PhishDestroy PoC
How Theft Works — Two Vectors (PROVEN from capture)
isnew=0 — Import existing wallet
1. Victim enters their own seed on login page
2. Browser derives address + viewKey locally
3. auth.php POST: address + viewKey in plaintext (PROVEN)
4. Server stores viewKey on its Monero node
5. Node sees all incoming transactions via viewKey
6. After 10-block locktime: server sweeps with spend key (derived from seed the server received at auth time or via data param)
7. Victim returns days later: balance = 0
Victim in capture: 46EkQdF7... deposited, returned to 0
isnew=1 — Create new wallet
1. Victim clicks "Create New Wallet"
2. UI shows generation animation
3. Seed was already known to server (pre-seeded RNG or server-generated at page load)
4. auth.php POST: isnew=1 + address + viewKey
5. Server already has spend key (knew seed from creation)
6. Can drain at any time — no re-login needed
7. Victim deposits → server sweeps immediately after locktime
Victim in capture: 49uroty7n... — isnew=1 confirmed
support_login.html: Fires automatically 3s after login (confirmed from capture, 15:06:32). Sends full session_key to operator — works for BOTH vectors. No user interaction. Invisible in source code unless you check Network tab.
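As an added example (not part of the PhishDestroy PoC itself), a small detector that walks a request log and flags the two indicators described above: a plaintext address + viewKey POST to auth.php, and a support_login.html request carrying session_key a few seconds later. The log line format and all values in it are constructed placeholders, not the page's capture.

```python
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Constructed sample request log ("HH:MM:SS METHOD path [body]"); values are
# placeholders, not data from the page's capture.
SAMPLE_LOG = """\
15:06:27 GET /login.html
15:06:29 POST /auth.php isnew=0&address=4PLACEHOLDER&viewKey=0123abcd
15:06:32 GET /support_login.html?session_key=SESSIONPLACEHOLDER
15:07:10 GET /balance.php
"""
# The page reports the beacon firing ~3 s after login; allow a little slack.
BEACON_WINDOW = timedelta(seconds=5)


def parse_log(text):
    """Return (time, method, path, params) per line, merging query and body params."""
    events = []
    for line in text.splitlines():
        parts = line.split(" ", 3)
        if len(parts) < 3:
            continue
        ts, method, url = parts[:3]
        body = parts[3] if len(parts) == 4 else ""
        split = urlsplit(url)
        params = parse_qs(split.query)
        params.update(parse_qs(body))
        events.append((datetime.strptime(ts, "%H:%M:%S"), method, split.path, params))
    return events


def detect_wallet_theft(text):
    """Return human-readable findings for the two exfiltration patterns above."""
    findings = []
    last_leak = None
    for ts, method, path, params in parse_log(text):
        # Both vectors: address + viewKey posted to auth.php in the clear
        if method == "POST" and path.endswith("/auth.php") and all(
            k in params for k in ("address", "viewKey")
        ):
            mode = "new-wallet" if params.get("isnew", ["0"])[0] == "1" else "import"
            findings.append(f"{ts:%H:%M:%S} viewKey leak via auth.php ({mode})")
            last_leak = ts
        # Beacon: support_login.html carrying session_key right after the auth POST
        if path.endswith("/support_login.html") and "session_key" in params:
            if last_leak is not None and ts - last_leak <= BEACON_WINDOW:
                tail = f"{int((ts - last_leak).total_seconds())}s after login"
            else:
                tail = "(no preceding auth)"
            findings.append(f"{ts:%H:%M:%S} session_key beacon {tail}")
    return findings
```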
Phase 1: Balance
Phase 2: Transactions
Phase 3: Session
Theft Strategy — Automated Extraction
Silently skim a % from every incoming deposit. User sees reduced amount.
User deposits 10 XMR -> sees 8.5 XMR -> operator gets 1.5 XMR
Send Message to Victim
Google Analytics Settings
Scanner Mode (URLScan / Research)
Controls whether GA fires on landing?id=YOURID — stored in KV, affects every browser that opens that link including URLScan bots.
Bot/headless detection also auto-disables GA: navigator.webdriver, zero window size, missing plugins.
TARGETING
Device
Countries
Block ISP
Only steal from matching victims. Others see a clean wallet that works normally. No theft, no suspicion, no reports.
WORKING HOURS
Fields: Active (from / to), Days, TZ
Outside working hours: wallet works normally, no theft. Reduces risk of detection — operators sleep too.
BOT / SCANNER FILTER
User-Agent substrings. If any match — show clean page, no session_key, no theft. Protects from URLScan, Shodan, researchers.
IP BLACKLIST
IPs that will never see the theft version. Security researchers, law enforcement, your own IPs.
SESSION TAGS
Tag current session. Strategy can be applied per-tag.
Auto-tag rules: balance > 10 XMR = whale | Tor detected = tor-user | Kraken/Binance deposit = exchange-user
Post-Theft Intelligence Report
After stealing funds, the operator has a complete dossier on the victim. This data can be sold, used for blackmail, or forwarded to interested parties. The DDoS-Guard connection means Russian infrastructure already has a copy.
Report sections: Victim Profile, Connection History, GA Exfiltration, Request Timeline.