-phishing/\r\nPage 1 of 20\n\nThis blog’s research will begin with our understanding of the AIZ retail network and then provide additional context about\r\nthe crypto sites and other infrastructure we found.\r\nSilent Push Enterprise users have access to two dedicated IOFA Feeds containing all the true positive domains and IPs we\r\ngathered during our research.\r\nFor operational security reasons, we are unable to share the exact specifics of each query and pivot utilized. Silent Push\r\nEnterprise customers have access to a dedicated AIZ Retail \u0026 Crypto Phishing Network TLP: Amber report, which\r\ncontains all the relevant data types and pivot points we used to track the infrastructure referenced in this blog.\r\nRegister for our free Community Edition to use all of the tools and queries mentioned in this blog.\r\nBackground on AIZ Retail Targeting\r\nSilent Push Threat Analysts have been tracking a threat actor’s activity throughout 2024 that has been noticeably ramping up\r\nover the past few months. Our discovery of its large-scale phishing campaign began with our researchers observing\r\nsuspicious domains appearing to impersonate Etsy.\r\nExtending beyond Etsy, the phishing campaign targets major retailers and marketplaces, including, but not limited to,\r\nAmazon, BestBuy, Costco, eBay, Rakuten, and Wayfair.\r\nThe threat actor has been using a popular website template with nearly 9,000 sales, available for purchase publicly on\r\nEnvato, to build its retail phishing sites. These sites feature dozens to hundreds of products that appear to have been scraped\r\nfrom other sites. Searching the exact title of products in popular search engines exposed additional websites in the threat\r\nactor’s network.\r\nThe threat actor appears to be primarily conducting its phishing activity over chat services integrated into the websites, with\r\nsome sites not having working checkout systems. Based on some sensitive details acquired when testing the phishing\r\nprocess, our team can confirm this threat actor has financial ties to India.\r\nAs the Silent Push Threat Analyst Team dug deeper into the activities of the AIZ retail phishing network, we discovered the\r\nthreat actor is also targeting crypto audiences. We researched reused metadata to find a huge pool of crypto phishing sites\r\ntargeting Binance, Kraken, and a variety of other generic crypto brands.\r\nAfter completing our initial research and starting the process of alerting impacted organizations, we requested a takedown of\r\nsome domains hosted on Stark Industries (AS44477). Within half an hour, Stark had not only taken down the offending host\r\nbut was also able to connect the account that had registered that IP to 34 other IPs, some of which hosted similar retail\r\nphishing websites but also several new groupings of crypto phishing websites. This Stark lead also allowed us to pivot into\r\neven more of their infrastructure.\r\nTargeted brands include:\r\nEtsy\r\nAllegro\r\nAliExpress\r\nAmazon\r\nASOS\r\nBestBuy\r\neBay\r\nCostco\r\nFlipkart\r\nRakuten\r\nShopee\r\nTemu\r\nTikTok\r\nWayfair\r\nWish\r\nInitial Intelligence Gathering\r\nWhile reviewing recently registered domains, Silent Push Threat Analysts found a few appearing to impersonate the official\r\nEtsy store, a popular e-commerce company that specializes in the sale of handmade/vintage goods and craft supplies.\r\nEtsy impersonations registered in early November 2024\r\nWe found a short list of six domains, all targeting Etsy:\r\netsyappstoreglobal[.]com (live page – 13Nov)\r\netsyappstoreglobal[.]xyz (live page – 13Nov)\r\netsyshopinr[.]com (live page – 13Nov)\r\netsyvipinr[.]com (live page – 13Nov)\r\netsyclubvip[.]xyz\r\netsyappstorevip[.]xyz\r\nThe Silent Push app found a live site, etsyappstoreglobal[.]com, targeting Etsy\r\nThe six domains appearing to target Etsy were mapped to 2.56.178[.]87 – and four live sites all utilize the same theme:\r\nLive site: etsyvipinr[.]com, targeting Etsy\r\nLive site: etsyappstoreglobal[.]com, targeting Etsy\r\nLive site: etsyappstoreglobal[.]xyz, targeting Etsy\r\nExpanding Beyond “Etsy” Sites into Other Brands\r\nWhile doing the initial investigation, Silent Push Threat Analysts realized the Etsy-targeted sites all shared a website theme\r\nand some common code. We began to look for potential pivots.