Executive summary
Netcraft identified scammers exploiting public interest in the SpaceX IPO with fake investment portals impersonating SpaceX, Elon Musk, and other well-known financial brands. The campaign uses domains such as spacexshares[.]xyz, fidelityspacexipo[.]site, robinhoodspacex[.]com, and muskspacexipo[.]vip to invite visitors to register for access to SpaceX shares, select an investment tier, and, in some cases, deposit funds using cryptocurrency.
The lure works because IPO participation is often complex and broker-mediated. A victim may reasonably expect a legitimate investment process to involve a recognized brokerage platform, eligibility checks, tax paperwork, and funding instructions. The scam mirrors that process: emails direct recipients to fake onboarding pages or W-8BEN-style forms, which are normally used by non-U.S. investors to certify their foreign tax status for certain U.S.-source income; branded pages create a sense of legitimacy; and deposit pages that turn investor interest into direct financial loss.
This activity is thematically consistent with the W-8BEN tax-form lures and investment-brand impersonation reported in Proofpoint's tracking of TA2730, though the monetization differs: TA2730 harvests investment-account credentials for account takeover, whereas this campaign solicits cryptocurrency deposits directly.
How the scam works
The campaign combines email lures, fake investment portals, impersonated brokerage brands, and cryptocurrency payment instructions into a convincing end-to-end fraud funnel.
The emails Netcraft examined direct recipients to fake onboarding pages or W-8BEN-style forms. The use of tax documentation is significant as it creates the appearance of a legitimate investment process. Rather than asking for payment immediately, the scam first asks victims to complete familiar-looking admin steps. This lowers suspicion and makes the interaction feel more legitimate.
Some of the sites ask visitors to select a “target investment tier” or otherwise indicate how much they intend to invest. This serves two purposes for scammers. First, it encourages victims to think about the process as a legitimate investment decision. Second, it allows the scammers to prioritize higher-value victims based on their stated willingness to deposit funds.
One of the sites, spacexshares[.]xyz, included a deposit page listing cryptocurrency wallets for BTC, ETH, and USDT. The ETH and USDT addresses are identical, as USDT is issued as an ERC-20 token on the same Ethereum address. The end goal is direct financial theft.
Observed wallet addresses include:
BTC: bc1q3ad4npa6qqxrcdrgd2gmmgttsakq9635q6uz50
ETH & USDT: 0xc4cf58a782cCa0dB793bE5fBE145361533A6AF30
At the time of writing, the BTC address had received 0.14174492 BTC, worth roughly $8,700.

An example of one of the lure pages promising to allow you to invest in the SpaceX IPO.
Campaign infrastructure
The campaign uses two broad categories of domains: randomized domains and more explicit SpaceX- or broker-themed domains.
One cluster consists of long pseudo-random .live domains:
467jtzbkqcfl22t9hxh[.]live
ddgaoylh4h420fvm7o5[.]live
u7aq3ocwrexd70ulpdj[.]live
zavpejjyz432d577l2e[.]live
8fv4dxp7lx035f8ylk7[.]live
cd7yt860whhm7g7ylj8[.]live
g8iqelymkc4eya9zs49[.]live
hy0zu0fuf7rc2ou5aje[.]live
k1rg2oz4zpzw91pdx90[.]live
ogqw9cpz7t7et3j1rur[.]live
A second cluster uses clear SpaceX-, IPO-, Elon Musk-, and brokerage-themed naming:
spacexshares[.]xyz
fidelityspacex[.]site
fidelityspacexipo[.]site
robinhoodspacex[.]com
adanispacex[.]com
muskspacexipo[.]vip
muskspacexipo[.]com
These specific domains are more directly tied to the lure itself, designed to resemble domains a potential victim might search for or expect to receive.
The domains “muskspacexipo[.]vip” and “muskspacexipo[.]com” also pointed their MX records to mail[.]musksapcex[.]space, which uses the misspelling “sapcex” instead of “spacex”.

Another lure page offering access to the SpaceX IPO.
Why the lure is effective
The campaign does not fully rely on the SpaceX name alone. The sites copy parts of the normal investment process, asking victims to complete a W-8BEN-style form, select an investment tier, and then deposit funds. Making the process appear legitimate.
The use of tax paperwork and broker names helps the sites look more legitimate. Asking victims how much they want to invest also makes the process appear like a genuine offer. This allows the scammers to exploit both interest in the SpaceX IPO and uncertainty over how investors can participate.
Conclusion
This specific SpaceX IPO campaign shows how scammers exploit major financial events. While this campaign centers on the SpaceX IPO, the techniques are not unique to SpaceX. High-profile IPOs and other widely anticipated investment opportunities naturally generate significant public interest, media coverage, and uncertainty around how investors can participate. Threat actors can exploit these uncertainties by impersonating companies, brokers, and financial institutions associated with the offering, creating fraudulent registration portals that closely resemble legitimate investment workflows.
As new IPOs and other major investment events emerge, organizations should expect attackers to continue adapting these techniques to capitalize on public interest. Rather than viewing this as a one-off SpaceX-themed campaign, defenders should recognize it as a repeatable fraud model that can quickly be repurposed in future campaigns. Monitoring for newly registered investment-themed domains, broker impersonation, and fraudulent onboarding portals will be critical to identifying and disrupting similar campaigns before they reach potential victims.
Indicators of compromise (IOCs) associated with this campaign are published in Netcraft’s public GitHub repository.



