I've decided to take a closer look at the recently seized domain portfolio of the infamous Samourai cryptocurrency mixer. The actual infrastructure consists of several primary domains and several secondary domains, plus a vast social media presence and an actual Android application for the cryptocurrency mixing service.
Sample description of the service:
"Samourai Wallet is the most feature rich and advanced bitcoin wallet available on Android today. It has been created from the ground up by privacy activists to be extremely portable, highly secure, and lead the pack in protecting the privacy of bitcoin users.
- Full Segwit Support for the most efficient transactions and lowest miner fees
- You control your private keys on your device, they are never communicated with any server
- Best in class dynamic miner fee estimation and custom fee settings
- STONEWALL for increasing the privacy of your transactions
- Ricochet spend for mitigation against address clustering attacks
- Send and receive Stealth Payments directly into your wallet with PayNym (BIP47)
- Deterministic sorting of input/outputs to prevent the wallet from leaving a discernible block chain fingerprint (BIP69)
- Bump a stuck transaction with full Replace By Fee (RBF) and Child Pays for Parent (CPFP) support
- Route outgoing transactions via your own trusted node
- No addresses are reused to help manage metadata leakage
- Standard import/export functionality. Compatible with any other BIP44/BIP49/BIP84 wallet.
- Stealth mode hides the wallet on the device. Dial a secret code to access your wallet.
- Enable remote SMS commands to regain access to your funds if you lose your phone
- Block Explorer support for all popular services
- Passphrase protection by default (BIP39)
- Fully encrypted client side and offline
- Connect via your preferred VPN
- Connect via Tor (Socks5 proxy)"
Primary domains involved in the campaign include:
hxxp://samourai.io
hxxp://samouraiwallet.com
hxxp://samourai.support
Sample responding IPs:
Related responding IPs:
Related domains known to have been involved in the campaign include:
hxxp://oxtresearch.com
hxxp://nextblock.is
hxxp://samourai.email
Sample social media accounts:
hxxp://twitter.com/SamouraiWallet
hxxp://www.youtube.com/c/Samouraiwallet
hxxp://www.facebook.com/samouraiwallet
hxxp://github.com/Samourai-Wallet
Android application URL:
hxxp://play.google.com/store/apps/details?id=com.samourai.wallet&hl=en_US
The group behind the cryptocurrency mixing service also maintains several other domains:
hxxp://paynym.is - 193.29.187.225; 192.95.12.14; 188.214.30.147
hxxp://oxt.me
hxxp://sovereign.ly
hxxp://mule.tools
Sample known responding IPs:
I'll continue monitoring the campaign and will post updates as soon as new developments take place.