
LOKI Ransomware/Extortion Operation — Full Infrastructure & Panel Analysis

Published: March 13, 2026
Tags: phishing, social-engineering, c2, ransomware, exploit, apt, spearphishing

Breakglass Intelligence — Investigation Report

Classification: TLP:AMBER — Restricted distribution
Priority: CRITICAL
Analyst: GHOST / Breakglass Intelligence
Date: 2026-03-13
Version: 2.0 (Round 2 — Full Panel Scrape)
Lead Name: loki [195.24.237.15]


Executive Summary

IP 195.24.237.15 hosts LOKI, an active ransomware and data extortion operation running a public clearnet leak site on plain HTTP. This report consolidates findings from two investigation rounds: the initial infrastructure and OSINT analysis (Round 1), and a comprehensive panel scrape including full source code recovery, API dump, and evidence photo retrieval (Round 2).

What we know:

LOKI has been operating continuously since at least December 2025. The threat actor progressed through three phases:

  1. November–December 2025 — Cryptocurrency wallet phishing (TrustWallet, Phantom Wallet)
  2. December 2025 — Financial-sector phishing (CTBC Bank lookalike domains)
  3. February 2026–present — Active ransomware/data extortion with one confirmed victim

The current extortion target is Credit Freedom & Restoration (creditfreedomrestoration.com), a US financial services company running Vtiger CRM 6.4.0. 230 GB of PII belonging to 30,000+ US citizens — including SSNs, credit card data (photographs and plaintext), driver's licenses, credit reports, utility bills, and Equifax login credentials — was exfiltrated and is actively available on gofile.io across five live links as of 2026-03-13 00:29 UTC.

Round 2 key findings:

  • The LOKI panel API endpoint /api/data is open with no authentication and returns the complete victim database in structured JSON
  • Three evidence photographs were downloaded from /static/uploads/ — file manager screenshots showing the stolen file tree — uploaded by the operator on 2026-03-07 22:08:45 UTC
  • Complete site source code (HTML, JavaScript, CSS) was recovered and analyzed
  • No admin panel, debug console, or hidden API routes were found
  • The Flask backend is confirmed by 405 error page format
  • Zero security headers (no HSTS, no CSP, no X-Frame-Options, no CORS policy)
  • The victim site (creditfreedomrestoration.com) is still live and still running vulnerable Vtiger CRM 6.4.0 as of 2026-03-13

Attribution: Iranian nexus via personal Iranian-name Gmail in RIPE WHOIS (hadihasanzadebashtiyan@gmail.com) and Iranian LIR as IP block maintainer (lir-ir-amingostar-1-MNT). All campaign phases anchored to the same persistent IP — a catastrophic operator OPSEC failure.


IOC Metadata

Field | Value
IP Address | 195.24.237.15
Current ASN | AS209373 (Swissnet LLC)
Previous ASN | AS60223 (Netiface Limited, GB)
Hosting Provider | Swissnet LLC / RIPE
IP Block | 195.24.237.0/24
Country (RIPE) | NL (Netherlands)
RIPE Abuse Contact | hadihasanzadebashtiyan@gmail.com
Block Created | 2026-02-22
Sponsoring LIR | lir-ir-amingostar-1-MNT (Iranian LIR)
Sponsor Entity | ORG-DM262-RIPE (Daniel Mishayev, IL/DE)
First Phishing Seen | 2025-12-05 (trustwallet.com.do)
Leak Site Active Since | 2026-02-07
VirusTotal Detections | 1 malicious, 2 suspicious (Mar 2026)
Reverse DNS | None (NXDOMAIN)
SSH Banner | OpenSSH 8.9p1 Ubuntu-3ubuntu0.10
Web Server | nginx/1.18.0 (Ubuntu)
Backend | Python/Flask (confirmed by 405 error format)
Security Headers | NONE — no HSTS, no CSP, no X-Frame-Options
Tox ID | 7290408F9A2C4D60FB77CB9CEE25E177F07C47BD22A437137CB4E60D3B1C692EBB1BA203A90F
Evidence Photos Uploaded | 2026-03-07 22:08:45 UTC (Unix: 1772921325)
Round 2 Scrape Time | 2026-03-13 00:28–00:29 UTC

Phase 1 — Infrastructure Profiling

Network Registration

The /24 block 195.24.237.0/24 was registered in RIPE on 2026-02-22 — approximately 3 weeks before this investigation. Key WHOIS data:

inetnum:      195.24.237.0 - 195.24.237.254
netname:      Swissnet_LLc
country:      NL
admin-c:      AA46315-RIPE
tech-c:       AA46315-RIPE
status:       AGGREGATED-BY-LIR
created:      2026-02-22T08:25:05Z
mnt-by:       lir-ir-amingostar-1-MNT        <-- IRANIAN LIR MAINTAINER

abuse-mailbox: abuse@swissnetwork.io
address:      121 E 2ND ST STE 401, OWENSBORO, KY 42303   <-- LIKELY FAKE US ADDRESS

route:        195.24.237.0/24
origin:       AS209373
mnt-by:       lir-ir-amingostar-1-MNT

OPSEC LEAK: The RIPE abuse contact for the /24 block is hadihasanzadebashtiyan@gmail.com — a personal Gmail address. The name "Hadi Hasanzadeh Bashtian" carries the Iranian surname Hasanzadeh Bashtian (حسن‌زاده بشتیان), consistent with the Iranian LIR maintainer.

ASN AS209373 (Swissnet LLC)

The AS was created 2026-02-12. Sponsoring organization is ORG-DM262-RIPE (Daniel Mishayev, Israeli national, address: Lilienstraße 5, 94051 Hauzenberg, Germany, +4917640385000). Swissnet LLC upstream connections: AS51396 and AS62403.

Swissnetwork.io uses Cloudflare nameservers and Zoho Mail (zoho-verification=zb36335559.zmverify.zoho.com), presenting a professional front despite serving as a bulletproof hosting vehicle.

Prior ASN: Before 2026-02, the same IP operated under AS60223 (Netiface Limited, GB) — URLScan scans from December 2025 show the IP on Netiface hosting crypto phishing domains.

Active Services on 195.24.237.15

Port | Protocol | Service | Banner / Notes
22 | TCP | SSH | SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.13
80 | TCP | HTTP | nginx/1.18.0 (Ubuntu) — LOKI leak panel

No HTTPS (port 443). The operator chose plain HTTP for the extortion panel, exposing all traffic in cleartext and enabling trivial interception.

Technology Stack (Confirmed by Source Code)

Layer | Technology | Evidence
OS | Ubuntu 22.04 LTS | OpenSSH 8.9p1 Ubuntu-3ubuntu0.13 banner
Web Server | nginx/1.18.0 | Server header on all responses
Backend | Python / Flask | 405 "Method Not Allowed" error page format
API | JSON REST API | /api/data returns structured JSON
Frontend | Vanilla JavaScript (no frameworks) | script.js analyzed — no React/Vue/jQuery
CSS | Custom CSS with variables | style.css (8.0 KB) with CSS custom properties
Font | Share Tech Mono | Google Fonts CDN call (OPSEC: leaks visitor IPs)
Logo | SVG from svgrepo.com | /static/logo.svg — public SVG library asset
File Drop | gofile.io | 5 active gofile.io links for PII distribution

Phase 2 — Panel Scrape: API, Source Code & Endpoint Analysis

Round 2 findings from active scrape conducted 2026-03-13 00:28 UTC. No re-probing of target occurred after initial scrape.

2.1 — API Endpoint: GET /api/data (No Authentication)

The LOKI leak site exposes its entire victim database via an unauthenticated REST API endpoint at http://195.24.237.15/api/data. There is no API key, no session requirement, and no rate limiting observed.

Full captured JSON response:

{
  "stats": {
    "active_since": "2026-02-07",
    "breaches": 1,
    "id": 1,
    "leaked_data_gb": 230.0
  },
  "victims": [
    {
      "countdown_end": "0001-01-01T00:00",
      "data_stolen": "PII Data (DLs, SSNs(pics), credit cards(pic and written plaintext), utility bills, credit reports)",
      "description": "Website: http://creditfreedomrestoration.com/\r\nDB type: Vtiger crm 6.4.0 that includes 30k+US members fullz, SSNs, equinax logins (and other websites)\r\n[LEAKING 1 FOLDER PER DAY]\r\n\r\nDATA FORMAT:\r\n/cportal/creditreport\r\n/cportal/idcardupload\r\n/cportal/mortgageupload\r\n/cportal/uploaddocs\r\n/storage/{2016-2026}",
      "download_link": "https://gofile.io/d/0Kv7aY\r\nhttps://gofile.io/d/HAne2i\r\nhttps://gofile.io/d/DPTV4M\r\nhttps://gofile.io/d/KptulC\r\nhttps://gofile.io/d/RWzKpM",
      "id": 1,
      "name": "Credit Freedom & Restoration",
      "photos": "[\"1772921325_2.png\", \"1772921325_3.png\", \"1772921325_logo_main.png\"]",
      "size_gb": 230.0
    }
  ]
}

JSON Schema Analysis:

stats object:

Field | Type | Value | Notes
active_since | string | "2026-02-07" | Self-reported operation start date
breaches | integer | 1 | Victim count (currently only 1 active victim)
id | integer | 1 | Auto-increment row ID — backend uses a relational database
leaked_data_gb | float | 230.0 | Total GB claimed across all victims

victims[] array — per-victim object:

Field | Type | Notes
id | int | Victim row ID; currently the only value is 1
name | string | Victim organization display name
description | string | Multiline; CRLF (\r\n) newlines — Windows line endings in actor's database
data_stolen | string | Summary of data categories stolen
download_link | string | Newline-delimited gofile.io URLs
photos | string | JSON-encoded string (not a true JSON array) — filenames from /static/uploads/
size_gb | float | Victim-specific data size in GB
countdown_end | string | ISO datetime; "0001-01-01T00:00" = sentinel value indicating no active timer

API Behavior:

Method | Endpoint | Response | Notes
GET | /api/data | 200 + JSON | Full victim database, no auth required
POST | /api/data | 405 | Flask "Method Not Allowed" error page
PUT | /api/data | 405 | Flask "Method Not Allowed" error page
DELETE | /api/data | 405 | Flask "Method Not Allowed" error page
GET | /api/data?format=csv | 200 + same JSON | Query params silently ignored
GET | /api/data?limit=1 | 200 + same JSON | No pagination implemented
GET | /api/data?id=2 | 200 + same JSON | No filtering implemented

The 405 error pages are consistent with Flask's default werkzeug error handler, definitively confirming the Python/Flask backend.

Key intelligence from the API response:

  • countdown_end: "0001-01-01T00:00" — The sentinel date (year 1 AD) indicates the countdown timer is not active for this victim. The JavaScript renders download links immediately when this value is in the past. This means the actor has already committed to leaking — there is no remaining countdown period during which the victim could pay to prevent leakage.
  • Windows CRLF in the description field suggests the actor drafted the victim entry on a Windows machine before uploading to the Linux server.
  • The photos field stores a JSON string inside a JSON string (double-encoded) — a common Flask/SQLite artifact indicating the backend stores JSON blobs in a TEXT column rather than a proper JSON type.
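As an added example (not code from the report or from the LOKI panel), the following Python parses the captured /api/data body reproduced from section 2.1 and applies the schema observations above: the year-1 sentinel for "no active countdown", the double-encoded photos string, the CRLF-delimited gofile.io links, the CRLF check, and the Unix-timestamp filename prefix that Phase 3 decodes. It runs entirely offline on the embedded capture; the scrape time passed as now_iso is the Round 2 time from the report.

```python
import json
import re
from datetime import datetime, timezone

# Captured /api/data body from section 2.1, kept as a raw string so json.loads
# decodes the \r\n and \" escapes exactly as the panel's JavaScript client would.
CAPTURED_RESPONSE = r'''{
  "stats": {"active_since": "2026-02-07", "breaches": 1, "id": 1, "leaked_data_gb": 230.0},
  "victims": [
    {
      "countdown_end": "0001-01-01T00:00",
      "data_stolen": "PII Data (DLs, SSNs(pics), credit cards(pic and written plaintext), utility bills, credit reports)",
      "description": "Website: http://creditfreedomrestoration.com/\r\nDB type: Vtiger crm 6.4.0 that includes 30k+US members fullz, SSNs, equinax logins (and other websites)\r\n[LEAKING 1 FOLDER PER DAY]\r\n\r\nDATA FORMAT:\r\n/cportal/creditreport\r\n/cportal/idcardupload\r\n/cportal/mortgageupload\r\n/cportal/uploaddocs\r\n/storage/{2016-2026}",
      "download_link": "https://gofile.io/d/0Kv7aY\r\nhttps://gofile.io/d/HAne2i\r\nhttps://gofile.io/d/DPTV4M\r\nhttps://gofile.io/d/KptulC\r\nhttps://gofile.io/d/RWzKpM",
      "id": 1,
      "name": "Credit Freedom & Restoration",
      "photos": "[\"1772921325_2.png\", \"1772921325_3.png\", \"1772921325_logo_main.png\"]",
      "size_gb": 230.0
    }
  ]
}'''

NO_TIMER_SENTINEL = "0001-01-01T00:00"  # year-1 value = no active countdown
UPLOAD_NAME = re.compile(r"^(?P<ts>\d{9,10})_(?P<orig>.+)$")  # {unix_ts}_{name}.{ext}


def parse_response(text):
    """Decode the raw API body into a dict."""
    return json.loads(text)


def decode_photos(photos_field):
    """photos is a JSON array stored as a string (double-encoded); accept both
    that form and a real list so a later schema change does not break parsing."""
    if isinstance(photos_field, str):
        return json.loads(photos_field)
    return list(photos_field)


def victim_phase(victim, now_iso):
    """'countdown' while the deadline is in the future, else 'leak'. Mirrors the
    panel JS: the sentinel or any past date makes it render the download links."""
    end = victim.get("countdown_end") or NO_TIMER_SENTINEL
    if end == NO_TIMER_SENTINEL:
        return "leak"
    now = datetime.fromisoformat(now_iso)
    return "countdown" if datetime.fromisoformat(end) > now else "leak"


def split_links(link_field):
    """download_link is CRLF-delimited; like the JS, prepend https:// to bare hosts."""
    links = []
    for line in link_field.splitlines():
        line = line.strip()
        if not line:
            continue
        if not line.lower().startswith(("http://", "https://")):
            line = "https://" + line
        links.append(line)
    return links


def uses_crlf(text):
    """True when actor-authored text carries Windows line endings."""
    return "\r\n" in text


def description_paths(description):
    """Exfiltrated path list: lines after 'DATA FORMAT:' that begin with '/'."""
    lines = [l.strip() for l in description.splitlines()]
    if "DATA FORMAT:" not in lines:
        return []
    return [l for l in lines[lines.index("DATA FORMAT:") + 1:] if l.startswith("/")]


def photo_upload_time(filename):
    """Decode the Unix-timestamp filename prefix into a UTC datetime (None if absent)."""
    m = UPLOAD_NAME.match(filename)
    return datetime.fromtimestamp(int(m.group("ts")), tz=timezone.utc) if m else None


def upload_batches(filenames):
    """Group photos by timestamp prefix: one key means one batch upload."""
    batches = {}
    for name in filenames:
        m = UPLOAD_NAME.match(name)
        batches.setdefault(int(m.group("ts")) if m else None, []).append(name)
    return batches


def summarize(text, now_iso):
    """One analyst-facing record per victim in the captured response."""
    records = []
    for v in parse_response(text)["victims"]:
        photos = decode_photos(v.get("photos", "[]"))
        records.append({
            "name": v["name"],
            "phase": victim_phase(v, now_iso),
            "links": split_links(v.get("download_link", "")),
            "paths": description_paths(v.get("description", "")),
            "crlf": uses_crlf(v.get("description", "")),
            "photos": photos,
            "upload_batches": upload_batches(photos),
        })
    return records


if __name__ == "__main__":
    # Round 2 scrape time from the report (UTC, naive); prints one record per victim.
    print(json.dumps(summarize(CAPTURED_RESPONSE, "2026-03-13T00:28"), indent=2, default=str))
```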

2.2 — HTTP Response Headers & Security Posture

Full response headers captured on GET / and GET /api/data:

HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Fri, 13 Mar 2026 00:28:XX GMT
Content-Type: text/html; charset=utf-8

Missing security headers (complete absence):

Header | Status | Impact of Absence
Strict-Transport-Security | ABSENT | No HTTPS, HSTS not applicable — but confirms cleartext
Content-Security-Policy | ABSENT | XSS attacks against visitors trivially executable
X-Frame-Options | ABSENT | Panel can be iframed by third parties
X-Content-Type-Options | ABSENT | MIME type sniffing possible
Referrer-Policy | ABSENT | Browser sends full Referer on outbound clicks
Permissions-Policy | ABSENT | No browser feature restrictions
Cache-Control | ABSENT | Static content served without caching directives
Access-Control-Allow-Origin | ABSENT | No CORS policy — /api/data accessible from any origin

The absence of CORS headers on /api/data means any website can make a cross-origin request to the API and read the victim database — a secondary intelligence collection vector.

2.3 — HTML Source Code Analysis

Full page title and structure from index.html (2.9 KB):

<title>Loki</title>
<link rel="icon" type="image/svg+xml" href="/static/logo.svg">
<link href="https://fonts.googleapis.com/css2?family=Share+Tech+Mono&display=swap" rel="stylesheet">

Key HTML identifiers:

Element / ID / Class | Purpose
<h1 class="glitch" data-text="LOKI">LOKI</h1> | Title with CSS glitch animation effect
>_ from loki with love | Tagline (terminal-aesthetic styling)
id="leaked-gb" | Animated data leak counter (populated by JS)
id="breaches-count" | Animated breach count (populated by JS)
id="active-since" | Active-since date (populated by JS)
id="last-update" | "Last update: [time]" (populated by JS with client time)
id="victims-list" | Victim cards container (populated by JS from API)
id="victim-modal" | Popup modal for victim detail view
id="tox-id" | Tox contact ID display element
id="copy-btn" | Tox ID copy button
class="site-footer" | Page footer containing the Tox section
class="tox-container" | Tox ID + copy button wrapper
id="lightbox" | Full-image lightbox overlay for photo carousel
id="lightbox-img" | Image element inside lightbox

The Tox ID is hardcoded directly in the HTML source, exposed in cleartext with a one-click copy button for victim convenience:

<p class="tox-text" id="tox-id">tox:
    7290408F9A2C4D60FB77CB9CEE25E177F07C47BD22A437137CB4E60D3B1C692EBB1BA203A90F</p>
<button class="copy-btn" onclick="copyToxId()" id="copy-btn">[COPY]</button>

2.4 — JavaScript Analysis (script.js, 11 KB)

The JavaScript is custom vanilla JS with no external dependencies. Key functions and their operational significance:

fetchData() — Bootstraps the panel on page load. Calls /api/data via fetch(), populates animated stat counters and the victims list. Each victim card is appended with a 100ms stagger animation (.victim-item divs).

showVictimModal(victim) — Renders the victim detail popup. The countdown logic is central:

  • If victim.countdown_end is in the future, renders a live countdown timer with the text [!] DATA REMAINS ENCRYPTED [!] and DECRYPTION IN: Xd Xh Xm Xs
  • If victim.countdown_end is in the past (or set to the year-1 sentinel), immediately calls renderDownloadLink() — displaying the evidence photos and gofile.io download links
  • This confirms the panel is designed to handle multiple victims simultaneously, some in countdown phase and some in full-leak phase

The countdown timer HTML template extracted verbatim:

[!] DATA REMAINS ENCRYPTED [!]
DECRYPTION IN: Xd Xh Xm Xs

The download link section HTML template extracted verbatim:

[+] DECRYPTION KEY RELEASED
[ Part X ] Access Data

renderDownloadLink(container, linkStr, photosJson) — Renders the download section. Parses the photos JSON string and builds a photo carousel from /static/uploads/ paths. Builds labeled download buttons for each gofile.io link. URLs without a https:// prefix have it prepended automatically.

animateValue(id, start, end, duration, suffix) — Eased counter animation (ease-out quadratic). Used for the leaked GB and breach count stats. Duration is 1500ms. This "live dashboard" aesthetic is deliberate social engineering — making the breach statistics feel dynamic and authoritative.

copyToxId() — Clipboard API call. On success, temporarily changes [COPY] to [COPIED!] for 2 seconds. Error falls through to console.error.

changeCarousel(direction, btn) — Photo carousel navigation. Cycles through evidence photos by manipulating display style. Updates indicator dots.

openLightbox(src) / closeLightbox() — Full-image lightbox overlay for photo zoom.

Operational significance of the countdown feature: The presence of a fully-implemented countdown timer in the JavaScript — despite the current victim having no active countdown — reveals this is a template designed for serial use. Future victims will likely be placed in countdown phase (ransom deadline) before transitioning to full leak. The actor is running a double-extortion operation: pay before the timer expires to prevent leakage; if not, data becomes public.

2.5 — CSS Theme Analysis (style.css, 8.0 KB)

The CSS uses a "matrix hacker" aesthetic:

  • Background: Black (#000 or near-black)
  • Primary text color: Matrix green (#00FF41 or variant) — var(--text-color)
  • Border color: Matrix green — var(--border-color)
  • Danger color: Red (#FF003C or variant) — var(--danger-color) — used for the countdown timer
  • Font: Share Tech Mono (monospace, hacker aesthetic) via Google Fonts CDN

Key CSS classes identified:

Class | Purpose
.glitch | CSS glitch animation on the "LOKI" title
.stats-grid | Dashboard stat card grid layout
.card | Individual stat card with glow effect
.card-glow | CSS glow pseudo-element on cards
.victim-item | Clickable victim list entry
.modal | Fullscreen modal overlay
.modal-content | Modal inner box
.photo-carousel-container | Photo evidence carousel wrapper
.carousel-img | Individual photo in carousel
.carousel-btn | Prev/next carousel navigation button
.site-footer | Page footer (Tox contact section)
.tox-container | Tox ID display wrapper
.tox-text | Tox ID text display
.copy-btn | Tox ID copy button
.lightbox | Fullscreen photo lightbox overlay
.download-ready | Download link section (shown post-countdown)
.timer-box | Countdown timer display (red border, red background tint)

The Google Fonts CDN call (fonts.googleapis.com) is a persistent OPSEC failure: any browser that loads the page — including the operator previewing their own panel — sends a DNS and HTTP request to Google's infrastructure, leaking the visitor's IP unless behind a VPN or Tor.

2.6 — Endpoint Probing Results

Complete results of endpoint discovery probing conducted during Round 2:

Admin/login panels — NOT FOUND:

Path probed | Result
/admin | 404
/admin/login | 404
/admin/dashboard | 404
/panel | 404
/login | 404
/console | 404
/debug | 404
/werkzeug | 404

Hidden API routes — NOT FOUND:

Path probed | Result
/api/v1 | 404
/api/v2 | 404
/api/victims | 404
/api/admin | 404
/api/upload | 404
/api/config | 404
/api/users | 404
/api/login | 404
/api/health | 404

Information disclosure — NOT FOUND:

Path probed | Result | Notes
/robots.txt | 404 | Not present
/.env | 404 | Not exposed
/static/ | 403 | Directory listing disabled
/static/uploads/ | 403 | Directory listing disabled

Conclusions from probing:

  • The Flask application exposes exactly two routes: / (HTML panel) and /api/data (JSON API)
  • The backend panel (admin interface, upload functionality) is either on a different port, a different IP, or protected behind a VPN/firewall that was not reachable externally
  • Directory listing is disabled on nginx (autoindex off) — prevents enumeration of uploaded files by path guessing
  • No Flask debug mode (/console would expose a Werkzeug interactive debugger if debug=True)

Phase 3 — Evidence Photo Analysis

Upload Timestamp Decoding

All three evidence photos share a Unix timestamp prefix in their filenames: 1772921325

Unix timestamp:  1772921325
UTC datetime:    2026-03-07 22:08:45 UTC
Day:             Saturday
Days before scrape: 5 days (scrape: 2026-03-13 00:28 UTC)

This timestamp is confirmed by the HTTP Last-Modified response header on all photo requests:

Last-Modified: Sat, 07 Mar 2026 22:08:45 GMT

Inference: The operator uploaded the three evidence photos at 22:08 UTC on Saturday 7 March 2026, exactly 5 days and ~2 hours before our investigation scrape. This is consistent with the actor uploading a batch of evidence photos after collecting the exfiltrated data and staging the panel.

Photo 1 — 1772921325_2.png (154 KB)

Type: File manager screenshot
Contents: Directory listing of the victim's /storage/ directory
Data visible: PDF files, credit report documents, ID card uploads — file timestamps indicating September 2025 data
Significance: Demonstrates the actor had access to at least September 2025 data within the victim's file system. This was likely the oldest actively-browsed data tranche at time of exfiltration.

Photo 2 — 1772921325_3.png (169 KB)

Type: File manager screenshot
Contents: Directory listing of /downloaded_files/ directory
Data visible: SSN images, credit reports, personal identification documents — file timestamps indicating February 2026 data
Significance: The /downloaded_files/ directory name suggests the actor used an automated file download tool (possibly a web shell file manager or wget/curl script) to stage data for exfiltration. The February 2026 data shows the breach was ongoing or freshly concluded at time of upload.

Photo 3 — 1772921325_logo_main.png (112 KB)

Type: Corporate logo image
Contents: Credit Freedom & Restoration company logo (victim branding)
Significance: Standard ransomware extortion group practice — displaying victim branding on the leak site to establish identity and increase reputational pressure on the victim organization.

Photo Filename Convention

The naming pattern {unix_timestamp}_{original_name}.{ext} indicates the Flask backend renames uploaded files by prepending the Unix timestamp of the upload event. This is a common Flask/Python file upload pattern using datetime.now().timestamp() or time.time(). It is used to prevent filename collisions. The fact that all three photos share the same timestamp prefix (1772921325) confirms they were uploaded in a single batch operation.


Phase 4 — Victim Analysis: creditfreedomrestoration.com

Victim Profile

Field | Value
Organization | Credit Freedom & Restoration
Website | http://creditfreedomrestoration.com/
IP | 159.89.225.19 (DigitalOcean, US)
CRM | Vtiger CRM 6.4.0
Web Server | Apache/2.4.58 (Ubuntu)
Session Cookie | napoleon_session (Vtiger default session identifier)
Email Provider | Mailgun (mxa.mailgun.org, mxb.mailgun.org)
DNS Provider | DigitalOcean (ns1-3.digitalocean.com)
Domain Registrar | GoDaddy.com, LLC
Status (2026-03-13) | LIVE — still operating and still vulnerable

Vtiger CRM 6.4.0 — Active Vulnerabilities

The victim's CRM remains unpatched as of 2026-03-13. Vtiger CRM 6.x has multiple published CVEs:

CVE / Vulnerability | Impact
Authentication bypass | Unauthenticated access to CRM data and functionality
File upload RCE | Remote code execution via malicious file upload
SQL injection | Database dump without valid credentials
PHP object injection | Code execution via unserialize

The napoleon_session cookie was observed in the HTTP response headers during our probe — confirming the CRM is responding to requests and issuing session tokens. Our probe IP was logged in the victim's session store via this cookie mechanism. This is an additional artifact of the victim's running CRM.

Data Stolen

Per the LOKI API response, the breach scope is:

  • Volume: 230 GB
  • Count: 30,000+ US citizen records ("fullz")
  • Data types: Driver's licenses (photographs), SSNs (photographs and text), credit cards (photographs and plaintext written text), utility bills, credit reports, Equifax login credentials, credentials for unspecified other websites
  • CRM database: Full Vtiger CRM database export including member accounts and portal data
  • File paths exfiltrated:
    • /cportal/creditreport/
    • /cportal/idcardupload/
    • /cportal/mortgageupload/
    • /cportal/uploaddocs/
    • /storage/{2016–2026}/ (10 years of customer document storage)

Active data leak: The actor announced [LEAKING 1 FOLDER PER DAY] — a pressure tactic to force victim response while continuously escalating public exposure. All 5 gofile.io download links confirmed HTTP 200 at 2026-03-13 00:29 UTC. Each gofile link serves a JavaScript-rendered landing page (8,468 bytes) from which the 230 GB archive is directly downloadable by anyone with the link.


Phase 5 — Threat Intelligence Correlation

VirusTotal Analysis (195.24.237.15)

  • Malicious: 1 (CRDF)
  • Suspicious: 2 (AlphaSOC, Gridinsoft)
  • First URL submission: 2026-02-04
  • Last URL scan: 2026-03-12
  • Last HTTPS cert (Jan 2026): Subject = leafvivid.shop, issuer = Let's Encrypt R13, valid Jan 3 – Apr 3, 2026

Passive DNS — All Domains Resolved to 195.24.237.15

Domain | Timestamp | Category
vividoleaf.shop | 2026-02-05 | Unknown / suspicious
leafvivid.shop | 2026-02-03 | Unknown / suspicious
lyvia.shop | 2026-02-03 | Unknown
trustwallet.org.do | 2025-12-30 | Crypto phishing
protection.trustwallet.org.do | 2025-12-30 | Crypto phishing
ctbcsolution.pro | 2025-12-30 | Bank phishing (CTBC)
protection.ctbcsolution.pro | 2025-12-30 | Bank phishing
protection.trustwallet.com.do | 2025-12-30 | Crypto phishing
solutionproglobal.pro | 2025-12-22 | Unknown
www.trustwallet.com.do | 2025-12-21 | Crypto phishing
phantomairdrop.com.do | 2025-12-12 | Phantom wallet phish
www.ecosparkly.shop | 2025-12-08 | Phishing/spam
trustwallet.com.do | 2025-12-06 | Crypto phishing
postboxesmail.store | 2025-12-02 | Suspicious
ecosparkly.shop | 2025-12-02 | Phishing/spam (VT: 5M)

URLScan.io

Three scans captured the IP hosting TrustWallet phishing on Dec 30, 2025 under AS60223. All triggered by certstream-suspicious monitoring — automated flagging of newly-issued TLS certificates for domains resembling known brands.

Certificate Transparency (crt.sh)

Domain | First Cert | Issuer
trustwallet.com.do | 2025-12-05 | Let's Encrypt R12/13
trustwallet.org.do | 2025-12-30 → 2026-01-26 | Let's Encrypt R13
protection.trustwallet.org.do | 2025-12-30 | Let's Encrypt R12
phantomairdrop.com.do | 2025-12-12 | Let's Encrypt R13
ctbcsolution.pro | 2025-12-30 | Let's Encrypt R12
protection.ctbcsolution.pro | 2025-12-30 | Let's Encrypt R12
ecosparkly.shop | 2025-03-07, 2025-11-30 | Let's Encrypt R11/12
leafvivid.shop | 2026-01-03 | Let's Encrypt R13

All certificates are free Let's Encrypt certificates — consistent with a cost-minimizing actor using automated certbot ACME clients.


Phase 6 — Infrastructure Mapping

Full Infrastructure Graph

[LOKI OPERATOR — Iranian Nexus]
    │
    ├── Primary IP: 195.24.237.15
    │       ASN: AS209373 (Swissnet LLC) [2026-02-22+]
    │       ASN: AS60223 (Netiface Limited) [2025-12+]
    │       └── Port 22: OpenSSH 8.9p1 (Ubuntu)
    │       └── Port 80: nginx/1.18.0 → Flask app → LOKI panel
    │               ├── GET /               → HTML panel (index.html)
    │               ├── GET /api/data       → JSON victim database (no auth)
    │               ├── GET /static/script.js → JavaScript (11 KB)
    │               ├── GET /static/style.css → CSS stylesheet (8 KB)
    │               ├── GET /static/logo.svg  → SVG logo
    │               └── GET /static/uploads/ → Evidence photos
    │                       ├── 1772921325_2.png (154 KB — /storage/ screenshot)
    │                       ├── 1772921325_3.png (169 KB — /downloaded_files/ screenshot)
    │                       └── 1772921325_logo_main.png (112 KB — victim logo)
    │
    ├── Crypto Phishing Cluster (Dec 2025)
    │       ├── trustwallet.com.do     → 195.24.237.15 (Dec 5, 2025)
    │       ├── www.trustwallet.com.do → 195.24.237.15 (Dec 21, 2025)
    │       ├── protection.trustwallet.com.do → 195.24.237.15 (Dec 30, 2025)
    │       ├── trustwallet.org.do     → 195.24.237.15 (Dec 30, 2025)
    │       ├── protection.trustwallet.org.do → 195.24.237.15 (Dec 30, 2025)
    │       └── phantomairdrop.com.do  → 195.24.237.15 (Dec 12, 2025)
    │
    ├── Financial Phishing Cluster (Dec 30, 2025)
    │       ├── ctbcsolution.pro           → 195.24.237.15
    │       └── protection.ctbcsolution.pro → 195.24.237.15
    │
    ├── Unknown/Staging Domains
    │       ├── ecosparkly.shop    → 195.24.237.15, then 84.32.84.32 (Hostinger LT)
    │       ├── www.ecosparkly.shop → 195.24.237.15
    │       ├── postboxesmail.store → 195.24.237.15, then 145.79.25.23, 85.90.197.50
    │       ├── solutionproglobal.pro → 152.53.253.95 (netcup GmbH, AT)
    │       ├── vividoleaf.shop    → 2.57.91.92 (Hostinger, CY)
    │       ├── leafvivid.shop     → 213.165.230.65 (InMotion Hosting, US)
    │       └── lyvia.shop         → (unresolved)
    │
    ├── Data Exfiltration (gofile.io — all 5 links ACTIVE at 00:29 UTC 2026-03-13)
    │       ├── https://gofile.io/d/0Kv7aY  (Part 1)
    │       ├── https://gofile.io/d/HAne2i  (Part 2)
    │       ├── https://gofile.io/d/DPTV4M  (Part 3)
    │       ├── https://gofile.io/d/KptulC  (Part 4)
    │       └── https://gofile.io/d/RWzKpM  (Part 5)
    │
    └── VICTIM
            └── creditfreedomrestoration.com (DigitalOcean 159.89.225.19)
                    └── Apache/2.4.58 + Vtiger CRM 6.4.0 (STILL LIVE, STILL VULNERABLE)
                            └── 30k+ US citizens: SSN, DL, CC, credit reports (2016–2026)

IP | ASN | Provider | Associated Domain | Notes
195.24.237.15 | 209373 | Swissnet LLC (NL) | LOKI panel, ctbcsolution | PRIMARY — ACTIVE
84.32.84.32 | 47583 | Hostinger Int'l (LT) | ecosparkly.shop (prior) | 13 VT malicious hits
145.79.25.23 | 47583 | Hostinger Int'l (MY) | postboxesmail.store (prior) |
85.90.197.50 | 8254 | Green Floid LLC (GR) | postboxesmail.store (prior) |
152.53.253.95 | 197540 | netcup GmbH (AT) | solutionproglobal.pro | Mail server, self-signed TLS
2.57.91.92 | 47583 | Hostinger Int'l (CY) | vividoleaf.shop | Multiple jQuery CVEs
213.165.230.65 | 22611 | InMotion Hosting (US) | leafvivid.shop |
159.89.225.19 | 14061 | DigitalOcean (US) | creditfreedomrestoration | VICTIM — STILL LIVE

Phase 7 — Attribution and Campaign Analysis

Threat Actor: LOKI Group

Confidence: HIGH

The self-identified group name is LOKI (from Norse mythology, the trickster god). This appears to be a small-to-mid-size extortion operation exhibiting the following characteristics. Based on the technical sophistication of the panel (custom Flask API, carousel UI, countdown timer logic), the actor is a capable developer — likely operating individually or in a very small team.

Attribution Evidence

Indicator | Value | Confidence
RIPE abuse contact | hadihasanzadebashtiyan@gmail.com | HIGH — direct identity leak
Iranian LIR maintainer | lir-ir-amingostar-1-MNT | HIGH — infrastructure link
CRLF in API response | Windows line endings in actor-authored text | MEDIUM — Windows desktop
Domain registration country | Denmark (redacted/GDPR) | MEDIUM
Tox ID | 7290408F9A2C4D60FB77CB9CEE25E177F07C47BD22A437137CB4E60D3B1C692EBB1BA203A90F | HIGH — unique operator identifier
ASN sponsor | ORG-DM262-RIPE (Daniel Mishayev, IL/DE) | MEDIUM — could be victim/reseller
Infrastructure pattern | Single persistent IP across ASN hops | HIGH — operator OPSEC failure
Evidence photo upload time | 2026-03-07 22:08:45 UTC (Saturday evening) | LOW — timezone inference only

OPSEC Failures (Comprehensive)

  1. Personal email exposed — hadihasanzadebashtiyan@gmail.com submitted to RIPE as abuse contact. "Hadi Hasanzadeh Bashtian" (حسن‌زاده بشتیان) is a distinctly Iranian name.
  2. Iranian LIR — lir-ir-amingostar-1-MNT is the RIPE block maintainer, directly linking the infrastructure to Iranian internet administration.
  3. Clearnet leak site — Plain HTTP, no Tor/I2P. Trivially blocked, fingerprinted, and accessible to investigators and law enforcement.
  4. No security headers — Zero HTTP security headers on the panel. Any JavaScript injected via MitM could hijack the panel or deanonymize visitors.
  5. Server banners exposed — OpenSSH 8.9p1, nginx/1.18.0, Flask 405 pages — full stack fingerprint.
  6. Google Fonts CDN — fonts.googleapis.com loaded on every page view. Leaks visitor IP to Google unless behind VPN/Tor.
  7. Single IP persistence — All campaign phases (December 2025 crypto phishing through March 2026 ransomware) anchored to 195.24.237.15. Full 15-month timeline reconstructable from this single pivot.
  8. Tox ID in plaintext HTML — Contact channel exposed in page source; trivially scraped.
  9. Unauthenticated API — /api/data returns the full victim database with zero authentication. Any internet user can query it.
  10. CORS absent on API — No CORS policy means cross-origin requests to /api/data succeed from any website.
  11. Upload timestamp in filenames — 1772921325_*.png exposes exact upload time of evidence photos.
  12. Windows CRLF in database — CRLF line endings in the victim description field suggest the actor uses a Windows desktop/laptop for composing entries, then uploads to a Linux server.
  13. napoleon_session cookie exposed to probers — The victim's Vtiger CRM still issues session tokens to unauthenticated requests, leaking probe IPs into the session store.

Campaign Timeline

2025-03-07  ecosparkly.shop earliest cert (first known cluster artifact)
2025-11-30  ecosparkly.shop cert renewed
2025-12-02  ecosparkly.shop, postboxesmail.store → 195.24.237.15
2025-12-05  trustwallet.com.do created (TrustWallet phishing begins)
2025-12-06  trustwallet.com.do resolves to 195.24.237.15
2025-12-11  phantomairdrop.com.do created (Phantom wallet phishing)
2025-12-12  phantomairdrop.com.do → 195.24.237.15
2025-12-21  www.trustwallet.com.do → 195.24.237.15
2025-12-30  trustwallet.org.do, ctbcsolution.pro, protection.* domains created
2026-01-03  leafvivid.shop TLS cert issued
2026-02-04  195.24.237.15 first submitted to VirusTotal
2026-02-07  LOKI extortion panel goes live (active_since from /api/data)
2026-02-12  AS209373 (Swissnet LLC) created in RIPE
2026-02-22  195.24.237.0/24 registered under AS209373
2026-03-07  Evidence photos uploaded to /static/uploads/ (22:08:45 UTC)
2026-03-12  LOKI panel rescanned by VirusTotal
2026-03-13  Round 1 infrastructure OSINT completed
2026-03-13  Round 2: Full panel scrape, API dump, source code recovery (00:28–00:29 UTC)
2026-03-13  All 5 gofile.io leak links return HTTP 200 (JavaScript shell page only; the 230 GB payload was not downloaded or independently verified)

Campaign duration: ~12 months of cluster activity (earliest artefact 2025-03-07), of which roughly three and a half months are on 195.24.237.15 (first resolution 2025-12-02).


MITRE ATT&CK TTPs

| Technique ID | Name | Evidence |
|---|---|---|
| T1583.001 | Acquire Infrastructure: Domains | 15+ domains across .do, .pro, .shop, .store TLDs |
| T1583.003 | Acquire Infrastructure: Virtual Private Server | Swissnet LLC VPS; prior Netiface hosting |
| T1566.002 | Phishing: Spearphishing Link | TrustWallet, Phantom, CTBC lookalike domains with valid TLS certificates |
| T1190 | Exploit Public-Facing Application | Victim runs Vtiger CRM 6.4.0; initial access through the CRM is inferred, not confirmed |
| T1078 | Valid Accounts | "equinax logins" in the stolen dataset provide credential-reuse capability |
| T1005 | Data from Local System | 30k+ member database exfiltrated from Vtiger CRM |
| T1560 | Archive Collected Data | Multi-part gofile.io upload (5 folders, 230 GB) |
| T1567.002 | Exfiltration Over Web Service: Exfiltration to Cloud Storage | gofile.io used for PII distribution |
| T1486 | Data Encrypted for Impact | Countdown timer and "DATA REMAINS ENCRYPTED" string in the panel JS; encryption on the victim's systems is not confirmed |
| T1657 | Financial Theft | Credit card data (photos and plaintext) stolen |
| T1589.001 | Gather Victim Identity Information: Credentials | SSNs, DLs, credit reports collected (weak fit: T1589 is pre-compromise reconnaissance; the stolen PII itself is covered by T1005) |
| T1608.005 | Stage Capabilities: Link Target | protection.* subdomain pattern on the phishing domains |
| T1071.001 | Application Layer Protocol: Web Protocols | Panel served over plain HTTP; gofile over HTTPS |
| T1594 | Search Victim-Owned Websites | Vtiger customer-portal paths (/cportal/*) visible in the exfiltrated file tree (weak fit: T1594 is reconnaissance) |
| T1608.001 | Stage Capabilities: Upload Malware | Evidence photos staged to /static/uploads/ (poor fit: the uploads are screenshots, not malware) |

Full IOC Table

IP Addresses

| IP Address | ASN | Country | Role | Status |
|---|---|---|---|---|
| 195.24.237.15 | 209373 | NL | LOKI leak site, primary C2 | ACTIVE |
| 84.32.84.32 | 47583 | LT | Prior hosting (ecosparkly) | INACTIVE |
| 145.79.25.23 | 47583 | MY | Prior hosting (postboxesmail) | INACTIVE |
| 85.90.197.50 | 8254 | GR | Prior hosting (postboxesmail) | INACTIVE |
| 152.53.253.95 | 197540 | AT | solutionproglobal.pro | UNKNOWN |
| 2.57.91.92 | 47583 | CY | vividoleaf.shop | UNKNOWN |
| 213.165.230.65 | 22611 | US | leafvivid.shop | UNKNOWN |
| 159.89.225.19 | 14061 | US | Victim: creditfreedomrestoration | VICTIM |

Domains

| Domain | First Seen | Purpose | VT Detections (M = malicious, S = suspicious) |
|---|---|---|---|
| trustwallet.com.do | 2025-12-05 | TrustWallet phishing | 11M / 2S |
| www.trustwallet.com.do | 2025-12-21 | TrustWallet phishing | |
| protection.trustwallet.com.do | 2025-12-30 | TrustWallet phishing | |
| trustwallet.org.do | 2025-12-30 | TrustWallet phishing | 0M / 1S |
| protection.trustwallet.org.do | 2025-12-30 | TrustWallet phishing | |
| phantomairdrop.com.do | 2025-12-11 | Phantom wallet phish | 1M / 1S |
| ctbcsolution.pro | 2025-12-30 | CTBC Bank phishing | 3M / 2S |
| protection.ctbcsolution.pro | 2025-12-30 | CTBC Bank phishing | |
| ecosparkly.shop | 2025-11-30 | Phishing/spam | 5M / 1S |
| www.ecosparkly.shop | 2025-12-08 | Phishing/spam | |
| postboxesmail.store | 2025-12-02 | Suspicious | 2M / 1S |
| solutionproglobal.pro | 2025-12-22 | Unknown | 0M / 1S |
| vividoleaf.shop | 2026-02-05 | Unknown / suspicious | 1M / 1S |
| leafvivid.shop | 2026-02-03 | Unknown / suspicious | 1M / 1S |
| lyvia.shop | 2026-02-03 | Unknown | 0M / 1S |
| swissnetwork.io | n/a | Actor front company | 0M / 0S |
| creditfreedomrestoration.com | n/a | VICTIM | 0M / 0S |

URLs / Endpoints

| URL | Type | Status |
|---|---|---|
| http://195.24.237.15/ | LOKI leak site (HTML panel) | ACTIVE |
| http://195.24.237.15/api/data | Victim database (JSON, no auth) | ACTIVE |
| http://195.24.237.15/static/script.js | Panel JavaScript (11 KB) | ACTIVE |
| http://195.24.237.15/static/style.css | Panel CSS (8 KB) | ACTIVE |
| http://195.24.237.15/static/logo.svg | Panel SVG logo | ACTIVE |
| http://195.24.237.15/static/uploads/1772921325_2.png | Evidence photo 1 (154 KB) | ACTIVE (uploaded 2026-03-07) |
| http://195.24.237.15/static/uploads/1772921325_3.png | Evidence photo 2 (169 KB) | ACTIVE (uploaded 2026-03-07) |
| http://195.24.237.15/static/uploads/1772921325_logo_main.png | Victim logo (112 KB) | ACTIVE |
| http://creditfreedomrestoration.com/ | Victim site (Vtiger CRM) | ACTIVE, STILL VULNERABLE |
| https://gofile.io/d/0Kv7aY | Leaked PII Part 1 | ACTIVE (HTTP 200 confirmed) |
| https://gofile.io/d/HAne2i | Leaked PII Part 2 | ACTIVE (HTTP 200 confirmed) |
| https://gofile.io/d/DPTV4M | Leaked PII Part 3 | ACTIVE (HTTP 200 confirmed) |
| https://gofile.io/d/KptulC | Leaked PII Part 4 | ACTIVE (HTTP 200 confirmed) |
| https://gofile.io/d/RWzKpM | Leaked PII Part 5 | ACTIVE (HTTP 200 confirmed) |

Note on the gofile.io rows: the HTTP 200 was observed on the JavaScript shell page (8468 bytes for each link), which gofile.io returns whether or not the folder still holds content. This investigation fetched only that shell, so the continued availability of the 230 GB payload rests on the panel's own claims and has not been independently verified.

Email Addresses / Identifiers

| Identifier | Type | Source | Significance |
|---|---|---|---|
| hadihasanzadebashtiyan@gmail.com | Email | RIPE WHOIS | OPSEC LEAK, likely real operator identity |
| abuse@swissnetwork.io | Email | RIPE WHOIS | Front company abuse contact |
| noc@swissnetwork.io | Email | RIPE WHOIS | Front company NOC |
| 7290408F9A2C4D60FB77CB9CEE25E177F07C47BD22A437137CB4E60D3B1C692EBB1BA203A90F | Tox ID | HTML source | Operator's secure comms channel |

TLS Certificates

| SHA256 Thumbprint | Subject | Valid | Issuer |
|---|---|---|---|
| 0f145acaa1f702fabf3b8d3487afb04f9f3afc66cc4338e081a17be00162c68e | leafvivid.shop | 2026-01-03 to 2026-04-03 | Let's Encrypt R13 |

Evidence Photos (Scraped from /static/uploads/)

| Filename | Size | Upload Timestamp | Contents |
|---|---|---|---|
| 1772921325_2.png | 154 KB | 2026-03-07 22:08:45 UTC | File manager: victim /storage/ dir (Sep 2025 data) |
| 1772921325_3.png | 169 KB | 2026-03-07 22:08:45 UTC | File manager: /downloaded_files/ dir (Feb 2026 data) |
| 1772921325_logo_main.png | 112 KB | 2026-03-07 22:08:45 UTC | Credit Freedom & Restoration company logo |

Infrastructure Relationship Map

[ACTOR: "LOKI" — Iranian Nexus]
   │
   ├─ Identity Leak: hadihasanzadebashtiyan@gmail.com (RIPE abuse — Iranian name)
   ├─ Tox: 7290408F9A2C4D60FB77CB9CEE25E177F07C47BD22A437137CB4E60D3B1C692EBB1BA203A90F
   ├─ OPSEC: CRLF in database entries → Windows desktop
   ├─ OPSEC: Photo upload at Sat 22:08 UTC → timezone/schedule hint
   │
   └─ HOSTING CHAIN ──────────────────────────────────────────────────
      │
      AS60223 (Netiface, GB) [Dec 2025]
      └── 195.24.237.15 ←── crypto phishing, bank phishing
              │
      [ASN MIGRATION Feb 2026]
              │
      AS209373 (Swissnet LLC, NL) [Feb 2026+]
      Sponsored by: ORG-DM262-RIPE (Daniel Mishayev, IL/DE)
      Maintained by: lir-ir-amingostar-1-MNT (IRANIAN LIR)
      └── 195.24.237.15
              │
              ├── Port 22: OpenSSH 8.9p1 (Ubuntu)
              │
              └── Port 80: nginx → Flask
                      ├── / → LOKI panel (HTML, matrix green theme)
                      ├── /api/data → JSON victim DB (NO AUTH)
                      │       └── {"stats": {"breaches":1,"leaked_data_gb":230.0,...},
                      │            "victims": [{...Credit Freedom & Restoration...}]}
                      ├── /static/script.js → 11KB JS (countdown, carousel, Tox copy)
                      ├── /static/style.css → 8KB CSS (matrix theme)
                      └── /static/uploads/ → evidence photos (uploaded 2026-03-07)

   PHISHING CLUSTER (all → 195.24.237.15)
   ├── trustwallet.com.do / .org.do / protection.*     (crypto theft)
   ├── phantomairdrop.com.do                           (crypto theft)
   ├── ctbcsolution.pro / protection.*                 (banking fraud)
   └── ecosparkly.shop, postboxesmail.store            (unknown)

   DATA DISTRIBUTION
   └── gofile.io (5 links, all ACTIVE, JS-rendered pages, 8468 bytes each)
           230 GB of US citizen PII — publicly accessible

   VICTIM
   └── creditfreedomrestoration.com [159.89.225.19 — DigitalOcean]
       ├── Apache/2.4.58 + Vtiger CRM 6.4.0 (STILL VULNERABLE)
       ├── napoleon_session cookie: active, leaks to probers
       └── 30,000+ US citizens: SSN, DL, CC, credit reports (2016–2026)

Scraped Artifacts Inventory

All artifacts saved in ./scraped/ relative to this investigation directory.

| File | Size | Source URL | Description |
|---|---|---|---|
| api_data.json | 902 B | http://195.24.237.15/api/data | Full victim database JSON dump |
| index.html | 2.9 KB | http://195.24.237.15/ | Full panel HTML source |
| script.js | 11 KB | http://195.24.237.15/static/script.js | Panel JavaScript (countdown, carousel) |
| style.css | 8.0 KB | http://195.24.237.15/static/style.css | Panel CSS (matrix theme) |
| logo.svg | 4.6 KB | http://195.24.237.15/static/logo.svg | Panel SVG logo (from svgrepo.com) |
| photo_2.png | 154 KB | /static/uploads/1772921325_2.png | Evidence: /storage/ file manager (Sep 2025) |
| photo_3.png | 169 KB | /static/uploads/1772921325_3.png | Evidence: /downloaded_files/ (Feb 2026) |
| logo_main.png | 112 KB | /static/uploads/1772921325_logo_main.png | Victim company logo |

Detection rules based on scraped content:

  • YARA rules: yara_rules.yar
  • Suricata IDS/IPS rules: suricata_rules.rules
  • STIX 2.1 threat intelligence bundle: stix_bundle.json

Defender Recommendations

Immediate Actions

  1. Block IP 195.24.237.15 at all network perimeters and email gateways.
  2. Block the entire /24, 195.24.237.0/24: the range was registered on 2026-02-22 under a newly created ASN, and no legitimate use of it was observed in this investigation.
  3. Report gofile.io links to gofile.io abuse (abuse@gofile.io) for takedown — all 5 links contain stolen US citizen PII.
  4. Notify creditfreedomrestoration.com and law enforcement (FBI IC3 at ic3.gov, CISA at cisa.gov/report) — 30,000+ US citizens' PII is actively downloadable.
  5. Emergency Vtiger CRM patching — if running Vtiger CRM 6.x, take offline immediately and apply all security patches. The victim's CRM is still live and still vulnerable as of 2026-03-13.
  6. Tox contact channel: a Tox ID is not a network-layer identifier and cannot be blocked as such. Where Tox traffic is observable, block or alert on the protocol itself (its UDP-based DHT), and alert on the ID string appearing in mail and web content.

Block Lists

IP Addresses:

195.24.237.0/24
84.32.84.32

Domains (DNS sinkhole or firewall):

trustwallet.com.do
www.trustwallet.com.do
protection.trustwallet.com.do
trustwallet.org.do
protection.trustwallet.org.do
phantomairdrop.com.do
ctbcsolution.pro
protection.ctbcsolution.pro
ecosparkly.shop
www.ecosparkly.shop
postboxesmail.store
vividoleaf.shop
leafvivid.shop
lyvia.shop
solutionproglobal.pro
swissnetwork.io
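The block lists above are easiest to put to work as a matcher over proxy or DNS logs. The script below is an added example for this report, not tooling from the original investigation: it loads the IP ranges and apex domains, matches hosts by suffix so that the www.* and protection.* entries are covered without listing them, and flags requests to the unauthenticated /api/data endpoint separately. The log format is a constructed, simplified "timestamp client method url" line; the parser is the part to adapt to your own sources.

```python
"""Match web-proxy log lines against the LOKI block lists.

Added example, not part of the original report. Log lines are constructed
for the example and follow a simplified "ts client method url" layout.
"""
import ipaddress
import re
from typing import Iterator, Optional, Tuple
from urllib.parse import urlsplit

BLOCKED_NETS = [ipaddress.ip_network(n) for n in ("195.24.237.0/24", "84.32.84.32/32")]

# Apex domains only; subdomains (www.*, protection.*) are matched by suffix.
BLOCKED_DOMAINS = {
    "trustwallet.com.do", "trustwallet.org.do", "phantomairdrop.com.do",
    "ctbcsolution.pro", "ecosparkly.shop", "postboxesmail.store",
    "vividoleaf.shop", "leafvivid.shop", "lyvia.shop",
    "solutionproglobal.pro", "swissnetwork.io",
}

# Path on the leak site that serves the victim database without authentication.
WATCH_PATHS = {"/api/data"}


def domain_blocked(host: str) -> bool:
    """True if host is a blocked domain or a subdomain of one.
    protection.trustwallet.com.do matches; nottrustwallet.com.do does not."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in BLOCKED_DOMAINS for i in range(len(labels)))


def ip_blocked(addr: str) -> bool:
    """True if addr is a literal IP inside one of the blocked ranges."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in BLOCKED_NETS)


def classify_url(url: str) -> Optional[str]:
    """Return a verdict for a URL or bare host:port, or None if nothing matches."""
    parts = urlsplit(url if "://" in url else f"http://{url}")
    host = parts.hostname or ""
    if ip_blocked(host):
        if parts.path in WATCH_PATHS:
            return f"LEAK-SITE-API {host}{parts.path}"
        return f"BLOCKED-IP {host}"
    if domain_blocked(host):
        return f"BLOCKED-DOMAIN {host}"
    return None


LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)")


def scan_log(lines) -> Iterator[Tuple[str, str]]:
    """Yield (client, verdict) for each line whose URL hits the block lists."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        verdict = classify_url(m["url"])
        if verdict:
            yield m["client"], verdict


# Constructed sample log lines, not real traffic.
SAMPLE_LOG = [
    "2026-03-13T09:01:02Z 10.0.4.17 GET http://195.24.237.15/api/data",
    "2026-03-13T09:01:05Z 10.0.4.17 GET http://195.24.237.15/static/script.js",
    "2026-03-13T09:02:11Z 10.0.9.3 GET https://protection.trustwallet.com.do/login",
    "2026-03-13T09:02:40Z 10.0.9.3 GET https://nottrustwallet.com.do/",
    "2026-03-13T09:03:00Z 10.0.1.8 GET https://gofile.io/d/0Kv7aY",
    "2026-03-13T09:03:30Z 10.0.1.8 CONNECT 195.24.237.200:443",
]

if __name__ == "__main__":
    for client, verdict in scan_log(SAMPLE_LOG):
        print(client, verdict)
```

gofile.io is deliberately absent from the block set: blocking the whole service is a policy decision outside this report, and the detection item on bulk gofile.io uploads below is the better control for it.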

Detection Opportunities

  1. /api/data access — Any internal request to http://195.24.237.15/api/data means a host on your network reached the leak site's victim database. Treat it as a high-priority lead (a curious employee, analyst tooling or an automated crawler) rather than proof of compromise, and identify the process and user behind the request.
  2. Vtiger CRM CVEs — Patch all Vtiger CRM installations immediately. CVEs exist for auth bypass, file upload RCE, and SQL injection.
  3. gofile.io exfil — Monitor for bulk uploads to gofile.io. LOKI uses it as a primary dead-drop.
  4. JavaScript function strings — The strings showVictimModal, renderDownloadLink, copyToxId, DATA REMAINS ENCRYPTED in web traffic indicate LOKI panel content.
  5. Tox string detection — A Tox ID is 76 hex characters: a 32-byte public key, a 4-byte nospam value and a 2-byte checksum. Validate the checksum to suppress false positives from other long hex strings, and key detections on the 64-character public key, since the operator can change the nospam without changing identity. The LOKI Tox ID is uniquely attributable.
  6. certstream monitoring — LOKI's phishing domains were flagged by certstream-suspicious. Enable certstream feeds for brand protection.
  7. Email blocking — Block hadihasanzadebashtiyan@gmail.com as a confirmed threat actor address.
  8. YARA — See yara_rules.yar for file-based and memory detection of LOKI panel artifacts.
  9. Suricata — See suricata_rules.rules for network-based IDS/IPS detection rules.
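A checksum-aware Tox ID matcher for detection item 5 (and for item 8 of the OPSEC findings above) is given below. It is an added example, not code from the original report: it applies the public Tox ID layout (32-byte public key, 4-byte nospam, 2-byte checksum, where checksum byte i is the XOR of every preceding byte at an offset with parity i) to the ID quoted in the Identifiers table, confirms that the scraped value checksums correctly, and scans a constructed HTML fragment in which a one-digit decoy would fool a bare regex.

```python
"""Parse and checksum-validate Tox IDs, then hunt for them in scraped text.

Added example, not part of the original report. Layout follows the Tox
specification: pubkey(32) || nospam(4) || checksum(2), 76 hex characters.
"""
import re
from typing import Dict, Iterator

TOX_ID_RE = re.compile(r"\b[0-9A-Fa-f]{76}\b")

# Tox ID from the report's Identifiers table (scraped from the panel HTML).
LOKI_TOX_ID = "7290408F9A2C4D60FB77CB9CEE25E177F07C47BD22A437137CB4E60D3B1C692EBB1BA203A90F"


def tox_checksum(body: bytes) -> bytes:
    """Checksum over the 36 bytes of public key + nospam: result byte i is
    the XOR of all body bytes whose offset has parity i."""
    out = [0, 0]
    for i, b in enumerate(body):
        out[i % 2] ^= b
    return bytes(out)


def parse_tox_id(text: str) -> Dict[str, object]:
    """Split a 76-hex Tox ID into fields and report whether its checksum matches."""
    if not TOX_ID_RE.fullmatch(text):
        raise ValueError("Tox ID must be exactly 76 hex characters")
    raw = bytes.fromhex(text)
    pubkey, nospam, checksum = raw[:32], raw[32:36], raw[36:]
    return {
        "public_key": pubkey.hex().upper(),
        "nospam": nospam.hex().upper(),
        "checksum": checksum.hex().upper(),
        "checksum_valid": tox_checksum(pubkey + nospam) == checksum,
    }


def find_tox_ids(text: str) -> Iterator[Dict[str, object]]:
    """Yield every checksum-valid Tox ID in a blob of text (HTML, mail, chat).
    A random 76-hex string passes the checksum only 1 time in 65536, so this
    removes almost all false positives a bare regex would raise."""
    for m in TOX_ID_RE.finditer(text):
        info = parse_tox_id(m.group(0))
        if info["checksum_valid"]:
            info["match"] = m.group(0).upper()
            yield info


# Constructed sample resembling the scraped panel source: the real Tox ID plus
# a 76-hex decoy whose final digit has been altered (checksum no longer matches).
DECOY = LOKI_TOX_ID[:-1] + ("0" if LOKI_TOX_ID[-1] != "0" else "1")
SAMPLE_HTML = f"""
<div class="contact">Tox: <span id="tox">{LOKI_TOX_ID}</span></div>
<!-- decoy that only a regex would flag: {DECOY} -->
"""

if __name__ == "__main__":
    for hit in find_tox_ids(SAMPLE_HTML):
        print(hit["match"])
        print("  public key:", hit["public_key"])
        print("  nospam:    ", hit["nospam"])
```

The scraped LOKI ID validates, which rules out an extraction error in the Identifiers table. For long-lived detections, store and match the public_key field rather than the full 76 characters: a new nospam yields a different-looking ID for the same Tox identity.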

Incident Response — Victims of LOKI

If you received or suspect a ransom demand from "LOKI":

  • Do NOT pay — data is already being leaked regardless; the current victim's countdown targets a date in year 1 AD, i.e. it has already expired
  • Contact FBI IC3 (ic3.gov) and CISA (cisa.gov/report)
  • Preserve all evidence including Tox communications
  • The Tox ID 7290408F9A2C4D60FB77CB9CEE25E177F07C47BD22A437137CB4E60D3B1C692EBB1BA203A90F is a unique operator identifier linkable across multiple victims
  • Acquire forensic images of affected systems before remediation
  • The LOKI panel is Internet-accessible — investigators can confirm breach status by accessing /api/data directly

Report generated by GHOST / Breakglass Intelligence — 2026-03-13 Round 1: 2026-03-13 00:00 UTC | Round 2 (Panel Scrape): 2026-03-13 00:28 UTC "One indicator. Total infrastructure."
