Type of Scam: Investment (Phishing)
URL of Scam: http://www.arculus.at
Victim Description: The victim, Himanshu, fell prey to a sophisticated phishing attack that impersonated “ARCULUS,” the brand of a hardware wallet he uses. The phishing email, which was cleverly personalized with his name, directed him to a fraudulent website that mimicked an official Arculus service. Unaware, he entered his 12-word recovery phrase on this site, leading to the immediate draining of his wallet containing significant amounts of cryptocurrency.

Crypto Addresses:

0x7D1AfA7B718fb893dB30A3aBc0Cfc608AaCfeBB0
0x514910771AF9Ca656af840dff83E8264EcF986CA
0x3B950a8154Bed8713D71d5e214416b5ad6df0051
bc1qh6yzx4ynjft745ya2hxw0esgq6agqtxrqstwjy
0x0D8775F648430679A709E98d2b0Cb6250d2887EF
0xc944E90C64B2c07662A292be6244BDf05Cda44a7
0x0F5D2fB29fb7d3CFeE444a200298f468908cC942
0xa0Bb13B2A0D14ab281a24c6B0b7B975f5471D9db

Amount Loss: $102,818.00

Open-Source Intelligence Analysis: Preliminary Findings on Fraudulent Activities Associated with http://www.arculus.at

Current Website:
The website http://www.arculus.at is currently down, but it was involved in a phishing attack, using the reputable name of “ARCULUS” to deceive victims into disclosing sensitive recovery information.

Domain Information:

Domain: arculus.at
Registrar: Key-Systems GmbH
Nameservers: ns1.dispute.finedomain.at, ns2.dispute.finedomain.at

Technical Analysis and Subpoena Recommendations:

Domain Registrar: Key-Systems GmbHRecommendation for Subpoena: Obtain registration details, historical DNS records, and any available logs that might reveal identities or trace the phishing activities.
Nameservers: Managed under dispute resolution, suggesting post-attack remediation or investigation.Recommendation for Subpoena: Investigate the nameservers’ logs for clues on the domain’s operational history and any associated malicious activities.

Key Observations:
The targeted phishing attack employed an email spoofing strategy that included personalized details, making the communication appear credible. The use of a temporarily active, authentic-looking website to collect sensitive security information is indicative of a high-level organized cybercrime operation.

Conclusion:
The phishing scam at http://www.arculus.at targeted users of the Arculus hardware wallet, leveraging detailed personal information and sophisticated mimicry of legitimate services to execute theft. Immediate legal actions, including detailed subpoenas to the domain registrar and an examination of associated nameservers, are essential for tracing the perpetrators and addressing the domain’s misuse in the scam.