ALERT! PHISHING!
We have found that a known .onion directory, "dark.fail", currently lists a URL impersonating our service.
The domain "SWP[dot]CX" was registered less than 30 days ago and somehow managed to get listed by DARK.FAIL - a popular .onion URL monitor that only lists well-known and reputable resources (perhaps not anymore).
This is an unusual phishing attempt in which the scammer has ripped off our original design and the HTML template assets we used in the past, along with our current template, while performing a slight "rebranding". It is nevertheless confirmed phishing, since this website came to our knowledge from a scammed user who thought it was our original website and explained to us how they found it.
As a preventive measure we have decided to use the same background image that was in our assets some years ago, which the current scammer also uses, and to restore our previous "light" text-only logo version, which the scammer is also trying to impersonate.
Our current website design changes will remain while we are dealing with that scammer and till the situation is resolved.
However, while investigating this issue we also made some very interesting findings: we were able to trace this domain back to someone who made the first ever eXch phishing vanity-generated .onion domain and managed to scam a few of our users in the past, which caused the phishing alert at our original .onion domain: hszyoqnysrl7lpyfms2o5xonhelz2qrz36zrogi2jhnzvpxdzbvzimqd[dot]onion (WARNING: THE LINK ON THE LEFT IS A PHISHING LINK FOR DEMONSTRATION PURPOSES ONLY - DO NOT USE)
Earlier we found hszyoqnysrl7...onion on some Tor listing directories and managed to get it wiped by contacting the admins of those resources directly, which apparently worked because we stopped receiving complaints from scammed users who had accidentally used phishing links.
However, it seems this actor has returned under a new "brand": after performing some brief OSINT we found that the only other place on the Internet where both SWP[dot]CX and hszyoqnysrl7...onion are listed is here: github[dot]com/tarpetra/welcome-to-darknet (WARNING: THE LINK ON THE LEFT IS A MALICIOUS GITHUB REPO FOR DEMONSTRATION PURPOSES ONLY - DO NOT USE)
What's even more interesting is that the username tarpetra behind that GitHub repo has managed to get ~1500 GitHub stars, supposedly by using bots/fake accounts to create visibility, and the fact that he/she lists both scam resources (SWP[dot]CX and hszyoqnysrl7...onion) confirms that he/she is the operator of both resources (the main indicator here is how recent SWP[dot]CX is and how fast it was added to a repo with "1500" [fake] stars).
We have tried to contact the DARK.FAIL admin regarding this incident but got no reply, and we hope other concerned users will have better luck in case they want to try.
We also suspect that the DARK.FAIL admin might be involved in this scam scheme, because we don't believe that such an experienced Tor user could have overlooked our service and .onion, since our actual onion link hszyoqwrcp7cxlxnqmovp6vjvmnwj33g4wviuxqzq47emieaxjaperyd.onion is listed at least on the following popular resources: kycnot.me, monerica.com, tor.taxi, darknet-bible[.]net, darknetdaily[.]net, darkweblink[.]com
A few more important points:
- the scammer is reverse-proxying their domain via Cloudflare - something that eXch would never do, since we genuinely care about customers' privacy.
- the scammer is using a third-party email provider (Protonmail) as their email server - something that eXch would never do, since we genuinely care about customers' privacy.
This was an important announcement to make today, but work is still ongoing and we will post updates over the next days, depending on how long this issue persists.
P.S. will communicate on other subjects later since this announcement had to be prioritized.
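Added example (not part of the eXch announcement and not eXch code): a vanity-generated look-alike such as the one named above shares only its leading characters with the genuine address, so a client-side check should compare all 56 characters against a pinned copy. The function names and the 4-character look-alike threshold are assumptions made for illustration; the two addresses are the ones printed in the announcement.

```python
import base64
import hashlib

# Genuine address as published in the announcement; pin all 56 characters.
PINNED = "hszyoqwrcp7cxlxnqmovp6vjvmnwj33g4wviuxqzq47emieaxjaperyd.onion"
# Look-alike named in the announcement, kept defanged exactly as printed there.
LOOKALIKE = "hszyoqnysrl7lpyfms2o5xonhelz2qrz36zrogi2jhnzvpxdzbvzimqd[dot]onion"


def label(host):
    """Return the 56-character v3 label of a host name, or None if it is not one."""
    host = host.strip().lower().replace("[dot]", ".").rstrip(".")
    if not host.endswith(".onion"):
        return None
    name = host[:-len(".onion")].split(".")[-1]  # ignore any subdomain
    return name if len(name) == 56 else None


def checksum_ok(name):
    """v3 layout: base32(pubkey[32] + checksum[2] + version[1])."""
    try:
        raw = base64.b32decode(name.upper())
    except ValueError:  # characters outside the base32 alphabet
        return False
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    expected = hashlib.sha3_256(b".onion checksum" + pubkey + version).digest()[:2]
    return version == b"\x03" and checksum == expected


def shared_prefix(a, b):
    """Number of leading characters the two labels have in common."""
    n = 0
    while n < min(len(a), len(b)) and a[n] == b[n]:
        n += 1
    return n


def classify(host, pinned=PINNED, min_prefix=4):  # min_prefix is an assumed threshold
    name, good = label(host), label(pinned)
    if name is None:
        return "not-v3-onion"
    if name == good:
        return "match"
    n = shared_prefix(name, good)
    if n >= min_prefix:
        return f"lookalike (first {n} characters match the pinned address)"
    if not checksum_ok(name):
        return "malformed"  # typo or truncation, not a usable address
    return "different"
```

The built-in checksum only catches typos: a vanity-generated address is a fully valid address, so only the full comparison against the pinned value separates it from the genuine one.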