I’ve been building Cylect, an AI-powered OSINT engine, and recently used it to deconstruct a live phishing campaign targeting Hotpads users.
What’s interesting here isn't just the phishing site itself, but the exfiltration path. Most of these scripts are "black boxes" to the average user, but by sending them a CanaryToken, was able to uncover their infrastructure behind it all:
The Collection: The victim enters credentials into a pixel-perfect Hotpads clone.
The Bundle: A script bundles the credit card information into a JSON payload.
The Transport: The script utilizes the Telegram API as a lightweight C2 (Command & Control) channel. It pings 149.154.161.248 (Telegram’s infrastructure).
The Attribution: The data was being routed to a receiver at 213.59.3.178, an IP located in Russia.
The Problem I'm Solving: Investigating this manually usually involves jumping between 20+ different browser tabs (VirusTotal, WHOIS, Hunter, URLScan, etc.). I built Cylect to unify 475+ OSINT tools into a single AI-powered workspace that can automate the "pivoting" between data points.
Additionally, doing this research in a completely separate VM Browser ensures that there is no attribution to you, while still having access to all 475+ OSINT tools, and Cylect AI, and an infinite Mind Map with notes.
The Business Model: I recently pivoted from a standard SaaS sub to a $5 Day Pass model. I found that OSINT researchers often have "bursty" workloads—they need deep access for 24 hours of intense investigation but don't want a recurring monthly bill.
I'd love to hear your thoughts on the investigation flow or the "Day Pass" model for developer tools!
1 comment
[ 1.8 ms ] story [ 11.3 ms ] threadWhat’s interesting here isn't just the phishing site itself, but the exfiltration path. Most of these scripts are "black boxes" to the average user, but by sending them a CanaryToken, was able to uncover their infrastructure behind it all:
The Collection: The victim enters credentials into a pixel-perfect Hotpads clone.
The Bundle: A script bundles the credit card information into a JSON payload.
The Transport: The script utilizes the Telegram API as a lightweight C2 (Command & Control) channel. It pings 149.154.161.248 (Telegram’s infrastructure).
The Attribution: The data was being routed to a receiver at 213.59.3.178, an IP located in Russia.
The Problem I'm Solving: Investigating this manually usually involves jumping between 20+ different browser tabs (VirusTotal, WHOIS, Hunter, URLScan, etc.). I built Cylect to unify 475+ OSINT tools into a single AI-powered workspace that can automate the "pivoting" between data points.
Additionally, doing this research in a completely separate VM Browser ensures that there is no attribution to you, while still having access to all 475+ OSINT tools, and Cylect AI, and an infinite Mind Map with notes.
The Business Model: I recently pivoted from a standard SaaS sub to a $5 Day Pass model. I found that OSINT researchers often have "bursty" workloads—they need deep access for 24 hours of intense investigation but don't want a recurring monthly bill.
I'd love to hear your thoughts on the investigation flow or the "Day Pass" model for developer tools!