
TRXDrop

TRON & Solana Wallet Drainer Panel

Angel Drainer Reseller — trxdrop.live — Backend: trump-drop.world

Tags: Wallet Drainer, TRON / Solana, AI-Generated Code, Scam-the-Scammer, Angel Drainer, XOR Encryption

Key figures: 15 scam domains, 10 supported wallets, 50x forced sign retries, 3 drainer scripts

Scam-the-Scammer Assessment

This panel has a high probability of stealing funds from its own workers. Drainer reseller panels are notorious for this pattern — they recruit workers, let them drive victims, then silently redirect stolen funds to the operator.

Auto-Commission Theft: 30 TRX forcibly deducted per drain before any worker payout. Operator's funding wallet private key stored in config — operator has full control.
Server-Side Tx Building: All drain transactions built on operator's server (/api/buildTransactions). Operator controls what victims sign — can redirect funds to any wallet.
No On-Chain Verification: Workers have no way to verify actual drain amounts on-chain. Statistics shown in panel are generated by operator's backend — easily faked.
Trivial "Encryption": XOR cipher with hardcoded key TRX_SECURE_2024_PANEL_KEY — provides zero real security. All traffic is trivially interceptable.
"Verdict: Either will steal from workers after first significant drain, or is already doing so. The panel architecture is designed for the operator to have complete control over all funds."

What is TRXDrop?

TRXDrop is a wallet drainer affiliate panel at trxdrop.live operating as a reseller for Angel Drainer infrastructure. The actual drainer scripts and backend API are hosted on trump-drop.world. Workers register accounts, create drainer configurations, receive generated scripts, and deploy them on phishing pages disguised as TRX airdrops. Victims are tricked into signing malicious transactions through spoofed wallet interfaces.

AI-Generated Code: Boilerplate React CRA structure, generic naming, 30+ debug logs left in production, placeholder-style comments like AI prompt instructions. Likely built with Claude or GPT-4.
TRON Drainer: Forced signing loop (50 retries, 500ms interval). Auto-connects on mobile wallets. Deeplinks to 7 wallet apps. XOR-encrypted C2 communication.
Solana Drainer: Crasher mode (closes browser after drain to destroy evidence). Spoof mode (fake token balances). Honeypot mode (mint fake tokens to wallet).

Attack Flow

1. Fake Airdrop Page

Victim lands on fake TRX airdrop page. Drainer scripts inject anti-debug traps and decrypt XOR config.

2. Wallet Connection

On mobile: auto-connect after 1.5s if wallet browser detected. On desktop: professional-looking fake wallet modal with 7 wallet options.

3. Forced Signing

Server builds malicious transactions. Victim sees "Receive 10,000 TRX ($2,200)" with "verified" badge. 50 retry attempts if rejected.

4. Wallet Drained

Signed tx submitted to blockchain. TRX + USDT drained. 30 TRX auto-commission to operator. Telegram notification dispatched.

Infrastructure

Panel: trxdrop.live
Backend / C2: trump-drop.world
Drainer base: Angel Drainer (lvl 2 access)
Frontend: React SPA (Create React App)
Backend: Node.js / Express
Auth: JWT HS256
Encryption: XOR, key TRX_SECURE_2024_PANEL_KEY
WalletConnect ID: fbf5b42d6feed07049dd9e59d888645a
CIS blocking: RU, UA, BY, KZ
Min drain balance: $10 / 5 TRX
Auto-commission: 30 TRX per drain
Force Approval: $1,000+ triggers AutoDrain
First seen: 2026-01-30
Status at collection: Newly deployed / zero drains

Panel Operator

@STNlRAWbIaFLiH (Telegram ID: 6823931109)
Registered: ~December 2023
Role: Panel support / operator
Location hints: Nizhny Novgorod, Turkey crypto exchange groups

Decrypted Code Analysis

drainer-loader.js — Entry Point (68 lines)

Injected into victim phishing page. Activates anti-debug, decrypts config, chain-loads drainer scripts.

Anti-Debug IIFE
Recursive debugger statement via setInterval every 1000ms. Division trick alternates between constructor-based and direct debugger keyword.
Console Hijacking
Object.defineProperty replaces all 5 console methods (log, warn, error, info, debug) with empty functions.
XOR Config Decrypt
window.config = Base64-encoded XOR-encrypted JSON blob with all drainer settings (spoof text, wallet details, notifications).
Script Chain Loading
Sequentially loads: walletconnect-bundle.js (1.1MB SDK) → axios@1.6.7 → drainer-tron-core.js → drainer-wallet-modal.js

drainer-tron-core.js — Core TRON Drainer (525 lines)

Main drainer engine. All communication with trump-drop.world is XOR-encrypted.

xorConvert(data, key)
Dual-mode XOR cipher. Detects Base64 input, XORs each char with cycling key. Used for ALL API request/response encryption.
sendNotification(type, extras)
XOR-encrypts payload and POSTs to /api/notification. Types: joined, selected_wallet, connection, approved, drain, error.
connectWalletConnect()
SSE connection to /api/fetchWalletConnect. Server generates WC pairing URI, client opens official WC modal. Project ID: fbf5b42d6feed07049dd9e59d888645a.
connectTronLink()
Multi-provider: checks window.bitkeep.tronWeb, window.tronWeb, window.tronLink. Mobile: tron_requestAccounts with delays. Fallback: TronLink deeplink.
processWalletConnection(address, walletName, adapter)
Core malicious function. XOR-encrypts wallet + config, POSTs to /api/buildTransactions. Server returns crafted malicious txs. Enters forced signing loop: 50 attempts, 500ms delay. Rejected? Immediately retries.
init() + Mobile Auto-Connect
On mobile, after 1.5s, automatically drains without user interaction. Checks Bitget, imToken, TronLink. Victims opening in wallet browser get drained automatically.
walletDeeplinks{}
Deeplinks for 7 wallets: Trust, OKX, TokenPocket, SafePal, MathWallet, Bitget, imToken. Opens scam page inside wallet browser → triggers auto-connect.
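As an added example (not code from the TRXDrop panel or from Angel Drainer), the following is an analyst-side decoder for the Base64-plus-XOR scheme that xorConvert applies to window.config and to every /api request and response, using the key quoted in this report. It goes one step beyond the description above with a known-plaintext check that shows why a hardcoded cycling XOR key gives no confidentiality. The Base64 heuristic is an assumption about how the "dual-mode" input detection works, and the sample config is constructed, not captured.

```javascript
// Added example, not code from the TRXDrop panel or Angel Drainer: an
// analyst-side decoder for the Base64-plus-XOR C2/config scheme described
// above, with a known-plaintext check showing why the cycling key is no secret.
const PANEL_KEY = "TRX_SECURE_2024_PANEL_KEY"; // hardcoded key quoted in the report

// XOR each character of `data` with the cycling key; the same operation
// both encrypts and decrypts, as in the drainer's xorConvert.
function xorWithKey(data, key) {
  let out = "";
  for (let i = 0; i < data.length; i++) {
    out += String.fromCharCode(data.charCodeAt(i) ^ key.charCodeAt(i % key.length));
  }
  return out;
}

// Assumed heuristic for the "dual-mode" input detection: a well-formed
// Base64 string is decoded before XOR, anything else is XORed as-is.
function looksLikeBase64(s) {
  return s.length % 4 === 0 && /^[A-Za-z0-9+\/]+={0,2}$/.test(s);
}

// Decrypt a captured blob such as window.config or an /api/notification body.
function decryptBlob(blob, key = PANEL_KEY) {
  const raw = looksLikeBase64(blob) ? Buffer.from(blob, "base64").toString("latin1") : blob;
  return xorWithKey(raw, key);
}

// Produce a blob in the loader's format (XOR, then Base64) so the demo runs offline.
function encryptBlob(plain, key = PANEL_KEY) {
  return Buffer.from(xorWithKey(plain, key), "latin1").toString("base64");
}

// Known-plaintext key recovery: ciphertext XOR guessed plaintext yields key
// bytes directly. Every drainer config is JSON, so '{"' plus the first field
// name leaks the start of the key; because the key cycles, key.length bytes
// of known plaintext recover it entirely.
function recoverKeyPrefix(blob, knownPrefix) {
  const raw = Buffer.from(blob, "base64").toString("latin1");
  return xorWithKey(raw.slice(0, knownPrefix.length), knownPrefix);
}

// Constructed sample config in the style of the panel's spoof settings;
// not captured from the real infrastructure.
const SAMPLE_CONFIG = JSON.stringify({ spoof_text: "Receive 10,000 TRX", min_balance_trx: 5 });
const SAMPLE_BLOB = encryptBlob(SAMPLE_CONFIG);

console.log(decryptBlob(SAMPLE_BLOB));                        // the JSON config
console.log(recoverKeyPrefix(SAMPLE_BLOB, '{"spoof_text"'));  // TRX_SECURE_20
```

The Base64 heuristic can misfire on a raw string that happens to be valid Base64, which is the edge case any decoder of this scheme has to accept.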

drainer-wallet-modal.js — Fake Wallet UI (695 lines)

Pixel-perfect imitation of legitimate Web3 wallet connection modal.

WALLET_MODAL_CONFIG.wallets[]
7 wallet definitions: WalletConnect (QR), Trust Wallet, TronLink, TokenPocket, Bitget, imToken, Ledger. Icons loaded from trump-drop.world.
injectWalletModalStyles()
390 lines of CSS: z-index 999999999, backdrop blur, animations, dark/light themes, mobile bottom-sheet. Inter font.
handleWalletConnection(wallet)
Routes by type: walletconnect → TronDrainer.connectWalletConnect(), tronlink → connectTronLink(), deeplink → wallet app. Desktop falls back to WC.

Panel API Endpoints

Auth & Profile

POST /api/auth/login: JWT HS256
GET /api/user/profile: worker data
PUT /api/user/wallet: payout wallet
PUT /api/user/password: change pass

Drainer Config

GET/POST /api/configurations: list/create
PUT/DEL /api/configurations/{id}: edit/delete
POST /api/generate-script: TRON drainer
POST /api/generate-solana-script: Solana drainer

Drain Operations

POST /api/buildTransactions: malicious txs
POST /api/sendTransaction: submit signed
POST /api/notification: events
GET /api/fetchWalletConnect: SSE pairing

Panel Data

GET /api/statistics: clicks/drains
GET /api/news: announcements
GET /api/admin/users: all workers
GET /api/admin/settings: global config

Panel Screenshots

Dashboard — stats at zero
TRON config — transaction settings
TRON config — notifications & spoof
TRON config — fake "Receive 10,000 TRX"
Auto-commission — private key stored!
Solana — script generation
Solana — Crasher / Spoof / Honeypot
Solana — spoof mode settings

Related Domains (IOCs)

trxdrop.live trump-drop.world qlabtrondemo.shop testoviq.cfd aml-scan-wallet.com qqdemtron.lol v1-4check.digital photon-tiniyastro.icu tronsscan.net amltronchecker.com gasrefund.pro amlcleanscan.help one-aml.com amlscanner.help stakeplus.icu
Wallet: TRAGn9E6hbTiQrYG5V4sk1gNv3JaWHSxak

Evidence Archive

Panel Screenshots (8): 8 screenshots of admin panel interface
Core TRX Drainer (JS): drainer-tron-core.js, 525 lines
Loader Script (JS): drainer-loader.js, anti-debug, XOR decrypt
Fake Wallet Modal (JS): drainer-wallet-modal.js, 695 lines
IOCs: domains, wallets, bots, API endpoints
Drainer Configuration (CFG): panel-config.json, spoof & commission

Intelligence collected by PhishDestroy (GitHub)

This data is provided for law enforcement, security research, and anti-fraud purposes.