Fake crypto scams try to piggyback off SpaceX IPO
This campaign involves scammers exploiting public interest in the SpaceX IPO by creating fraudulent investment portals that impersonate SpaceX, Elon Musk, and major financial brands such as Fidelity and Robinhood. The fake portals mimic legitimate investment onboarding processes, including W-8BEN tax forms for non-U.S. investors, and ask victims to select investment tiers before directing them to deposit funds via cryptocurrency wallets. The operation focuses on direct cryptocurrency theft rather than credential harvesting. Multiple randomized and SpaceX-themed domains are used to appear legitimate. One Bitcoin wallet linked to the campaign received approximately $8,700.
AI Analysis
Technical Summary
Scammers are conducting a phishing campaign leveraging the SpaceX IPO hype by deploying fake investment portals that impersonate SpaceX, Elon Musk, and well-known financial brands. These portals simulate legitimate investment procedures, including tax form submission, to deceive victims into depositing cryptocurrency funds (Bitcoin, Ethereum, USDT) into attacker-controlled wallets. The campaign infrastructure includes numerous randomized and SpaceX-themed domains designed to appear authentic. This campaign resembles tactics used by threat actor TA2730 but is focused on direct cryptocurrency theft rather than stealing credentials.
Potential Impact
Victims of this campaign risk losing cryptocurrency funds sent to attacker-controlled wallets. The campaign has already resulted in at least one Bitcoin wallet receiving approximately $8,700. There is no indication of credential theft or other forms of compromise beyond financial loss through fraudulent investment deposits.
Mitigation Recommendations
No official patch or fix applies as this is a phishing and fraud campaign. Defenders should block and monitor the listed malicious domains and educate users about the risks of fake investment portals, especially those impersonating high-profile events like IPOs. Users should be advised to verify investment opportunities through official channels and avoid sending cryptocurrency to unverified wallets. Since this is a social engineering campaign, technical controls such as domain blacklisting and email filtering are recommended.
Indicators of Compromise
- domain: 8fv4dxp7lx035f8ylk7.live
- domain: 467jtzbkqcfl22t9hxh.live
- domain: ddgaoylh4h420fvm7o5.live
- domain: u7aq3ocwrexd70ulpdj.live
- domain: zavpejjyz432d577l2e.live
- domain: cd7yt860whhm7g7ylj8.live
- domain: g8iqelymkc4eya9zs49.live
- domain: hy0zu0fuf7rc2ou5aje.live
- domain: k1rg2oz4zpzw91pdx90.live
- domain: ogqw9cpz7t7et3j1rur.live
- domain: adanispacex.com
- domain: fidelityspacex.site
- domain: fidelityspacexipo.site
- domain: muskspacexipo.com
- domain: muskspacexipo.vip
- domain: robinhoodspacex.com
- domain: spacexshares.xyz
- domain: mail.musksapcex.space
Fake crypto scams try to piggyback off SpaceX IPO
Description
This campaign involves scammers exploiting public interest in the SpaceX IPO by creating fraudulent investment portals that impersonate SpaceX, Elon Musk, and major financial brands such as Fidelity and Robinhood. The fake portals mimic legitimate investment onboarding processes, including W-8BEN tax forms for non-U.S. investors, and ask victims to select investment tiers before directing them to deposit funds via cryptocurrency wallets. The operation focuses on direct cryptocurrency theft rather than credential harvesting. Multiple randomized and SpaceX-themed domains are used to appear legitimate. One Bitcoin wallet linked to the campaign received approximately $8,700.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Scammers are conducting a phishing campaign leveraging the SpaceX IPO hype by deploying fake investment portals that impersonate SpaceX, Elon Musk, and well-known financial brands. These portals simulate legitimate investment procedures, including tax form submission, to deceive victims into depositing cryptocurrency funds (Bitcoin, Ethereum, USDT) into attacker-controlled wallets. The campaign infrastructure includes numerous randomized and SpaceX-themed domains designed to appear authentic. This campaign resembles tactics used by threat actor TA2730 but is focused on direct cryptocurrency theft rather than stealing credentials.
Potential Impact
Victims of this campaign risk losing cryptocurrency funds sent to attacker-controlled wallets. The campaign has already resulted in at least one Bitcoin wallet receiving approximately $8,700. There is no indication of credential theft or other forms of compromise beyond financial loss through fraudulent investment deposits.
Mitigation Recommendations
No official patch or fix applies as this is a phishing and fraud campaign. Defenders should block and monitor the listed malicious domains and educate users about the risks of fake investment portals, especially those impersonating high-profile events like IPOs. Users should be advised to verify investment opportunities through official channels and avoid sending cryptocurrency to unverified wallets. Since this is a social engineering campaign, technical controls such as domain blacklisting and email filtering are recommended.
Technical Details
- Author
- AlienVault
- Tlp
- white
- References
- ["https://www.netcraft.com/blog/fake-tax-forms-spacex-ipo-offer"]
- Adversary
- TA2730
- Pulse Id
- 6a57f270713faa71010c16ad
- Threat Score
- null
Indicators of Compromise
Domain
| Value | Description | Copy |
|---|---|---|
domain8fv4dxp7lx035f8ylk7.live | — | |
domain467jtzbkqcfl22t9hxh.live | — | |
domainddgaoylh4h420fvm7o5.live | — | |
domainu7aq3ocwrexd70ulpdj.live | — | |
domainzavpejjyz432d577l2e.live | — | |
domaincd7yt860whhm7g7ylj8.live | — | |
domaing8iqelymkc4eya9zs49.live | — | |
domainhy0zu0fuf7rc2ou5aje.live | — | |
domaink1rg2oz4zpzw91pdx90.live | — | |
domainogqw9cpz7t7et3j1rur.live | — | |
domainadanispacex.com | — | |
domainfidelityspacex.site | — | |
domainfidelityspacexipo.site | — | |
domainmuskspacexipo.com | — | |
domainmuskspacexipo.vip | — | |
domainrobinhoodspacex.com | — | |
domainspacexshares.xyz | — | |
domainmail.musksapcex.space | — |
Threat ID: 6a5803ac68715ace4390f5fa
Added to database: 07/15/2026, 22:03:24 UTC
Last enriched: 07/15/2026, 22:17:53 UTC
Last updated: 07/15/2026, 22:17:53 UTC
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.