highStealer
Smile Admin Panel
InvestigatedApril 3, 2026PublishedApril 3, 2026
Threat Actors:ProfileAssessments may move after exposure)
smilepanelsratlaravelhetznertorshodan
TLP: WHITE Date: 2026-04-03 Analyst: GHOST (Breakglass Intelligence) Classification: Cybercrime -- Cookie Theft & Financial Fraud Platform Status: LIVE INFRASTRUCTURE
Executive Summary
Investigation initiated from a Twitter lead by @salmanvsf referencing "Smile admin panels." Through Shodan fingerprinting on the HTTP title "Smile Admin," we identified a LIVE Laravel/Inertia.js-based fraud administration panel hosted on Hetzner (Finland) at 46.62.192.169. The panel -- branded "Smile Admin" -- manages stolen browser cookies, user wallets, payment processing, and a storefront ("OMG - GameShop") targeting Myanmar users (Burmese language UI). Two domains (crazydazy[.]online and skibidispace[.]xyz) were registered on the same day via Namecheap and point to the same server. Multiple critical OPSEC failures were identified including open registration, a cookie domain leak, placeholder Google OAuth credentials, and an exposed .git repository.
Key Findings
- LIVE fraud admin panel at smile[.]crazydazy[.]online with open registration
- Panel manages stolen cookies (
cookiesjsonCRUD routes), wallets, wallet transactions, and payments - Frontend storefront "OMG - GameShop" at app[.]crazydazy[.]online targets Myanmar users (Noto Sans Myanmar font)
- Cookie domain scoped to
.skibidispace[.]xyz-- reveals hidden second domain - Both domains registered 2025-10-15 at Namecheap, WHOIS-privacy protected
- Certificate Transparency reveals a third subdomain:
redeem[.]crazydazy[.]online(now offline) - Google OAuth configured with placeholder
your-client-id.apps.googleusercontent.com .envreturns 403 (exists but blocked),.git/HEADreturns 403 (git repo on server)- Product routes include
updateMmkPrice-- MMK = Myanmar Kyat, confirming Myanmar targeting - Built with Laravel 11+, Inertia.js, Livewire, Sanctum API auth, Vite, TanStack Router
- Server: nginx/1.24.0 on Ubuntu Linux, OpenSSH 9.6p1
- Zero VirusTotal detections, zero URLScan submissions -- previously undocumented infrastructure
Infrastructure Analysis
Network Infrastructure
| IP | ASN | Provider | Location | Ports | Services | Status |
|---|---|---|---|---|---|---|
| 46[.]62[.]192[.]169 | AS24940 | Hetzner Online GmbH | Vaala, Finland | 22, 80, 443 | nginx/1.24.0, OpenSSH 9.6p1 | LIVE |
Domain Infrastructure
| Domain | Registrar | Created | NS | Purpose |
|---|---|---|---|---|
| crazydazy[.]online | Namecheap | 2025-10-15 | registrar-servers.com | Primary -- panel + storefront |
| skibidispace[.]xyz | Namecheap | 2025-10-15 | registrar-servers.com | Cookie domain -- session scope |
Subdomain Map
| Subdomain | Domain | Purpose | Status |
|---|---|---|---|
| smile[.]crazydazy[.]online | crazydazy.online | Admin panel | LIVE |
| app[.]crazydazy[.]online | crazydazy.online | "OMG GameShop" storefront | LIVE |
| redeem[.]crazydazy[.]online | crazydazy.online | Redemption portal | OFFLINE |
| www[.]crazydazy[.]online | crazydazy.online | Redirects to root | LIVE |
| smile[.]skibidispace[.]xyz | skibidispace.xyz | Mirror admin panel | LIVE |
| app[.]skibidispace[.]xyz | skibidispace.xyz | Mirror storefront | LIVE |
| www[.]skibidispace[.]xyz | skibidispace.xyz | Unknown | LIVE |
Certificate Timeline
| Date | Certificate | SANs |
|---|---|---|
| 2025-10-16 | www.crazydazy.online, www.skibidispace.xyz | Single domain certs (initial setup) |
| 2025-10-18 | crazydazy.online | app, smile, www subdomains |
| 2025-10-21 | skibidispace.xyz | app, smile subdomains |
| 2025-10-22 | skibidispace.xyz | app, smile, www subdomains |
| 2025-10-30 | app.crazydazy.online | app, smile subdomains |
| 2025-12-21 | skibidispace.xyz | app, smile, www (renewal) |
| 2025-12-29 | app.crazydazy.online | app, smile (renewal) |
| 2026-01-15 | redeem.crazydazy.online | redeem only (new service) |
| 2026-02-19 | skibidispace.xyz | app, smile, www (renewal) |
| 2026-02-27 | app.crazydazy.online | app, smile (current, expires 2026-05-28) |
Panel Architecture
Technology Stack
- Backend: Laravel 11+ (PHP), Inertia.js SSR, Livewire, Sanctum API authentication
- Frontend (Admin): Vue.js/React via Inertia, Vite bundler, Lucide icons, Instrument Sans font
- Frontend (Store): React, TanStack Router, Noto Sans Myanmar font
- Server: nginx/1.24.0 on Ubuntu, Let's Encrypt TLS (E7 issuer)
- Session: Cookie-based (
smile_admin_session), scoped to.skibidispace.xyz
Exposed Routes (47 routes discovered)
