Down the Hiragana Hole: Uncovering a New Wave of Lookalike Domains

By Ivan Khamenka | August 27, 2025

Cybercriminals are always looking for new ways to trick people into giving up money, data, and sensitive information. Netcraft has observed a recent shift toward a subtle but clever tactic that exploits how we visually process text: the Japanese Hiragana character ん used as a stand-in for a forward slash in domain names. Netcraft uncovered novel attacks targeting cryptocurrency wallets and exchanges, prominent travel websites, and large cloud services, and has also seen security researchers use the same trick in testing.

Initial reports earlier in August identified campaigns using this technique against Booking.com. Our own investigation, however, traced it back to November 25, 2024, beginning with the domain ioんhardware-wallet[.]best. Netcraft has since identified more than 600 related domains using the technique.

Figure 1: The Hiragana character "ん" (romanized "n") deployed in a URL.

By using carefully chosen lookalike Unicode characters in domain names, attackers can craft URLs for fake websites that look almost identical to legitimate ones. This type of attack, often called a homoglyph attack, works because different scripts or writing systems contain characters that look alike; think of a Latin ‘a’ and a Greek ‘α’ (alpha). The vector is not new, dating back to the early 2000s, but threat actors have found a new twist that exploits an edge case in the processing rules designed to prevent such confusion.

These attacks rely on “confusable” characters: Unicode code points that resemble Latin letters or punctuation but are encoded differently. Recent activity uses the Japanese character “ん” (hiragana ‘n’), which at a glance resembles a forward slash (“/”). Dropped into a domain name, it makes a hostname read like a path: the text before the ん looks like the familiar domain and the text after it looks like a URL path, while the whole string is in fact a single host label under an attacker-controlled domain. That tiny swap is enough to make a phishing domain look real, which is exactly what threat actors stealing logins and personal information or distributing malware want.

Figure 2: How Hiragana ん appears in Chrome’s URL display. The host domain name is "comprehensive-protection[.]guru" in the example shown.

To make these deceptive domains resolvable, threat actors rely on Punycode (RFC 3492), the encoding IDNA uses to turn a Unicode label into an ASCII label that DNS can carry; the encoded label is prefixed with xn--. For instance, the hostname example.comんlogin becomes example.xn--comlogin-0o4g, which can be registered and resolved like any other domain. Note that the ん never acts as a separator: to the DNS, comんlogin is one ordinary label.

Tracing the Campaign’s Early Activity

Our investigation revealed that the majority of the 600-plus domains using this deceptive character were aimed at cryptocurrency users. They frequently impersonated legitimate browser extension listings, particularly fake versions of Chrome Web Store pages, to lure victims into downloading malicious wallet applications. The impersonated wallets include Phantom, Rabby, OKX, Coinbase, MetaMask, Exodus, PancakeSwap, Bitget, and Trust.

Mapping the Infrastructure Behind New Domain Activity

Days after the Booking.com domains were uncovered, and shortly after the initial public reporting, we identified a wave of newly registered domains:

  • chromewebstore[.]google[.]comんdetailんokx-wallet[.]comprehensive-protection[.]guru

  • chromewebstore[.]google[.]comんdetailんrabby-wallet[.]comprehensive-protection[.]guru

We decided to dig deeper to understand their intentions.

Fake Chrome Extension, Real Wallet Theft

Figure 3: Fake Chrome extension page mimicking OKX Wallet download.

First, we examined chromewebstore[.]google[.]comんdetailんokx-wallet[.]comprehensive-protection[.]guru, a phishing page that mimics the Chrome Web Store listing for the OKX cryptocurrency wallet browser extension. Clicking “Add to Chrome” appeared to prompt us to add OKX Wallet as an extension, but this was fake: the page instead redirected to /welcome, which prompted us to either create or import a wallet.

Figure 4: Navigation path leading to fake OKX Wallet import page.

Once a seed phrase was entered, we observed it being sent to process.php, which appeared to validate the phrase before harvesting it. After validation the seed phrase was in the attackers' hands, giving them full control of the victim's wallet and every account derived from that seed.

When a Browser Button Becomes a Malware Dropper

Figure 5: Fake Chrome Extension page mimicking Rabby Wallet download.

While this page looks nearly identical to the example above, the outcome is quite different. Clicking ‘Add to Chrome’ did not redirect to a web-based seed phrase stealer. Instead, it immediately downloaded an .exe file named “acmacodkjbdgmoleebbolmdjsighsdch.exe,” which the page presents as the Chrome extension for Rabby Wallet (a commonly used wallet for Ethereum and other EVM chains); the filename takes the form of a 32-character Chrome extension ID, which lends it credibility. After the download, the page shows a fake error message claiming the installation failed and instructing the visitor to open the downloaded file manually.

Figure 6: Error message used to trick users into running the malicious file.

Upon closer analysis, the .exe appears to be malicious. The file carries a valid code-signing signature issued to OLAN LLC, which introduces a new layer of uncertainty: the certificate may belong to a legitimate IT services company whose signing identity the threat actors are now leveraging, much as other campaigns have abused commercial IT administration tools such as ConnectWise. A valid signature therefore cannot be taken as evidence that the file is benign.

Further investigation revealed that the malware communicates with 826exe.carnegie.workers[.]dev. In traffic we intercepted between the executable and this address, the program transmitted profile data about the infected system to its command and control (C2) service, including the logged-in user account name, machine name, operating system version, and other parameters.

Figure 7: The initial C2 check-in communication with profile data masked out.

Subsequent connections to the C2 address revealed that the program self-identifies as "Performance Enhancement Tool v.3.7.2" and deploys a payload into a folder named PerformanceModules under the logged-in user's AppData\Local path.

Figure 8: The "Performance Enhancement Tool" executable communicates with its C2 that it has deployed a payload under the MyTestExtension folder.

Inside that folder, the malware creates a subfolder named Module_ followed by eight random hexadecimal characters, and inside that a folder named MyTestExtension containing more than 900 files. These include what appears to be some genuine Rabby Wallet code, alongside scripts, images, and text that have nothing to do with Rabby Wallet, including references to online web games. Some of the graphics embedded in this code appear to walk the user through changing the wallet address that holds their funds.

Figure 9: The "Rabby Wallet" code appears inside this MyTestExtension folder the file drops into the user's AppData path.

Additionally, we identified a malicious payload with the same filename hosted at storage.googleapis[.]com/8-26b/acmacodkjbdgmoleebbolmdjsighsdch.exe. This suggests a well-orchestrated setup that blends certificate abuse, cloud-hosted payloads, and evasive infrastructure to facilitate data theft or remote access.

Figure 10: Fraudulent extension mimicking Rabby Wallet interface.

The Spread of Phishing Abuse Continues

Following the initial wave of phishing domains targeting Booking.com and popular cryptocurrency wallets, our investigation uncovered a broader and rapidly evolving set of infrastructure leveraging the deceptive character. While many of these domains initially focused on impersonating cryptocurrency platforms, we have since identified a growing number that extend beyond the crypto and travel sectors.

A significant portion of these newly observed domains currently lack active content, but their structural patterns, registration timing, and thematic similarities suggest they are part of a coordinated setup. Notably, the domains that do not target cryptocurrency began appearing shortly after public reporting on August 14, 2025, indicating that threat actors are quickly adopting this tactic across multiple verticals.

Some of the newly discovered domains appear to target major tech platforms. For instance, we found several Microsoft-themed domains such as:

Microsoft[.]comんmeetup-joinん19meeting[.]otc4zjbhztytnji4ny0[.]com

Microsoft[.]comんmeetup-joinん19meeting[.]x1ls8966x1kpvhfamqo[.]com

Microsoft[.]comんmeetup-joinん19meeting[.]1lckz6ox3gfx4l6wud7[.]com

These domains are crafted to resemble Microsoft Teams meeting join links, whose genuine URLs contain the path segments meetup-join and 19:meeting, likely aiming to exploit trust in workplace collaboration tools.

In addition, we identified a domain impersonating Cloudflare:

Cloudflare[.]comんdetailんrestric-access[.]com-restrict[.]net

This domain impersonates Cloudflare’s access control feature. Interestingly, both the original Booking.com phishing domain hxxps://account[.]booking[.]comんdetailんrestric-access[.]www-account-booking[.]com/en/ and the Cloudflare domain share the same label segment: restric-access. This reuse across different brands suggests a shared domain generation pattern or toolkit, and possibly a common threat actor or automated infrastructure setup.

Other domains seem to target educational services. Examples include:

sdu[.]edu[.]cnんcasんlogin[.]pass-sdu-edu[.]cn

These resemble university single sign-on portals and could be used in credential harvesting campaigns targeting students and staff.

We also observed additional crypto-related domains, such as booth[.]pmんgiftsん8f53a3a2-adbc-4d10-9d03-f338215de494ん[.]sakurayuki[.]dev, which appears to be themed around digital gifts or giveaways, a common lure in crypto phishing. Another domain, www[.]revolut[.]comんviewんtransactionんb3edf3638c29m4qdl5kdlx3んstatus[.]online, mimics the Revolut all-in-one finance application, likely to exploit users' trust in and familiarity with financial platforms.

In addition to these, we found several domains that are likely test cases or proof-of-concept setups, possibly created by researchers or security teams:

google[.]comんdetailsんaccount[.]test[.]c0ffee[.]ca

mail[.]lgss-spb[.]ruんlogin[.]donot[.]press

nubank[.]comんsuacontaんcadastropessoal[.]webphishing[.]com

These domains contain keywords such as “test”, “donot[.]press”, and “webphishing”, suggesting they are not part of active malicious campaigns but are used for experimentation or awareness training.

While these domains are not currently serving malicious content, their existence highlights how quickly this tactic is spreading. It’s common for threat actors to register domains in advance, either to avoid detection or to prepare infrastructure for future campaigns. The consistent use of the ん character across both malicious and experimental domains reinforces its potential as a tool for visual deception.

Implications for Defenders

One of the challenges in tracking these campaigns is that Unicode makes detection and monitoring more complex than with plain Latin characters. A character like ん is visually close to an ASCII delimiter (here the forward slash) but is encoded completely differently, so it slips past string-matching filters and regex rules written against ASCII. The same domain also has two on-the-wire forms: the Unicode string a user sees, and the xn-- Punycode label that appears in DNS, certificate transparency logs, and most proxy logs. A rule that inspects only one form misses the other, so detection should decode xn-- labels before comparing, and should flag any label that mixes scripts or contains characters resembling “/”, “.” or other delimiters.

Chrome’s IDN display policy allows certain script combinations, such as Latin together with Hiragana, within a single label. This is permitted to support legitimate multilingual (here, Japanese) domain names, with specific exceptions for combinations known to be highly confusable. As Figure 2 shows, ん is not caught by those exceptions and is rendered in Unicode form rather than as Punycode, leaving threat actors enough room to exploit it in phishing domains.

Many security tools and URL scanners are not configured to normalize or visually compare Unicode characters, which lets these domains evade automated detection.
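As an added example (not from the original post or from Netcraft's tooling), the following Python sketches the decode-then-inspect rule described above. It accepts a hostname in either Unicode or xn-- form, decodes Punycode labels with the standard library's idna codec, flags labels that contain a delimiter lookalike or mix scripts, and reports the host a user would perceive next to the domain that actually controls it. The lookalike table (only ん for now), the coarse script bucketing by Unicode character name, and the last-two-labels guess at the registrable domain are all simplifying assumptions; a production rule would use the Unicode Script property and the Public Suffix List.

```python
"""Triage hostnames for delimiter-lookalike characters and mixed scripts
(added example). Works on the Unicode form seen in the address bar and on
the xn-- form seen in DNS, CT logs and proxy logs, so one rule covers both."""
import unicodedata
from typing import Optional

# Assumption: characters that pass for a URL delimiter at a glance. Only
# U+3093 comes from the campaign described above; extend as new ones appear.
DELIMITER_LOOKALIKES = {"\u3093": "/"}  # HIRAGANA LETTER N resembles "/"

NEUTRAL = set("-0123456789")  # hyphen and digits belong to no script


def script_of(ch: str) -> Optional[str]:
    """Coarse script bucket taken from the first word of the Unicode name
    (LATIN, HIRAGANA, CYRILLIC, ...). Assumption: good enough for triage."""
    if ch in NEUTRAL:
        return None
    name = unicodedata.name(ch, "")
    return name.split(" ", 1)[0] if name else "UNKNOWN"


def to_unicode_label(label: str) -> str:
    """Turn an xn-- label back into Unicode; other labels pass through."""
    if label.lower().startswith("xn--"):
        return label.encode("ascii").decode("idna")
    return label


def analyze_host(host: str) -> dict:
    """Return what the user perceives, who really owns the name, and why it was flagged."""
    labels = [to_unicode_label(lb) for lb in host.rstrip(".").split(".")]
    unicode_host = ".".join(labels)
    findings = []
    for label in labels:
        lookalikes = sorted({c for c in label if c in DELIMITER_LOOKALIKES})
        scripts = {s for s in map(script_of, label) if s}
        if lookalikes:
            codes = [f"U+{ord(c):04X}" for c in lookalikes]
            findings.append(f"delimiter lookalike {codes} in label {label!r}")
        if len(scripts) > 1:
            findings.append(f"mixed scripts {sorted(scripts)} in label {label!r}")
    # What the eye reads: swap each lookalike for the delimiter it imitates
    # and keep everything up to the first apparent "/".
    perceived = unicode_host
    for ch, delim in DELIMITER_LOOKALIKES.items():
        perceived = perceived.replace(ch, delim)
    return {
        "host": unicode_host,
        "perceived_host": perceived.split("/", 1)[0],
        # Assumption: last two labels stand in for the registrable domain.
        "apex_guess": ".".join(labels[-2:]),
        "findings": findings,
        "suspicious": bool(findings),
    }


if __name__ == "__main__":
    # Constructed sample: two hosts from the campaign, one Punycode-only log
    # entry, and two benign controls (one of them a legitimate IDN).
    samples = [
        "chromewebstore.google.comんdetailんokx-wallet.comprehensive-protection.guru",
        "account.booking.comんdetailんrestric-access.www-account-booking.com",
        "example.xn--comlogin-0o4g",
        "www.netcraft.com",
        "bücher.example",
    ]
    for sample in samples:
        r = analyze_host(sample)
        flag = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"{flag:10} {r['perceived_host']!r:32} actually under {r['apex_guess']!r}")
        for f in r["findings"]:
            print("           -", f)
```

The useful output is the pair of perceived host and real apex: for the OKX domain above the user reads chromewebstore.google.com while the name actually sits under comprehensive-protection.guru, and the same verdict is reached whether the input arrived as Unicode or as the xn-- label from a log.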

Outpacing Confusable Character Threats

The use of confusable Unicode characters in phishing domains isn’t new, but it is evolving. The abuse of Hiragana ん is just one example of how a subtle character swap can bypass filters and fool even vigilant users. Netcraft will continue to monitor this tactic, track emerging infrastructure, and share updates as attackers refine their methods.

Netcraft has published IOCs related to this research to our GitHub repository.
