Chenlun aka Sinkinto01: A worldwide phishing & carding campaigns provider

30 min readAug 21, 2023

Read about one of the most active carding communities, specialized in smishing attacks that redirect users to fake shipping & e-commerce websites.

Chenlun Services Logo — New Sinkinto01 Logo

Edit 11–11–2023: Featuring Section E (Mass Hunting sellers & resellers)

Chenlun has made it into a new brand name in order to avoid foreign attention. After me, KrebsonSecurity posted a blog featuring Chenlun products activity on USPS phishing campaigns. Read it:

This probably made Chenlun to get some real attention, so he decided to go on the run hiding as much as possible and rebranding his services. In fact, the main reason for these hasty changes is this private blog from a Spanish blogger.

too much Spain.
You can still find both profile images on Telegram groups

Operations has not been stopped. Everything is as usual as before, indeed new products were announced to the Chenlun services.
So, I have to update.

Previous @chenlun and @chenlun2022 accounts

Money can sometimes be attractive, especially if you can get it quickly and anonymously. People are seduced by the money, whether it is yours or not (in fact, it is not) and start committing crimes against other people in a rush that has no end. That’s all, money. Financially motivated groups with a common objective: steal from you, no matter the way they can do it.

For those who don’t know what carding means, I would try to summarize it very briefly: credit card fraud, where criminals steal credit card information to gain personal benefits, using the money associated with those cards, or sell this information to other criminals.

A. An Asian community around a phishing website rental service

Starting in October 2022 and using the moniker “Chenlun”, this Chinese-based individual has built a community of hundreds of users to successfully steal credit card information from victims via fake shipping and e-commerce websites with worldwide targets.

He advertises its product as 【沉沦】钓🐟频道 , translated:[Sinking] Phishing Channel. Note that Chenlun is the transliteration of 沉沦 and translated to Sinking. (?).

Chenlun offers three options of sophisticated phishing website source code as a rental (using “u” as $USDT, the most used cryptocurrency by Asian individuals, it is meant to be 1 USDT = 1 $USD):
/*translated*/ Source:

- 1. Basic Credit Card Phishing (100u / month) ~ 92€/month
Website asks for “Ordinary 2D material” including Address, Card Number, CVV and other information.

- 2. Regular Verification Code (200u / month) ~ 184€/month
2.1. User comes in to fill in the information, and the background will receive a reminder, ready to bind your channel or wallet card.
2.2. User enters the card number and other information to submit, and the intercepted front desk shows that it has been loading, and you get the information synchronously in the background to top up the card or find a way to realize it.
2.3. After top up, click release, fill in the mobile phone number of the user where you need to receive the verification code, send the verification code to the user, and wait for the user to enter the verification code
2.4. If the input is wrong, you can refuse to obtain the verification code again, and perform the above operation again

- 3. Online banking PIN (250u / month) ~ 230€/month
You can log in to users’s online banking to transfer money or check the balance

As stated by him, the first option is already the most commonly sold, and this has been verified as the most common phishing website model seen in the wild. Options above 1 includes the perks of the below options. Consider option 3 as a full version of Chenlun services.

Chenlun offers a wide range of custom phishing websites impersonating companies from all over the world. Furthermore, at a price of 500u / month ~ 460€ / month, he is willing to set up a brand-new customized website in less than a week, impersonating any company on request, and then adding it to his collection at a regular price when the client has ceased its operations. Additional charges are required for special needs, he states “Customization is equivalent to only receiving guaranteed money.”

The main source where the clients of Chenlun services meet each other is Telegram. They can chat or advertise its services or needs. (renamed, currently at 1960 users) — phishing service advertisement channel (renamed, currently at 3775 users) — individual advertisement group

Sadly this channel has been closed or made private — general chat for users

He also has a Youtube channel ( where he uploaded tutorials on how to setup its products in a real life campaign, and the features of them.

Sadly, videos were deleted because violated Youtube policies.