\r\nTargeting Multiple Retailers\r\nWe experimented with our research by performing Silent Push Web Scanner queries on Amazon, BestBuy, and eBay in the\r\nfollowing examples:\r\nAmazon:\r\namazon-ecommerce-shop[.]com\r\namazon-ecommerce-shop[.]com\r\nBestBuy:\r\nvnbestbuy[.]store\r\neBay:\r\nebay-i[.]shop\r\nebaymerchant[.]xyz\r\nSearching 1,300 Brand Names\r\nAfter spot-checking approximately 1,300 brands, starting with Etsy and then searching Amazon, BestBuy, eBay, and many\r\nmore, we gathered a list of true positive hits in this phishing network, including but not limited to Etsy, Allegro, AliExpress,\r\nAmazon, ASOS, BestBuy, eBay, Costco, Flipkart, Rakuten, Shopee, Temu, TikTok, Wayfair, and Wish.\r\ncross-borderstore[.]com – TK-Store (TikTok store)\r\nAmateur Monetization Efforts Across the “Aggressive Inventory Zombies” Network –\r\nPhishing Chats with Out-of-Office Sellers\r\nThe threat actor’s malicious websites feature products that appear to have been scraped from other sites. Searching for the\r\nexact title of products in popular search engines exposes more websites in the network. These websites feature dozens (to\r\nhundreds) of products that could show up on specific search results.\r\nOne example is a Google shopping search for the term “Fashion Women’s PU Leather Handbags Tote Purse Crossbody\r\nMessenger Satchel Bags” that results in:\r\nSearch for “Fashion Women’s PU Leather Handbags Tote Purse Crossbody Messenger Satchel Bags”\r\nThe “Contact Info” on the Etsy sites includes a real Etsy phone number but a fake email address such as\r\n“etsys6151@gmail[.]com.”\r\nAdditional emails used by this network include:\r\ncskhEbay8686@gmail[.]com\r\nmiravia88888@gmail[.]com\r\naisellemall@gmail[.]com\r\nPayment methods on the sites include crypto and methods of payment not accepted at Etsy:\r\nMethods of payment are not those actually accepted by Etsy\r\nOn some sites in the network, navigating to a product and then adding it to the cart starts the purchase process, which leads\r\nto a checkout page with three payment options: PayPal, “Cash on Delivery,” or Tether/(USDT) cryptocurrency:\r\nPurchase checkout flow on etsyappstoreglobal[.]com\r\nWhen attempting to test this purchase flow on etsyappstoreglobal[.]com, the PayPal option wasn’t available, the “Cash on\r\nDelivery” option provided no details, and the Tether option didn’t have a wallet ID to send the money. The website was\r\nusing a chat widget from crisp[.]chat, a French company founded in 2015.\r\nWhen we reviewed another store in the network, ai-tiktok[.]top, we uncovered different purchase options. The “Customer\r\nService” option includes what appears to be an effort to obtain a bank account number and routing details—essentially a\r\nchecking account phishing effort.\r\nai-tiktok[.]top checkout page with a checking account phishing effort\r\nThe same site, ai-tiktok[.]top, has an option for “USDT” (Tether) that appears to have a wallet address of\r\n“THNjjnCzxyiMrzhm6mrn36wLhUe2raoS4k” which appears to be a wallet containing only about $30. It’s unclear if this is\r\nthe real threat actor’s wallet or if a generic one was embedded here.\r\nai-tiktok[.]top checkout page\r\nThe menu bar on this ai-tiktok[.]top TikTok site features a prominent “Online Customer Service” link that redirects to\r\nchat.ssrchat[.]com/service and a unique chat session ID.\r\nOnline Customer Service tab highlighted on ai-tiktok[.]top\r\nOn the TikTok Shop ai-tiktok[.]top, the site’s “Online Customer Service” redirected our researchers to\r\nchat.ssrchat[.]com/service, and this is where customer support finally chimed in:\r\nChat via chat.ssrchat[.]com\r\nChat via chat.ssrchat[.]com (continued)\r\nChat via chat.ssrchat[.]com (continued)\r\nThe support staff asked us, “When you are browsing the product, do you see the store information about the merchant?”\r\nThis was alluding to a subtle “Contact the Merchant” link that can be easily overlooked:\r\n“Contact Merchant” link on ai-tiktok[.]top\r\nClicking the “Contact the merchant” button opens a chat widget to communicate with the “seller account” – as seen in this\r\nshort video:\r\nai-tiktok[.]top features a video on how to “Contact the Merchant”\r\nWhile hosting a seemingly inefficient phishing process on at least some of the websites, this network seems to operate like a\r\ncommon e-commerce phishing network.