Who is Animesh Roy and how he scams people.

The journey from a sophisticated phishing scheme to bribing an anti-phishing resource DARK.FAIL.

In summary, these are the topics this article covers:

Around 5 months ago we (eXch) were contacted by a customer who had lost 1 ETH to a phishing scam targeting eXch that was unknown to us at the time.

The customer was unable to provide any details on how he had ended up on that URL, nor did he provide us with a text version of it, since he was very upset by the situation and left the chat quickly after giving us little more than a screenshot with some information such as his OS and device. Since the screenshot contained an incomplete URL, we had a hard time finding it, as it was not indexed by any clearnet search engine.

After some time spent searching for that URL across various .onion indexers, since that was our best guess of the most realistic attack vector, we were eventually able to find the full malicious domain name:

hszyoqnysrl7lpyfms2o5xonhelz2qrz36zrogi2jhnzvpxdzbvzimqd[.]onion (NOTE: this is a malicious domain name, DO NOT USE IT)

which is a typosquatted .onion imitating our original HSv3 domain:

hszyoqwrcp7cxlxnqmovp6vjvmnwj33g4wviuxqzq47emieaxjaperyd.onion
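As an added example (not code from the original post), the following Python script decodes Tor v3 .onion addresses, verifies their built-in checksum, and measures how many leading characters a candidate shares with the legitimate eXch address; the two addresses are the ones quoted above, and the 6-character prefix threshold is an assumption chosen for this example.

```python
import base64
import hashlib

# Added example, not from the original post: decode Tor v3 .onion addresses and
# measure how long a prefix a lookalike shares with the legitimate one.
# Both addresses below are the ones quoted in the article.
LEGIT = "hszyoqwrcp7cxlxnqmovp6vjvmnwj33g4wviuxqzq47emieaxjaperyd"
LOOKALIKE = "hszyoqnysrl7lpyfms2o5xonhelz2qrz36zrogi2jhnzvpxdzbvzimqd"  # phishing, never visit
VERSION = b"\x03"  # v3 onion service address version byte

def onion_checksum(pubkey: bytes) -> bytes:
    # Tor rend-spec: first 2 bytes of SHA3-256(".onion checksum" || pubkey || version)
    return hashlib.sha3_256(b".onion checksum" + pubkey + VERSION).digest()[:2]

def encode_onion(pubkey: bytes) -> str:
    """Build the 56-char v3 address (without '.onion') from a 32-byte ed25519 key."""
    raw = pubkey + onion_checksum(pubkey) + VERSION
    return base64.b32encode(raw).decode().lower()

def decode_onion(addr: str):
    """Return (pubkey, checksum_ok, version) for a 56-char v3 address."""
    addr = addr.lower()
    if addr.endswith(".onion"):
        addr = addr[:-6]
    if len(addr) != 56:
        raise ValueError("v3 onion addresses are exactly 56 base32 characters")
    raw = base64.b32decode(addr.upper())
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34]
    return pubkey, checksum == onion_checksum(pubkey), version

def shared_prefix(a: str, b: str) -> int:
    """Number of leading characters two addresses have in common."""
    n = 0
    for x, y in zip(a.lower(), b.lower()):
        if x != y:
            break
        n += 1
    return n

def is_lookalike(candidate: str, legit: str, min_prefix: int = 6) -> bool:
    """Flag an address that copies the legit one's first characters but is not it.
    min_prefix is a heuristic threshold chosen for this example, not a Tor constant."""
    return candidate.lower() != legit.lower() and shared_prefix(candidate, legit) >= min_prefix

if __name__ == "__main__":
    print("shared prefix:", shared_prefix(LEGIT, LOOKALIKE))     # 6, i.e. "hszyoq"
    print("lookalike flagged:", is_lookalike(LOOKALIKE, LEGIT))  # True
```

Running the same prefix check over every address an indexer lists is a cheap way to spot entries that mimic the first characters users actually compare by eye.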

We messaged all the affected indexers and most of them removed the malicious URL from their resources, and we went into the new year happy, thinking it was the end... while it was just the beginning!

From January to February we had at least three other victims scammed, which was grounds to pin an announcement on our .onion domain regarding phishing and how to reliably find our .onion URL.

Then this month the shocking event happened: dark.fail listed some "crypto swap" website with a domain registered less than 30 days ago, appearing out of nowhere, completely ripping off the web design of eXch and even having its clearnet domain in the .cx top-level DNS zone, suggesting that this new "project" is a blatant copycat of eXch.

Many emails were sent by us, our customers and mere observers to dark.fail's admin, who ignored 100% of the emails concerning this new project for at least a week. This matters because dark.fail is quite a well-known resource used by many people who wish to avoid ending up on malicious phishing .onion URLs.

The complete lack of an official response from dark.fail spawned many rumors and guesses: "dark.fail hacked" (again), "dark.fail scammer", "dark.fail bribed", etc...

Especially the "bribe" part, since dark.fail also states the following:

"[...] dark.fail is supported by our users. No sites pay for placement or advertisements, no affiliate links have or will ever be used. If this resource has helped you please consider sending a contribution. [...]"

which turned out to be a complete lie, but that will be covered in another part of this publication.

Back to the new rising star SWP[.]CX listed by dark.fail, promising a bright future to many with their innovative "PGP signatures" (or simply Letters of Guarantee), non-KYC exchanges and privacy/anonymity (while using Cloudflare and Protonmail, thereby voluntarily providing all customer data to federal agencies in an automated way).

Just by taking a brief glance at the SWP[.]CX website, which originally was a 95% copy of eXch and was rebranded after their domain was suspended once, we also discovered some obvious problems, such as the website accepting invalid Bitcoin addresses for order creation without any further verification. That almost always indicates that the website's objective is to take the money by any means without caring about service quality (which is also the ideology of an average scam).

A simple Google search for their clearnet domain revealed nothing but 3 results just a week ago:

This finding of a random GitHub repo listing SWP[.]CX was absolutely shocking and surprising, because for such a freshly registered domain name as "SWP[.]CX", with such poor Google results, this alone would already be something proving the involvement of SWP.CX in the previous phishing scheme targeting eXch. Still, we dug a bit further in an attempt to connect all the dots.

After performing a Google search for some of the phishing links hosted in that repo (including the one targeting eXch), we got two interesting results that persisted across various searches:

The first is a GitHub repo by `vtempest` that seems to be something called "DarkNetEye", which claims to have the clearnet site https://darkneteye[.]com (registered on 2023-04-29 via Njalla/Sarek, IP behind Cloudflare), with one of the commits adding 2 phishing links targeting eXch and Majestic Bank simultaneously on Sep 1, 2023: https://github.com/vtempest/dark-web/commit/0582721f3e632a39d650bc187276a7a9d343e6b7 (they also add a Coinomize phishing URL in another commit).

The second is a blog post from Oct 2, 2023 by someone named Animesh Roy, linking to the previous GitHub repo's website and claiming "DarkNetEye" to be "one of the oldest and most established darknet news and link portals which is used by thousands of people every day to access the darknet safely". This is a lie, since no project called "DarkNetEye" ever existed before this blog article; instead there is a project called "DarkEye", which only exists on Tor and has nothing in common with "DarkNetEye".

Right after the first quoted sentence from that blog comes another sentence, "These are a selection of the most popular darknet markets and services which are currently listed on our platform:", with that "our" suggesting that "DarkNetEye" belongs to the blog's author, Animesh.

And of course, right after all this wording, the famous phishing URL targeting eXch appears in all its glory, once again (hszyoqnysrl7lpyfms2o5xonhelz2qrz36zrogi2jhnzvpxdzbvzimqd).

So let's take a deep dive from here: who is Animesh Roy (anir0y)?

Just from a glance at his blog and his other social profiles, everything suggests that this guy from India is a self-proclaimed security researcher doing lots of hacking (in the whitehat meaning of the term, but only for now), describing himself with "10+ years in Infosec Domain" and "Scripting in my square time, pwning ⚡ at work!" on his GitHub page.

Looking at the blog author's articles, he seems to be fascinated by phishing, which is definitely one of the main topics of his "10+ years in Infosec Domain" studies:

While his actual work remains unknown to us, since his "work" websites and links lead back to himself in a loop, his self-description of how he is "pwning ⚡ at work!" suggested to us that his actual work might be related to actual phishing. Anyone with common sense would already start noticing the following:

Of course, anyone claiming to be a "security researcher" and especially interested in phishing would verify the links before publishing anything in their post, since making a blog post as a security researcher that contains phishing links might immediately destroy one's reputation and flag that "security researcher" as incompetent for the rest of his days.

One may suggest that he was paid to publish that blog article and the guy is innocent, but even then, for someone with "10+ years in Infosec Domain", making the negligent mistake of including phishing links in their own blog might be a reason to perform a "virtual seppuku" immediately. It is very doubtful that a specialist of this kind would not verify anything prior to publishing, and especially that he would not remove the "our" part, so that the project behind a paid blog advertisement would not appear to be his own project (which is actually what happened).

If all this is not yet enough to assign to Animesh the role of the actual actor behind the phishing of Majestic Bank, eXch and Coinomize, we inform you that we contacted the blog's author immediately after the discovery, suggesting he remove that blog article and explaining that it contains a malicious URL, and were completely ignored. Now it is for sure enough. Why? Because this "work" simply "works" for him and generates passive income. The many customers of ours scammed by that person are yet more proof of that. Additionally, while ignoring our message, which was definitely of importance for his own good, he had time to make another fresh blog post ridiculing someone else who also messaged him in regards to our previous Bitcointalk post.

And that recent blog post comes right after the blog post advertising his malicious "DarkNetEye" and its phishing URLs.

It also appears that the guy is very persistent in everything he does and won't give up easily, since it is the first time in his life he has managed to get some significant (for India) income on the Internet. In any case, the date of this publication is the day when anir0y's professional career ends and his official criminal history starts, unfortunately for him, since there will be a criminal investigation into him: we will for sure do our best to help our customers affected by his phishing to sue the correct person and demand their money back. It is also no joke how India's law enforcement treats its own citizens involved in criminal practices, and it will for sure be hard times for Animesh.

By the way, have you ever noticed how https://darkneteye[.]com/services/ is one of the few resources that also added SWP[.]CX so quickly?

It even got an update earlier today removing eXch and substituting it with SWP[.]CX so they can continue scamming, since their phishing scheme is becoming outdated.

There are also other resources sharing the same phishing links targeting Majestic Bank, eXch and Coinomize:

dark[.]taxi - yet another of anir0y's works (registered via Njalla/Sarek, IP behind Cloudflare) that imitates the legitimate tor.taxi, so it becomes even more confusing for newcomers, in the same way anir0y imitates DarkEye with DarkNetEye.

darkweeble[.]com - yet another of anir0y's works (registered via Namecheap, IP behind Cloudflare) that lists phishing at https://darkweeble[.]com/services/, with a special accent on these lovely reviews https://darkweeble[.]com/reviews/exch and https://darkweeble[.]com/reviews/majestic-bank, of course with phishing links again.

darknetmarketlinks[.]net - anir0y's SEO optimization (registered via Njalla/Sarek, IP behind Cloudflare) listing all the same phishing links, including dark[.]taxi, darkneteye[.]com and darkweeble[.]com.

tor2doormarket[.]io - anir0y's "tutorial" (registered via Njalla/Sarek, IP behind Cloudflare) on how to use the darknet, with a "friendly" recommendation of eXch linking to the phishing site (also on its FAQ page). The footer also contains legitimate links mixed with his own projects like dark[.]taxi to confuse people and search engines.

royalmarket[.]org - another of anir0y's "tutorials" (registered via Njalla/Sarek, IP behind Cloudflare) on how to use the darknet, with a "friendly" recommendation of eXch linking to the phishing site.

What is also especially interesting and common to all the malicious websites above (including the 2 GitHub repos) is that they list a valid .onion link for the Infinity exchanger, the project behind DDoSing eXch in the past that is also running a stealth rogue campaign against Majestic Bank, another popular instant exchanger. It is unclear whether Animesh is also behind Infinity, but all this data suggests that it is a possibility.

We think that is already more than enough about Animesh, so let's move on to DARK.FAIL now.

We were not publishing this article because it was incomplete without at least some sign of life from DARK.FAIL's admin (hereafter "DDF"), of course, as it was unclear what the reasons were for listing the potential (and actual) scammer's project on DDF.

Earlier this week, the DDF admin returned from silence with the following statement on a known deepweb platform:

"Swp is not a phishing site. I will suggest to their admin that they change their design."

which was a reply to a series of replies after yet another known legitimate operator of a similar resource, "tor[.]fish", claimed the following:

"We were approached by a site going by the name of swp[dot]cx about a week ago and offered a large amount of money to list them (which we refused as we don't operate that way). A few days later, another offer from another very suspiciously similar looking exchange. Clearly someone is creating a series of these sites."

That makes it clear that Animesh Roy, who is behind SWP[.]CX, used the money he obtained from scamming eXch users by phishing to bribe the DDF admin in order to get his scam platform boosted, given the significant popularity of DDF.

What makes it even more disastrous is that even the admin of the less popular resource TOR[.]FISH (TDF) refused the bribe in order not to risk their reputation, because they must be mature enough to understand that it is worth a lot more than just money.

This is also where DARK.FAIL's reputation comes to an end, exposing this platform as a cheap liar with non-existent ethics, capable of thinking only short-term, because SWP[.]CX will eventually exit-scam and forget about the Internet after someone sends him more than 5 BTC, which is enough money to rebuild a small village in India, while DARK.FAIL's reputation will remain damaged forever.

To finish this article on an additional note, we would like to inform our readers that Njalla/Sarek.fi (a one-man domain registrar operation by Peter Sunde) ignored all our reports and requests to suspend the malicious domains mentioned in this article belonging to this scammer. It is widely known that Njalla/Sarek was widely popular many years ago, but after it started suspending domains and servers purchased from it that hosted websites opposing his personal views on some political and controversial topics (like COVID), the service's reputation decreased significantly, with people from many privacy-centric communities advocating against using his services. This also demonstrates how Peter Sunde is actively supporting phishers on his domain registrar and hosting, while bashing the free speech he used as a marketing gimmick when he launched his platforms.