I will highlight one of these features, the “anti-red principle”:

Summarizing, Chenlun refers to the ability of his fake websites to avoid getting flagged by browsers (with a red screen), as “the same source code is used both by Chenlun products and official websites”. He states that he can bypass those flags using websites with dynamic content capable of isolating crawlers (scraping bots) from real human visits and bypassing an automatic report.

Red Flagged websites

Additionally, Chenlun has been advertising its services on Chinese forums: ~ “League of Libertarians”

B. Xibanya, a real-life campaign targeting Spanish people

Edit: Some people have noticed Chenlun activities on Spain in the past. Thanks to Germán Fernández Bacian for letting me know that for example, 0xDanielLopez was aware of this threat.

Daniel López on X: “Phishings activos contra @Correos 🎯 ➡️ / ➡️ / Registrar: @namesilo Exfil mediante Telegram, config en: /ResourceConfig/urlConfig.json #phishing | #scam" / X (

I will expose Chenlun’s services implementation on a campaign done by its clients. Then, it will be easier to understand how this community works, no matter who the target is, and the real threat they represent.

It is important to mention that Chenlun ONLY provides the front-end source as a service, although he shares tutorials and advices on how to implement his products in a real-life campaign.
He, in fact, runs his own campaigns.

1. Smishing, a way to approach victims

Smishing is the fraudulent practice of sending text messages purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords or credit card numbers.

In the past few days, I’ve been observing fraudulent SMS complaints on Twitter, impersonating Correos, the state-owned postal service company in my country, Spain:

Pablo Arrabal on X: “Bueno bueno, phishing para terminar la semana: @Correos @CorreosAtiende Utilizan un acortador, pero el dominio final es: https[:]//correos-se[.]top El dominios pertenece a @namesilo @CCNCERT @incibe_cert @CCNPYTEC @INCIBE" / X (

Derecho de la Red on X: “Cuidadito si os llega un mensaje falso como este de @Correos. Si pulsas en el link, te puedes dar cuenta que esta muy mal escrito. Así que NO PIQUES!" / X (

Even more if we search deep on Twitter. These phishing attempts are being reported to Correos, and the CorreosAtiende account is already confirming these threats.

CorreosAtiende on X: “@KoToRRo @KoToRRo hola! informarte que Correos nunca solicita datos personales ni transacciones económicas a través de correo electrónico o SMS. Consulta nuestros consejos para protegerte de phishing aquí: Gracias y un saludo!” / X (

The phishing chain consists of an initial approach to victims via SMS regarding a failed delivery of a package. A link, shortened or not, is provided to a fake website impersonating the company.

Fraudulent SMS shared on Twitter regarding this campaign

Smishing is a practice recommended by Chenlun. He states, “SMS is not the easiest method to use but is highly profitable”, and traditional email phishing is something that he has never used and doesn’t know how to put into practice. Also, he doesn’t recommend the use of shortened links because “robot visits will also be recorded” (tracking users that open the links is a statistical method to know how profitable phishing campaigns are).

Sometimes, to fool people into clicking the phishing link, victims can see that SMSs were sent by some “trustworthy source” or even show off at previous real conversations, instead of being sent by a suspicious phone number. At this point, you must know that the SMS was spoofed, sender was faked to make you fall into phishing. This is very common in traditional email phishing.

There are specialized services known as “SMS providers”, which provide valid and checked numbers prepared to run geo-targeted campaigns. Those services will be one of the main sources for Chenlun-related campaigns. I could identify one provider advertising on Chenlun’s channel, a Chinese threat actor known as “Da Long”. Numbers are being censored to protect the privacy of victims.

Da Long´s advertisement on valid Spanish Phone Numbers
Da Long´s check on Swedish Phone Numbers

2. Fake phishing websites, Chenlun speciality

After successfully making a victim click on the phishing link, a fake website will show up on the device. In this campaign, a website impersonating Correos will tell you that a package delivery is waiting for your confirmation, so you need to send some personal information and pay a tax.

