Receiving Addresses:33vKD4naQpNzNUfpZHzJisaJQ7V5GA4EG6
3GJm3XupPkAcC8v2HxZ2HyT9zZxAzcJsKD
39RNRVNZSbqoV1woXPwGYer6FkAPRTqnsz
Blockchain: Bitcoin
Type of Scam: Investment
Cryptocurrency: BTC
Amount Lost: $42,000.00
I’m sharing the results of an OSINT investigation into the fraudulent website crvfi.pro. This site appears to be part of a cryptocurrency scam, and I urge anyone who has interacted with it or has additional information to share it here.

The domain crvfi.pro is registered through GoDaddy.com, LLC, a well-known domain registrar. The nameservers associated with the domain are ns67.domaincontrol.com and ns68.domaincontrol.com, both hosted by Wild West Domains, LLC. This connection to reputable registrars and hosting companies may make the site appear legitimate at first glance, but fraudulent actors often use such services to lend a veneer of credibility to their operations.

No MX (Mail Exchange) records were found for the domain, which may suggest that email communication was not a significant component of the scam or that the scammers used external services to carry out communications.

Technical checks performed on July 22, 2023, revealed several noteworthy aspects. The site’s content was predominantly in Chinese, which could indicate it’s targeting a specific demographic or market. Additionally, the site was optimized for mobile use, ensuring compatibility with Apple devices and preventing content scaling on mobile browsers.

A key observation is the use of Cloudflare, which provides both content delivery network (CDN) and hosting services for the site. Cloudflare is a common tool used by scammers to mask the true origin of their websites and avoid detection. The site also utilized several JavaScript libraries such as Vue, crypto browserify, and Elliptic for cryptographic operations, suggesting the site may have been promoting some form of cryptocurrency investment scheme.

On May 24, 2024, the domain was no longer resolving to a functional site, meaning that it may have been taken down or is no longer active. However, this doesn’t necessarily mean the scam has ended. Fraudsters often abandon compromised domains or move to new ones, and they could be using similar tactics with another site.

The site also used SSL certificates provided by Let’s Encrypt, which gives the site an appearance of legitimacy by encrypting data, but this does not guarantee the site is trustworthy.

If you’ve been a victim of this scam, or if you have any further information, please share your details. Transaction records, emails, or other forms of communication could help us trace the fraudsters’ actions and possibly uncover related domains or schemes.

Stay cautious and report any suspicious activity—together, we can prevent further damage and help others avoid falling victim to this scam.