\r\nOn this same TikTok site, the option to “Register Your Shop” includes a request for the front/back of an ID card, which\r\ncould be part of an effort to acquire credentials:\r\n“Register Your Shop” option on ai-tiktok[.]top\r\nCustomer Support on Malicious TikTok Shop via Chinese Chat Tool\r\nThe menu bar on the ai-tiktok[.]top TikTok site features a prominent “Online Customer Service” link that redirects to\r\nchat.ssrchat[.]com/service and a unique chat session ID.\r\nIn this support portal, the threat actors communicated with website visitors, directing them on how to continue (in the scam).\r\nWhenever Silent Push Analysts find a service like this, we always work to confirm whether the threat actors have built a\r\ncustomer support tool or if they are using a third-party resource.\r\nAfter a brief investigation, our analysts confirmed ssrchat[.]com is a Chinese customer support tool called “SaleSmartly.”\r\nssrchat[.]com is a Chinese customer support tool called “SaleSmartly”\r\nThe ssrchat[.]com website lists numerous Chinese companies using the platform, which appears to be a popular choice for\r\ncertain Chinese organizations. In the footer of the website is a Chinese ID known as an “ICP license”—this “Internet\r\nContent Provider license” is required for most Chinese businesses on the mainland that send data through the Great Firewall.\r\nThe ICP license number for ssrchat[.]com is listed in their footer as “20046039”:\r\nssrchat[.]com ICP license\r\nTo learn about vendors this network is using, we used the Silent Push Web Scanner to find other organizations with the same\r\nICP license number.\r\nWe found 21 unique hosts with matching data. The results include one domain, standard-software[.]cn, that claims to own\r\nSaleSmartly and several other products, including adspower[.]net.\r\nIt appears the threat actor creating countless e-commerce phishing sites is using a Chinese “chat widget” product from a\r\ncompany with a product called AdsPower, which is a browser for ban evasion and managing multiple social media accounts.\r\nWe could spend time requesting takedowns of these likely phishing accounts abusing the ssrchat[.]com service, but knowing\r\nmore about the parent company and confirming they don’t have any clear way to report abuse helps us save time. We\r\nchanged our focus from takedown efforts to hosts, registrars, and third-party products being used that are more likely to\r\nsupport takedowns.\r\nBulk Pricing on Product Phishing Sites – Potential Business Targeting\r\nAcross this network, there are some sites spoofing Amazon, such as amazonprime[.]id, designed to offer products only via\r\nbulk purchase with a minimum of 500 units, so the minimum purchase price is nearly $75,000 – this could be a mistake and\r\na potential way to find more of their sites:\r\nExample of bulk product purchase requirements on amazonprime[.]id\r\nAIZ Websites Heavily Featuring “Live Chat” Widgets for Phishing\r\nWhile analyzing the initial pools of domains, along with additional domains found via the pivots below, it’s clear this\r\nnetwork heavily uses “Live Chat” widgets. Most of the sites appear to use “Message Seller” and “Contact the Merchant”\r\nlinks on product pages, and many of them also have additional chat widgets from third-party companies embedded into the\r\npages.\r\nOutside of the sites using the Chinese chat widget from SaleSmartly, many appear to be using “Crisp” chat from\r\ncrisp[.]chat.\r\nAnother grouping of sites from this network, like wayfairmy[.]cc, which targets Wayfair, uses livechat[.]com.\r\nOur team reached out to Crisp Chat and Live Chat to share details and encourage them to investigate and potentially ban\r\nthese clients.\r\nWithin hours of our report, Crisp Chat significantly escalated the research, banned the client, and took additional steps to\r\nlook for any other sites where the threat actors were using their service. Our team at Silent Push thanks the Crisp Chat team\r\nfor their prompt and serious response.\r\nWe are still waiting for feedback from Live Chat and will update the report if/when it arrives.\r\nStark Industries / PQ Hosting Takedown Uncovers More Infrastructure from this Threat Actor\r\nAs part of the Silent Push commitment to collaborating with hosts, our team sent an initial lead to Stark Industries (stark-industries[.]solutions) about one of the IPs in this network hosting these domains, which was registered through the Stark\r\nIndustries service.