"You chose the wrong inbox."

"You clearly didn't realize who you were dealing with."


Hello, my name is lu3ky-13, a security researcher on the HackerOne platform. I am part of "security researcher", a team that operates a website dedicated to bug bounty education, hacking tutorials, and security awareness. We publicly list a contact email on Facebook for anyone who has questions or needs assistance.

It appears that an attacker discovered our email address through Facebook and attempted to target us with a phishing campaign.

In most cases, phishing emails are filtered directly into the spam folder. We receive such messages frequently and usually do not investigate them further. However, this incident was different and immediately stood out.

The attacker leveraged Google AppSheet's legitimate email infrastructure (appsheet.com) to send the phishing email. Because the message originated from a trusted Google service and passed email authentication checks, it was delivered directly to our inbox rather than being flagged as spam.
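The property this delivery hinges on is that SPF, DKIM and DMARC vouch for the relay's domain (appsheet.com), not for the links the message carries. The following Python is an added illustration, not code from the original report: it parses a constructed sample message (the recipient, the `mx.example.org` authserv-id and the `noreply@appsheet.com` sender are assumptions), compares the authenticated domains against every link host, and also flags hosts that fit the short random-label pattern on the two apex domains described later in the report.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed sample modelled on the incident; the relay authenticates, the link does not.
SAMPLE_EMAIL = """\
From: "Support" <noreply@appsheet.com>
To: contact@example.org
Subject: Action required on your page
Authentication-Results: mx.example.org;
 spf=pass smtp.mailfrom=appsheet.com;
 dkim=pass header.d=appsheet.com;
 dmarc=pass header.from=appsheet.com
Content-Type: text/plain; charset="utf-8"

Your page has a policy issue. Review it here:
https://a9k3m.usnic-token.me/login
"""

# Apex domains seen in this campaign; per-victim labels were 4-5 random alphanumerics.
PHISH_APEX = ("usnic-token.me", "idvaultsys.me")
RANDOM_LABEL = re.compile(r"^[a-z0-9]{4,5}\.(%s)$" % "|".join(re.escape(a) for a in PHISH_APEX))
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def authenticated_domains(msg):
    """Domains that SPF/DKIM/DMARC actually vouch for, taken from Authentication-Results."""
    found = set()
    for hdr in msg.get_all("Authentication-Results", []):
        for m in re.finditer(r"(?:smtp\.mailfrom|header\.d|header\.from)=([\w.-]+)", hdr):
            found.add(m.group(1).lower())
    return found

def link_hosts(msg):
    """Hostnames of every URL in the (plain-text) body."""
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    hosts = (urlparse(u).hostname for u in URL_RE.findall(body))
    return {h.lower() for h in hosts if h}

def assess(raw):
    """Passing authentication for a relay is not trust in the links it carries."""
    msg = message_from_string(raw)
    auth = authenticated_domains(msg)
    reasons = []
    for host in sorted(link_hosts(msg)):
        if not any(host == d or host.endswith("." + d) for d in auth):
            reasons.append("link host %s is outside authenticated domain(s) %s" % (host, sorted(auth)))
        if RANDOM_LABEL.match(host):
            reasons.append("link host %s matches the campaign's random-subdomain pattern" % host)
    return ("suspicious" if reasons else "no finding"), reasons
```

Run `assess(SAMPLE_EMAIL)` to see both findings; swapping the link for one under appsheet.com returns "no finding", which is the gap a plain authentication pass leaves open.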

Upon interacting with the email, the link redirected to malicious domains such as:

  • a9k3m.usnic-token.me
  • 2h9s.idvaultsys.me

These pages presented a fake login interface and requested sensitive information, including full name, email address, mobile number, and password. After submitting credentials, the phishing flow attempted to capture a two-factor authentication (2FA) code, indicating a clear attempt at full account takeover.

Following this, I began analyzing the attacker's infrastructure. The investigation revealed that the operation relied on two primary domains, with dynamically generated subdomains created per victim, suggesting an organized phishing framework designed to evade detection and tracking.


Identified Malicious Domains and Infrastructure

Primary Domains and Subdomains

usnic-token.me, idvaultsys.me

usnic-token.me: A total of 21 dynamically generated subdomains were identified.

idvaultsys.me: A total of 15 subdomains were identified.

Additional Malicious Domain

  • access-information.auth-update233.click

Server Enumeration and Directory Discovery

To further analyze the attacker's infrastructure, directory and file enumeration was performed using Dirsearch.

A publicly accessible /admin directory was discovered across all tested subdomains.

Command used:

dirsearch -u https://p7c4.idvaultsys.me \
-i 200,301 \
-e html,php,rar,zip,txt,sql,json,jsp,xml,csv,log,doc,xls,pdf,tar,sys,ini,db,conf,bak,env,jsonc

The results confirmed that all subdomains shared the same directory structure and content, strongly suggesting a centralized phishing framework deployed across multiple dynamically generated subdomains.

Targeted Geographic Distribution

Analysis of the phishing activity indicates that the campaign primarily targeted users in the following regions:

  • Algeria (DZ) — 40%
  • Iraq (IQ) — 25%
  • Morocco (MA) — 15%
  • Tunisia (TN) — 10%
  • Jordan (JO) — 5%
  • Other regions — Egypt, UAE, Lebanon

This targeting pattern suggests a focused campaign against Arabic-speaking regions, rather than a broad, untargeted phishing operation.


Discovery of Attacker Configuration File

Further investigation revealed a publicly accessible configuration file located at:

https://p7c4.idvaultsys.me/admin/app_config.json

This file contained hard-coded operational data used by the attacker to exfiltrate stolen credentials and distribute them via Telegram, strongly confirming that the infrastructure was actively used for phishing and monetization.

Exposed Configuration Details

The configuration file included:

  • Telegram bot tokens used to transmit harvested data
  • A Telegram group chat ID where victim information was sent
  • An IP intelligence API token used for victim tracking
  • Timing and delay values designed to mimic real login behavior
  • Event topics indicating different stages of the phishing flow (password entry, OTP capture, form opened, etc.)

Extracted Data (as observed)

{
  "bot_token": "7871555324:AAHUSIAw2N0psJlFbJ7sfkq4D2L6e9qofGU",
  "bot_token_journey": "8053731074:AAEWnpsgr82u-yoKWONk2eA1mqiVKBhL4bY",
  "chat_id": "-1003162196749",
  "ipinfo_token": "b61cb983a2e24b",
  "delays": {
    "password_first": 5500,
    "password_second": 10000,
    "otp_first": 1500,
    "otp_second": 1300,
    "otp_third": 1000,
    "auth_method": 5500
  },
  "timers": {
    "otp_correct": 15
  },
  "topics": {
    "main_data": "2",
    "password_2": "21",
    "otp_1": "9",
    "otp_2": "17",
    "otp_3": "19",
    "journey": "3097",
    "form_opened": "355"
  }
}
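A practitioner handling a file like this wants to pull out the non-sensitive attribution data (bot ids, chat type) and produce a copy safe to share. The Python below is an added example, not part of the original report or the attacker's kit: it works on the same structure as the exposed app_config.json with the token secrets replaced by placeholders (the bot ids, chat id, delays and topic ids are as observed above), derives the bot ids from the numeric prefix of each token, classifies the chat id, redacts the secrets and totals the artificial delays.

```python
import json
import re
# The app_config.json structure shown above, with secret parts replaced by placeholders
# (constructed for this example; bot ids, chat id, delays and topics are as observed).
CONFIG_TEXT = """{
  "bot_token": "7871555324:<REDACTED_TOKEN_BODY>",
  "bot_token_journey": "8053731074:<REDACTED_TOKEN_BODY>",
  "chat_id": "-1003162196749", "ipinfo_token": "<REDACTED>",
  "delays": {"password_first": 5500, "password_second": 10000, "otp_first": 1500,
             "otp_second": 1300, "otp_third": 1000, "auth_method": 5500},
  "timers": {"otp_correct": 15},
  "topics": {"main_data": "2", "password_2": "21", "otp_1": "9", "otp_2": "17",
             "otp_3": "19", "journey": "3097", "form_opened": "355"}
}"""

# Telegram bot tokens look like "<numeric bot id>:<secret>"; the id alone is not sensitive.
TOKEN_RE = re.compile(r"^(\d{6,12}):(.+)$")

def load_config(text=CONFIG_TEXT):
    return json.loads(text)

def bot_ids(cfg):
    """Map each bot_token* field to the numeric bot id embedded in its token."""
    ids = {}
    for key, val in cfg.items():
        m = TOKEN_RE.match(val) if key.startswith("bot_token") and isinstance(val, str) else None
        if m:
            ids[key] = int(m.group(1))
    return ids

def chat_kind(chat_id):
    """-100<n> is a supergroup or channel id; other negatives are basic groups."""
    s = str(chat_id)
    if s.startswith("-100"):
        return "supergroup", int(s[4:])
    return ("group" if s.startswith("-") else "private"), abs(int(s))

def redacted(cfg):
    """Shareable copy: token secrets and API keys stripped, bot ids kept for attribution."""
    out = json.loads(json.dumps(cfg))
    for key, val in out.items():
        if key.startswith("bot_token") and isinstance(val, str):
            out[key] = val.split(":", 1)[0] + ":***"
        elif key.endswith("_token"):
            out[key] = "***"
    return out

def total_delay_seconds(cfg):
    """Artificial waits (ms) the kit inserts to mimic a real login, summed, in seconds."""
    return sum(cfg["delays"].values()) / 1000
```

The bot ids it recovers (7871555324 and 8053731074) are the ones attributed to @data_mail233_bot and @beetraffic_bot later in the report, and the -100 prefix on the chat id is what marks BEE_SERVER_2 as a supergroup.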

Analysis and Impact

The exposed configuration confirms that this phishing operation was fully automated and professionally structured. The attacker's workflow involved:

  1. Capturing victim credentials through fake login pages
  2. Collecting IP and device metadata using third-party APIs
  3. Timing interactions to appear legitimate
  4. Exfiltrating stolen data in real time to a Telegram supergroup
  5. Aggregating and likely selling compromised credentials

The presence of multiple bot tokens and structured event topics indicates scalability and reuse across multiple phishing campaigns, rather than a one-off attack.

This information may still be valid at the time you read this report.


Infrastructure Analysis and Bot Intelligence Extraction

After identifying the exposed configuration file, I developed multiple custom scripts using AI assistance to analyze the extracted Telegram bot tokens and enumerate the attacker's infrastructure.

All sensitive credentials and identifiers have been redacted to prevent abuse.

Attack Infrastructure

Telegram Channel

  • Channel Name: BEE_SERVER_2
  • Channel ID: -1003162196749
  • Type: Supergroup (Forum)

Telegram Bots Used

  • Bot 1: @data_mail233_bot (ID: 7871555324)
  • Bot 2: @beetraffic_bot (ID: 8053731074)

Suspected Attackers

  • @Corn2222 (User ID: 6069780763)
  • @beetee9999 (User ID: 5720378181)
  • @beetee7777 (User ID: 7879199076)

Attack Statistics

  • Total Attack Records: 5 documented incidents
  • Emails Compromised: 6 unique email addresses
  • Passwords Harvested: 14 password variations
  • Geographic Distribution: Multiple countries (Iraq, Algeria, Morocco)
  • Time Period: December 30, 2025 (12:44–14:34 UTC)

Attack Timeline

Incident #1

  • Time: 2025-12-30 12:44:13 UTC
  • Target Email: yasse***@gmail.com
  • Source IP: 169.224.99.17
  • Location: Baghdad, IQ
  • Phishing Domain: 6bf2t.idvaultsys.me
  • 2FA Method: Email
  • OTP Codes Captured: ***, ***

Incident #2

  • Time: 2025-12-30 13:26:35 UTC
  • Target Email: *samerf**@gmail.com
  • Source IP: 105.235.132.139
  • Location: Algiers, DZ
  • Phishing Domain: 7p2x.usnic-token.me
  • 2FA Method: Auth App

Incident #3

  • Time: 2025-12-30 13:28:17 UTC
  • Target Email: *eng.ahm**@gmail.com
  • Source IP: 212.95.135.127
  • Location: Ad Diwaniyah, IQ
  • Phishing Domain: f6r9.idvaultsys.me
  • 2FA Method: WhatsApp

Incident #4

  • Time: 2025-12-30 13:30:44 UTC
  • Target Email: ***@gmail.com
  • Source IP: 129.45.35.38
  • Location: Blida, DZ
  • Phishing Domain: k9m2.usnic-token.me

Incident #5

  • Time: 2025-12-30 14:34:22 UTC
  • Target Email: ***@gmail.com
  • Source IP: 196.70.124.66
  • Location: Meknes, MA
  • Phishing Domain: f6r9.idvaultsys.me
  • 2FA Method: WhatsApp
  • OTP Code Captured: ***

Technical Indicators

User Agents Observed

  • iPhone (iOS 18.7, 18.6.2)
  • Android 10 (Samsung Browser, Chrome)
  • Windows 10 (Chrome)

IP Addresses Used

  1. 169.224.99.17 (Baghdad, IQ)
  2. 105.235.132.139 (Algiers, DZ)
  3. 212.95.135.127 (Ad Diwaniyah, IQ)
  4. 129.45.35.38 (Blida, DZ)
  5. 196.70.124.66 (Meknes, MA)

Note: Some IPs may belong to VPN or proxy services.


Telegram Identifiers

Channel ID: -1003162196749

Bot IDs: 7871555324, 8053731074

User IDs: 6069780763, 5720378181, 7879199076

These are the identifiers of the administrators who run the campaign.


The main group in which the stolen information is sold.


Targeted Entities and Victim Profiles

Analysis of the extracted Telegram logs shows that the phishing campaign targeted businesses, commercial pages, and professional accounts, primarily in Iraq and North Africa. The attacker systematically collected full identity profiles, credentials, and OTP codes.

Below are sanitized examples of the harvested data.

Target 1 — Commercial Page (Iraq)

Entity Name: مجموعة الصريح التجارية للمنتجات البلاستيكية

  • Email: ***@gmail.com
  • Password: ***
  • Password (Variant): ***
  • 2FA Method: Email
  • OTP Codes Captured: ***, ***
  • Phishing Domain: 6bf2t.idvaultsys.me
  • User Agent: iPhone (iOS 18.7)
  • IP Address: 169.224.99.17
  • Location: Baghdad, IQ
  • Time: 2025-12-30 12:44:13 UTC

Target 2 — Furniture Business (Algeria)

Entity Name: Meuble espoire

  • Email: ***@gmail.com
  • Password: ***
  • Password (Variant): ***
  • 2FA Method: Authenticator App
  • Phishing Domain: 7p2x.usnic-token.me
  • User Agent: Android 10 (Samsung Browser)
  • IP Address: 105.235.132.139
  • Location: Algiers, DZ
  • Time: 2025-12-30 13:26:35 UTC

Target 3 — Engineering Office (Iraq)

Entity Name: مكتب الجادرية الهندسي

  • Email: ***@gmail.com
  • Password: ***
  • Password (Variant): ***
  • 2FA Method: WhatsApp
  • OTP Code Captured: ***
  • Phishing Domain: f6r9.idvaultsys.me
  • User Agent: iPhone (iOS 18.6.2)
  • IP Address: 212.95.135.12
  • Location: Ad Diwaniyah, IQ
  • Time: 2025-12-30 13:28:17–13:28:55 UTC

Target 4 — Wholesale Accessories Business (Algeria)

Entity Name: كنوز الإكسسوارات بالجملة

  • Email: ***@gmail.com
  • Password: ***
  • Phishing Domain: k9m2.usnic-token.me
  • User Agent: Android 10 (Chrome)
  • IP Address: 129.45.35.38
  • Location: Blida, DZ
  • Time: 2025-12-30 13:30:44 UTC

Observed Data Collection Pattern

The extracted logs confirm that the attacker consistently harvested:

  • Email addresses
  • Passwords (including multiple variants per victim)
  • Phone numbers
  • Business and personal names
  • OTP / 2FA codes (Email, Auth App, WhatsApp)
  • User agents and device fingerprints
  • IP addresses and geolocation data

This information was automatically forwarded to a Telegram supergroup for aggregation and resale.

Language and Operator Notes

Telegram messages include mixed Arabic, Vietnamese, and French, suggesting:

  • Either multiple operators
  • Or reused phishing infrastructure sold to different threat actors

Short command-style messages such as:

  • rcv
  • vô thẳng
  • /start

indicate automation and real-time monitoring of incoming victim data.


Impact Assessment

Immediate Risks

  • Account takeover via harvested credentials
  • Unauthorized access to linked services
  • Identity theft and secondary phishing campaigns

Long-Term Risks

  • Credential resale on underground markets
  • Reuse of credentials across services
  • Personal data misuse

Victim Recommendations

Immediate Actions

  1. Change passwords on all affected accounts.
  2. Enable app-based 2FA (avoid SMS).
  3. Review and terminate unauthorized sessions.
  4. Check for forwarding rules or recovery changes.

Reporting

  • Report phishing to Google Safe Browsing.
  • Report to Facebook.
  • Consider local law enforcement reporting for identity theft.

All files used in this research

https://github.com/Lu3ky13/Facebook-Credential-Phishing-Campaign-Delivered-via-Gmail-Infrastructure

Contact

https://www.linkedin.com/in/lu3ky13/