Analysis of a Homemade Fraud Infrastructure

OWN-CERT - 1/7/2026

An automated TikTok account uncovered an infrastructure powering fraudulent AI services, cryptocurrency operations, Discord automation, and monetization services.

As part of our efforts to detect and prevent online fraud, OWN discovered a burgeoning fraud and potential scam campaign which relies on TikTok as its primary channel for content dissemination and promotion.

In this article we unveil a scam campaign promoting fraudulent discounted offers for various services such as transportation, food services, software, investment or prepaid cards, all of which are promoted on TikTok and Discord using an automated system commanded from a single server.

The starting point of this investigation is the skyywtww TikTok account. This account displays a pattern of excessive and repetitive posting, cycling through a small set of videos republished every hour. These videos promote a single offer: a service for creating an e-commerce online shop on the Shopify platform, available on a website at profitlab[.]fr.

The promoted service is suspicious as it promotes an impressive 97% discount on online shop creation and suggests that the shop will generate almost immediate revenues. Moreover, the vendor boasts that they are certified by the Shopify platform, a claim that cannot be verified on the official list of certified partners. This type of presentation, combining significant discounts, a money-back guarantee, a badge of legitimacy and testimonial videos, is typical of e-commerce fraud campaigns targeting retail consumers.

The publication rhythm is unlikely to result from ordinary human activity and instead strongly suggests the use of an automated system that drives publications through a dedicated backend. Also, each post has between 200 and 1000 views, which is quite low for a single post but adds up to several thousand in a 24-hour window. However, the distribution of the view counts raises the question of whether these figures might have been generated by bots.

We therefore turned to Internet search engines such as ONYPHE to try to discover if any admin panel, configuration panel, dashboard or exposed backend existed with references to the profitlab[.]fr domain name or the skyywtww account. It turned out to be only the tip of the operation.  

Searching for “skyywtww” in the servers’ text responses on ONYPHE did not yield any result; however, searching for “profitlab” returned a handful of results which we could analyze. One of them indicated a TikTok Dashboard, which was consistent with our investigation. It turned out that this result was found on the server at 51.83.68[.]125, which is also the IP address that profitlab[.]fr resolved to, confirming that this server was involved in the fraud.

Figure 1. Displaying the interesting result for the search for "profitlab" on ONYPHE. Source: OWN/ONYPHE

Analyzing the page titled "InfernoScript - Dashboard TikTok" at 51.83.68[.]125:8080 shows a comprehensive web interface designed for the automated generation and publication of content on TikTok, which was left open on the Internet. The interface consists of four distinct modules accessible from a horizontal navigation bar:

  • Inferno Splitter
  • DarkSnap
  • SNCF -50%
  • ProfitLab

Inferno Splitter

The first module, Inferno Splitter, is the fundamental building block of the system. From a single video uploaded on the interface, it automatically generates several variants of the original video with overlaid personalized text. Its function is thus to generate multiple similar but distinct videos from a single source.

Figure 2. The Inferno Splitter’s interface. Source: OWN

DarkSnap

The second module, DarkSnap, adds a comprehensive automation layer to Inferno Splitter’s logic: after uploading video files as source and defining the number of videos to be generated, the operator can activate the Full Auto H24 mode, which then takes over the whole process of video generation and publication automatically.

Figure 3. The DarkSnap tool’s interface. Source: OWN

The interface is set to publish one video every 60 minutes on each of the TikTok accounts managed through the dashboard. At the time of analysis, the following six accounts were configured:

  • yep.tiktok1
  • deletedusrn
  • romainfitness93
  • sncfpascher
  • sby_elt
  • userx_salman

Each account is also configured with an automatic description, which is injected for each publication without any intervention from the operator.

Figure 4. Example of TikTok accounts linked to this fraud. Source: OWN

It is worth highlighting that several of these accounts have amassed a significant number of followers, from hundreds to tens of thousands, and have previously published content unrelated to the fraudulent campaign which we have discovered. This suggests that these accounts may have belonged to other users before and may have been either hijacked or bought. Although we could not verify these hypotheses, they are worth mentioning.

All six accounts have been publishing the same videos in a synchronized way. Furthermore, these videos display another domain, snapdark[.]fr, which thus creates a strong link between the DarkSnap module and another part of the infrastructure which we will detail later.
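The two signals described so far, a near-constant hourly publication rhythm and several accounts publishing in lockstep, can be checked programmatically. The following is an added example, not part of the original investigation or of the fraudster's tooling: the account names, timestamps and thresholds (max_cv, window_s, min_overlap) are constructed assumptions.

```python
from datetime import datetime, timedelta
from statistics import mean, pstdev

def interval_stats(timestamps):
    """Return (mean gap in minutes, coefficient of variation) or None."""
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() / 60 for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return None
    avg = mean(gaps)
    return avg, (pstdev(gaps) / avg if avg else 0.0)

def looks_scheduled(timestamps, max_cv=0.05, min_posts=6):
    """True when gaps between posts are nearly constant (assumed thresholds)."""
    if len(timestamps) < min_posts:
        return False
    stats = interval_stats(timestamps)
    return stats is not None and stats[1] <= max_cv

def synchronized_accounts(posts, window_s=120, min_overlap=0.8):
    """Pairs of accounts whose posts land within window_s of each other."""
    pairs, names = [], sorted(posts)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            ta, tb = posts[a], posts[b]
            if not ta or not tb:
                continue
            hits = sum(any(abs((x - y).total_seconds()) <= window_s for y in tb)
                       for x in ta)
            if hits / max(len(ta), len(tb)) >= min_overlap:
                pairs.append((a, b))
    return pairs

# Constructed sample data (not taken from the investigation).
T0 = datetime(2026, 1, 1)
def _at(seconds):
    return [T0 + timedelta(seconds=s) for s in seconds]

HOURLY = [0, 3605, 7197, 10808, 14402, 17996, 21606, 25200]
SAMPLE = {
    "acct_a": _at(HOURLY),                       # hourly, few seconds of jitter
    "acct_b": _at([s + 30 for s in HOURLY]),     # same schedule, 30 s later
    "human_c": _at([m * 60 for m in (0, 47, 300, 310, 1400, 2100, 2105, 4000)]),
}

if __name__ == "__main__":
    for name, ts in SAMPLE.items():
        avg, cv = interval_stats(ts)
        print(f"{name}: mean gap {avg:.1f} min, cv {cv:.3f}, "
              f"scheduled={looks_scheduled(ts)}")
    print("synchronized:", synchronized_accounts(SAMPLE))
```

A low coefficient of variation alone also matches legitimate scheduling tools, so the cross-account synchronization check is the stronger signal when several accounts are under review.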

SNCF -50%

The third module is entirely dedicated to a fraudulent travel ticket scheme. It generates videos promoting discounted SNCF tickets sold on a Discord server indicated in the description of the dedicated TikTok account. Examples of such videos promote a 50% reduction on train tickets for journeys between Paris and Lyon.

Figure 5. Example of a video generated by the InfernoScript tool. Source: OWN

As for the other modules, the operator can define the number of variants to be generated.

Figure 6. Dashboard for the SNCF -50% section. Source: OWN

ProfitLab

The fourth and last module links the service to the starting point of this investigation: profitlab[.]fr. This service generates videos for the promotion of this website. Thirty-five source videos have already been uploaded in the interface, along with a soundtrack and five rotating text descriptions that can be found in the publications of the skyywtww account.

Figure 7. The Profitlab’s interface. Source: OWN

This module also has a Full Auto H24 mode which is configured to publish videos automatically on the skyywtww account every 60 minutes, thus coming full circle with the starting point of this investigation.

InfernoScript is thus more than a simple video editing tool: it is a comprehensive automation platform operating from a centralized infrastructure capable of managing content publication across multiple accounts associated with several online fraud campaigns.

Figure 8. TikTok videos for darksnap[.]fr generated by the DarkSnap module and published on @romainfitness9. Source: OWN

SnapDark[.]fr

As we mentioned earlier, the videos generated using the DarkSnap module mention the snapdark[.]fr domain name, which allows us to pivot to another fraudulent service supported by this infrastructure. snapdark[.]fr describes itself as a Snapchat spying service promising to offer anonymous access to a target’s My Eyes Only (a private storage protected with a PIN code to save Snapchat content), their GPS coordinates, and their private messages, without the target being alerted. However, looking at the source code of the trial offer reveals the deception: all the supposedly stolen data is scripted inside the code of the page.

Figure 9. Source code for the snapdark[.]fr page. Source: OWN

The deception can be confirmed further: a Supabase API key is visible in clear text inside the tracker.js file, available at hxxps://snapdark[.]fr/tracker.js. The exposed API key allows the user events database to be consulted, thus revealing the steps performed by each victim, from their first visit to their payment. The Stripe payment form is indeed fully functional.

This service is available through three other domain names: snapcheck[.]fr, dark-snap[.]fr and darksnap[.]fr, probably for redundancy.

Figure 10. The snapdark[.]fr offer. Source: OWN

The fraud campaign was proven at this stage; however, investigating the IP address revealed different frauds and how they were promoted.

Five services on a single server

The ONYPHE search engine recorded several services exposed on 51.83.68[.]125.

Figure 11. ONYPHE lists several open ports on 51.83.68[.]125. Source: OWN/ONYPHE

Port 8080 — InfernoScript

This is the service documented in the previous paragraphs: the operational core of the video generation tool.

Port 3000 — AutoBump

This service displays a configuration panel dedicated to the automated promotion of Discord servers. The principle is simple: bots submit “bump” commands on a regular basis to Disboard, a public Discord server listing platform. “Bumps” push Discord servers higher in listings such as Disboard or Discadia, so that they are found more rapidly by users looking for specific Discord communities. The fraudster thus uses these Discord server listing platforms to promote their fraudulent services.

The AutoBump interface reveals a lot of information: all the fraudulent offers promoted by the fraudster on various Discord servers are enumerated, as well as the Discord accounts of the most recent victims, the detailed logs of the bots’ actions and daily statistics.

The list of fraudulent offers matches the observations on the InfernoScript service: transport fare fraud, delivery services fraud and online video gaming fraud for example.

Figure 12. The AutoBump dashboard. Source: OWN

Port 3001 — AutoBump Discadia

This service is similar to the previous one but for the Discadia platform, a Discord server listing platform similar to Disboard.

The Discord servers promoted on this platform sell various virtual or physical assets linked to popular online video games such as accounts, real or virtual items, virtual currencies, etc.

Figure 13. The AutoBump Discadia dashboard. Source: OWN

Port 443 — SnapDark Graphics

This service offers to create and deliver “premium logos” for a monthly fee. The page content reproduces the same scheme as SnapDark: false recommendations, false statistics, and a gallery of logos whose origin cannot be verified, supported by seemingly real and convincing terms and conditions to enhance the veil of credibility.

Figure 14. The SnapDark Graphics page. Source: OWN
Figure 15. Payment for the SnapDark Graphics service. Source: OWN

A new domain name is shown in the extract produced by ONYPHE from the server’s response: snapgraphics[.]fr, which is the hostname associated with this service.

Figure 16. List of domain names present in the body of the server’s response. Source: OWN/ONYPHE

Port 22 — SSH

This port offers a standard SSH connection, allowing the operator to control their server remotely. Nothing out of the ordinary has been detected on this port.

Going further with InfernoCard

The domain name infernocard[.]com was discovered by inspecting passive DNS data for 51.83.68[.]125. It leads to a web page offering anonymous prepaid cards that can be loaded in US dollars using the Solana cryptocurrency (SOL).  

Figure 17. Web page for infernocard[.]com. Source: OWN

It was not possible to verify if or how this offer functioned; however, loading such a prepaid card implied transferring funds to one of the wallets used by the service, as shown in the source code of the web page.

Figure 18. Source code of the payment page of InfernoScript containing the wallet addresses used for the payment. Source: OWN

AI subscription fraud

ONYPHE also shows the SSL certificates associated with the 51.83.68[.]125 IP address, one of which is for aiportal[.]fr.

Figure 19. List of SSL certificates associated with 51.83.68[.]125, including aiportal[.]fr. Source: OWN/ONYPHE

This domain name sells discounted subscriptions for renowned AI services, as always with a suspicious, significant discount, capitalizing on the current craze for generative AI.

Figure 20. Discounted AI tool subscriptions offered on aiportal[.]fr. Source: OWN

Conclusion

This investigation, which began from a TikTok account with automatically published fraud content, unveiled a diversified fraud ecosystem operated from a single infrastructure built (most probably with AI help) by a threat actor with genuine capabilities in the development of automation tools.

The first thing that strikes you is how consistent the fraud operation is. Each service running on the 51.83.68[.]125 server contributes to a broader end-to-end monetization operation. InfernoScript is a tool built to generate and publish videos on a large scale on TikTok to promote Discord servers and websites that deliver the frauds. AutoBump and AutoBump Discadia bring traffic to those Discord servers. Profitlab, AIportal, SnapDark and SnapDark Graphics lure victims through fake services branded with unbelievable discounts but could also be used to launder money through intangible, unverifiable services. InfernoCard comes full circle by offering anonymous payment services to those who provide or operate these frauds. The fraudsters do not simply operate a scam; they manage a portfolio of complementary fraud schemes which they develop.

The sophistication level for this kind of fraud goes beyond what one usually encounters in this type of operation. The development of proprietary tools, the TikTok multi-account management with automated publication every hour, the deployment of several separate services on a single server, and the integration of cryptocurrency payments for sensitive services demonstrate a significant investment.

Nevertheless, the fraudster made several basic OPSEC mistakes, making this investigation relatively straightforward. All the services are hosted on a single server without any compartmentalization, the dashboards are exposed to the Internet without requiring any authentication, and a Supabase API key and cryptocurrency wallet addresses are accessible in clear text on the JavaScript frontend. The exposed data made it possible to map potentially the entire system.

These frauds are targeting private individuals on multiple scales. Consumers lured by attractive but fake discounts on transportation fares for SNCF, Eurostar or Flixbus or food delivery services such as Deliveroo or Uber Eats are exposed to financial losses, especially if their supposedly cheap tickets or discount vouchers are not valid. The value of the Profitlab and SnapDark Graphics services is questionable. The SnapDark spying service is fictitious. Finally, the proposed InfernoCard service should raise suspicion as to whether these cards are used to facilitate fraudulent payments or launder money, or are simply just another scam.

Indicator | Type | Context
51.83.68[.]125 | IP address | The core server for the fraud infrastructure, hosted by OVH.
vps-9b2317f3.vps.ovh[.]net | Hostname | Reverse DNS for 51.83.68[.]125
infernocard[.]com | Domain name | Anonymous prepaid cards fraudulent shop
profitlab[.]fr | Domain name | Fraudulent Shopify e-commerce website creation service
snapdark[.]fr | Domain name | Fraudulent fake Snapchat spying
dark-snap[.]fr | Domain name | snapdark[.]fr clone
darksnap[.]fr | Domain name | snapdark[.]fr clone
snapgraphics[.]fr | Domain name | Website selling a subscription for a logo creation service
boutiquerapide[.]fr | Domain name | profitlab[.]fr clone
light-service[.]org | Domain name | profitlab[.]fr clone
aiportal[.]fr | Domain name | Fraudulent fake AI tool subscription service
nrqdxwpwxajtlrblwigx.supabase[.]co | Domain name | Exposed Supabase database, snapdark[.]fr
delivery.zentyra@gmail[.]com | Email address | Fake contact used by SnapDark
skyywtww | TikTok account | Starting point, ProfitLab distribution
sncfpascher | TikTok account | Account used for publishing fraudulent fare tickets
userx_salman | TikTok account | Account used for publishing fraudulent content
romainfitness93 | TikTok account | Account used for publishing fraudulent content
sby_elt | TikTok account | Account used for publishing fraudulent content
yep.tiktok1 | TikTok account | Account used for publishing fraudulent content
deletedusrn | TikTok account | Account used for publishing fraudulent content
hxxps://buy.stripe[.]com/00wdR9dMe7461xFcPBb3q17 | URL | Stripe payment link
hxxps://buy.stripe[.]com/fZu3cv4bEewy4JR6rdb3q18 | URL | Stripe payment link
hxxps://snapdark[.]fr/tracker.js | URL | JavaScript file exposing a Supabase API key
fBGPqiRJuC6oKNtqzJ9TM9jmjmfEAdUSJwJYDyXkPnL | Cryptocurrency wallet | SOL/USDC/USDT wallet address
bc1qhddq54xmsfarfs5pcv9r5emxwcyxelsjrehyag | Cryptocurrency wallet | BTC wallet address
LRsJc9gfyZprPj44m3akQ9AvkBBhXKSzik | Cryptocurrency wallet | LTC wallet address
0x12E9bcDb100f6a120F4bd652616a4Cc2148D255B | Cryptocurrency wallet | ETH wallet address
48gNc4Kwnk1YWjTcXxf6gS6b7PWVYcAYJ75P7aQ8fmuaiJsoMdRjmpfBLs8gudSsgLVEnhpg6kVs73gCcaz5GCUuB3DbU5D | Cryptocurrency wallet | XMR wallet address
