OP 14 September, 2025 - 06:55 AM
(This post was last modified: 14 September, 2025 - 06:57 AM by muelasrag.)
What we found after decoding
After applying the XOR decryption (key = 92), the first readable strings appeared:
→ This is a Bitcoin wallet address (Bech32):
Code: bc1qn0wcdzggzu0lzx92g6fgae54pdr3wv75r9yszp
→ A JavaScript DOM function (used to add elements into the page):
Code: appendChild
→ Refers to the website’s host name:
Code: hostname
Code: location.hostname
- The rest are numeric/technical values related to its operations.
Conclusion
The script does the following:
- It contains a hardcoded Bitcoin wallet address (bc1q...).
➝ Meaning: when it manipulates form inputs, it replaces the user’s wallet address with the attacker’s wallet.
- It uses DOM APIs (appendChild, hostname, …) to add or change elements in the page dynamically.
- It runs periodically (via setInterval) to reapply the same manipulations continuously.
⚠️ Final Summary:
This script is a malicious injection for stealing cryptocurrency:
- It monitors crypto input fields.
- It swaps the victim’s address with the attacker’s address: bc1qn0wcdzggzu0lzx92g6fgae54pdr3wv75r9yszp
- It injects fake UI elements (e.g., copy buttons) to trick the user into copying the wrong address.
A malicious script is replacing wallet addresses with the attacker’s:
Code: bc1qn0wcdzggzu0lzx92g6fgae54pdr3wv75r9yszp
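Added example, not code from the post above or from the analysed script: a small triage helper that reproduces the decoding step the post describes (single-byte XOR with key 92), recovers printable strings, and flags the crypto-clipper indicators the post names (a Bitcoin address next to appendChild, location.hostname and setInterval). The sample blob is constructed here by XOR-encoding those known strings; it is not the original payload. The key-recovery routine, the address regexes (syntactic only, no checksum) and the navigator.clipboard indicator are assumptions added for illustration.

```javascript
// Added example (not from the original post or the analysed script): decode a
// single-byte-XOR blob, extract strings and flag crypto-clipper indicators.

const XOR_KEY = 92; // key reported in the post

// Single-byte XOR is its own inverse: the same call encodes the sample and
// decodes the blob.
function xorBytes(bytes, key) {
  return Uint8Array.from(bytes, (b) => b ^ (key & 0xff));
}

// Map bytes 1:1 to characters (latin1) without hitting argument limits.
function bytesToLatin1(bytes) {
  let s = "";
  for (const b of bytes) s += String.fromCharCode(b);
  return s;
}

// Pull out runs of printable ASCII of at least minLen characters (like `strings`).
function extractStrings(bytes, minLen = 6) {
  const out = [];
  let run = "";
  for (const b of bytes) {
    if (b >= 0x20 && b <= 0x7e) {
      run += String.fromCharCode(b);
      continue;
    }
    if (run.length >= minLen) out.push(run);
    run = "";
  }
  if (run.length >= minLen) out.push(run);
  return out;
}

// Assumed helper: recover an unknown single-byte key by crib search. Try all
// 256 keys and return the first whose decoding contains a string we expect in
// the plaintext (appendChild here). Returns null if nothing matches.
function guessXorKey(blob, crib = "appendChild") {
  for (let key = 0; key < 256; key++) {
    if (bytesToLatin1(xorBytes(blob, key)).includes(crib)) return key;
  }
  return null;
}

// Syntactic Bitcoin address patterns (no checksum validation): Bech32
// (bc1 + 39..59 chars of the bech32 alphabet) and legacy Base58 (1.../3...).
const BTC_BECH32 = /\bbc1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{39,59}\b/g;
const BTC_BASE58 = /\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b/g;

// API names the post lists as clipper behaviour, plus navigator.clipboard,
// which is an assumed indicator not mentioned in the post.
const CLIPPER_APIS = ["appendChild", "setInterval", "location.hostname", "navigator.clipboard"];

// Decode with the given key, then report strings, addresses and matched APIs.
function triage(blob, key = XOR_KEY) {
  const strings = extractStrings(xorBytes(blob, key));
  const text = strings.join("\n");
  const addresses = [...new Set([
    ...(text.match(BTC_BECH32) || []),
    ...(text.match(BTC_BASE58) || []),
  ])];
  const apis = CLIPPER_APIS.filter((name) => text.includes(name));
  const verdict = addresses.length && apis.length ? "likely crypto-clipper" : "inconclusive";
  return { strings, addresses, apis, verdict };
}

// Constructed sample: the strings the post reports, NUL-separated and
// XOR-encoded with key 92 (NUL ^ 92 is printable, so the separators only
// reappear as string breaks once the correct key is applied).
const SAMPLE_PLAINTEXT = [
  "bc1qn0wcdzggzu0lzx92g6fgae54pdr3wv75r9yszp",
  "appendChild",
  "location.hostname",
  "setInterval",
].join("\0");
const SAMPLE_BLOB = xorBytes(new TextEncoder().encode(SAMPLE_PLAINTEXT), XOR_KEY);

console.log("recovered key:", guessXorKey(SAMPLE_BLOB));
console.log(triage(SAMPLE_BLOB));
```

Against a real sample you would feed the raw obfuscated bytes to guessXorKey first and only then to triage; a verdict of "likely crypto-clipper" is a triage hint, not proof, since a legitimate wallet page also contains addresses and DOM calls.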