\r\nOur initial IP shared with Stark Industries was taken down in less than half an hour, and they were able to conduct an\r\ninvestigation and take down even more infrastructure associated with this same account and threat actor – sending us a total\r\nof 34 new IPs, which provided deeper insight into the AIZ threat actor infrastructure.\r\n“AML Check” Cryptocurrency Phishing from AIZ Threat Actor\r\nThrough our reporting process to web host Stark Industries, we were given an IP used by this threat actor, 45.144.30[.]184,\r\nto which the domain aml-check-wallet[.]com mapped.\r\nPerforming a Web Scanner query confirmed that this domain used consistent metadata, which allowed us to pivot into\r\nseveral dozen other domains/hosts with the same content as the original source.\r\nThe cryptocurrency phishing sites in this network look like the example below:\r\nExample of cryptocurrency phishing sites in this network: amlguards[.]com\r\n“Input Pass Code” Phishing Sites\r\nOne of the IP ranges shared by Stark Industries included 45.144.31[.]235 which has an odd grouping of sites hosted on it –\r\nseveral have the classic “shopping” structure like vipmydealshopgo[.]xyz, but others such as store-joo[.]org, group-joo[.]org,\r\nand global-joom[.]org have hosted pages that may have led to unique phishing or pig-butchering experiences. One site had a\r\n“Please Input Pass Code” message, which raises questions about the purpose of these sites:\r\nOne site, group-joo[.]org, displayed a “Please Input Pass Code” message\r\n“MBN” Crypto Phishing Sites\r\nOne of the IPs shared by Stark Industries that this threat actor was using briefly hosted a site, “haiwaidemosite[.]com,” with\r\nthe HTML title “MBN” in October 2024.\r\nA huge pool of these crypto phishing sites can be found via reused metadata on the sites – targeting Binance, Kraken, and a\r\nvariety of other generic crypto brands.\r\nExample site in the network: exchangeaaa[.]xyz\r\nPantera Exchange Crypto Phishing Campaign\r\nOn an IP shared with us by Stark Industries, there are domains such as “pantera-exchange[.]com” with the HTML title\r\n“Pantera-Exchange.”\r\nThese sites look nearly identical to the “MBN” phishing sites, and there are hundreds of unique results with the same\r\nmetadata targeting crypto audiences:\r\nAnother example of a nearly-identical site in the phishing network: pammvip[.]com\r\n“Exness” Crypto Phishing\r\nFrom another IP shared by Stark Industries, we can pivot into a small grouping of domains, such as klo-ok[.]cc.\r\nThis website had similar metadata to other new sites in the network, and by creating a proprietary query, we can pivot into\r\nabout a dozen unique hosts. The results include an IP that has a live “crypto investment” website in Mandarin, albeit with\r\nsomewhat broken functionality.\r\nThis IP has a live “crypto investment” website in Mandarin\r\n“Moomoo Financial” Phishing Campaign\r\nAnother IP shared by Stark Industries used by this threat actor is connected to a grouping of websites that look similar,\r\nincluding:\r\nm2stock[.]net\r\nmioiocapitald[.]com\r\nmoomoccapital[.]com\r\nWhile these sites now all appear to be down, at one point, they looked like this example:\r\nThe sites looked similar to msostock[.]net in the phishing network\r\nAliexpress Targeting Pivots into Larger Retail Phishing\r\nAnother IP taken down by Stark used by this threat actor is connected to domains like spsailexpsess[.]com, which appear to\r\nbe targeting Aliexpress.\r\nThis site has unique indicators, resulting in hundreds of additional retail phishing sites being discovered.\r\nBitcoin Targeting Pivots into Larger Crypto Phishing Campaign\r\nOne IP taken down and shared by Stark connects to a pool of websites targeting Bitcoin and other crypto tokens – likely for\r\na phishing or pig-butchering scam.\r\nThese sites include:\r\nbitcoin-contract[.]vip\r\ncoinworld-online-exchange[.]cc\r\nLike many of this threat actor’s websites and campaigns, the site templates are unique and are being reused across the sites.\r\nAs a result, we can find hundreds of crypto phishing efforts targeting major brands and what appear to be made-up\r\ncrypto brands via this template.\r\nContinuing to Track the AIZ Retail and Crypto Phishing Campaigns\r\nSilent Push threat researchers will continue to observe and monitor changes to this actor’s infrastructure. New discoveries\r\nand TTP changes will be immediately reflected in our feeds.