None of this is real, all the information sent to the website is exfiltrated to a control panel and proxified to a Telegram Bot, run by the Chenlun client. Check out Correos phishing page advertisement video on Chenlun’s official channels:

Advertised at March 7th 2023 — Chenlun Correos Phishing Website

Let’s dive deep into how data is exfiltrated.

One of the latest real examples is zl-correoss[.]top:

The configuration of this sites can be found at /ResourceConfig/urlConfig.json. It’s a common path to all Chenlun Correos websites.
From here, we can see that “serviceURL” would refer to the panel server domain where exfiltrated data is collected, the TG bot where information is proxified, and the chat user who is getting this information.

At first, you were asked for personal information (name, surname, address, email, and phone), at /information.html.

Information is then exfiltered to hxxps:// via POST requests with the following request.
/*Tested with fake information under the TOR circuit*/

{"id":12203,"fastName":"test","lastName":"test","phone":"000000000","email":"","country":"España","state":"Valencian Community","city":"test","address1":"test","address2":"","zipCode":"00000","cardNumber":"","cardName":"","cardDate":"","cvv":"","language":"","timezone":"","ua":"","ip":"","queryState":0,"codeSMS":"","onlineState":1,"threadId":"","bankSchem":"","bankType":"","bankBrand":"","bankCountry":"","bankName":"","cookie":"","ebankClientNumber":"","ebankPwd":"","bankPayPIN":"","pageId":""}

Then, you get asked for Credit Card Information

When you send this information, it will also be updated to the same URL as before. But this time, Credit Card is first checked at lookup[.]binlist[.]net and then all the info is proxified to the telegram account via a bot.
/*Tested with fake information under TOR circuit*/

FirstName: test
LastName: test
电话: 000000000
国家: España
州: Valencian Community
n城市: test
地址1: test
邮编: 00000
姓名: test test
卡号: ****************
日期: **/**
CVV: ***
归属: visa
类型: debit
等级: Business
国家: United States of America
浏览器UA: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
获取时间: undefined

In this case, user getting info is @pay0828 via @xxy000001_bot (bot6147609678:AAFMveUJ-Cyug3mHRFhcxE_1lmReFqDKxx8)

3. Xibanya websites, a dual working domains

Edit: Chenlun Panel is just a modified version of the Innap — Hotel Admin Dashboard Bootstrap Templates ( This a common pattern of Chinese phishing products.

Note that Xibanya is the transliteration of Spain, and that’s clearly a demonstration that this is a campaign targeting Spanish users.

You could see that information is stored at a “serviceURL” (xibanya08[.]top), but this is in fact only a storing domain. To access the data exfiltered, you must access another dashboard panel, via xibanya09[.]top or xibanya11[.]top.

Auhorization is made via POST to xibanya08[.]top/user/loginUser

Login panel for Chenlun products

We can take a brief look at how the panel would look without a successful authorization. The server uses some kind of “token authorization”, but content is being generated before authentication. This is, in fact, INNAP, the common dashboard for all Chenlun products. This can already be bypassed.

Leaked source of dashboard

Dashboard offers diferent themes of personalization as advertised by Chenlun. He offers 5 demo default styles, the sky is the limit.

Personalization palette on xibanya09[.]top

Personalization options as advertised by Chenlun

We can extract the site configuration at /config/urlConfig.json. Note that these panels are being run by the same user that is running the Correos phishing websites.

Let’s see how the dashboard panel looks and what options it has. Content on this page is being generated dynamically; first, it loads all the functionalities on the panel, then checks for authentication to load the data associated with accounts on the other domain (authentication is made on serviceURL). My thoughts are that if somehow I can let the panel load but not connect to serviceURL, I would be able to check the panel without restrictions, but also no data would show up.

