Phishing Analysis: imToken

Visual Capture

Screenshot of 77552354xyz.imtoken1.bmxuij.cn

Detection Info

http://77552354xyz.imtoken1.bmxuij.cn/

Detected Brand

imToken

Country

International

Confidence

100%

HTTP Status

200

Report ID

020d5956-72b…

Analyzed

2026-01-26 12:05

Content Hashes (HTML Similarity)

Used to detect similar phishing pages based on HTML content

Algorithm	Hash Value
CONTENT TLSH	T1A56224705889EE3701E7A6D1CB71AB3DE1C192A6CA765D05C2F8878D4F46FADCE03906
CONTENT ssdeep	192:VjoEJKsPVzRACInJ+PmifkYK76AL4zKSpwj5bXkTRLTT3SPo73q:Wpsa6Zw6nlb6Wa

Visual Hashes (Screenshot Similarity)

Used to detect visually similar phishing pages based on screenshots

Algorithm	Hash Value
VISUAL pHash	aced43929238e1ed
VISUAL aHash	fffffbffff000000
VISUAL dHash	1c2213372452f0d4
VISUAL wHash	ffffc3d7d7000000
VISUAL colorHash	070020001c0
VISUAL cropResistant	163803121f372642,0c3232320aa49409,809248b2b2969680,00143070ccd4d4d4

Code Analysis

Risk Score 85/100

Threat Level ALTO

⚠️ Phishing Confirmed

🎣 Credential Harvester 🎣 OTP Stealer 🎣 Banking 🎣 Personal Info

🔬 Threat Analysis Report

• Threat: Credential harvesting phishing kit
• Target: imToken users internationally
• Method: Fake login form stealing user credentials
• Exfil: Data sent to external form action URL
• Indicators: Suspicious domain, obfuscated JavaScript, mismatched branding
• Risk: HIGH - Immediate credential theft

🔐 Credential Harvesting Forms

🔒 Obfuscation Detected

fromCharCode
unescape
document.write
unicode_escape
base64_strings

📡 API Calls Detected

POST
text/html

📤 Form Action Targets

https://d0a5ba0b.sibforms.com/serve/MUIEAEz3dQk0fDrweVnmTpQQbZ2rw7qQ0gwoG6uu7cmDs0Qbh-IH9n_9vnkOQcAbKkvvwJN3s6pdlocND15cgu8iWZpPKmLHrRotNy0Y7OWZCbE6s_ufjQdZ1gF97q8wMCufNErgiw-O2ZXG15IuswkxLv9-ibQzyNEr6vAKCXMI0DSy_0nRpnTgnUV27alZPD76WvkNNHW5Ylmh

📊 Risk Score Breakdown

Total Risk Score

100/100

Contributing Factors

Active Phishing Kit

Detected Credential Harvester, OTP Stealer, and Banking kits with real-time form interception capabilities.

Brand Impersonation

Domain impersonates imToken, a high-value cryptocurrency wallet target.

Obfuscation Techniques

3084 obfuscation techniques detected, indicating heavy code concealment.

Malicious JavaScript

Multiple obfuscated JS files (vendor.0c72b11a.js, main.6bd68ac0.js, main.4963463c.js) with total size 0.26 MB.

🔬 Comprehensive Threat Analysis

Threat Type

Banking Credential Harvester

Target

imToken users (International)

Attack Method

Brand impersonation + credential harvesting forms + obfuscated JavaScript

Exfiltration Channel

HTTP POST to backend

Risk Assessment

CRITICAL - Automated credential harvesting with HTTP POST to backend

⚠️ Indicators of Compromise

Kit types: Credential Harvester, OTP Stealer, Banking, Personal Info
3084 obfuscation techniques

🏢 Brand Impersonation Analysis

Impersonated Brand

imToken

Official Website

https://token.im

Fake Service

Cryptocurrency wallet download

⚔️ Attack Methodology

Primary Method: Wallet Credential Harvesting

The phishing site mimics imToken's interface to trick users into entering their wallet credentials. The Credential Harvester kit captures input in real-time and transmits it to the attacker's server, enabling immediate unauthorized access to the victim's cryptocurrency wallet.

Secondary Method: OTP Interception

The OTP Stealer kit may intercept one-time passwords or 2FA codes sent to the victim's device, bypassing additional security layers to authorize fraudulent transactions.

Target Blockchain

Ethereum

🌐 Infrastructure Indicators of Compromise

Domain Information

Domain

77552354xyz.imtoken1.bmxuij.cn

Registered

2025-06-18 18:29:39+00:00

Registrar

厦门纳网科技股份有限公司

Status

Active (221 days old)

🦠 Malicious Files

Main File

File Size

Obfuscated JavaScript file containing credential harvesting and OTP interception logic.

📊 Attack Flow Diagram

Here's a generic ASCII art attack flow diagram for the phishing attack:

```
┌──────────────────────────────────────────────────────────┐
│ 1. INITIAL ACCESS                                        │
│    - Victim directed to fake crypto wallet page          │
└────────────────────┬─────────────────────────────────────┘
                     │
                     ▼
┌──────────────────────────────────────────────────────────┐
│ 2. FAKE INTERFACE DISPLAY                                │
│    - Spoofed wallet login form presented                 │
└────────────────────┬─────────────────────────────────────┘
                     │
                     ▼
┌──────────────────────────────────────────────────────────┐
│ 3. CREDENTIAL CAPTURE                                    │
│    - User enters wallet credentials                      │
│    - Form collects sensitive information                 │
└────────────────────┬─────────────────────────────────────┘
                     │
                     ▼
┌──────────────────────────────────────────────────────────┐
│ 4. DATA TRANSMISSION                                     │
│    - Stolen credentials sent via HTTP POST               │
│    - Single endpoint receives harvested data             │
└──────────────────────────────────────────────────────────┘
```

🔬 JavaScript Deep Analysis

Operator Language

English (1%)

Total Code Size

269.0 KB

🔗 API Endpoints Detected

Other

19

🔐 Obfuscation Detected

: Moderate
: Light
: None
: Moderate
: None
: None
: None
: None
: None
: None
: Moderate
: None
: None
: None
: Light
: None
: None
: None
: None
: None

🤖 AI-Extracted Threat Intelligence

📊 Attack Flow

Here's a generic ASCII art attack flow diagram for the phishing attack:

```
┌──────────────────────────────────────────────────────────┐
│ 1. INITIAL ACCESS                                        │
│    - Victim directed to fake crypto wallet page          │
└────────────────────┬─────────────────────────────────────┘
                     │
                     ▼
┌──────────────────────────────────────────────────────────┐
│ 2. FAKE INTERFACE DISPLAY                                │
│    - Spoofed wallet login form presented                 │
└────────────────────┬─────────────────────────────────────┘
                     │
                     ▼
┌──────────────────────────────────────────────────────────┐
│ 3. CREDENTIAL CAPTURE                                    │
│    - User enters wallet credentials                      │
│    - Form collects sensitive information                 │
└────────────────────┬─────────────────────────────────────┘
                     │
                     ▼
┌──────────────────────────────────────────────────────────┐
│ 4. DATA TRANSMISSION                                     │
│    - Stolen credentials sent via HTTP POST               │
│    - Single endpoint receives harvested data             │
└──────────────────────────────────────────────────────────┘
```