
Full Source Code, Hardcoded Secrets, and Ten Crypto Wallets: Inside the CRPX0 Ransomware-as-a-Service Operation

An open directory exposes a complete crypto theft + ransomware suite with operator Telegram, hardcoded API secrets, and AI-generated ransom art

Published April 3, 2026

Twelve minutes after @malwrhunterteam tweeted a domain with a shrug emoji and a screenshot of a multilingual login page, we had the operator's complete source code, their Telegram handle, their hardcoded API secrets, ten cryptocurrency wallet addresses, and the full architecture of a three-component malware suite that combines clipboard hijacking, seed phrase theft, and ransomware.

The domain fanonlyatn[.]xyz hosts an open directory. The operator forgot to disable directory listing on their /files/ and /files/old/ paths. Everything they built was sitting there for download.

Three Tools, One Operator

The CRPX0 suite is a complete cryptocurrency theft operation with a ransomware fallback:

1. CRPX0 Crypto Clipper (v1.1.py)

A clipboard hijacker that monitors the victim's clipboard for cryptocurrency addresses and silently replaces them with attacker-controlled wallets. When a victim copies a Bitcoin address to paste into a transaction, the clipper swaps it for the operator's address. The transaction goes to the attacker instead.

Supported currencies: Bitcoin (three address formats -- Legacy, SegWit, Bech32), Ethereum, Tron, Dogecoin, Litecoin, Solana, XRP, and Bitcoin Cash. Ten currencies, ten wallet addresses hardcoded in the source.

The clipper also includes BIP39 seed phrase detection. If a victim copies a 12- or 24-word recovery phrase -- the master key to their entire crypto portfolio -- the clipper captures and exfiltrates it immediately.

2. CRPX0 Seed Finder (finder2.py)

A dedicated file scanner that searches every document on the victim's system for cryptocurrency wallet recovery phrases. It reads text files, documents, notes, and any file that might contain a human-readable seed phrase. Found phrases are exfiltrated to the C2 server.

This is the fallback for victims who don't copy-paste their seed phrases. If the clipper doesn't catch it in real-time, the finder will locate it on disk.

3. CRPX0 Ransomware (crypter.py)

Cross-platform file encryption using Fernet (AES-128-CBC with HMAC-SHA256). Encrypted files receive the .crpx0 extension. On Windows, the ransomware deletes Volume Shadow Copies to prevent recovery. Ransom notes are generated in three languages -- English, Russian, and Chinese -- matching the panel's language options.

The ransomware is the final monetization layer. If clipboard hijacking and seed phrase theft don't generate revenue, the operator encrypts the victim's files and demands payment.

The Open Directory

The /files/ directory contained the complete operational toolkit:

  • Full Python source code for all three CRPX0 components
  • Seven macOS Gatekeeper bypass builder scripts (AppleScript dialogs, native C binaries, PKG installers, encrypted DMG vaults)
  • FedEx fake shipping document lures (tracking number 7945 6821 0349 2)
  • "50 working OnlyFans accounts" social engineering bait
  • Stealth loader with hardcoded password pass2021#

The /files/old/ directory contained previous versions -- the operator's development history, preserved for anyone to study.

Hardcoded Secrets

The panel's source code contains credentials in plaintext:

  • Dashboard API secret: 26i$MyYe@r
  • Stealth loader password: pass2021#
  • Ten cryptocurrency wallet addresses for BTC, ETH, TRX, DOGE, LTC, SOL, XRP, BCH

The API secret could allow authenticated access to the panel's management functions. The wallet addresses are the operator's direct financial infrastructure -- reportable to exchanges for freezing.

The Operator

  • Telegram: @DataBreachPlus
  • Email: databreachplus@proton[.]me
  • qTox ID: extracted from panel source
  • Language: Russian-speaking (Russian ransom notes, Russian backup C2 domains)
  • AI usage: GPT-4 provenance metadata (Truepic C2PA signature) embedded in the ransomware wallpaper image -- the ransom note graphic was generated with ChatGPT

Infrastructure

The primary domain fanonlyatn[.]xyz sits behind Cloudflare. But the operator also configured three Russian backup C2 domains that are NOT behind Cloudflare:

Domain                 IP                   Provider
caribb[.]ru            31[.]31[.]198[.]206  REG.RU (Russian registrar)
mekhovaya-shuba[.]ru   31[.]31[.]198[.]206  REG.RU
beboss34[.]ru          31[.]31[.]198[.]206  REG.RU

All three resolve to the same REG.RU shared hosting IP. These are the real C2 servers -- the Cloudflare-fronted domain is just the panel interface. The backup domains reveal the operator's actual hosting infrastructure.

mekhovaya-shuba translates from Russian as "fur coat" -- the kind of personal detail that suggests these domains were registered from the operator's existing registrar account, not through operational security-conscious infrastructure provisioning.

The AI-Generated Ransom Note

The ransomware wallpaper contains Truepic C2PA provenance metadata identifying it as generated by ChatGPT/GPT-4. The operator used AI to create their ransom demand graphic. This is a minor but notable detail -- threat actors are using generative AI for operational content, and the provenance metadata they don't know about becomes an attribution artifact.
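As an added example (not code from the report or from the CRPX0 operator), the Python below shows how an analyst can check an image for the kind of C2PA provenance manifest that gave this attribution clue: C2PA stores its manifest as a JUMBF box tree, which PNG carries in a caBX chunk (JPEG carries the same boxes in APP11 segments). The sample PNG, its zeroed UUID and the claim_generator value are constructed placeholders; a real check would normally go through the official c2patool.

```python
import json
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def _png_chunk(ctype, data):
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def _jumbf_box(btype, payload):
    return struct.pack(">I", 8 + len(payload)) + btype + payload

def build_sample_png():
    """Constructed 1x1 PNG with a caBX chunk holding a minimal JUMBF manifest store.
    The 16-byte UUID is zeroed as a placeholder, not the real C2PA UUID."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    jumd = _jumbf_box(b"jumd", b"\x00" * 16 + b"\x03" + b"c2pa\x00")  # toggles: requestable + label
    claim = _jumbf_box(b"json", b'{"claim_generator": "ChatGPT (placeholder)"}')
    manifest = _jumbf_box(b"jumb", jumd + claim)
    return (PNG_SIG + _png_chunk(b"IHDR", ihdr) + _png_chunk(b"caBX", manifest)
            + _png_chunk(b"IDAT", zlib.compress(b"\x00\x00")) + _png_chunk(b"IEND", b""))

def _png_chunks(data):
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = 8
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        yield ctype, data[pos + 8:pos + 8 + length]
        pos += 12 + length

def c2pa_info(data):
    """Walk every caBX chunk; return (JUMBF labels, claim_generator values) found."""
    labels, generators = [], []
    for ctype, body in _png_chunks(data):
        if ctype != b"caBX":
            continue
        pos = 0
        while pos + 8 <= len(body):
            length, btype = struct.unpack(">I4s", body[pos:pos + 8])
            if btype == b"jumb":            # superbox: descend instead of skipping it
                pos += 8
                continue
            payload = body[pos + 8:pos + length]
            if btype == b"jumd" and len(payload) > 17 and payload[16] & 0x02:
                labels.append(payload[17:payload.index(b"\x00", 17)].decode("ascii"))
            elif btype == b"json":
                generators.append(json.loads(payload).get("claim_generator"))
            pos += max(length, 8)
    return labels, generators
```

A "c2pa" label plus a claim_generator naming an AI tool is exactly the sort of artifact worth recording alongside the other operator indicators.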

Indicators of Compromise

Network Indicators

  • fanonlyatn[.]xyz (panel + open directory)
  • caribb[.]ru (backup C2)
  • mekhovaya-shuba[.]ru (backup C2)
  • beboss34[.]ru (backup C2)
  • 31[.]31[.]198[.]206 (REG.RU shared hosting -- true C2)

Operator Indicators

  • Telegram: @DataBreachPlus
  • Email: databreachplus@proton[.]me
  • Panel API secret: 26i$MyYe@r

File Indicators

  • .crpx0 extension on encrypted files
  • 19 sample hashes in full report

Cryptocurrency Wallets (10 addresses for blockchain monitoring/freezing)

All wallet addresses are listed in the full report for submission to exchanges and blockchain analysis platforms.

Detection

Five YARA rules and twelve Suricata signatures are available on our GitHub:

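As an added illustration of the endpoint-side detection logic behind the behaviours this report describes (this is not the YARA or Suricata rule set and is not the operator's code), the Python below flags shadow copy deletion, bursts of renames to .crpx0, and DNS lookups of the backup C2 domains. The event shape and the sample events are constructed; thresholds are assumptions to tune per environment.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style events (not telemetry from the report); "ts" is seconds.
SAMPLE_EVENTS = [
    {"ts": 100, "host": "ws01", "type": "process",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": 101, "host": "ws01", "type": "file_rename", "path": r"C:\Users\a\Documents\q1.xlsx.crpx0"},
    {"ts": 101, "host": "ws01", "type": "file_rename", "path": r"C:\Users\a\Documents\notes.txt.crpx0"},
    {"ts": 103, "host": "ws01", "type": "file_rename", "path": r"C:\Users\a\Pictures\cat.jpg.crpx0"},
    {"ts": 200, "host": "ws02", "type": "dns", "query": "beboss34.ru."},
    {"ts": 300, "host": "ws03", "type": "file_rename", "path": r"C:\Users\b\archive.crpx0"},
    {"ts": 301, "host": "ws03", "type": "process", "cmdline": "vssadmin.exe list shadows"},
]

# Defanged domains from the report, refanged for matching against DNS telemetry.
C2_DOMAINS = {"fanonlyatn.xyz", "caribb.ru", "mekhovaya-shuba.ru", "beboss34.ru"}
SHADOW_DELETE = re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I)
RANSOM_EXT = ".crpx0"
RENAME_THRESHOLD = 3   # .crpx0 renames on one host within RENAME_WINDOW seconds (assumed)
RENAME_WINDOW = 60

def detect(events):
    """Return a list of (host, alert_name) tuples for CRPX0-like activity."""
    alerts = []
    renames = defaultdict(list)
    for e in events:
        if e["type"] == "process" and SHADOW_DELETE.search(e.get("cmdline", "")):
            alerts.append((e["host"], "shadow_copy_deletion"))
        elif e["type"] == "dns" and e["query"].lower().rstrip(".") in C2_DOMAINS:
            alerts.append((e["host"], "crpx0_c2_dns:" + e["query"].lower().rstrip(".")))
        elif e["type"] == "file_rename" and e["path"].lower().endswith(RANSOM_EXT):
            renames[e["host"]].append(e["ts"])
    # Sliding window: alert once per host when enough .crpx0 renames land close together.
    for host, stamps in renames.items():
        stamps.sort()
        for i, start in enumerate(stamps):
            if len([t for t in stamps[i:] if t - start <= RENAME_WINDOW]) >= RENAME_THRESHOLD:
                alerts.append((host, "crpx0_mass_rename"))
                break
    return alerts
```

A single stray .crpx0 file or a read-only `vssadmin list shadows` stays below the bar; the combination of deletion plus a rename burst on one host is the high-confidence signal.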

UPDATE: TwizAdmin Panel Mapped

A second @malwrhunterteam tip -- 103[.]241[.]66[.]238:1337 labeled "TwizAdmin" -- turned out to be the management panel for this same operation. The FastAPI /docs endpoint was publicly exposed with full Swagger API schema.

Additional capabilities confirmed via the panel:

  • Infostealer module: Discord tokens, Telegram sessions, Chrome v20 cookies, Opera/OperaGX data, Steam/Minecraft credentials, 2FA backup codes, screenshots
  • Infrastructure timeline extended: beboss34[.]ru dates to July 2025 -- this operation has been running for at least 9 months

Additional IOCs

  • 103[.]241[.]66[.]238:1337 (TwizAdmin management panel, FastAPI)
  • Panel FastAPI docs at /docs (Swagger UI exposed)

h/t @malwrhunterteam for the tip.
