{ "type": "Domain", "indicator": "fontmaxplugin.cc", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/fontmaxplugin.cc", "alexa": "http://www.alexa.com/siteinfo/fontmaxplugin.cc", "indicator": "fontmaxplugin.cc", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4197446909, "indicator": "fontmaxplugin.cc", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 1, "pulses": [ { "id": "698408e23725b5d83f3ac6f4", "name": "IOC - Rublevka Team: Anatomy of a Russian Crypto Drainer Operation", "description": "Insikt Group has identified a major cybercriminal operation specializing in large-scale cryptocurrency theft, operating under the moniker \u201cRublevka Team\u201d. Since its inception in 2023, the threat group has generated over $10 million through affiliate-driven wallet draining campaigns. Rublevka Team is an example of a \u201ctraffer team,\u201d composed of a network of thousands of social engineering specialists tasked with directing victim traffic to malicious pages. Unlike traditional malware-based approaches such as those used by the traffer teams Marko Polo and CrazyEvil (previously identified by Insikt Group, both of which distributed infostealer malware), Rublevka Team deploys custom JavaScript scripts via spoofed landing pages that impersonate legitimate crypto services, tricking victims into connecting their wallets and authorizing fraudulent transactions.", "modified": "2026-03-07T03:01:37.719000", "created": "2026-02-05T03:05:06.506000", "tags": [ "email" ], "references": [ "https://www.recordedfuture.com/research/rublevka-team-anatomy-russian-crypto-drainer-operation" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 10, "FileHash-MD5": 1, "FileHash-SHA256": 7, "domain": 11, "email": 1, "hostname": 3 }, "indicator_count": 33, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "86 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://www.recordedfuture.com/research/rublevka-team-anatomy-russian-crypto-drainer-operation" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [], "malware_families": [], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 1, "pulses": [ { "id": "698408e23725b5d83f3ac6f4", "name": "IOC - Rublevka Team: Anatomy of a Russian Crypto Drainer Operation", "description": "Insikt Group has identified a major cybercriminal operation specializing in large-scale cryptocurrency theft, operating under the moniker \u201cRublevka Team\u201d. Since its inception in 2023, the threat group has generated over $10 million through affiliate-driven wallet draining campaigns. Rublevka Team is an example of a \u201ctraffer team,\u201d composed of a network of thousands of social engineering specialists tasked with directing victim traffic to malicious pages. Unlike traditional malware-based approaches such as those used by the traffer teams Marko Polo and CrazyEvil (previously identified by Insikt Group, both of which distributed infostealer malware), Rublevka Team deploys custom JavaScript scripts via spoofed landing pages that impersonate legitimate crypto services, tricking victims into connecting their wallets and authorizing fraudulent transactions.", "modified": "2026-03-07T03:01:37.719000", "created": "2026-02-05T03:05:06.506000", "tags": [ "email" ], "references": [ "https://www.recordedfuture.com/research/rublevka-team-anatomy-russian-crypto-drainer-operation" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 10, "FileHash-MD5": 1, "FileHash-SHA256": 7, "domain": 11, "email": 1, "hostname": 3 }, "indicator_count": 33, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "86 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "fontmaxplugin.cc", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "fontmaxplugin.cc", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780286083.8227131 }