Cloned phishing site targeting Solana users. Injects IPFS-hosted wallet drainer.
Domain: psyopanime.net
Malicious behavior:
- Loads drainer via /secureproxy?s=%2Fipfs%2F_qEVAUVavvzeiYiasp2KRw7531dfc2b686e4c47507eec9adb88115
- Strips href attributes from links to intercept clicks
- Registered 2026-01-13 via Nicenic (CN), Cloudflare NS
Proposed rule:
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Psyopanime Crypto Drainer Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"psyopanime.net"; nocase; classtype:trojan-activity; sid:XXXXXXX; rev:1;)
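Added example, not part of the thread or of the ET ruleset: a Python triage of log records for the two indicators in the post above, the domain in the TLS SNI and a /secureproxy request whose s parameter decodes to an /ipfs/ path. The record layout, the function names and EXAMPLE_CID are assumptions, and the subdomain and double-encoding handling go beyond what the post shows.

```python
from urllib.parse import parse_qs, unquote, urlsplit

DOMAIN = "psyopanime.net"  # indicator reported in the post
def sni_matches(sni, domain=DOMAIN):
    """True for the domain or a subdomain; a substring test would also hit 'notpsyopanime.net'."""
    host = sni.strip().rstrip(".").lower()
    return host == domain or host.endswith("." + domain)

def fully_unquote(value, rounds=3):
    """Percent-decode repeatedly so double-encoded paths are normalised."""
    for _ in range(rounds):
        value = unquote(value)
    return value

def proxied_ipfs_path(url):
    """Return the decoded /ipfs/ path carried in s= of a /secureproxy request, or None."""
    parts = urlsplit(url)
    if parts.path.rstrip("/").lower() != "/secureproxy":
        return None
    for raw in parse_qs(parts.query).get("s", []):  # parse_qs decodes once
        path = fully_unquote(raw)
        if path.lower().startswith("/ipfs/"):
            return path
    return None

def triage(events):
    """Return (index, reasons) for each record that matches either indicator."""
    hits = []
    for i, ev in enumerate(events):
        reasons = []
        if sni_matches(ev.get("sni", "")):
            reasons.append("sni")
        if proxied_ipfs_path(ev.get("url", "")):
            reasons.append("secureproxy-ipfs")
        if reasons:
            hits.append((i, reasons))
    return hits

# Constructed sample records (hypothetical layout); EXAMPLE_CID is a placeholder.
SAMPLE = [
    {"sni": "psyopanime.net", "url": "/secureproxy?s=%2Fipfs%2FEXAMPLE_CID"},
    {"sni": "notpsyopanime.net", "url": "/index.html"},
    {"sni": "cdn.example.org", "url": "/secureproxy?s=%252Fipfs%252FEXAMPLE_CID"},
    {"sni": "www.psyopanime.net", "url": "/secureproxy?s=%2Fstatic%2Fapp.js"},
]

if __name__ == "__main__":
    for idx, why in triage(SAMPLE):
        print(idx, SAMPLE[idx]["sni"], why)
```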
Hi @tetsuoai, thank you for the heads up on this. I’ll provide an update when the rules are released.
Cheers,

Update. The following rules were released today:
2066784 - ET PHISHING Wallet Drainer CnC Domain in DNS Lookup (psyopanime .net) (phishing.rules)
2066785 - ET PHISHING Observed Wallet Drainer Domain (psyopanime .net in TLS SNI) (phishing.rules)
2066758 - ET PHISHING IPFS Resource Executing from Memory Defined Script Tag (phishing.rules) # Covers the injector code where ipfs is statically present in landing page.
2066788 - ET INFO Landing Page Executing Memory Defined Script Tag (info.rules) # Similar to rule above, but drops the ipfs content to match on other landing pages. Under category INFO instead of PHISHING for False Positive reduction purposes.
Cheers