One DigitalOcean Droplet, Six Phishing Brands, and an Unprotected Nexus C2 Panel: Inside a Converged Criminal Operation
Android banking trojan + Windows RAT + Bank of America/Chase/O365/Yahoo phishing + OpenSea crypto drainer on one server
A single IP address. A $5/month DigitalOcean droplet. Running simultaneously: an Android banking trojan command-and-control panel with no authentication, phishing kits impersonating Bank of America, Chase, Microsoft Office 365, Yahoo, credit unions, and OpenSea, a Windows RAT under active development, and a crypto drainer that's been operational since November 2022.
Researcher @Fact_Finder03 flagged 159.203.95[.]70 as a "Nexus C2 Dashboard." We found considerably more.
The Open Panel
The Nexus C2 dashboard on port 5000 requires no authentication. No login page. No API key. The full operator interface is accessible to anyone who navigates to it:
- Bot inventory with device details, status, and last check-in times
- Stolen credentials viewer for harvested banking and social media logins
- Seed phrase extractor for cryptocurrency wallet recovery phrases
- Bot command dispatch: lock screen, inject overlay, update APK, force uninstall
At time of investigation, the panel showed zero active bots -- either a freshly deployed instance or recently wiped. But the infrastructure surrounding it tells a different story.
Six Brands, One Server
Every phishing domain was registered through the same Cloudflare account (identified by the consistent albert/sloan nameserver pair) within a 12-day window:
| Domain | Target | Scale |
|---|---|---|
| verifyprotection[.]com | Bank of America, Amazon, Huntington, credit unions | 91 TLS certificates |
| 0ffice-signin[.]com | Microsoft Office 365 | 12 subdomains including "webshell" |
| yahoo-accounts[.]com | Yahoo | Email credential harvesting |
| creditunion-verify[.]com | Credit unions | Financial institution phishing |
| myaccounts-chase[.]com | Chase | Banking credential theft |
| claim-opensea[.]com | OpenSea | Crypto wallet drainer, active since November 2022 |
The 91 TLS certificates on verifyprotection[.]com indicate massive subdomain generation -- each certificate covers a unique phishing subdomain customized for a specific target or campaign wave. This is industrialized phishing.
The OpenSea drainer at claim-opensea[.]com is the oldest component, predating the other domains by over three years. This suggests the operator started with crypto theft and expanded into banking and credential phishing -- a natural progression in the cybercrime ecosystem.
SheetRAT: The Windows Arm
MalwareBazaar hosts 10+ SheetRAT samples associated with this infrastructure, with the most recent uploaded April 1, 2026. SheetRAT is a .NET remote access trojan with:
- AMSI and ETW bypass for evasion of Windows security telemetry
- WMI-based virtual machine detection to avoid sandbox analysis
- Registry-based persistence
- Camera access capability
- Character substitution obfuscation in the source code
The active development timeline -- samples uploaded within the last 48 hours -- confirms this is a live, evolving operation.
The Converged Model
This operation runs four distinct criminal capabilities on a single server:
- Nexus -- Android banking trojan for mobile credential theft and cryptocurrency wallet seed extraction
- SheetRAT -- Windows RAT for desktop access, surveillance, and data exfiltration
- Multi-brand phishing -- Credential harvesting across financial, tech, and email platforms
- Crypto draining -- Direct cryptocurrency theft via OpenSea impersonation
The convergence isn't accidental. Each component feeds the others: phishing harvests credentials that unlock accounts, the banking trojan captures 2FA codes and seed phrases, the RAT provides persistent access for manual exploitation, and the crypto drainer monetizes stolen wallet access. It's a complete financial crime pipeline.
All of it running on what appears to be a single DigitalOcean droplet, behind Cloudflare, with the C2 panel wide open.
Indicators of Compromise
Network Indicators
- 159.203.95[.]70 (DigitalOcean)
- verifyprotection[.]com (91 TLS certs)
- 0ffice-signin[.]com (12 subdomains)
- yahoo-accounts[.]com
- creditunion-verify[.]com
- myaccounts-chase[.]com
- claim-opensea[.]com (active since Nov 2022)
- Cloudflare NS pair: albert/sloan
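As an added example (not code from the original post or from the linked rule set), here is a small Python scanner that refangs the network indicators above and matches them against proxy/DNS log lines. The log lines and their four-field format are constructed assumptions; subdomains of a listed domain count as hits, which matters for verifyprotection[.]com and its dozens of certificate-backed subdomains.

```python
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Network indicators from this write-up, kept in their defanged form.
DEFANGED_IOCS = [
    "159.203.95[.]70",
    "verifyprotection[.]com",
    "0ffice-signin[.]com",
    "yahoo-accounts[.]com",
    "creditunion-verify[.]com",
    "myaccounts-chase[.]com",
    "claim-opensea[.]com",
]


def refang(ioc: str) -> str:
    """Turn '[.]' / 'hxxp' style defanging back into a matchable value."""
    return ioc.replace("[.]", ".").replace("hxxp", "http").lower()


IOCS = {refang(i) for i in DEFANGED_IOCS}


def matches_ioc(host: str) -> Optional[str]:
    """Return the indicator that covers host, or None.
    Matching is done on whole DNS labels from the right, so
    login.verifyprotection.com hits but notverifyprotection.com does not."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in IOCS:
            return candidate
    return None


# Constructed sample log (not real traffic): "timestamp client action destination".
SAMPLE_LOG = """\
2026-04-02T10:01:07Z 10.0.4.17 CONNECT https://login.verifyprotection.com/BoA/index.php
2026-04-02T10:01:09Z 10.0.4.17 GET http://159.203.95.70:5000/api/bots
2026-04-02T10:02:11Z 10.0.5.3 GET https://www.microsoft.com/
2026-04-02T10:02:30Z 10.0.5.3 DNS notverifyprotection.com
2026-04-02T10:03:45Z 10.0.6.8 GET https://claim-opensea.com/claim
"""


def scan_log(text: str) -> List[Tuple[str, str, str]]:
    """Return (client, destination host, matched indicator) for each hit."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip malformed lines rather than crash the scan
        client, dest = parts[1], parts[3]
        # DNS lines carry a bare name; HTTP lines carry a URL whose host we extract.
        host = urlsplit(dest).hostname if "://" in dest else dest
        ioc = matches_ioc(host) if host else None
        if ioc:
            hits.append((client, host, ioc))
    return hits
```

Running `scan_log(SAMPLE_LOG)` flags the two 10.0.4.17 requests and the claim-opensea.com request, and leaves the look-alike notverifyprotection.com lookup alone.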
Detection
Four YARA rules and sixteen Suricata signatures covering the Nexus panel, SheetRAT samples, phishing kit patterns, and C2 communications are available on our GitHub:
h/t @Fact_Finder03 for the initial tip.