As part of our efforts to detect and prevent online fraud, OWN discovered a burgeoning fraud and potential scam campaign which relies on TikTok as its primary channel for content dissemination and promotion.
In this article we unveil a scam campaign promoting fraudulent discounted offers for various services such as transportation, food services, software, investment or prepaid cards, all of which are promoted on TikTok and Discord using an automated system commanded from a single server.
The starting point of this investigation is the skyywtww TikTok account. This account displays a pattern of excessive and repetitive posting, cycling through a small set of videos that are republished over and over, every hour. This set of videos promotes a single offer: a service for the creation of an e-commerce online shop using the Shopify platform, available on a website at profitlab[.]fr.
The promoted service is suspicious as it promotes an impressive 97% discount on online shop creation and suggests that the shop will generate almost immediate revenues. Moreover, the vendor boasts that they are certified by the Shopify platform, which cannot be verified on the official list of certified partners. These types of presentation, combining significant discounts, a money-back guarantee, a badge of legitimacy and testimonial videos, are typical of e-commerce fraud campaigns targeting retail consumers.
The publication rhythm is unlikely to result from ordinary human activity and instead strongly suggests the use of an automated system that drives publications through a dedicated backend. Also, each post has between 200 and 1000 views, which could be considered quite low for a single post, but they add up to several thousand in a 24-hour window. However, the distribution of the number of views raises the question of whether these figures might have been generated by bots.
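The posting pattern described above (one publication per hour, around the clock, cycling through a few videos) can be scored from post timestamps alone. The following is an added example, not OWN's tooling: the thresholds and both sample feeds are constructed assumptions.

```python
from datetime import datetime, timedelta
from statistics import mean, pstdev

def cadence_report(posts, max_cv=0.05, min_active_hours=20,
                   max_unique_ratio=0.25, min_posts=12):
    """Score one account's posts, given as (ISO timestamp, content id) pairs.
    All thresholds are illustrative assumptions, not values from the article."""
    parsed = sorted((datetime.fromisoformat(ts), cid) for ts, cid in posts)
    if len(parsed) < min_posts:
        return {"verdict": "insufficient-data", "signals": {}}
    gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(parsed, parsed[1:])]
    avg = mean(gaps)
    # Coefficient of variation: near 0 means a fixed timer drives the posts.
    cv = pstdev(gaps) / avg if avg else 0.0
    signals = {
        "regular_interval": cv <= max_cv,
        # People sleep; a scheduler covers almost every hour of the day.
        "round_the_clock": len({ts.hour for ts, _ in parsed}) >= min_active_hours,
        # A small pool of videos republished in a loop.
        "content_cycling": len({c for _, c in parsed}) / len(parsed) <= max_unique_ratio,
    }
    hits = sum(signals.values())
    verdict = ("likely-automated" if hits >= 2
               else "review" if hits == 1 else "no-automation-signal")
    return {"verdict": verdict, "signals": signals,
            "mean_gap_min": round(avg / 60, 1), "cv": round(cv, 4)}

def constructed_scheduled_feed(n=24):
    """Constructed sample: hourly posts with a few seconds of jitter, 5 videos."""
    start = datetime(2025, 1, 1)
    return [((start + timedelta(hours=i, seconds=(i * 7) % 20)).isoformat(),
             f"video-{i % 5}") for i in range(n)]

def constructed_human_feed():
    """Constructed sample: irregular daytime posts, every clip different."""
    times = ["01T18:12", "02T20:40", "04T12:05", "05T19:30", "07T21:15",
             "08T09:50", "10T18:02", "11T13:27", "13T20:44", "14T17:09",
             "16T22:31", "17T11:58"]
    return [(f"2025-01-{t}:00", f"clip-{i}") for i, t in enumerate(times)]

if __name__ == "__main__":
    for name, feed in (("scheduled", constructed_scheduled_feed()),
                       ("human", constructed_human_feed())):
        print(name, cadence_report(feed))
```

Requiring two of the three signals keeps a single coincidence, such as a creator who reposts a handful of clips, from flagging an account on its own.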
We therefore turned to Internet search engines such as ONYPHE to try to discover if any admin panel, configuration panel, dashboard or exposed backend existed with references to the profitlab[.]fr domain name or the skyywtww account. It turned out to be only the tip of the operation.
Searching for “skyywtww” in the servers’ text responses on ONYPHE did not yield any result. However, searching for “profitlab” retrieved a handful of results which we could analyze. One of them indicated a TikTok Dashboard, which was consistent with our investigation. It turned out that this result was found on the server at 51.83.68[.]125, which is also the IP address that profitlab[.]fr resolved to, confirming that this server was involved in the fraud.

Analyzing the page titled "InfernoScript - Dashboard TikTok" at 51.83.68[.]125:8080 shows a comprehensive web interface designed for the automated generation and publication of content on TikTok, which was left open on the Internet. The interface consists of four distinct modules accessible from a horizontal navigation bar:
- Inferno Splitter
- DarkSnap
- SNCF -50%
- ProfitLab
Inferno Splitter
The first module, Inferno Splitter, is the fundamental building block of the system. Using a single video uploaded on the interface, it automatically generates several variants of the original video with overlaid personalized text. Its function is thus to generate multiple similar but distinct videos from a single source.

DarkSnap
The second module, DarkSnap, adds a comprehensive automation layer to Inferno Splitter’s logic: after uploading video files as source and defining the number of videos to be generated, the operator can activate the Full Auto H24 mode, which then takes over the whole process of video generation and publication automatically.

The interface is set to publish one video every 60 minutes on each of the TikTok accounts managed through the dashboard. At the time of analysis, the following six accounts were configured:
- yep.tiktok1
- deletedusrn
- romainfitness93
- sncfpascher
- sby_elt
- userx_salman.
Each account is also configured with an automatic description, which is injected for each publication without any intervention from the operator.

It is worth highlighting that several of these accounts have amassed a significant number of followers, from hundreds to tens of thousands, and have previously published content unrelated to the fraudulent campaign which we have discovered. This suggests that these accounts may have belonged to other users before and may have been either hijacked or bought. Although we could not verify these hypotheses, they are worth mentioning.
All six accounts have been publishing the same videos in a synchronized way. Furthermore, these videos display another domain, snapdark[.]fr, which thus creates a strong link between the DarkSnap module and another part of the infrastructure which we will detail later.
SNCF -50%
The third module is entirely dedicated to a fraudulent travel ticket scheme. It generates videos promoting discounted SNCF tickets sold on a Discord server indicated in the description of the dedicated TikTok account. Examples of such videos promote a 50% reduction on train tickets for journeys between Paris and Lyon.

As for the other modules, the operator can define the number of variants to be generated.

ProfitLab
The fourth and last module links the service to the starting point of this investigation: profitlab[.]fr. This service generates videos for the promotion of this website. Thirty-five source videos have already been uploaded in the interface, along with a soundtrack and five rotating text descriptions that can be found in the publications of the skyywtww account.


This module also has a Full Auto H24 mode which is configured to publish videos automatically on the skyywtww account every 60 minutes, thus coming full circle with the starting point of this investigation.
InfernoScript is thus more than a simple video editing tool: it is a comprehensive automation platform operating from a centralized infrastructure capable of managing content publication across multiple accounts associated with several online fraud campaigns.

SnapDark[.]fr
As we mentioned earlier, the videos generated using the DarkSnap module mention the snapdark[.]fr domain name, which allows us to pivot to another fraudulent service supported by this infrastructure. snapdark[.]fr describes itself as a Snapchat spying service promising to offer anonymous access to a target’s My Eyes Only (a private storage protected with a PIN code to save Snapchat content), their GPS coordinates, and their private messages, without the target being alerted. However, looking at the source code of the trial offer reveals the deception: all the supposedly stolen data is scripted inside the code of the page.

The deception can be confirmed further: a Supabase API key is visible in clear text inside the tracker.js file, available at hxxps://snapdark[.]fr/tracker.js. The exposed API key allows the user events database to be consulted, thus revealing the steps performed by each victim, from their first visit to their payment. The Stripe payment form is indeed fully functional.
This service is available through three other domain names: snapcheck[.]fr, dark-snap[.]fr and darksnap[.]fr, probably for redundancy.

The fraud campaign was proven at this stage. However, investigating the IP address revealed different frauds and how they were promoted.
Five services on a single server
The ONYPHE search engine recorded several services exposed on 51.83.68[.]125.

Port 8080 — InfernoScript
This is the service that was documented in the previous paragraphs showing the operational core for the video generation tool.
Port 3000 — AutoBump
This service displays a configuration panel dedicated to the automated promotion of Discord servers. The principle is simple: bots submit “bump” commands on a regular basis to Disboard, a public Discord server listing platform. “Bumps” push Discord servers higher in listings such as Disboard or Discadia, so that they are found more rapidly by users looking for specific Discord communities. The fraudster thus uses these Discord server listing platforms to promote their fraudulent services.
The AutoBump interface reveals a lot of information: all the fraudulent offers promoted by the fraudster on various Discord servers are enumerated, as well as the Discord accounts of the most recent victims, the detailed logs of the bots’ actions and daily statistics.
The list of fraudulent offers matches the observations on the InfernoScript service: transport fare fraud, delivery services fraud and online video gaming fraud for example.

Port 3001 — AutoBump Discadia
This service is similar to the previous one but for the Discadia platform, a Discord server listing platform similar to Disboard.
The Discord servers promoted on this platform sell various virtual or physical assets linked to popular online video games such as accounts, real or virtual items, virtual currencies, etc.

Port 443 — SnapDark Graphics
This service offers to create and deliver “premium logos” for a monthly fee. The page content reproduces the same scheme as SnapDark: false recommendations, false statistics, and a gallery of logos whose origin cannot be verified, supported by seemingly real and convincing terms and conditions to enhance the veil of credibility.


A new domain name is shown in the extract produced by ONYPHE from the server’s response: snapgraphics[.]fr, which is the hostname associated with this service.

Port 22 — SSH
This port offers a standard SSH connection, allowing the operator to control their server remotely. Nothing out of the ordinary has been detected on this port.
Going further with InfernoCard
The domain name infernocard[.]com was discovered by inspecting passive DNS data for 51.83.68[.]125. It leads to a web page offering anonymous prepaid cards that can be loaded in US dollars using the Solana cryptocurrency (SOL).

It was not possible to verify if or how this offer functioned. However, loading such a prepaid card implied transferring funds to one of the wallets used by the service, as shown in the source code of the web page.

AI subscription fraud
ONYPHE also shows the SSL certificates associated with the 51.83.68[.]125 IP address, one of which is for aiportal[.]fr.

This domain name sells discounted subscriptions for renowned AI services, as always with a suspicious, significant discount, capitalizing on the current craze for generative AI.

Conclusion
This investigation, which began from a TikTok account with automatically published fraud content, unveiled a diversified fraud ecosystem operated from a single infrastructure built (most probably with AI help) by a threat actor with genuine capabilities in the development of automation tools.
The first thing that strikes you is how consistent the fraud operation is. Each service running on the 51.83.68[.]125 server contributes to a broader end-to-end monetization operation. InfernoScript is a tool built to generate and publish videos on a large scale on TikTok to promote Discord servers and websites that deliver the frauds. AutoBump and AutoBump Discadia bring traffic to those Discord servers. Profitlab, AIportal, SnapDark and SnapDark Graphics lure victims through fake services branded with unbelievable discounts but could also be used to launder money through intangible, unverifiable services. InfernoCard comes full circle by offering anonymous payment services to those who provide or operate these frauds. The fraudsters do not simply operate a scam; they manage a portfolio of complementary fraud schemes which they develop.
The sophistication level for this kind of fraud goes beyond what one usually encounters in this type of operation. The development of proprietary tools, the TikTok multi-account management with automated publication every hour, the deployment of several separate services on a single server, and the integration of cryptocurrency payments for sensitive services demonstrate a significant investment.
Nevertheless, the fraudster made several basic OPSEC mistakes, making this investigation relatively straightforward. All the services are hosted on a single server without any compartmentalization, the dashboards are exposed to the Internet without requiring any authentication, and a Supabase API key and cryptocurrency wallet addresses are accessible in clear text on the JavaScript frontend. The exposed data made it possible to map what is potentially the entire system.
These frauds target private individuals on multiple scales. Consumers lured by attractive but fake discounts on transportation fares for SNCF, Eurostar or Flixbus or food delivery services such as Deliveroo or Uber Eats are exposed to financial losses, especially if their supposedly cheap tickets or discount vouchers are not valid. The value of the Profitlab and SnapDark Graphics services is questionable. The SnapDark spying service is fictitious. Finally, the proposed InfernoCard service should raise the question of whether these cards are used to facilitate fraudulent payment or launder money, or are simply just another scam.