This would be what you receive as a new customer of Chenlun.
WE ARE IN! (or likely)

No information was accessed during this research

Null session but logged in. I can’t create accounts.

/index.html. Demo 4 theme.

/guest-list.html ~ This is where the exfiltrated data from phishing sites would show up. This is what you get with the first option of Chenlun services.

Do you remember the format of the data sent to Telegram via the API bot? It looks very similar…


Query all: As the name implies, all data in the database is queried, sorted by the latest acquisition date by default.
Today’s data: Only query the data obtained today and has not yet been extracted, and sort by the latest acquisition date by default.
Old data: Only data that has not been extracted except today is queried, and the latest acquisition date is sorted by default.
Extracted: Query all extracted data, sorted by the latest acquisition date by default.

Translation vs original | Sort options

/admin-list.html ~ This is where a list of all the users and all the phished victims will show up. Admin is watching all of you, workers…

I’m supposing a client of Chenlun can use his panel to hire third party workers to work for him.

/behaviour.html ~ At this part of the website, it will be a curated list of every phishing site up and connected to the panel. It records every phishing site view for statistical purposes.

Do you remember the advice of Chenlun about shortened links on smishing attacks?

/app-profile.html ~ The famous synchronous panel, the second option of Chenlun services. Here you can see live interactions between victims and the phishing page. The client of Chenlun will get a notification when a victim falls for phishing, and then he can choose to do his job or delete the request.

Fish notification as Phised Victims. Time to fish

Options: not available (there’s no live interaction) Extract: Text, Images

All information collected from victims will be shown in a fancy list following this pattern. You will also get a Credit Card .png showing Credit Card Information, ready to share it in a criminal way.

“Crad” check typos

/E-Bank.html ~ the third and last service option of Chenlun. The client will get full interaction with the bank accounts of victims if successful phishing is done. It also has the same perks as previous options.

Options: Jump user to Credit Card page, to PIN verification page, to Online Bank page, to Credit Card 4-PIN Refuse information | Redirect user to official bank page | Extract: Text info, Images

There are more options for other relevant services that Chenlun offers. They are just copies of /E-bank.html, but adapted and customized to the needs of the client. These are not directly advertised by Chenlun in official channels but promoted as additional features and capabilities of his work. They would have a price of 500U / month ~ 460€ / month.

/apple.html ~ I’m assuming this gateway is used for Apple ID phishing. It also collects credentials for this Apple service. The main objective would be accessing Apple Pay, where credit card information is stored.

Options: Jump user to Login credentials page, to credit card information page, to PIN verification code page Refuse information | Redirect user to official page | Extract: Text info, Images

/ymx.html ~ Chenlun offers phishing as a fake Amazon websites. On this phishing websites, you were asked for your information to get a refund.

Options: Jump to Log In, to Verification Log In , to information page, to Credit Card, to Credit Card Verification Refuse information | Redirect user to official page | Extract: Text info, Images

/wp.html ~ The latest service of Chenlun is a phishing website as an e-commerce site, hosted on Wordpress. Unleash your imagination.

Options: Get SMS verification , Get email verification code, get 2FA bank PIN verification, get Credit Card Pin Refuse information | Redirect user to official page | Extract: Text info, Images

Chenlun states: “ 目前还有很多功能未完成,后期会慢慢完善并添加更多源码” ~ At present, there are still many functions that have not been completed, and more source code will be slowly improved and added in a later stage

4. Past Telemetry

This Correos campaign has been running for weeks, let’s summarize all the related telemetry to this campaign, in order to keep tracking it in the future.

You will note that a lot of domains used by Chenlun clients will follow a pattern. Remember, Chenlun only offers its front-end infrastructure, but gives advices on how to setup a phishing page.