Authentication: login, register, forgot-password, reset-password, verify-email, confirm-password, logout, auth/google (OAuth) Cookie Management: cookiesjson (CRUD -- index, create, store, show, edit, update, destroy), cookiesjsonupdate Financial: wallets (index, show, update), wallettransaction (full CRUD), payments (full CRUD) Products: product (index), updatehot, updateMmkPrice (Myanmar Kyat!), image upload Users: users (full CRUD) Admin: admin/dashboard, dashboard Settings: profile, password, appearance Infrastructure: pulse (Laravel Pulse -- 403), livewire/update, sanctum/csrf-cookie, storage/{path}
OPSEC Failures
- Open Registration: /register returns 200 -- anyone can create an account
- Cookie Domain Leak: Session cookies scoped to
.skibidispace.xyzwhile serving from crazydazy.online -- reveals hidden domain - Placeholder OAuth: Google OAuth uses
your-client-id.apps.googleusercontent.com-- template never configured - Exposed .env: Returns 403 (exists, blocked by nginx but confirms presence)
- Exposed .git: Returns 403 (git repository exists on server, blocked by nginx)
- Inertia Version Hash:
d1862febc9084f120197a10bcde82b6dexposed in every page response - Full Route Map: All 47 application routes exposed via Ziggy JavaScript in every page load
- Storage Path Traversal:
storage/{path}route accepts wildcard path parameter
Attack Chain Assessment
Cookie Theft (browser extension/stealer)
--> cookiesjson endpoint (stolen cookie ingestion)
--> "OMG GameShop" (Myanmar gaming platform -- likely a social engineering front)
--> wallets (victim account balances)
--> wallettransaction (drain victim wallets)
--> payments (cash out)
--> redeem (redemption of stolen value)
Threat Actor Profile
Attribution Assessment
- Confidence: LOW-MEDIUM
- Evidence: Domain registration patterns, technical choices, language targeting
- Targeting: Myanmar users (Burmese font, MMK currency)
- Motivation: Financial fraud -- cookie theft enabling account takeover and wallet drainage
- Sophistication: MEDIUM -- competent Laravel developer, uses modern stack (Inertia.js, TanStack), but multiple OPSEC failures suggest individual or small team
- Infrastructure Age: ~5.5 months (domain registration Oct 2025)
Indicators of Developer Profile
- Uses Laravel with latest patterns (Inertia.js, Livewire, Sanctum)
- Random/meme domain naming ("crazydazy", "skibidispace") suggests younger developer
- TanStack Router for frontend suggests awareness of modern React ecosystem
- Placeholder OAuth credentials suggest this may be a development/staging instance
redeemsubdomain appeared Jan 2026 -- operation expanding
MITRE ATT&CK Mapping
| Tactic | Technique | ID | Application |
|---|---|---|---|
| Credential Access | Steal Web Session Cookie | T1539 | cookiesjson endpoint ingests stolen browser cookies |
| Collection | Data from Information Repositories | T1213 | Panel aggregates stolen cookie data |
| Resource Development | Acquire Infrastructure | T1583.001 | Hetzner VPS, Namecheap domains |
| Resource Development | Establish Accounts | T1585.002 | Google OAuth (attempted), panel user accounts |
| Impact | Financial Theft | T1657 | Wallet transactions, payment processing |
IOC Summary
Network Indicators
- 46[.]62[.]192[.]169 (Hetzner, Finland)
- crazydazy[.]online
- skibidispace[.]xyz
- smile[.]crazydazy[.]online
- app[.]crazydazy[.]online
- redeem[.]crazydazy[.]online
- smile[.]skibidispace[.]xyz
- app[.]skibidispace[.]xyz
Behavioral Indicators
- HTTP title: "Smile Admin"
- Session cookie name:
smile_admin_session - Cookie domain:
.skibidispace.xyz - Inertia version:
d1862febc9084f120197a10bcde82b6d - Ziggy route signature: 47 routes including
cookiesjson,wallettransaction,updateMmkPrice - App title: "OMG - GameShop"
- Google OAuth redirect:
smile.skibidispace.xyz/auth/google/callback - User-Agent on JS:
Instrument Sansfont,Noto Sans Myanmarfont
TLS Indicators
- Cert CN: app.crazydazy.online
- SANs: app.crazydazy.online, smile.crazydazy.online
- Issuer: Let's Encrypt E7
- JARM: 27d27d27d29d27d00042d42d00000026a95928fa9b620834c2feff40bccb8f
Recommended Actions
Immediate (24-48 hours)
- Block IOC domains and IP at network perimeter
- Monitor for connections to skibidispace[.]xyz and crazydazy[.]online
- Check browser extension logs for cookie exfiltration to these domains
Short-term (1-2 weeks)
- Submit abuse report to Hetzner (abuse@hetzner.com)
- Submit abuse report to Namecheap (abuse@namecheap.com) for both domains
- Monitor CT logs for new certificates issued to these domains
- Check for related infrastructure using the JARM fingerprint
Medium-term (1-3 months)
- Monitor for domain migration (actors may move after exposure)
- Track the "updateMmkPrice" pattern for Myanmar-targeted fraud campaigns
References
- Twitter lead: @salmanvsf -- "More Smile admin panels"
- Shodan query:
http.title:"Smile Admin" - crt.sh: Certificate Transparency logs for crazydazy.online and skibidispace.xyz
GHOST -- Breakglass Intelligence "One indicator. Total infrastructure."