Boxing Clever: The Million-Dollar Task Scam Cluster
Netcraft recently discovered DeltaAirlineiVIP[.]com, a task scam exploiting the US airline’s branding. It was the introduction to a cluster with more than $1M of attributable crypto transactions using an API-driven, templated approach to convince victims to make advance payments. The scam template is multipurpose, with a particular focus on American brands, including Delta, AMC Theatres, Universal Studios and Epic Records.

Figure 1. Task scam exploiting Delta's brand identity.
Operating in a similar vein to other task-based job scams, including those recently reported by Australia’s ABC News, it encourages would-be workers to enroll, which unlocks the ability to “earn” money by completing a series of tasks: in this case, operating as a flight booking agent to earn a commission.
From Delta Flights to Multi-Brand Fraud
Netcraft has identified linked malicious activity using the “Boxer” domain registrant organization name including scams targeting DJI, Accor Hotels, AMC Theatres, and 20th Century Fox. Netcraft has identified more than $1M of inbound transactions with associated cryptocurrency wallets, based on the cryptocurrency valuation at the time of writing.
This activity comes on the back of other cybersecurity developments in the aviation sector, including customer support scams, data breaches, Scattered Spider activity, and increased regulatory attention.
The deltaairlineivip[.]com domain, created on 7th June, is registered through Dominet, the domain registrar arm of Alibaba Cloud, the Chinese cloud computing giant. As is commonly the case, the registrant’s details are “Redacted for Privacy.” However, we do get some clues: the registrant claims to be a “boxer” from “DALLAS, US”. This turned out to be a useful fingerprint, with Netcraft able to identify hundreds of domains with a similar registrant pattern.
The Role of Dominet in Scam Infrastructure
Dominet came to prominence after a previous incarnation of Alibaba’s registrar business received an ICANN breach notice in March 2024. Since early May 2025, Netcraft has observed increasing use of Dominet by threat actors, particularly those associated with Smishing Triad campaigns that target Western victims by impersonating government authorities, toll agencies, and prominent brands.
Netcraft previously covered Alibaba’s cloud computing business back in 2017 when it became the second largest hosting company in the world by the number of effective web-facing computers. It retains this position today, with only Amazon Web Services ahead of it. It ranks consistently in the world’s top 20 by a variety of metrics including active IP address count, web sites, domains, and SSL certificate count.
Tracing the Technical Footprints
The deltaairlineivip[.]com apex domain has a CNAME record (a common mistake at the apex) pointing to s5d2cm8u[.]xmocloud[.]com, which has A records for three IP addresses within netblocks announced by Autonomous System 59371, owned by Dimension Network & Communication Limited (DNC), a Hong Kong-based hosting company registered in 2014. Netcraft has blocked malicious content using xmocloud or otherwise hosted by DNC, including crypto scams, fake shops, delivery scams, fake gambling sites and phishing sites.
This type of task-based scam typically falls outside the definition that ICANN uses for DNS abuse, which covers four principal types, the closest of which is phishing. By ICANN’s definition, phishing requires masquerading as a trusted entity to obtain sensitive information. For more complex types of online fraud or scam, it becomes more involved for both the abuse reporter and the platform to determine how to proceduralize detection and response.
And onto the scam itself.
Problem number one: we didn’t have the invite code. Many scams are multi-platform and multi-channel, often beginning with direct messages on peer-to-peer messaging platforms to coax victims into using the website platform. Invite codes restrict access to would-be victims; everybody else (us included) is persona non grata.

Figure 2. Peer-to-peer message with adversary who provided an invite code to their platform.
With a little bit of social engineering to wangle an invitation code without having spoken to an agent, we were in. Now we can invite others to also invest with our own invitation code.

Figure 3. After receiving an invite code, we were able to set up our account.
If you weren’t already convinced to sign on, we found a “certificate of incorporation” linked within the menu structure to put your mind at ease.

Figure 4. Counterfeit certification threat actors use to trick victims into believing their platform is legitimate.
The scam itself involves acting as a travel agent, booking flights with often implausibly low order amounts to earn a “commission.” The example below claims that the agent will earn $0.71 in USDT (Tether stablecoin) for booking a $35.83 TUI flight from Eindhoven to Rhodes, a flight that might ordinarily cost more than $100.

Figure 5. Screenshot of the submission to "book flights" in exchange for a commission.
To begin operating as an agent, you need to become a VIP. To become a VIP, you must deposit at least $100 worth of cryptocurrency, with the highest published tier requiring $50,000.

Figures 6 and 7. Screenshots showing the VIP membership process used in this scam.
Blockchain transparency works in our analyst’s favor here, allowing Netcraft to identify approximately $948,000 USDC and $300,00 ETH worth of inbound transactions to wallet 0xD53529E8, alongside $114,000 in Bitcoin and $3,000 in USDT. It is likely that these transactions include both payments from victims and money movement between accounts controlled by the threat actor or their associates.
Unpacking the inner workings of the scam uncovered a curiously named JSON file that is loaded when visiting deltaairlineivip[.]com. The file, loaded from api[.]hongchengdiany[.]com/font/config, contains a large set of configuration parameters that specify how the site works:
{
"msg": "操作成功",
"code": 200,
"data": {
"registerMoney": "10",
"conveyTime": "00:00:00,23:59:00",
"depositTime": "00:00:00,23:59:59",
"rechargeTime": "10:00:00,23:00:00",
"conveyPrice": "25,65",
"conveyLoadingTime": "0",
"copyright": "© 2025 Delta Air Lines, Inc.",
"conveyStatus": "0",
"dateArea": "America/New_York",
"oneCommission": "0.2",
"twoCommission": "0",
"threeCommission": "0",
"fourCommission": "0.0001",
"fiveCommission": "0.0001",
"loginLogo": "/profile/upload/2025/05/23/Delta_logo.svg_20250523004508A028.png",
"topLogo": "/profile/upload/2025/05/23/Delta_logo.svg_20250523004511A029.png",
"loginWindow": "0",
"loginWindowStatus": "1",
"currencyUnit": "USDT",
"creditWithdraw": "90",
"rechargeOneAddress": "TNuXZuENK3M4HBfE8YkLXGdx4EVNfJfx3J",
"rechargeOneImg": "/profile/upload/2024/07/05/Legendary-61_20240702023559A001_20240705025718A008.png",
"rechargeOneStatus": "0",
"rechargeTwoAddress": "0xD53529E83e12BE7677524210F9fb7E5fc6B3a425",
"rechargeTwoImg": "/profile/upload/2024/07/05/Ethereum-ETH-icon_20240705024404A002.png",
"rechargeTwoStatus": "0",
"rechargeThreeAddress": "bc1q2v00m4ws7lt3w2xqldt9ycdhmkgms4r2nfj56y",
"rechargeThreeImg": "/profile/upload/2024/07/05/Legendary-63_20240702023608A003_20240705025747A009.png",
"rechargeThreeStatus": "0",
"rechargeFourAddress": "0xD53529E83e12BE7677524210F9fb7E5fc6B3a425",
"rechargeFourImg": "/profile/upload/2025/02/22/5a8229787b5e4c809b5914eef709b59a_20250222045140A003.png",
"rechargeFourStatus": "0",
"rechargeFiveAddress": "3BjKpKfEnUwx7Hh3sVmGUrqfcEMQ9wvVsM",
"rechargeFiveImg": "0",
"rechargeFiveStatus": "1",
"rechargeOneExchangeRate": "1",
"rechargeTwoExchangeRate": "2481",
"rechargeThreeExchangeRate": "103991",
"rechargeFourExchangeRate": "1",
"rechargeFiveExchangeRate": "58078",
"rechargeOneName": "TRC20",
"rechargeTwoName": "ERC20",
"rechargeThreeName": "BTC",
"rechargeFourName": "USDC",
"rechargeFiveName": "BTC"
}
}
By pivoting on the domain registrant (“Boxer” from “Dallas, US”) and additional web-based indicators, Netcraft uncovered a slew of additional scam sites and more than 15 distinct configuration files, with a sample of the copyright string configuration here:
"copyright": "© Accor2024",
"copyright": "© 1986-2025 Disney-Pixar",
"copyright": "Copyright © 2025 Alpha All Rights Reserved",
"copyright": "Copyright © OUTLAND, INC. 2025 All rights reserved.",
"copyright": "Copyright © NIFTYKIT, INC. 2025 All rights reserved.",
"copyright": "© 2025 Burst Digital. All rights reserved.",
"copyright": "Copyright © 2025 Branch All Rights Reserved",
"copyright": "© In Digital Marketing Ltd. 2025",
"copyright": "©2025 Adamapp . All rights reserved.",
"copyright": "Copyright © 2024 leanplumAll Rights Reserved",
"copyright": "© 2025 - layer3. All Rights Reserved",
"copyright": "© 2024 Comscore, Inc.",
"copyright": "© 2025 Universal Studios",
These configuration files also unveil additional wallet addresses, including a Tron wallet with more than $200,000 of inbound USDT transactions, $64,000 of Bitcoin and an Ethereum wallet with $240,000 of inbound ERC-20 token transactions. Many of the configuration files did not contain wallet addresses and are likely to use alternative payment mechanisms.
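The pivot described above, as an added example (not Netcraft's tooling): it parses config responses shaped like the one shown earlier, pulls out each recharge slot, and reports wallet addresses that recur across sites. The site names, brand strings and wallet values are constructed placeholders, and treating "0" as an empty address is an assumption.

```python
import json
import re
from collections import defaultdict

# Key pattern from the config shown above: rechargeOneAddress, rechargeTwoName, ...
SLOT_KEY = re.compile(r"^recharge(One|Two|Three|Four|Five)(Address|Name|Status)$")

def extract_slots(config_text):
    """Return (copyright string, payment slots) from one config response body."""
    data = json.loads(config_text).get("data") or {}
    slots = defaultdict(dict)
    for key, value in data.items():
        m = SLOT_KEY.match(key)
        if m:
            slots[m.group(1)][m.group(2).lower()] = value
    # Drop slots with no wallet; "0" as an empty marker is an assumption.
    found = [dict(slot=n, **s) for n, s in slots.items()
             if s.get("address") not in (None, "", "0")]
    return data.get("copyright"), found

def shared_wallets(configs):
    """Map each wallet address to the sites listing it, keeping only reused ones."""
    index = defaultdict(set)
    for site, text in configs.items():
        for s in extract_slots(text)[1]:
            addr = s["address"]
            # 0x-prefixed hex addresses compare case-insensitively.
            index[addr.lower() if addr.startswith("0x") else addr].add(site)
    return {a: sites for a, sites in index.items() if len(sites) > 1}

# Constructed sample responses (sites, brands and wallets are placeholders).
SAMPLE = {
    "site-a.example": json.dumps({"code": 200, "data": {
        "copyright": "© 2025 Brand A",
        "rechargeOneAddress": "TEXAMPLEWALLET0001", "rechargeOneName": "TRC20",
        "rechargeTwoAddress": "0xAAAA000000000000000000000000000000000001",
        "rechargeTwoName": "ERC20", "rechargeTwoStatus": "0"}}),
    "site-b.example": json.dumps({"code": 200, "data": {
        "copyright": "© 2025 Brand B",
        "rechargeFourAddress": "0xaaaa000000000000000000000000000000000001",
        "rechargeFourName": "USDC", "rechargeFourStatus": "0"}}),
    "site-c.example": json.dumps({"code": 200, "data": {
        "copyright": "© 2025 Brand C", "rechargeOneAddress": "0"}}),
}

if __name__ == "__main__":
    for wallet, sites in shared_wallets(SAMPLE).items():
        print(wallet, sorted(sites))
```

The raw status value is carried through unchanged because the page does not say which value marks a slot as enabled.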
An extract from Netcraft’s IOC sample of associated domain names includes:
amctheatreilu[.]com (AMC Theatres)
all-accorli[.]com (Accor Hotels)
amblinil[.]com (Amblin)
fp40[.]com (DJI)
universalstudioworksite[.]com (NBC Universal)
epicrecorlvip[.]com (Epic Records)
This cluster is active at the time of writing, with Netcraft continuing to monitor its activity.
Implications for Threat Intelligence and Mitigation
The “Boxer” task scam cluster illustrates how opportunistic actors are weaponizing API-driven brand-impersonation templates to scale financially motivated fraud across multiple verticals.
By linking evidence from domains, registrant patterns, and blockchain transactions, we can expose the full scope of the operation and move to disrupt it before more people are caught. Netcraft will keep monitoring this cluster and similar scams, sharing intelligence and collaborating with partners to shut them down wherever they surface.