Here’s one of his advices:
PHP类型钓鱼网站搭建 | PHP phishing website construction

域名购买:| Domain Purchase:
服务器购买: | Server Purchase:

宝塔国际版CentOS安装指令 (功能少,无需注册)| Pagoda International Edition CentOS Installation Instructions (fewer functions, no registration required)
yum install -y wget && wget -O && bash forum

宝塔国内版CentOS安装指令 (功能多,需要手机号注册)| Pagoda’s domestic version of CentOS installation instructions (multiple functions, mobile phone number registration is required)
yum install -y wget && wget -O && sh ed8484bec

Xshell7 download link

源码出租定制频道: 咨询TG:@chenlun

At the time of writing this article:

AS8100 quadranet enterprises llc
Domain Status Resgistrar ServiceURL User | LIVE | NameSilo 17-08 | | @pay0828 | DEAD | NameSilo 01-08 | DEAD | NameSilo 26-07 | DEAD | NameSilo 24-07 | LIVE | NameSilo 21-07 | | @pay0828 | LIVE | NameSilo 21-07 | | @pay0828 | DEAD | NameSilo 17-07 | LIVE | Alibaba 17-07 | | @pay0828 | DEAD | Alibaba 17-07 | LIVE | NameSilo 06-07 | | @pay0828 | LIVE | NameSilo 06-07 | | @pay0828 | LIVE | NameSilo 04-07 | | @pay0828 | LIVE | NameSilo 04-07 | | @pay0828
AS8100 quadranet enterprises llc

Domain Status Resgistrar ServiceURL User | LIVE | WebNIC 12-08 | | unknown

Chenlun Panels:
AS8100 quadranet enterprises llc | LIVE | NameSilo 17-08 | LOGIN PANEL | LIVE | NameSilo 17-08 | ServiceURL | LIVE | NameSilo 14-06 | LOGIN PANEL | DEAD | NameSilo 14-06 | ???
AS8100 quadranet enterprises llc | LIVE | NameSilo 05-07 | LOGIN PANEL | LIVE | NameSilo 05-07 | ServiceURL
AS8100 quadranet enterprises llc | LIVE | NameSilo 10-08 | LOGIN PANEL | LIVE | NameSilo 10-08 | ServiceURL
AS8100 quadranet enterprises llc | LIVE | NameSilo 13-07 | LOGIN PANEL | LIVE | NameSilo 13-07 | ServiceURL

This is still active and I expect more activity from this individuals

C. World-Wide Targets

Edit: As of November 7th, Chenlun made his first advertisement under the new handle Sinkinto01. This is Royal Mail pishing kit from UK.

Please refer to further sections to see an active hunting on Chenlun infraestructure.

A total of 24 products have been advertised on Chenlun’s official channels. I’m not going to attach every single demo video, you can find them by yourself on Chenlun channels and they were public and previously shared.

Instead, I will be exposing more live campaigns targeting other countries, listing the available products by country and the advertisement date.

- Canada Post ( [October 18th, 2022]

- United States Postal Service ( [October 22th, 2022]
- Amazon ( [July 2nd, 2023]

AS8100 quadranet enterprises llc
Domain Status Resgistrar | LIVE | NameSilo 27-07 | | LIVE | NameSilo 01-08 | | LIVE | NameSilo 29-07 | | LIVE | NameSilo 21-07 |

serviceURL ->
LOGIN PANEL -> AS25820 it7 networks inc | NameSilo May 20, 2023
serviceURL -> AS8100 quadranet enterprises llc | NameSilo July 21, 2023
serviceURL ->
LOGIN PANEL -> | NameSilo July 03, 2023
serviceURL -> AS8100 quadranet enterprises llc | NameSilo July 22, 2023
AS8100 quadranet enterprises llc | LIVE | Alibaba 25-07 |
serviceURL -> | | DEAD | Namesilo 21-07 |
AS8100 quadranet enterprises llc | LIVE | Goddady 25-07 |
serviceURL ->
RELATED | | DEAD | Namesilo 21-07 | | | DEAD | Namesilo 21-07 | | | DEAD | Namesilo 21-07 |
serviceURL -> AS8100 quadranet enterprises llc | NameSilo July 29, 2023

