717Team

Crypto Drainer & Fake AML Verification Operation

Wallet Drainer Fake AML Phishing TRX/TRON Active Jan 2026
Group Members: 125
TRX Wallets: 85
Domains: 15
TX Hashes: 30

Operation Summary

717Team operates a fake AML verification and wallet drainer scheme on the TRON/TRX network. Victims are directed to phishing domains (checkscore.cc, amlbot.pw, wallet-invoice.pw, etc.) posing as legitimate AML/KYC verification services. Upon connecting their wallets, a smart contract drainer steals all USDT. The operation uses @withdraw_717_bot for automated payouts (~70% to workers). Coordination happens in Telegram with 125+ participants.

Method: Fake AML check → wallet connect → approve tx → drain USDT
Network: TRON (TRX) / TRC-20 USDT
Payout: @withdraw_717_bot (auto, ~70%)
Key Actor: user7149807602

Telegram ID: 7149807602

Display Name: debank
Telegram: @imdebank
Also known as: @bogiepnl
Role: Admin / Founder
ETH Wallet: 0x9943777f44053566fFa9d43869D33D1B48387A3B
Status: Active
TSA Intel: Active in 3 groups: [RublevkaTeam] Chat NOT, Solana (public), СОЛЕВАЯ НОРКА. Asked for fake Solana honeypot tokens in both Russian and English. Discussed auto-withdrawal setup and seed phrase leaks.

Phishing Domains & URLScan Evidence

checkscore.cc [Main]
Primary fake AML — "Trust AML" • IP: 188.114.97.3 • Cloudflare

amlbot.pw [Phishing]
"AML Check" • IP: 172.67.177.155 • Cloudflare • @phish_report tagged

wallet-invoice.pw [Malicious]
"USDT Receipt Creator" • IP: 172.67.222.10 • drainer.js from kick-facepunch.com
Loads drainer.js + modal.js from kick-facepunch.com • Wallet adapters: TronLink, Ledger, BitKeep, OKX, ByBit, Trust

wallet-receive.com [Malicious]
"USDT Receipt Creator" • IP: 172.67.146.101 • drainer.js • certstream-flagged
Exfiltrates to ncdomen.com • Wallet adapters: TronLink, Ledger, OKX, BitKeep, Bybit, WalletConnect

trust-receive.com [Malicious]
"USDT Receipt Creator" • IP: 188.114.96.3 • Trust Wallet impersonation
drainer.js + modal.js from kick-facepunch.com • SSL cert issued Jan 25, 2026

cryptomus.ltd [Malicious]
"Cryptomus Exchange | Crypto Invoice" • IP: 172.67.167.134
drainer.js + modal.js from kick-facepunch.com • Targets TronLink, Ledger, OKX, Bybit, Trust

cryptomus-invoice.com [Impersonation]
Cryptomus payment impersonation

cryptomus-payment.com [Active]
Most active domain in logs — $2,200 theft

manual.717team.cc [Manual]
Internal operation manual / worker training

kick-facepunch.com [Drainer C2]
Serves drainer.js & modal.js to all phishing domains

ncdomen.com [Exfil]
Data exfiltration endpoint for stolen wallet data

dark.shopping [Marketplace]
Darknet marketplace

Confirmed USDT Thefts — Victim Log

Total Confirmed Drained (from bot logs): $2,946.25

Date | Wallet / Amount | Domain | IP | Geo | Status
Jan 23 | TQGLaa...KG552,200.40 | cryptomus-payment.com | 2402:4000:... | Colombo, Sri Lanka | DRAINED
Jan 26 | TRgGey...QJA203.00 | cryptomus-payment.com | 94.246.204.214 | Kohtla-Järve, Estonia | DRAINED
Jan 10 | TVgTrv...wiTU133.55 | amlbot.pw | 185.138.166.85 | Amsterdam, Netherlands | DRAINED
Jan 29 | TNDRMe...WRi102.39 | cryptomus-payment.com | 2403:6200:... | Phuket, Thailand | APPROVED
Jan 18 | TRTSwJ...1vZv90.01 | cryptomus-invoice.com | 88.252.231.95 | Erzincan, Turkey | DRAINED
Jan 28 | TDp7XR...JLL5A77.94 | checkscore.cc | 91.239.157.242 | Frankfurt, Germany | DRAINED
Jan 29 | TELbin...EHeh39.13 | cryptomus.ltd | 202.58.197.64 | Denpasar, Bali, Indonesia | DRAINED
Jan 26 | TQQaP8...Ach16.19 | cryptomus-payment.com | 2001:e60:... | Gwanak-gu, Seoul, South Korea | APPROVED
Jan 26 | TRTSwJ...1vZv38.83 | cryptomus-invoice.com | 88.252.231.95 | Erzincan, Turkey | DEPOSIT
Jan 15 | TGtALv...7gkU9.00 | amlbot.pw | | | APPROVED
Jan 28 | TAnje8...Dwk94.23 | wallet-invoice.pw | 2a02:8440:... | Metz, France | DEPOSIT
Jan 22 | TNDRMe...WRi2.39 | cryptomus-payment.com | 2403:6200:... | Phuket, Thailand | APPROVED
Jan 24 | TVzwRJ...bmNo1.01 | cryptomus-payment.com | 146.70.193.15 | Belgrade, Serbia | APPROVED

DRAINED = funds confirmed stolen • APPROVED = wallet gave approval (drainer has access) • DEPOSIT = new funds arrived to compromised wallet

All Victim Connections (85 wallets)

Date | Wallet | Domain | IP | Location | Browser

Transaction Hashes (30)

# | TX Hash | Link

Chat Logs (3,882 Messages)

1. Chat Export — Part 1: First segment of Telegram group
2. Chat Export — Part 2: Second segment
3. Chat Export — Part 3: Third segment
4. Chat Export — Part 4: Fourth segment

TRX Victim/Operator Wallets (85)

# | Wallet Address | Tronscan

Group Members (125)

User ID | Display Name

Photo Evidence (70 images)

Intelligence collected by PhishDestroy | GitHub

This data is provided for law enforcement, security research, and anti-fraud purposes.