\r\nWe will also continue to share our research on threats like this with law enforcement. If you have any tips about this threat\r\nactor or other kinds of retail and crypto phishing scams, please consider sharing those details with our team.\r\nAdditional information\r\nWe’re continuing to track the AIZ Retail \u0026 Crypto Phishing Network’s activity and will report our findings to the security\r\ncommunity in a series of follow-up reports.\r\nWe’ve also published a TLP: Amber report for Enterprise users that contains links to the specific queries we’ve used to\r\nidentify and traverse the AIZ Retail \u0026 Crypto Phishing Network—including proprietary queries that we’ve omitted from\r\nthis blog for operational security reasons.\r\nMitigation\r\nSilent Push believes all AIZ Retail \u0026 Crypto Phishing Network domains offer some level of risk.\r\nOur analysts have constructed a Silent Push IOFA Feed that provides a partial list of AIZ Retail \u0026 Crypto Phishing\r\nNetworks Indicators of Future Attack domains focused on their scams, along with an IOFA Feed containing suspect AIZ\r\nRetail \u0026 Crypto Phishing Network IPs.\r\nSilent Push IOFA Feeds are available as part of an Enterprise subscription. Enterprise users can ingest IOFA Feed data
Enterprise users can ingest IOFA Feed data\r\ninto their security stack to inform their detection protocols or use it to pivot across attacker infrastructure using the Silent\r\nPush Console and Feed Analytics screen.\r\nSilent Push Community Edition is a free threat-hunting and cyber defense platform featuring a range of advanced\r\noffensive and defensive lookups, web content queries, and enriched data types.\r\nClick here to sign up for a free account.\r\nIndicators of Future Attacks (IOFAs)\r\nHere is a sample list of AIZ Retail \u0026 Crypto Phishing Network IOFAs – our full list is available for enterprise users.\r\nSilent Push Enterprise clients have access to a domain and IP feed containing the AIZ Retail \u0026 Crypto Phishing Networks’\r\ninfrastructure:\r\nadspower[.]net\r\nai-tiktok[.]top\r\namazon-ecommerce-shop[.]com\r\namazonprime[.]id\r\naml-check-wallet[.]com\r\namlguards[.]com\r\nappstoreetsy[.]vip\r\nbitcoin-contract[.]vip\r\nchillivipstore[.]com\r\ncoinworld-online-exchange[.]cc\r\ncrisp[.]chat\r\ncross-borderstore[.]com\r\nebay-i[.]shop\r\nebaymerchant[.]xyz\r\ne-box[.]vip\r\netsy[.]one\r\netsyappstoreglobal[.]com\r\netsystore[.]org\r\netsyme[.]com\r\netsyoou[.]icu\r\netsyvipclub[.]xyz\r\nexchangeaaa[.]xyz\r\nglobal-joom[.]org\r\ngroup-joo[.]org\r\nhaiwaidemosite[.]com\r\nhaiwaisite666[.]com\r\ninretsyvipclubapp[.]com\r\njd-shopvnvip[.]top\r\njngfhjiu56u7[.]top\r\nklo-ok[.]cc\r\nlivechat[.]com\r\nluxury-collection[.]cc\r\nm2stock[.]net\r\nmgciscoin[.]co\r\nmidjornieyskilload[.]com\r\nmiravia88888@gmail[.]com\r\nmkgmailgo[.]com\r\nmoomoccapital[.]com\r\nmsostock[.]net\r\nofficialjunglee[.]com\r\nozatchenum[.]com\r\npammvip[.]com\r\npantera-exchange[.]com\r\nsnaspshopping[.]com\r\nspsailexpsess[.]com\r\nssrchat[.]com\r\nhttps://www.silentpush.com/blog/aiz-retail-crypto-phishing/\r\nPage 19 of 
20\n\nstandard-software[.]cn\r\nstore-joo[.]org\r\ntik-tokvnshop[.]net\r\nvipetsyappshop[.]cc\r\nvnbestbuy[.]store\r\nwayfairmy[.]cc\r\nxbtce-exchange[.]xyz\r\nSource: https://www.silentpush.com/blog/aiz-retail-crypto-phishing/\r\nhttps://www.silentpush.com/blog/aiz-retail-crypto-phishing/\r\nPage 20 of 20",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.silentpush.com/blog/aiz-retail-crypto-phishing/"
	],
	"report_names": [
		"aiz-retail-crypto-phishing"
	],
	"threat_actors": [
		{
			"id": "5eeccfdf-4e14-4b11-b1f2-2f7614f1ebe2",
			"created_at": "2024-12-21T02:00:02.855516Z",
			"updated_at": "2026-04-10T02:00:03.788016Z",
			"deleted_at": null,
			"main_name": "Aggressive Inventory Zombies",
			"aliases": [
				"AIZ"
			],
			"source_name": "MISPGALAXY:Aggressive Inventory Zombies",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434444,
	"ts_updated_at": 1775826741,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ea1eba30f6a36c6a42792cbf334a0b2caa5a43c0.pdf",
		"text": "https://archive.orkl.eu/ea1eba30f6a36c6a42792cbf334a0b2caa5a43c0.txt",
		"img": "https://archive.orkl.eu/ea1eba30f6a36c6a42792cbf334a0b2caa5a43c0.jpg"
	}
}