- Australia Post ( [November 11th, 2022]
- LinkT ( [December 3th, 2022]
- Amazon Australia ( [May 18th, 2023]

Chenlun behind these sites
AS8100 quadranet enterprises llc
Domain Status Resgistrar User | LIVE | NameSilo 18-04 | @chenlun | LIVE | NameSilo 17-08 | @chenlun
serviceURL ->

- Amazon Japan ( [November 13th, 2022]

- DHL Singapur ( [December 8th, 2022]
- OneMotoring ( [December 17th, 2022]

- LaPoste ( [Februry 3rd, 2023]

- An Post ( [Februry 10th, 2023]

- Correos ( [March 3rd, 2023]
- Vodafone ( [July 15th, 2023]

- New Zealand Transport Agency ( [March 20th, 2023]

- Postnord ( [April 1st, 2023]

- Posteitaliane ( [April 8th, 2023]

- Post NL ( [May 18th, 2023]

- Telekom Erleben ( [May 23th, 2023]

- Etisalat ( [June 23th, 2023]

- Correos Chile ( [July 2nd, 2023]

Chenlun runs himself this campaign
AS132203 tencent building kejizhongyi avenue
` Domain Status Resgistrar User | LIVE | NameSilo 06-07 | @chenlun | LIVE | NameSilo 06-07 | @chenlun | LIVE | NameSilo 06-07 | @chenlun
serviceURL ->
LOGIN PANEL -> AS132203 tencent building kejizhongyi avenue | Alibaba 30/06 | LIVE | NameSilo 08-07 | @chenlun
serviceURL ->
LOGIN PANEL -> AS8100 quadranet enterprises llc | Alibaba 12/05

- Correios ( [July 20th, 2023]

- Die Post ( [August 8th, 2023]

- Pošta Slovenije ( [August 8th, 2023]

- Royal Mail ( [November 7th, 2023]

- Saudi Post SPL ( [November 15th, 2023]

D. About Chenlun, the developer & his workers

Profile picture of Chenlun associated accounts

Chenlun used to develop and advertise its products on real hosts until he discovered how to setup his tests on localhost (mostly in 2022). He recorded these advertisements and shared them on his channels, with a poor desire to hide anything that could relate him to those hosts. That way, we can retrieve a little bit of past telemetry from his own operations.


serviceURL -> AS138915 kaopu cloud hk limited | Alibaba 12/06/2022
AS132203 tencent building kejizhongyi avenue | Alibaba 27/04
serviceURL ->
DEAD LOGIN PANELS | NameSilo 05-11-2022 | | NameSilo 24-11-2022 | | AS174 cogent communications | NameSilo 12-18-2022 |
emails -> |

Chenlun himself shared Credit Card Information on his channels, a total of 121 files, mostly from United States phishing victims. The authenticity of these files can’t be verified.

The community around Chenlun products seems active and growing, new users join every day and advertisements of other individuals services are made on a daily basis.

Some of the trend behind this criminals is to show off his crime results, sharing them on public channels. Every image shared after this was found on Chenlun channels.

Chenlun panel screenshoots shared on groups

Not only online, also in real life “success“:

Regarding information on spanish victims:

And phished credit cards:

At the bottom, we can see criminals showing off their carding frauds. On the left, a threat actor is using a TPV to charge amounts of 29.100 THB (~750€) to credit cards, at some Thai company based in Bangkok, and showing off the possession of a Santander Bank (Spain) card.
On the right, we can see a threat actor possessing an Imagin Bank (Spain) and the fraudulent charge of 200€ on a tobacco shop (Estanc Comandant Benitez, presumably, at Carrer del Comandant Benítez, 28, 08028 Barcelona). I’m assuming this threat actor was already in Spain, because if we look closely, the photo seems to have been taken on a Rodalies train (the regional rail system in the Spanish autonomous community of Catalonia).

Chenlun knows perfectly what he and his people are doing, he even joked once about a report made by KFOR-TV (Oklahoma’s channel 4) ( stating the spread of USPS smishings attempts towards US citizens.
文案来了 ~ Here comes the copywriting (Translations seem misled, I believe this refers to other individuals serving USPS phishing products, that copy Chenlun services).

Thousands of Credit Card Information stolen mean thousands of dollars being given to criminals, encouraging crime in an infinite loop. In fact, they also share screenshots of benefits, something that could be attractive to people who decide to become criminals.

E. Mass-Hunting on the “C Circle”: Sellers & Resellers

As stated in previous sections of this blog, phishing landing consists in two parts: The Panel and the Service URL (backend). As we can’t access backend, Panel shows a default version of itself. So, we can easily know who is the owner/seller of panels just by looking on the contact information or default profile picture shown in the html body.

88.jpg is Chenlun Default profile image

No matter that this information is changed, in order to resell panels. We know every panel came from Chenlun, because every reseller I found seems to forget how to delete comments.

This couldn´t be possible without you, brother Chenlun!

Thanks to FOFA, an amazing InfoSec tool, we can track down Chenlun products on the Internet.

Chenlun panels can be found as easy as: fid=”FC2AZAzMFkyHkLAlyDR9GQ==”

Search results fid=”FC2AZAzMFkyHkLAlyDR9GQ==” — FOFA Search Engine

I will be posting recent ones (from October 1st to 9th November)
These panels were found:

Chenlun LIVE Panels: (USE HTTPS)

IP DOMAIN SERVICE URL | | | | | | | | | | |
-- related:, | | | | | | | | | | | | | | | | | | | | | | |
---- ,, are USPS phishing pages | | | | | | | |
* |
* |
* |
* | | | | | | | | | | | | | | | | | | | | || || | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | || | | | | | | | | | | | | | | | ||| | | | | | | | | |
Cloudflare | | | |


Dead / Historical telemetry

You can check the full export here

So let’s start exposing resellers:

Introducing “GAGA” (Rattle in chinese) @qqhbqq

GAGA’s associated profile images on panels
Gaga references on the panels

Following Chenlun’s market model, Gaga also offer “his” services on Telegram channels.

各国鱼站源码租售, 全球手机数据,邮箱数据 ,教学频道:
Fish station source code rental and sale in various countries, global mobile phone data, email data, teaching channel:
收货频道:Receiving channel:

While the first group is where he advertise his sales, the second link is just a “freebies” section.

Gaga offers a “full set of phishing stations”, and tutorials on how to run a campaign. In fact, products from Chenlun. He also will share with you methods on how to launder money from stolen cards via Tiktok coins, Facebook, or, in the “most private and secure way of the carding community”.

Tiktok vs Nimo

This guy started his telegram channel at November 22nd, 2022, sharing videos from phishing sources that I can’t identify with the name: AFE — Phishing. Some example:

We can also see the use of shorteners and on the browser bar

Domains related to these other panels: | | |

Leaked emails: |

But in fact he’s a long-time customer of Chenlun, first reference on November 19th, 2022

As of May 27th, the first image of a panel with his own image was shared. I believe close to this date is when he copied the panel and put his information. In fact, the first telemetry of panels is from 2023–07–25

GAGA’s profile on a Chenlun panel

We can also track down Gaga resold products on the Internet.

Stick to fid=”kb+EDBy/JnEanlZPf7HOyw==” in order to track GAGA panels

I will be posting the most recent ones (from November 1st to 10th November)

Gaga LIVE panels (USE HTTPS) 

IP DOMAIN SERVICE URL | | | | || | | | | | | | | | | | | | | | | | | || | | | | || | | | | | | | | | | || | | || || || | | | | || | |

You can check the full export here:

Some panels had an active Telegram WebHook, so I share with them this article:

Related to Gaga, there’s another profile seen in panels until August.:

Introducing “Tanke” (Tank in chinese) @tanke1898

Image used in panels — Profile
Tanke references on panels

各国鱼站源码租售,代搭建同步鱼塘,电商网站, 全球手机数据,邮箱数据 ,教学频道: 频道不定时送新鲜鱼料,各国精准数据。价格全网最低。

Fish station source code rental and sale in various countries, synchronized fish pond construction, e-commerce website, global mobile phone data, email data, teaching channel: The channel delivers fresh fish feed from time to time, and accurate data from various countries. The price is the lowest on the Internet.

Tanke statement on the services he offer (Translated from Chinese):

There are a lot of noobs these days

You may have some misunderstandings about Circle C, thinking that you can get high returns by investing hundreds or thousands with zero investment.

Let me explain here. I rent out the fish station here for 150u a month. In the industry, I dare not say the lowest price, but it is definitely not the most expensive.

Then, you still have to send text messages, and the price will only be more expensive than the fish station, and some are several times more expensive.
The prerequisite for these is that you have some experience in channel hunting, otherwise, even if you really catch a lot of fish, you will still lose everything.

So, when playing in the c circle, don’t just think about making tens or hundreds of dollars with thousands of dollars. It’s not impossible, but it basically won’t happen to you.
More than half of the people in this circle are losing money. This is not alarmist.

Our tutorials include techniques, channels, and stable ways to make money. Those who can really make money are those who are patient~

Although there’s only activity in these channels since September 16, I strongly believe Tanke is a long time customer of Chenlun services.

Tanke LIVE panels (USE HTTPS)


Introducing “Chaoren” (Superman in chinese) @chaoren350

Image used in panels— Profile

Source code construction of fish stations in various countries, second and third screening of global data, source code sharing channel:
互助交流群:Receiving channel:

Individual started his activity at September 19, offers same services as Chenlun.

电商源码,260u/一个月,买断400u/售后半年,防红失效或无法部署随时找我更新 .@chaoren350

Fish station business:
Rental table, 160u (including server)/month, add domain names by yourself, and use more than 20 sets of source codes at the same time, no need to switch
Buy out the source code, 260u/one country, half-year after-sales service, if the red protection fails or cannot be deployed, please contact me for updates at any time
E-commerce source code, 260u/month, buyout 400u/half a year after sale, if the anti-red flag fails or cannot be deployed, please contact me for updates at any time. @chaoren350

Chaoren LIVE panels (USE HTTPS)


Introducing “LangLang” @langlang9188

Langlang LIVE panels (USE HTTPS)


Introducing “hrjdjjcvv” @hrjdjjcvv

劫持us jp au uk全球 电商鱼 us
客服: @hrjniuge
交流群 @hrjniugecvv2
Recycle apple, amazon, steam gift card
Support English service @DajijiCvv

Hijack us jp au uk global e-commerce fish us
The original synchronized fish station has all major source codes, and can be customized and modified with hard-core technology and originality, which is full of flood prevention.
Channel Share Cash, Gift Cards
Don’t ask me who did it, I’ll criticize it fiercely anyway
Customer Service: @hrjniuge
Communication group @hrjniugecvv2
Recycle apple, amazon, steam gift card
Support English service @DajijiCvv

hrjdjjcvv historical panels (USE HTTPS) (Until September 28th)


Introducing “ss” UNKNOWN

Image Profile
LIVE Example: | |


F. Keep a close eye

Everything written here is just an example of a real threat targeting worldwide victims. Further investigations must be done in order to successfully track the paths of these users, who are ruining the lives of fooled people.

I focused on Chenlun and his clients, but more users offer other services, similar to their products or necessary to take profit from stolen goods. This is a very big industry giving big benefits to too many people, something must be wrong.

Keep a close eye, I will try to update this with more information.

The rest is on your own. Track them down.

Best regards,